
Cisco IOS Software Releases 12.3 Mainline

Cross-Platform Release Notes for Cisco IOS Release 12.3, Part 7: Caveats for 12.3(1) through 12.3(5f)

Table Of Contents

Resolved Caveats—Cisco IOS Release 12.3(5f)

Basic System Services

IP Routing Protocols

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.3(5e)

Basic System Services

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(5d)

Basic System Services

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(5c)

Basic System Services

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(5b)

Basic System Services

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(5a)

Basic System Services

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(5)

Basic System Services

EXEC and Configuration Parser

IBM Connectivity

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(3i)

Basic System Services

IP Routing Protocols

Resolved Caveats—Cisco IOS Release 12.3(3h)

Basic System Services

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(3g)

Basic System Services

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(3f)

Basic System Services

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(3e)

IP Routing Protocols

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.3(3c)

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.3(3b)

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.3(3a)

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(3)

Access Server

Basic System Services

EXEC and Configuration Parser

IBM Connectivity

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

Novell IPX, XNS, and Apollo Domain

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(1a)

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(1)

Basic System Services

IBM Connectivity

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

Novell IPX, XNS, and Apollo Domain

TCP/IP Host-Mode Services

Wide-Area Networking

Obtaining Documentation and Submitting a Service Request


Resolved Caveats—Cisco IOS Release 12.3(5f)

Cisco IOS Release 12.3(5f) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5f) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCee45312

Remote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.

Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.

Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue. Some configurations using RADIUS, none and an additional method are not affected.

Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.

More details can be found in the security advisory, which is posted at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml
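
The following is an added example, not part of the Cisco release notes: a configuration review check that lists AAA authentication method lists in which RADIUS is used and the final fallback is none, separating lists that also contain an additional method. The sample configuration and all function names are constructed for illustration; whether a flagged list is actually affected is decided by the advisory above, not by this script.

```python
import re

# Constructed sample running-config fragment (not taken from the release notes).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius CORP-RAD
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
aaa authentication login default group radius none
aaa authentication login CONSOLE local
aaa authentication ppp DIALIN group CORP-RAD local none
aaa authentication login VTY group tacacs+ none
aaa authentication enable default group radius enable
"""


def radius_group_names(config):
    """Server groups that resolve to RADIUS: the built-in one plus named groups."""
    names = {"radius"}
    names.update(re.findall(r"^aaa group server radius (\S+)", config, re.M))
    return names


def split_methods(text):
    """Turn 'group radius local none' into ['group radius', 'local', 'none']."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit_radius_none(config):
    """Return (service, list name, kind) for each list using RADIUS that ends in none."""
    radius = {"group " + name for name in radius_group_names(config)}
    findings = []
    pattern = re.compile(r"^aaa authentication (\S+) (\S+) (.+)$", re.M)
    for m in pattern.finditer(config):
        service, list_name = m.group(1), m.group(2)
        methods = split_methods(m.group(3))
        if not methods or methods[-1] != "none":
            continue  # no fallback to none
        if not radius.intersection(methods):
            continue  # RADIUS is not one of the methods
        # The notes say some configurations with an additional method are not
        # affected, so those are reported under a separate label.
        others = [x for x in methods[:-1] if x not in radius]
        kind = "radius-none-with-additional-method" if others else "radius-none"
        findings.append((service, list_name, kind))
    return findings


if __name__ == "__main__":
    for finding in audit_radius_none(SAMPLE_CONFIG):
        print(finding)
```
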

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

IP Routing Protocols

CSCeh13489

Symptoms: A router may reset its Border Gateway Protocol (BGP) session.

Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.

Workaround: Configure the bgp maxas-limit command in such a way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path value, the prefix is rejected and the event is recorded in the log.

Miscellaneous

CSCeh77547

Symptoms: The makefile is missing the ik9s-mz image list for the Cisco AS5350 gateway.

Conditions: This symptom has been observed for the Cisco AS5350 and AS5400 platforms.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(5e)

Cisco IOS Release 12.3(5e) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5e) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCef46191

Symptoms: A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.

All other device services will operate normally.

Conditions: A user-initiated, specially crafted TCP connection to a telnet or reverse telnet port results in blocking further telnet sessions. Services such as packet forwarding, routing protocols, and all other communication to and through the device remain unaffected.

Workaround: The detailed advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml

CSCin61699

Symptoms: Retransmissions may not be sent to all RADIUS servers in a server group.

Conditions: This symptom is observed when an active RADIUS server in a server group is declared dead and when the server group already contains some dead RADIUS servers. In this situation, the retransmission attempt is not made to all the dead RADIUS servers in the server group but only to the server that is just declared dead. This is not proper behavior: retransmissions should be sent to all the dead RADIUS servers.

Workaround: There is no workaround.

Interfaces and Bridging

CSCee58873

Symptoms: The show controllers t1 slot/port command may show only the current interval.

Conditions: This symptom is observed on a Cisco 7200 series when FDL is configured.

Workaround: There is no workaround.

Further Problem Description: When FDL is configured, the router updates the MIB data after checking for a valid local and remote MIB data interval that it receives from the T1 port adapter. During the remote MIB update, and if the received data interval is invalid, the router clears both the remote and the local data instead of clearing only the remote data and starting again.

IP Routing Protocols

CSCed73023

Symptoms: A Cisco 1600 series crashes with an "Unexpected exception to CPU vector 2" error.

Conditions: This symptom is observed when stateful NAT is configured with the redundancy in command.

Workaround: There is no workaround.

CSCef60659

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

CSCsa59600

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

Miscellaneous

CSCec81138

Symptoms: Traceback messages are seen on a Cisco AS5400 origination GW (OGW). The tracebacks are reproducible.

Conditions: This symptom is observed when running tests with an E1R2 interface.

Workaround: There is no workaround.

CSCee01688

Symptoms: A NAS crashes when stress scripts are running and when bulk calls are made.

Conditions: This symptom is observed on a Cisco AS5400 and Cisco AS5800 that are configured for T1 when scripts run that enter the shutdown command followed by the no shutdown command on controllers in digital callers and the clear modem all command in analog callers. The NAS is stressed with both analog and digital calls made from a traffic generator that sends 20 packets per second and the scripts run every 10 minutes.

Workaround: There is no workaround.

CSCee11770

Symptoms: All SWIDBs may be used.

Conditions: This symptom is observed when PPPoA sessions flap continuously.

Workaround: There is no workaround.

CSCee20366

Symptoms: IMA link status sticks in NE usable/usable while showing FE active/active.

Conditions: This symptom is observed when an IMA module in a Cisco 3640 is connected to a third-party vendor switch.

Workaround: Administratively shut down the link and then bring it back.

CSCee22810

Symptoms: On a Cisco 7500 series, all PVCs may suddenly enter the down state and remain in this state for about two minutes before they come back up. During the DLCI down state, the subinterface does not go down and no notifications are observed in the message log.

Conditions: This symptom is observed on a Cisco 7500 series that is configured with an RSP4+ or an RSP8 and that runs the rsp-jsv-mz image of Cisco IOS Release 12.2(12i). In addition, the router is configured with an 8-port serial port adapter and an HSSI port adapter, is configured for Frame Relay, and has more than 450 PVCs/DLCIs. Note that the symptom may be platform-independent and may also occur on other Cisco platforms in a similar configuration.


Note: This is a timing issue and is not dependent on the number of VCs.


Workaround: There is no workaround.

CSCee47441

Symptoms: When the Cisco IOS Firewall CBAC is configured, the router seems to have a software-forced reload caused by one of the inspections processed.

Conditions: This symptom is observed when the router is part of a DMVPN hub-spoke with a Cisco VoIP phone solution deployed on it and the router is connected to the central office over the Internet. The Cisco VoIP phone runs the SKINNY protocol.

Workaround: There is no workaround.

CSCee49556

Symptoms: When a T.38 fax failure occurs, for example because a call is disconnected, a Cisco AS5400 may incorrectly generate the following message in its log:

%DSM-3-DSP_TIMEOUT: DSP timeout on channel <channel specific information> T38 Codec Switch Failed or Timed out

Conditions: This symptom is observed when there is no real failure in the codec download. The symptom may occur when a disconnect from the telephony side occurs while the Cisco AS5400 is in the middle of a codec download.

Workaround: There is no workaround.

CSCee69942

Symptoms: A software-forced reload may occur on an MGCP gateway that uses embedded messages in the MGCP protocol.

Conditions: This symptom is observed on a Cisco platform that functions as an MGCP gateway and is caused by the MGCP embedded message processing.

Workaround: There is no workaround.

CSCee94294

Symptoms: %ALIGN-3-SPURIOUS and %ALIGN-3-TRACE messages may appear in the logs of a router, and the output of the show align command shows that some spurious memory accesses are recorded.

Conditions: This symptom is observed on a Cisco 7500 series when a dLFIoATM interface on the router flaps.

Workaround: There is no workaround. However, the capabilities and performance of the router are not affected.

CSCef04467

Symptoms: The MGCP default setting for the minimum jitter buffer size is 4 ms; this setting degrades the voice quality until you configure a different value via the mgcp playout command. This has always been the default in IOS, but MGCP had been using a fixed playout buffer instead of a dynamic buffer even when it was configured to use a dynamic buffer. Following some recent IOS changes, MGCP now uses a dynamic playout buffer.

Conditions: This symptom is observed under normal operating conditions.

Workaround: Configure the nominal MGCP default setting for the minimum jitter buffer size to be the same as for H.323 and SIP gateways so that the setting for each individual gateway does not need to be changed via the mgcp playout command.

CSCef14548

Symptoms: A Cisco router accepts an incoming plaintext packet that matches the crypto map that is applied to an interface. The packet should be rejected because it should have been encrypted.

Conditions: This symptom is observed when all the following conditions occur:

The interface is a serial subinterface.

The interface has both fast switching and CEF switching disabled.

The outgoing interface for the packet has fast switching or CEF switching enabled.

Workaround: Ensure that all interfaces have fast switching and CEF switching either enabled or disabled.

CSCef21720

Symptoms: A software-forced crash may occur on a gatekeeper that processes an incoming call.

Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper and that runs Cisco IOS Release 12.2(15)T13 and occurs only when a GKTMP server is configured for LRQ triggering.

Workaround: There is no workaround.

CSCef44225

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

CSCef46230

Symptoms: A Cisco Access server that terminates virtual-profile calls with per-user access control lists (ACLs) does not remove all per-user ACLs when calls are terminated. This situation may cause the memory of the access server to be depleted, and the output of the show processes memory EXEC command may indicate that the "AAA Per-User" process holds most of the allocated memory.

Conditions: This symptom is observed on a Cisco access server that runs a Cisco IOS Release that contains the fix for CSCee01688.

Temporary Workaround: To free up memory, manually remove the per-user ACL by entering the no ip access-list extended virtual-access number global configuration command. The number argument consists of the numbers (for example, 2003#671) that are assigned by the Cisco IOS software when the ACL is created.

CSCef61610

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

CSCef67682

Reception of certain IPv6 fragments with carefully crafted illegal contents may cause a router running Cisco IOS to reload if it has IPv6 configured. This applies to all versions of Cisco IOS that include support for IPv6.

The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:

interface Ethernet0/0
 ipv6 traffic-filter nofragments in
!
ipv6 access-list nofragments
 deny ipv6 any <my address1> undetermined-transport
 deny ipv6 any <my address2> fragments
 permit ipv6 any any

This must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.

This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.

We recommend that customers upgrade to the fixed IOS release. All IOS releases listed in the IPv6 Routing Header Vulnerability Advisory at /en/US/products/products_security_advisory09186a00807cb0fd.shtml contain fixes for this issue.
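
The following is an added example, not part of the Cisco release notes: a check of the workaround's two requirements (an inbound filter on every IPv6 interface, and a fragments deny for every address the system owns) that also catches a deny placed after permit ipv6 any any. The sample configuration and function names are constructed; the script assumes ACL entries of the form shown above (protocol ipv6, source any) and only sees addresses written explicitly in the configuration, so link-local, eui-64 and autoconfigured addresses need a manual check.

```python
import ipaddress
import re

# Constructed sample configuration; addresses are from the documentation range.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 traffic-filter nofragments in
!
interface Ethernet0/1
 ipv6 address 2001:DB8:0:2::1/64
!
interface Serial1/0
 ip address 192.0.2.1 255.255.255.252
!
ipv6 access-list nofragments
 deny ipv6 any host 2001:DB8:0:1::1 undetermined-transport
 deny ipv6 any host 2001:DB8:0:1::1 fragments
 permit ipv6 any any
 deny ipv6 any host 2001:DB8:0:2::1 fragments
"""


def parse_blocks(config):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def own_addresses(subcmds):
    """IPv6 addresses configured explicitly on one interface."""
    addrs = []
    for cmd in subcmds:
        m = re.match(r"ipv6 address (\S+)(.*)", cmd)
        if not m or "eui-64" in m.group(2) or "anycast" in m.group(2):
            continue
        try:
            addrs.append(ipaddress.ip_interface(m.group(1)).ip)
        except ValueError:
            pass  # keyword forms such as "autoconfig"
    return addrs


def dest_network(tokens):
    """Destination of an entry as (network, remaining option tokens)."""
    try:
        if tokens[0] == "any":
            return ipaddress.ip_network("::/0"), tokens[1:]
        if tokens[0] == "host":
            return ipaddress.ip_network(tokens[1] + "/128"), tokens[2:]
        return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]
    except (ValueError, IndexError):
        return None, []


def fragments_denied(entries, addr):
    """First-match walk: True only if fragments to addr are denied before
    an unqualified permit that covers addr."""
    for entry in entries:
        m = re.match(r"(permit|deny) ipv6 any (.+)$", entry)
        if not m:
            continue  # outside the entry form this example understands
        dest, options = dest_network(m.group(2).split())
        if dest is None or addr not in dest:
            continue
        if m.group(1) == "deny" and (not options or "fragments" in options):
            return True
        if m.group(1) == "permit" and not options:
            return False
    return False


def audit_fragment_filter(config):
    """Return (interface, issue, detail) tuples for gaps in the workaround."""
    blocks = parse_blocks(config)
    ifaces = {h.split(None, 1)[1]: s for h, s in blocks.items()
              if h.startswith("interface ")}
    all_addrs = [a for subs in ifaces.values() for a in own_addresses(subs)]
    findings = []
    for name, subs in ifaces.items():
        if not any(c.startswith("ipv6 ") for c in subs):
            continue  # IPv6 is not configured on this interface
        acl = next((m.group(1) for m in
                    (re.match(r"ipv6 traffic-filter (\S+) in$", c) for c in subs)
                    if m), None)
        if acl is None:
            findings.append((name, "no-inbound-filter", ""))
            continue
        entries = blocks.get("ipv6 access-list " + acl, [])
        for addr in all_addrs:
            if not fragments_denied(entries, addr):
                findings.append((name, "fragments-not-denied", str(addr)))
    return findings


if __name__ == "__main__":
    for finding in audit_fragment_filter(SAMPLE_CONFIG):
        print(finding)
```
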

CSCef68324

Cisco Internetwork Operating System (IOS) software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.

Cisco has made free software available to address this vulnerability for all affected customers.

More details can be found in the security advisory that is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.

CSCef72772

Symptoms: Spurious memory accesses occur on a gatekeeper during RAS communication for H.323 voice calls.

Conditions: This symptom is observed when the gatekeeper sends an LRQ for a voice call.

Workaround: There is no workaround.

CSCef81415

Symptoms: When the calling number or the called number or both contain the * character, for example *67#1234567890, the call is rejected by the gateway and is released with cause code 63 (service or option not available). In the debugs, the following message is generated before the call is released:

H225Lib::is_valid_e164_number: Number has non-supported IA5 character - *

cch323_ras_arj_notify:called

Conditions: This symptom is observed on a Cisco platform that functions as a gateway in an H.323 VoIP network and that runs Cisco IOS Release 12.3(6c) or another release that contains the fix for CSCee07037. The symptom occurs only in gatekeeper-routed call scenarios, that is, RAS-based call flows.

A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCee07037. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

The symptom does not occur with other characters such as #.

Workaround: There is no workaround.

CSCeg30170

Symptoms: When you perform a stress test on a Cisco 7200 series that processes H.323 voice calls, the following error message and traceback may be generated:

%ALIGN-3-SPURIOUS: Spurious memory access made at 0x6241A498 reading 0x94

%ALIGN-3-TRACE: -Traceback= 6241A498 6241C788 623EB0F8 623ED694 00000000 00000000 00000000 00000000

DGK7201#

Conditions: This symptom is observed when you make approximately 40 calls per second and when the directory gatekeeper (DGK) loader constantly sends LRQs to the DGKs to query a route server to obtain routes. Note, however, that the router continues to process calls normally.

Workaround: There is no workaround.

CSCin82407

Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.

Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.

This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml

CSCsa54608

The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.

Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.

Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.

Only devices running certain versions of Cisco IOS are affected.

Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml.

CSCuk47482

Symptoms: A router may reload unexpectedly while you disable label distribution protocol (LDP) on an interface.

Conditions: This symptom is observed on a router that has several interfaces that are configured for LDP when you disable LDP on all interfaces and when there is still one open TCP connection that is passively used by LDP while you disable LDP on the last interface.

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCed78149

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

Wide-Area Networking

CSCee82624

Symptoms: A spurious memory access may occur on a Cisco router that is configured for PPP.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(5).

Workaround: There is no workaround.

CSCef12262

Symptoms: With PPP multilink over ATM configured in Cisco IOS, the router may reload with a bus error.

Conditions: This symptom is observed when the PPP over ATM link goes down and is removed from the multilink bundle.

Workaround: Increasing the keepalive interval or retry count, or disabling keepalives altogether, may help to avoid the problem by making it less likely that the PPP over ATM session goes down during periods of instability in the ATM network.

CSCsa52807

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

Resolved Caveats—Cisco IOS Release 12.3(5d)

Cisco IOS Release 12.3(5d) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5d) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCdz87017

Symptoms: Information about a port adapter (PA) may be missing from the output of a show diag command.

Conditions: The show diag command for the affected controller displays information similar to the following:

PA Bay 0 Information:

Fast-Ethernet PA, 1 ports, 100BaseTX-ISL

EEPROM format version 0

HW rev 0.00, Board revision UNKNOWN

Serial number: 00000000 Part number: 00-0000-00

The problem is related to a timing issue and is not always reproducible.

Workaround: There is no workaround. However, the symptom does not impact the functionality of the router.

CSCed64664

Symptoms: A "%SYS-2-LINKED: Bad enqueue ....." error message may be seen in the syslog of an LNS right after traffic is sent through a PPP multilink bundle that is established via an L2TP session on the LNS. This message is also seen when multilink PPP fragments are switched or when multicast packets are replicated.

Certain packet buffers (particle clones) are eventually depleted, and multilink fragmentation stops working when all particle clones are exhausted. You can monitor the availability of particle clones by entering the show buffers | begin Particle Clones: EXEC command; the command does not produce any output if no more particle clones are available.

Conditions: This symptom is observed when multilink is configured on a virtual template that is handling the VPDN sessions or when multicast packets are switched.

Workaround: When L2TP multilink calls are terminated, disable multilink fragmentation by entering the ppp multilink fragment disable interface configuration command on the virtual template.

CSCed75238

Symptoms: A serial interface on a Cisco 7500 series may stop transmitting traffic and may report the following VIP crashes:

%MDS-2-LC_FAILED_IPC_ACK: RP failed in getting Ack for IPC message of size 84 to LC in slot 2 with sequence 1007, error = timeout

%RSP-3-RESTART: interface Serial3/0/0:0, not transmitting

%VIP2-3-MSG: slotX VIP-3-SVIP_CYBUSERROR_INTERRUPT: A Cybus Error occurred.

%VIP2-1-MSG: slotX CYASIC Error Interrupt register 0x4000000

%VIP2-1-MSG: slotX DMA Transmit Error

%VIP2-1-MSG: slotX CYASIC Other Interrupt register 0x100

%VIP2-1-MSG: slotX QE HIGH Priority Interrupt

%VIP2-1-MSG: slotX QE RX HIGH Priority Interrupt

%VIP2-1-MSG: slotX CYBUS Error Cmd/Addr 0xD00FF3A

Conditions: This symptom is observed on a Cisco 7500 series running Cisco IOS Release 12.3(5a). This symptom is not observed in Release 12.1(8c).

Workaround: There is no workaround.

CSCed91215

Symptoms: Attributes 42 and 43 may be of value "zero" in Connection STOP records.

Conditions: This symptom is observed on a Cisco AS5400 and Cisco AS5850 that run Cisco IOS Release 12.3 or Release 12.3(4)T4 when a TCP-clear call is disconnected by the caller. For call disconnects by the NAS, the values are correct.

Workaround: There is no workaround.

CSCee35740

Symptoms: After a VIP crashes, a FIB-3-FIBDISABLE error message due to an IPC timeout may occur for all the slots of the VIP.

Conditions: This symptom is observed on a Cisco 7500 series after the VIP crashes and before the VIP recovers. The FIB-3-FIBDISABLE error message is generated for all the slots of the VIP, causing dCEF switching to become disabled.

Workaround: There is no workaround. You can reenable dCEF by entering the clear cef linecard command.

Interfaces and Bridging

CSCdy36519

Symptoms: A Cisco 7500 series may show a %SYS-3-CPUHOG error message when an ATM link on the router is flapped.

Conditions: This symptom is observed only when there are a lot of VCs on the ATM interface and when the VIP is oversubscribed.

Workaround: There is no workaround.

CSCee55632

Symptoms: A Cisco 7500 series may leave ATM PVCs up when the ATM interface is shut down.

Conditions: This symptom is observed on a Cisco 7500 series that has a PA-A3 when the CPU utilization of the VIPs is high.

Workaround: There is no workaround.

IP Routing Protocols

CSCec55535

Symptoms: Address Resolution Protocol (ARP) may not be triggered for an inside-local address destination after the outside-to-inside translation is performed correctly, causing packets to be dropped because the adjacency remains gleaned.

Conditions: This symptom is observed on a Cisco router when the Multi-VRF feature is configured and when you configure a customer edge (CE) router to perform Network Address Translation (NAT).

Workaround: Perform a ping from the router to the CE router to trigger ARP and to populate the adjacency table.

CSCec59206

Symptoms: A router may reload unexpectedly because of a bus error when it accesses a low address during the translation of TCP port 514.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(5) and that is configured for Network Address Translation (NAT).

Workaround: Prevent the translation of TCP port 514.

CSCed57814

Symptoms: A Cisco router that is configured for SIP NAT may not be able to process authentication messages from a third-party SIP gateway that performs SIP proxy authentication.

Conditions: This symptom is observed in a Call Hold/Resume procedure.

Workaround: There is no workaround.

CSCed65040

Symptoms: T.38 fax calls between a Cisco router and a third-party gateway may fail.

Conditions: This symptom is observed when two third-party gateways are connected via a Cisco router that runs SIP NAT. The T.38 fax calls fail from one of the third-party gateways to the Cisco router and vice versa.

Workaround: There is no workaround.

CSCee10996

Symptoms: When the debug ip pim auto-rp command is enabled on a Cisco 7500 series, the router crashes when it receives an AutoRP message.

Conditions: This symptom is observed on a Cisco 7500 series that runs the rsp-isv-mz image of Cisco IOS Release 12.2(15)T7 or 12.2(15)T9. The symptom may also occur in other releases of Release 12.2 T, or in Release 12.3 or Release 12.3 T.

Workaround: There is no workaround.

Miscellaneous

CSCdy40928

Symptoms: Connectivity difficulties may occur when Virtual Private Network (VPN) routing/forwarding (VRF) packets follow the global routing table instead of the VRF table.

Conditions: This symptom is observed on a low-end Cisco router that runs Cisco IOS Release 12.2(7a) or another release when the global address space in the router overlaps with the VRF address that is configured on a VRF interface of a connected PE router. The VRF interface of this PE router may be unreachable but end-to-end connectivity may not be affected.

Workaround: There is no workaround.

CSCdz67303

Symptoms: A Cisco router that functions as a voice gateway may reload unexpectedly after a series of calls that include call transfers and diverted calls have been processed.

Conditions: This symptom is observed on a Cisco 2621XM and Cisco 3640 when you use a third-party vendor protocol converter to translate and provide a tunnel for Digital Private Network Signaling System (DPNSS) traffic over Q Signaling (QSIG). The symptom is not platform specific.

Workaround: There is no workaround.

CSCea32906

Symptoms: A Cisco Service Selection Gateway (SSG) router may reload because of a bus error.

Conditions: This symptom is observed on a Cisco router when Cisco Express Forwarding (CEF) is enabled and access list configurations on the router are changed.

Workaround: Disable CEF.

CSCea59948

Symptoms: A cbus complex, which brings down all the interfaces on the router for some time without causing the router to reload, may be observed on a Cisco router when the following message appears on the serial interface:

%RSP-3-RESTART: interface Serial8/1/0/23:23, not transmitting

Conditions: This symptom occurs specifically on a Cisco 7500 series router when Multilink PPP (MLP) is configured on the serial interface and distributed Cisco Express Forwarding (dCEF) switching is enabled.

The problem occurs when multilink member links flap. It may occur after a single flap or after multiple flaps.

Workaround: There is no workaround.

Further Problem Description: The length of time that the interfaces are down because of a cbus complex depends on the number of VIPs/IPs (time taken for microcode download) and the type of PAs (time taken for VIP reload) present in those VIPs. All the interfaces come back up without any manual intervention.

CSCeb68673

Symptoms: On an ASBR-PE, the TFIB may be missing a forwarding entry for a prefix that is learnt from a PE.

Conditions: This symptom is observed on an "ASBR-co-located PE" (that is, an ASBR that also functions as a PE router) when the PE functionality is removed by deconfiguring VRF, for example, by entering the no ip vrf vrf-name command.

Since this is a timing issue, it may occur in Cisco IOS Release 12.0 S, 12.2 S, 12.2 T, and 12.3.

Workaround: There is no workaround.

CSCec24878

Symptoms: A Cisco Media Gateway Control Protocol (MGCP) gateway may be unregistered by a Cisco CallManager.

Conditions: This symptom is observed on a Cisco router that functions as a gateway and that runs Cisco IOS Release 12.2 T, Release 12.3, or Release 12.3 T when the T1 channel-associated signaling (CAS) and PRI backhaul is configured.

Following is an example of the sequence of events that cause the symptom to occur:

1. The Cisco CallManager tears down an active call on the gateway by sending an MGCP delete connection (DLCX) request.

2. The gateway sends a "200 OK" response to the MGCP DLCX request.

3. The Cisco CallManager sends an MGCP Request Notify (RQNT) request to the gateway with "DT/sup" and "D/[0-9ABCD*#]" as the requested events to be notified.

4. The gateway receives the MGCP RQNT request but does not immediately send a "200 OK" response to the MGCP RQNT request.

5. The Cisco CallManager retransmits the MGCP RQNT request four more times at a frequency of one request per 3 seconds.

6. The Cisco CallManager unregisters the gateway because it does not receive any response to its MGCP RQNT request.

7. After 20 seconds, the gateway sends an MGCP notify (NTFY) message with "DT/rlc" as the notified event.

8. Subsequently, the gateway sends a "200 OK" response to the MGCP RQNT request.

9. The gateway does not receive any response to its MGCP requests because the Cisco CallManager has unregistered the gateway.

Workaround: Do not use MGCP. Rather, use H.323.

CSCec31206

Symptoms: The amount of free memory on a router decreases as the memory that is held by the Simple Network Management Protocol (SNMP) engine process increases. The decrease in the amount of free memory can be verified by examining the output of the show proc mem | i SNMP privileged EXEC command.

Conditions: This symptom is observed when SNMP is used to attempt to set values in the LDP-MIB, TE-MIB, or VPN-MIB.

Workaround: Avoid using SNMP to set values in the MIBs. Use the CLI on the router to set the values needed.

CSCec33028

Symptoms: A 1-port E3 serial port adapter (PA-E3) may fail to recover to the "up/up" state even when the original cause of the failure is corrected.

Conditions: This symptom is observed on a Cisco 7500 series.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface of the PA-E3.

CSCec47915

Symptoms: Users fail to authenticate on a Cisco router when the CiscoSecure authorization (CSAuth) service module fails on a primary Access Control Server (ACS).

Conditions: This symptom is observed on a Cisco router when the CSAuth services fail on the primary ACS server. When the primary ACS server is unavailable because CSAuth services stop, the ACS server returns the "Authserver is Down" error message but the router does not detect this message and fails to submit the authentication CSAuth request to the secondary server.

Following is an example of the current server configuration:

aaa group server tacacs+ group-name
 server x.x.x.x
 server y.y.y.y
aaa authentication ppp default group group-name

Workaround: If there are only a few servers in a group, the servers may be placed in separate groups, and those groups may be included as separate methods. For example:

aaa group server tacacs+ group-name-1
 server x.x.x.x
aaa group server tacacs+ group-name-2
 server y.y.y.y
aaa authentication ppp default group group-name-1 group group-name-2

CSCec52045

Symptoms: Cisco IOS software may accept and process a "RESPONDER LIFETIME" notify message before it has processed a "Main Mode 6" message. (A "RESPONDER LIFETIME" notify message is sent by a headend router to a remote device to facilitate the synchronization of Internet Key Exchange (IKE) rekeying.)

Conditions: This symptom is observed when a "RESPONDER LIFETIME" notify message arrives before a "Main Mode 6" message. IKE packets can arrive out of order because IKE relies on User Datagram Protocol (UDP) as the transmission protocol.

Workaround: If the remote device functions as an Easy VPN Client, configure the device to operate in "auto connect mode" so that you do not have to reinitiate the connection manually.

Alternate Workaround: Ensure that the IKE peers have matching lifetimes. Doing so makes the "RESPONDER LIFETIME" notify message unnecessary and prevents Cisco IOS software from sending this message.

CSCec52743

Symptoms: Analog recEive and transMit (E&M) ports may become stuck intermittently. When the symptom occurs, the following error message is displayed:

%C542-1-NO_RING_DESCRIPTORS: No more ring descriptors on recEive And transMit 3/0/1. Msg id=48, Len=38

In addition, the output of the show voice call summary EXEC command indicates that the voice-port state is "EM_PARK_IDLE."

Conditions: This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.2(15)T5 and that has an analog E&M port to connect to a PBX. Note that the symptom does not occur in Release 12.2(15)T1. The symptom may occur in Release 12.3.

Workaround: Reload the Cisco gateway.

CSCec53123

Symptoms: Spurious memory accesses may occur on a router.

Conditions: This symptom is observed on a Cisco router that runs Routing Information Protocol (RIP).

Workaround: There is no workaround.

CSCec57763

Symptoms: A VIP may reload when an SSO occurs on an RP.

Conditions: This problem occurs intermittently when distributed MLP is configured on the router.

Workaround: There is no workaround.

CSCec66456

Symptoms: A router that is configured for quality of service (QoS) may reload unexpectedly because of a segmentation violation (SegV) exception.

Conditions: This symptom was observed on a Cisco 2600 series that runs the c2600-telco-mz image of Cisco IOS Release 12.3(1a). This can be seen on other IOS-based routers.

Possible Workaround: Disable QoS.

CSCec76965

Symptoms: When configuring QoS on a Cisco 7200 series, the router may reload with a bus error. Specifically, the bus error occurs after having entered the no class name command on subinterfaces.

Conditions: This symptom is observed on a Cisco 7200 series that runs the c7200-jk9s-mz image of Cisco IOS Release 12.2(17a). The symptom may also occur in other releases. This behavior is associated with the use of "payload-compression" and Weighted Random Early Detection (WRED) configurations.

Workaround: There is no workaround.

CSCec86131

Symptoms: A FlexWAN or VIP in which a channelized port adapter such as a PA-STM1 or PA-MC-8TE1+ is installed may reload continuously.

Conditions: This issue is seen when distributed LFI is configured on channelized serial interfaces and heavy traffic (close to line rate) occurs on these interfaces.

Workaround: There is no workaround.

CSCec87815

Symptoms: A buffer leak may occur in the Multilink PPP (MLP) header pool on a Versatile Interface Processor (VIP). The speed of the leak depends on the rate of traffic that is flowing between the interface of the VIP and the interface on the other end. The leak may eventually cause memory allocation failures (MALLOCFAIL) on the VIP and may result in memory fragmentation.

Conditions: This symptom is observed on a Cisco 7500 series when all of the following conditions are present:

Distributed Cisco Express Forwarding (dCEF) is enabled.

An MLP bundle that includes interfaces on the VIP is configured.

A different interface on the same VIP performs some type of fancy queueing such as committed access rate (CAR), policing, or Class-Based Weighted Fair Queueing (CBWFQ).

Packets are locally switched between the MLP interface and the interface that is configured for fancy queueing.

Workaround: Stop the leak by removing fancy queueing from the VIP interface.

Alternate Workaround: Move the MLP interfaces to a different VIP that does not have an interface that performs fancy queueing.

CSCed03186

Symptoms: A Cisco AS5300 may reload unexpectedly while voice extensible markup language (VXML) is being processed.

Conditions: This symptom is observed when the Cisco AS5300 is configured with four E1 interfaces. The symptom does not occur when the Cisco AS5300 is configured with only two E1 interfaces.

Workaround: There is no workaround.

CSCed16526

Symptoms: FXO ports on a Cisco IAD2420 may cease to process inbound and outbound calls because a voice port is stuck in the "FXOGS_PARK" state.

Conditions: This symptom is observed on a Cisco IAD2420 voice gateway with FXO ports that runs Cisco IOS Release 12.2(15)T8, 12.3, or 12.3 T. The FXO ports are connected to the PSTN.

Workaround: Enter the shutdown command followed by the no shutdown command on the affected voice port.

CSCed21183

Symptoms: A router may reload with a bus error.

Conditions: This symptom is observed on a Cisco router that is configured for time-division multiplexing (TDM) hairpinning.

Workaround: There is no workaround.

CSCed30670

Symptoms: An H.323 proxy may fail when a conference call between a PSTN user and IP phone users is initiated by an IP phone in a Cisco CallManager environment.

Conditions: This symptom is observed on a Cisco router that functions as a gatekeeper, that has the H.323 proxy enabled, and that runs Cisco IOS Release 12.3(5) in the following topology:

An IP phone connects to a Cisco CallManager that connects to the Cisco gatekeeper that has the H.323 proxy enabled. The Cisco gatekeeper connects to yet another gatekeeper that connects to a gateway that, in turn, connects to the PSTN.

All calls to and from the Cisco CallManager IP phone via the Cisco gatekeeper are proxied. The Cisco CallManager runs software version 3.3(3)SR3. The display IE delivery option is disabled in the H.225 trunk configuration in the Cisco CallManager administration web page. The H.225 trunk is controlled by one of the gatekeepers.

The symptom occurs in the following sequence of events:

1. A PSTN user calls an IP phone (IP phone 1).

2. The user of IP phone 1 answers the call and the call is connected with two-way audio.

3. The user of IP phone 1 presses the "conference" button and calls another IP phone (IP phone 2).

4. The user of IP phone 2 answers the call and the call is connected with two-way audio.

5. The user of IP phone 1 presses the "conference" button again.

6. The H.323 proxy fails, causing the PSTN to be disconnected from the conference call.

7. The conference call continues between the user of IP phone 1 and the user of IP phone 2.

Workaround: Enable the "Display IE delivery" option in the H.225 trunk configuration in the Cisco CallManager administration web page.

Alternate Workaround: Disable the H.323 proxy on the Cisco gatekeeper.

CSCed41231

Symptoms: An alignment error may cause a Cisco router to reload unexpectedly.

Conditions: This symptom is observed under rare conditions (an "extreme corner case") on a MIPS-based Cisco platform or on a Versatile Interface Processor (VIP), port adapter, or line card that contains a MIPS processor. The symptom is not release-dependent and may occur in all Cisco IOS releases.

Workaround: There is no workaround.

Further Problem Description: All Cisco 7500 VIPs and Cisco 7200 NPEs use MIPS-based processors. The following are additional platforms that use MIPS processors:

Cisco 2691, 3620, 3631, 3640, 3660, 3725, 3745, 4500, 4500-M, 4700, 4700-M, AS5300, AS5400, AS5450, AS5800 router shelf, AS5800 system controller (3640 based), 7120, 7140, UBR7100, UBR7200 - all NPEs, 7301, 7304, 7400, 6500 MSFC, 6500 MSFC2, 7600 MSFC, 7600 MSFC2, 10000, UBR10012, 12000 GRP, and most (if not all) 12000 line cards.

CSCed42332

Symptoms: A Versatile Interface Processor (VIP) with an ATM port adapter may reload unexpectedly.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(5) when the ATM interface is configured for Multilink PPP, Link Fragmentation and Interleave (LFI), and distributed Cisco Express Forwarding (dCEF).

Workaround: Disable LFI by entering the no ppp interleave command.

CSCed42514

Symptoms: A Cisco voice gateway may use an incorrect codec payload value (that is different from the configured value) during media transmission after the call is transferred to a new endpoint.

Conditions: This symptom is observed on a Cisco voice gateway that runs Cisco IOS Release 12.2(15)T9 or Release 12.3 and that is configured to use H.323 as the VoIP protocol. The symptom occurs when the remote endpoint sends an H.245 EmptyCapabilitySet (ECS) message to initiate the call transfer (H.323 Version 4, Section 8.4.6) after the initial call establishment and then sends an H.245 OpenLogicalChannel (OLC) message before sending a new H.245 TerminalCapabilitySet (TCS) message.

Workaround: There is no workaround.

CSCed42571

Symptoms: A Cisco router that functions as a PE router may crash.

Conditions: This symptom is observed when traffic is switched through a multilink interface on which a QoS service policy is configured that includes a set command and when the multilink interface flaps (goes down and comes back up). The symptom occurs at random and depends on the traffic pattern. This applies only to non-distributed CEF platforms.

Workaround: There is no workaround.

CSCed45746

Symptoms: Several prefixes for nonredistributed and connected interfaces in different VRFs may be partially bound to the same MPLS VPN label, causing traffic that is bound for one or more of these VRFs to be disrupted.

Conditions: This symptom is observed on a Cisco router after the VRF interfaces have flapped.

Workaround: Clear the routes in the VRFs in sequence.

CSCed57281

Symptoms: A router may log a CPUHOG message that is caused by the CEF reloader process.

Conditions: This symptom is observed on a Cisco router when a VRF with more than 9000 routes is added to the configuration.

Workaround: There is no workaround.

CSCed65075

Symptoms: A Cisco 7500 series with a VIP that has any type of ATM port adapter (PA) may crash with a bus error (sig 10) upon bootup. The VIP will ultimately come on line and the services are not impacted thereafter.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3 when ATM subinterfaces on the PA are configured for any QoS queueing feature (for example, shaping, LLQ, WRED, CBWFQ, fair-queueing, and so on).

Workaround: There is no workaround.

Further Problem Description: This is a timing issue between ATM interfaces coming up and being fully configured (via IPC) for QoS on the PA. The higher the number of ATM subinterfaces/PVCs, the more likely the router is to crash. However, if only one subinterface/PVC is configured, there is still a potential problem; the router may not crash but QoS may not function.

CSCed76061

Symptoms: A Versatile Interface Processor (VIP) on a Cisco 7500 series that runs Cisco IOS Release 12.3(5) and that is configured for distributed Link Fragmentation and Interleaving over ATM (dLFIoATM) may reload.

Conditions: This crash occurs when all of the conditions below are present:

Distributed CEF is enabled.

dLFIoATM is enabled.

The ATM permanent virtual circuits (PVCs) flap.

There are other port adapters in the same Versatile Interface Processor (VIP) that switch traffic to the ATM PVC.

Workaround: Avoid local VIP switching to the dLFIoATM PVC.

CSCed76670

Symptoms: On a Cisco IOS VoIP gateway, a memory leak may occur in the context of the H.323 process.

Conditions: This symptom is observed when there are low memory conditions and when translation rules are configured.

Workaround: Reload the gateway.

CSCed80374

Symptoms: A router may reload due to a bus error when processing VTSP.

Conditions: This symptom is observed when the router is configured for voice.

Workaround: There is no workaround.

CSCed84582

Symptoms: A router with VoIP configured may experience a memory leak in VTSP.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(15)T10. The symptom may also occur in Release 12.3 and 12.3 T.

Workaround: There is no workaround.

CSCee00483

Symptoms: An H.323 call across a Cisco IP-to-IP H.323 gateway (GW) may not work correctly.

Conditions: This problem is observed in the following topology:

A third party H.323 GW connects to a Cisco IP-to-IP H.323 GW (a Cisco 3660) that connects to a Cisco GW (a Cisco 2600 series) that, in turn, connects to an FXS phone.

Calls from the FXS phone to the third party GW fail intermittently. The Cisco IP-to-IP H.323 GW runs Cisco IOS Release 12.3(5). This problem happens only when the Alerting and Connect messages are received by the IP-to-IP H.323 GW in very quick succession and when the Connect message has a Facility element.

Workaround: There is no workaround.

CSCee06794

Symptoms: DTS may not work properly on dot1q Fast Ethernet subinterfaces. Traffic is not shaped at the expected rate.

Conditions: This problem is observed on a Cisco 7500 series that is configured as a PE router and that runs Cisco IOS Release 12.2(12i). The symptom may also occur in other releases.

Workaround: If this is an option, use ISL subinterfaces.

CSCee08584

Cisco Internetwork Operating System (IOS) Software release trains 12.1YD, 12.2T, 12.3 and 12.3T, when configured for Cisco's IOS Telephony Service (ITS), Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST) may contain a vulnerability in processing certain malformed control protocol messages.

A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS). This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml

Cisco has made free software upgrades available to address this vulnerability for all affected customers.

This vulnerability is documented by Cisco bug ID CSCee08584.

CSCee18883

Symptoms: All VIPs in a Cisco 7500 series restart as a consequence of a Cbus complex that is triggered by a stuck output. Just before the output becomes stuck, IPC timeout errors occur.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(5) in a dLFIoATM environment.

Workaround: There is no workaround.

CSCee20205

Symptoms: A file type sometimes becomes ASCII text when you enter the write memory command on an NRP2-SV. You can see the file type when you enter the show file info disk0:slotX/nrp2-startup-config command on the NSP, as in the following example:

NSP# show file info disk0:slot5/nrp2-startup-config

disk0:slot5/nrp2-startup-config:

type is ascii text <<<<<

Conditions: This symptom is observed on an NRP2-SV that is installed in a Cisco 6400 series that runs Cisco IOS Release 12.2(15)T9 or 12.3(6).

Workaround: There is no workaround.

CSCee26700

Symptoms: A router may experience a memory leak when the LSR MIB is queried.

Conditions: This symptom is observed on a Cisco router running Cisco IOS Release 12.2(15)T10 but is software-independent.

Workaround: Disable the LSR MIB queries and reboot the device to reclaim the leaked memory.

CSCee34877

Symptoms: A Cisco AS5400 may crash with a bus error at address 0xFFFFFFFF.

Conditions: This symptom is observed on a Cisco AS5400 that runs Cisco IOS Release 12.3(6) only when facility messages are generated. The symptom may also occur on a Cisco 1700 series and Cisco 2600 series.

Workaround: There is no workaround.

CSCee65533

Symptoms: When you change the Cisco IOS release from one release to another release, a router may reload because of a bus error.

Conditions: This symptom is observed when changing the Cisco IOS release from Release 12.2 to Release 12.3(6a).

Workaround: There is no workaround.

CSCin45588

Symptoms: A Versatile Interface Processor (VIP) may reload, and the following error message may be logged:

%RSP-2-QAERROR: reused or zero link error

After the message has been logged, all VIPs in the router may reload.

Conditions: These symptoms are observed on a Cisco 7500 series that has dual RSPs installed, that runs Cisco IOS Release 12.2 T, 12.3, or 12.3 T, and that has the service single-slot-reload-enable global configuration command enabled. The symptoms occur after the following events:

A VIP reloads and is recovered by a Single Line Card Reload (SLCR).

A VIP is removed via an OIR after the SLCR recovery of the above-mentioned VIP.

Workaround: There is no workaround.

CSCin56339

Symptoms: TCCS clear-channel codec calls may not go through. The trunks may be up but the signaling information may not be communicated.

Conditions: This symptom is observed only when a medium complex codec is configured.

Workaround: Use a high complex codec, or use stun encapsulation for the D-channel.

CSCin61922

Symptoms: A Cisco 7500 series with a multilink DLFI configuration may crash.

Conditions: This symptom is observed when an Ethernet packet is received on the RSP and is switched by the RSP to a DLFI multilink interface.

Workaround: There is no workaround.

CSCin62978

Symptoms: A FlexWAN, enhanced FlexWAN, or Versatile Interface Processor that has a PA-MC-E3 or PA-MC-T3 installed may crash.

Conditions: This symptom is observed under rare conditions in a stress situation with dLFI and dCRTP configured.

Workaround: There is no workaround.

CSCin66010

Symptoms: A Cisco 7500 series or MSFC2 with a FlexWAN module may spontaneously reload.

Conditions: This problem mainly occurs when there are multiple FR DLCIs or ATM PVCs attached to the same virtual-template interface or the same multilink virtual-access interface and when one of the following conditions occurs:

The no encapsulation frame-relay command is entered on the main interface and DLFIoFR is enabled.

The ATM PVC is removed while the dLFI virtual-access interface is still up.

Workaround: There is no workaround.

CSCin70454

Symptoms: A PPP session may stay down after a long series of link flaps.

Conditions: This symptom is observed when MLP/LFI is enabled on an ATM PVC.

Workaround: There is no workaround.

CSCuk38882

Symptoms: The following tracebacks can occur on a Route Processor (RP) console:

04:24:32: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x619B6AD8 reading 0x10

04:24:32: %ALIGN-3-TRACE: -Traceback= 619B6AD8 60EC5764 60EC58D0 60EDAC74 6037C6A8 6037C694 00000000 00000000

Conditions: This problem is seen when a dLFIoATM interface flaps on a Cisco 7500 platform.

Workaround: There is no workaround.

CSCuk47905

Symptoms: On an LFI over ATM interface, ping does not work.

Conditions: This occurs only when distributed LFI over ATM is configured on a Cisco 7500 platform.

Workaround: There is no workaround.

Wide-Area Networking

CSCdv51281

Symptoms: A Cisco router that is configured for ISDN may reload unexpectedly and generate a "low stack for ISDN" error message.

Conditions: This symptom is observed when a high rate of bidirectional traffic occurs on the ISDN B channels. This problem occurred during a stress test.

Workaround: There is no workaround.

CSCec12689

Symptoms: After a router has reloaded, an ISDN PRI interface may not reestablish the proper layer 2 state.

Conditions: This symptom is observed on a Cisco router that communicates via Media Gateway Control Protocol (MGCP) with a Cisco CallManager that runs Release 3.3(2)spC.

Workaround: Enter the no mgcp global configuration command followed by the mgcp global configuration command.

Alternate Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the ISDN D channel.

CSCec40819

Symptoms: A Call Control Block (CCB) may not be freed when a "suspend" message that was received in an incorrect state is not processed correctly because a CCB leak occurs after a Redundant Link Manager (RLM) flaps.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.2(15)T7 or Release 12.3 and that is a component of a Cisco PGW 2200 PSTN Gateway that functions in a nailed configuration.

Workaround: There is no workaround.

CSCec68292

Symptoms: Dialer ping packets that are transferred via an asynchronous line may be dropped at the receiving end.

Conditions: This symptom is observed on a Cisco platform when the interface at the receiving end has the dialer map interface configuration command enabled.

Workaround: Do not enter the dialer map interface configuration command. Rather, enter the dialer string interface configuration command.

CSCec83030

Symptoms: A parity error on a Versatile Interface Processor (VIP) card may cause other VIPs to go to a wedged state.

Conditions: This symptom is observed on a Cisco 7500 series router.

Workaround: There is no workaround.

CSCed21027

Symptoms: Software interface description blocks (IDBs) may become exhausted after an interface flaps repeatedly.

Conditions: This symptom is observed under the following conditions:

PPP sessions go down.

The same PPP sessions come back up and make use of a new IDB rather than the previously used IDB.

A virtual-access interface is used rather than a virtual-access subinterface.

Workaround: There is no workaround.

CSCed29398

Symptoms: When a call is not answered, no release cause value may be sent to the public switched telephone network (PSTN) leg and an incorrect release cause value of 102 may be sent to the voice over IP (VoIP) leg.

Conditions: This symptom is observed on a Cisco router that is configured for ISDN when a T301 timer expires. When a call is not answered, a release cause value of 19 ("No answer from user [user alerted]") should be sent to both legs.

Workaround: There is no workaround.

CSCed29756

Symptoms: A Cisco router running a Cisco IOS image may crash because of a bus error when it accesses an invalid address (0x0B0D0B0D).

Conditions: This symptom is occasionally observed when an MLP bundle containing virtual-access PPP links goes down.

Workaround: There is no workaround.

CSCee47761

Symptoms: A Cisco 7500 series Route Switch Processor (RSP) may crash while Multilink PPP (MLP) is running.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(5), that is equipped with a VIP4-80 and PA-A3 ATM port adapters, and that is configured for distributed Link Fragmentation and Interleaving over ATM (dLFIoATM).

Workaround: There is no workaround.

CSCin55905

Symptoms: An "ALIGN-3-SPURIOUS" spurious memory access and traceback may occur on a Cisco 7500 series.

Conditions: This symptom is observed in one of the following conditions:

When distributed Multilink PPP (MLP) is configured and when you enter the microcode reload global configuration command on the Route Switch Processor (RSP).

When a PPP timer expires after a PPP session has been cleaned up.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(5c)

Cisco IOS Release 12.3(5c) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5c) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCdz32659

Symptoms: Many memory allocation failure (MALLOCFAIL) messages may occur for a Cisco Discovery Protocol (CDP) process:

%SYS-2-MALLOCFAIL: Memory allocation of -1732547824 bytes failed from x605111F0, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 42
-Traceback= 602D5DF4 602D78A0 605111F8 60511078 6050EC88 6050E684 602D0E2C 602D0E18

Conditions: The symptom is observed on a Cisco 7513 that runs Cisco IOS Release 12.0(17)ST. The symptom may also occur on other Cisco 7500 series routers that run Release 12.0 S, 12.2 S, 12.3, or 12.3 T.

Workaround: To prevent the symptom from occurring again, disable CDP by entering the no cdp run global configuration command.

CSCec17234

Symptoms: A PC that is running Tactical Software DialOut/EZ (tacticalsoftware.com) may halt data transfer.

Conditions: This symptom is observed with Tactical Software DialOut/EZ that is running on a PC and a modem that is attached to a Cisco AS5300 that is running Cisco IOS software. The Cisco IOS software may lower the Data Set Ready (DSR) Data Carrier Detect (DCD) with a Clear To Send (CTS) message to the PC side. This causes the PC to halt data transfer.

Workaround: There is no workaround.

CSCec75829

Symptoms: Protocol translation sessions that require RADIUS authentication may fail to propagate class-attribute or state-attribute information in subsequent authentication and accounting packets.

Conditions: This symptom is observed in Cisco IOS Release 12.2 T, 12.3, and 12.3 T.

Workaround: There is no workaround.

CSCed00503

Symptoms: When you configure the Per VRF AAA feature by using a remotely defined customer template, a Virtual Home Gateway (VHG) may fail to parse authentication, authorization, and accounting (AAA) attributes that it receives in an Access-Accept response from a RADIUS server.

Conditions: This symptom is observed when the virtual-template interface is configured to support virtual-access subinterfaces and when the VHG functions under a heavy traffic load.

Workaround: Disable the virtual-access subinterfaces by entering the no virtual-template subinterface global configuration command.

Alternate workaround: Enter the ntp disable interface configuration command on the virtual-template interface.

CSCed19748

Symptoms: The individual AAA periodic accounting update messages (RADIUS accounting messages with Acct-Status-Type=Watchdog) generated by an IOS gateway for each call leg (TDM and IP) of the same voice call may be sent to the RADIUS server more than 5 minutes apart due to the randomized timer algorithm used by the AAA message transmit function.

Conditions: The command aaa accounting update newinfo periodic is configured.

Workaround: There is no workaround.

CSCin67568

Symptoms: A Cisco Catalyst 2950 experiences a memory leak in the CDP process.

Conditions: The device sending CDP packets sends a hostname that is 256 or more characters. There are no problems with a hostname of 255 or fewer characters.

Workaround: Configure the neighbor device to use a hostname of fewer than 256 characters, or disable the CDP process with the global command no cdp run.

Interfaces and Bridging

CSCec86136

Symptoms: When a Cisco router reloads, the ATM permanent virtual circuit (PVC) status remains inactive (INAC) even though the ATM subinterface is in an UP/UP state. The following message may also be displayed when you enter the debug atm errors privileged EXEC command:

ATM(ATMx/x/x):point-to-point interface does not have a VCD

Conditions: This symptom can occur on a Cisco router with a PA-A3 port adapter. The root cause is physical line errors during reload, which cause carrier transitions on the PA-A3 interface, which in turn cause this problem.

Workaround: Enter the no shutdown interface configuration command on the ATM interface.

Further Problem Description: This problem can be seen on router reload even without any traffic.

IP Routing Protocols

CSCec07636

Symptoms: When the following Open Shortest Path First (OSPF) MIB tables are queried via snmpwalk, some interfaces may not be displayed:

ospfNbrTable

ospfIfTable

ospfIfMetricTable

Conditions: This symptom is observed on any Cisco platform that runs OSPF.

Workaround: There is no workaround.

Miscellaneous

CSCdz84448

Symptoms: When polling the cbQosREDClassStatsTable of the CISCO-CLASS-BASED-QOS-MIB, spurious memory accesses may occur on a Cisco 2600 series, Cisco 3600 series, or Cisco 7200 series. A Cisco 3640 router may also reboot. The spurious memory accesses may be reproduced when polling the above-mentioned table via Simple Network Management Protocol (SNMP).

Conditions: This symptom is observed on a Cisco 2600 series, Cisco 3600 series, and Cisco 7200 series that run Cisco IOS Release 12.2(8)T, Release 12.3, or Release 12.3 T.

Workaround: Prevent the router from answering queries on the cbQosREDClassStatsTable by implementing the following SNMP view in the router configuration:

snmp-server view qos internet included
snmp-server view qos 1.3.6.1.4.1.9.9.166.1.20.1 excluded
snmp-server community string view qos ro
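An added example, not part of the release notes or Cisco's code: a Python check that reads a saved configuration and reports, per community, whether its SNMP view really keeps 1.3.6.1.4.1.9.9.166.1.20.1 out of reach, as the CSCdz84448 workaround intends. The sample configuration, the community and view names other than qos, the small name table, and the rule that a community with no view sees the whole tree are assumptions made here.

```python
import re

# Subtree excluded by the workaround above (cbQosREDClassStatsTable entries).
TARGET_OID = "1.3.6.1.4.1.9.9.166.1.20.1"

# Symbolic subtree names this example resolves (a small subset chosen here).
OID_NAMES = {"iso": "1", "internet": "1.3.6.1", "mib-2": "1.3.6.1.2.1"}

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (included|excluded)\s*$")
COMM_RE = re.compile(r"^snmp-server community (\S+)(.*)$")


def _parts(tree):
    """Split a view subtree into sub-identifiers; None if the name is unknown."""
    head, _, rest = tree.partition(".")
    if head in OID_NAMES:
        tree = OID_NAMES[head] + ("." + rest if rest else "")
    parts = tree.split(".")
    return parts if all(p == "*" or p.isdigit() for p in parts) else None


def _prefix_of(short, long):
    """True if `short` is a prefix of `long`; '*' matches any sub-identifier."""
    return len(short) <= len(long) and all(
        a == b or "*" in (a, b) for a, b in zip(short, long))


def view_status(entries, oid=TARGET_OID):
    """Classify one view as 'protected', 'exposed' or 'unknown' for `oid`."""
    target = oid.split(".")
    best_len, best_action = -1, "excluded"  # no matching subtree: not in view
    for tree, action in entries:
        parts = _parts(tree)
        if parts is None:
            return "unknown"                # unresolved name: do not guess
        if _prefix_of(parts, target):
            # The most specific (longest) subtree covering the target decides.
            if len(parts) > best_len:
                best_len, best_action = len(parts), action
        elif action == "included" and _prefix_of(target, parts):
            # An include below the target re-exposes part of the table.
            return "exposed"
    return "exposed" if best_action == "included" else "protected"


def audit_config(config_text):
    """Map each community in the configuration to its exposure status."""
    views, communities = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = VIEW_RE.match(line)
        if m:
            views.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = COMM_RE.match(line)
        if m:
            tokens = m.group(2).split()
            has_view = "view" in tokens[:-1]
            communities[m.group(1)] = (
                tokens[tokens.index("view") + 1] if has_view else None)
    report = {}
    for name, view in communities.items():
        if view is None:
            report[name] = "exposed"        # assumption: no view = whole tree
        elif view not in views:
            report[name] = "unknown"        # view referenced but not defined
        else:
            report[name] = view_status(views[view])
    return report


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
snmp-server view qos internet included
snmp-server view qos 1.3.6.1.4.1.9.9.166.1.20.1 excluded
snmp-server view partial internet included
snmp-server view partial 1.3.6.1.4.1.9.9.166.1.20.1 excluded
snmp-server view partial 1.3.6.1.4.1.9.9.166.1.20.1.1 included
snmp-server view coarse internet included
snmp-server view coarse 1.3.6.1.4.1.9.9.166 excluded
snmp-server community monitor view qos ro
snmp-server community legacy ro
snmp-server community noc view partial ro
snmp-server community ops view coarse ro
snmp-server community orphan view missing ro
"""

if __name__ == "__main__":
    for community, status in audit_config(SAMPLE_CONFIG).items():
        print(f"{community}: {status}")
```

Communities reported as exposed or unknown still need the view from the workaround applied or corrected.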

CSCdz84583

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCeb29013

Symptoms: When two or more phone calls (Foreign Exchange Office [FXO] or BRI) are set as "hold" and "hold," or "resume" is repeated by one of the calls, an input queue wedge may occur.

Conditions: This symptom is observed on a Cisco voice gateway that is running Cisco IOS Release 12.2(15)T1 and that has multicast for Music on Hold (MOH) configured.

Workaround: Enable Protocol Independent Multicast (PIM) on the voice gateway.

Alternate Workaround: Use unicast MOH.

Second Alternate Workaround: Reboot the router. Entering the clear interface EXEC command and the shutdown interface configuration command followed by the no shutdown interface configuration command does not clear the input queue wedge.

CSCeb34203

Symptoms: On a Cisco router, output queue packet drops may occur on the priority queue of an E1 serial interface on a 1-port multichannel E3 port adapter (PA-MC-E3), after which the E1 serial interface becomes congested.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.1(18)E. However, the symptom is not specific to the platform or the Cisco IOS software release but specific to the port adapter.

Workaround: Enter the tx-ring-limit interface configuration command to increase the value of the drivers that are transmitted on the queue. For additional information, refer to the document at the following location:

/en/US/tech/tk39/tk824/technologies_tech_note09186a00800fbafc.shtml

CSCeb52270

Symptoms: An interface of a Cisco router may not be able to receive traffic that is destined for an address that is configured on the router.

Conditions: This symptom is platform independent and occurs only when there is a route in a different VPN routing and forwarding instance (VRF) that is attached or connected to the interface. This may occur when the route has been exported from one VRF to another or when a static route in a VRF points to the interface.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

CSCeb56909

Cisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS disabled interfaces.

The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable.

More details can be found in the security advisory which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml.

CSCeb78582

Symptoms: When a gateway that is in Media Gateway Control Protocol (MGCP) fallback mode reloads, no calls can be made, nor can calls be received. When the gateway comes up again, all controllers including a serial controller are automatically shut down. When you turn off auto configuration and reload the router again, you can make calls, but you still cannot receive calls.

Conditions: This symptom is observed on a Cisco 3700 series that functions as a gateway when all Cisco CallManagers (including the primary and the backup Cisco CallManager) are down, when the TFTP server is still up, and when the gateway is reloaded. This situation causes E1 or T1 controllers to be shut down. This caveat is platform independent and may occur on another Cisco router that functions as a gateway.

Workaround: Enter the no shutdown controller configuration command on the affected E1 or T1 controller.

CSCec10776

Symptoms: A Foreign Exchange Office (FXO) port on a Cisco 3600 series may lock up and not process any calls.

To determine if the port is locked up, enter the show voice port summary EXEC command and look for a port that is in the "up, up, idle, on-hook" state, as in the following example:

                                     IN       OUT
PORT      CH SIG-TYPE     ADMIN OPER STATUS   STATUS   EC
========= == ============ ===== ==== ======== ======== ==
2/0/0     -- fxo-ls       up    up   idle     on-hook  y

Conditions: This symptom is observed when the port processes a moderate traffic load.

Workaround: Enter the shutdown port configuration command followed by the no shutdown port configuration command on the affected port.

CSCec11122

Symptoms: A Cbus Complex may occur and the packet memory may be recarved, causing a temporary disruption in service.

Conditions: This symptom is observed on a Cisco 7500 series when you install an 8-port multichannel T1/E1 PRI port adapter (PA-MC-8TE1+) or an enhanced 2-port T1/E1 high-capacity port adapter (PA-VXC-2TE1+) and when you configure the port adapter via the command-line interface (CLI) for E1 or T1.

Workaround: There is no workaround. Try to install the port adapter during a maintenance window.

CSCec15911

Symptoms: Subinterfaces that are not configured for policing may randomly drop packets.

Conditions: This symptom is observed when modular QoS CLI (MQC) class-based policing is configured on an Inter-Switch Link (ISL) subinterface and when there are other ISL subinterfaces that are not configured for policing.

Possible Workaround: Remove the quality of service (QoS) policy with class-based policing from the ISL subinterface.

CSCec19217

Symptoms: Gateways may not be able to register with the gatekeeper.

Conditions: This symptom is observed when the security password is enabled on the gatekeeper.

Workaround: There is no workaround. If you remove the security password, there is no authentication.

CSCec24494

Symptoms: A Cisco IAD2420 may reload unexpectedly when a watchdog timeout occurs in the voice telephony service provider (VTSP) process.

Conditions: This symptom is observed during normal processing of calls in the local-bypass mode.

Workaround: There is no workaround.

CSCec29162

Symptoms: A terminating gateway rejects incoming Voice over IP (VoIP) calls that carry Field Compatibility Information (FDC) national calling party category (CPC) information in the generic transparency descriptor (GTD) message.

Conditions: This symptom is observed on an H.323 version 4 (V4) Cisco gateway that terminates T1 channel-associated signaling (CAS). Calls that originate from Signaling System 7 (SS7) and R2 trunks that carry national CPC values are affected.

Workaround: There is no workaround.

CSCec29292

Symptoms: A gateway does not send an H.225 progress (PROG) Information Element (IE) when it receives an ISDN call proceeding (callp) with a progress indicator (PI).

Conditions: This symptom is observed when an ISDN public switched telephone network (PSTN) switch returns a callp message with a PI IE in response to the setup message from the terminating gateway. The callp does not trigger any H.225 message from the terminating gateway to the originating gateway.

Workaround: There is no workaround.

CSCec30329

Symptoms: An originating gateway (OGW) may incorrectly insert the calling number information element (IE) in an H.225 call setup message to the terminating gateway (TGW).

Conditions: This symptom is observed on a Cisco AS5400 that functions as an OGW. The symptom occurs only for calls from an H.323-Version 4 OGW to an H.323-Version 2 TGW when the following conditions are present:

The OGW and TGW use different gatekeepers.

The gatekeeper that is used by the OGW is connected to a route server for call routing.

The route server is configured for Gatekeeper Transaction Message Protocol (GKTMP).

Workaround: There is no workaround.

CSCec31162

Symptoms: Incorrect tags may be imposed after a route has flapped.

Conditions: This symptom is observed on a Cisco router that functions in a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) environment.

Workaround: There is no workaround.

CSCec34456

Symptoms: A router may reload with a bus error, and the following message appears:

PC 0x616F0B80, address 0x3C.

Conditions: This symptom is observed on a Cisco 3660 router that has low memory.

Workaround: There is no workaround.

CSCec37163

Symptoms: One-way audio may occur during a phone call: a user on the public switched telephone network (PSTN) side may not hear a Cisco IP SoftPhone user.

The output of debug commands and sniffer traces does not indicate any packet drops, and when you listen to the sniffer trace, there seems to be two-way audio.

Conditions: This symptom is observed when the Cisco IP SoftPhone calls the PSTN via a Cisco VG200 series that runs Cisco IOS Release 12.2(15)T7, 12.3, or 12.3 T.

Workaround: There is no workaround. Note that the symptom does not occur in Release 12.2(11)T2.

CSCec38322

Symptoms: A Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) provider edge (PE) router that is running distributed Cisco Express Forwarding (dCEF) may have high memory usage and memory allocation failures when dCEF is disabled and then reenabled.

Conditions: This symptom is observed on a PE router that has a large number of VPN routes (over 30,000) in a VPN routing/forwarding (VRF) table when CEF is disabled and then reenabled.

Further Problem Description: View the output of the show processes memory EXEC command to verify that the CEF process memory usage increases.

Workaround: Reload the router.

CSCec41102

Symptoms: A Cisco 2691XM router that is configured as an H.323 gatekeeper may reload when the gatekeeper functionality is shut down and when the dynamic zone prefix gatekeeper configuration command is configured.

Conditions: This symptom is observed on a Cisco 2691XM that is running Cisco IOS Release 12.2(15)T5 or Release 12.3(2)T when the dynamic zone prefix gatekeeper configuration command is enabled by default on both the gateway and the gatekeeper, and when the following conditions occur:

The gateway has a plain old telephone system (POTS) dial peer with the destination pattern the same as the zone prefix configured on the gatekeeper.

The gateway is registered with the gatekeeper.

For example:

This symptom is observed when the gateway and the gatekeeper have the following configurations (the same destination pattern and zone prefix):

Gateway configuration (with dynamic prefix registration enabled):

dial-peer voice 1 pots
 destination-pattern 385....

Gatekeeper configuration:

zone prefix zone-1 385....
gw-priority 10 GW1

The symptom is not observed when the gateway and the gatekeeper have the following configurations (the destination pattern and the zone prefix are different):

Gateway configuration (with dynamic prefix registration enabled):

dial-peer voice 1 pots
 destination-pattern 555....

Gatekeeper configuration:

zone prefix zone-1 385....
gw-priority 10 GW1

For information on how to disable dynamic zone prefixes, refer to the following URL: http://www.cisco.com/en/US/docs/ios/12_3/vvf_c/cisco_ios_h323_configuration_guide/old_archives_h323/4gwconf.html

CSCec42547

Symptoms: An incorrect MAC encapsulation string in a Multiprotocol Label Switching (MPLS) forwarding table on a provider edge (PE) router causes traffic to go down.

Conditions: This symptom is observed on a cell-based Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) that rebuilds the MPLS forwarding table after traffic stops on a PE router.

Workaround: Enter the clear ip route network EXEC command on the PE router that has the traffic problem.

Alternate Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface command on the MPLS interfaces of the problem PE.

CSCec42941

Symptoms: When multiple dial peers are configured with different translation rules that are used on the same call, the authentication, authorization, and accounting (AAA) accounting records do not show accurate information of the translated called number.

Conditions: This symptom is observed on a Cisco AS5350 and a Cisco AS5400 when the outbound dial peers have translation rules configured and when multiple dial peers are used for an outbound call because of dial-peer hunting. The symptom does not occur on a Cisco AS5300.

Workaround: Analyze the call by using the correct number that is contained in the gw-final-xlated-cgn vendor-specific attribute (VSA) that is part of the stop record for the RADIUS server.

Further Problem Description: When a universal gateway such as a Cisco AS5350 or Cisco AS5400 receives a call via time-division multiplexing (TDM), and this call needs to be forwarded via Voice over IP (VoIP), the universal gateway tries the first dial peer, which translates the called number and adds a prefix to it. When this call does not go through, the universal gateway tries a second dial peer via dial-peer hunting. This second dial peer translates the number and adds a different prefix to it.

There is a start and stop record for each dial peer:

The start record for the first dial peer contains the called station ID with the translated number and the first prefix, and there is a stop record for the first dial peer.

There is a start record for the second dial peer, but it contains the called station ID with the prefix of the first dial peer.

Although the number is translated and properly sent, the AAA records are incorrectly populated.

CSCec45307

Symptoms: There may be no memory for the expanded TFIB PSA. The label allocation may fail with error messages that are shown below and may be followed by a memory traceback.

%TAGCON-3-LCLTAG_ALLOC: Cannot allocate local tag
%TFIB-2-MEMORY: No memory for expanded TFIB PSA -Traceback=

Conditions: This symptom is only observed on an MPLS-capable Cisco platform and only when the label space has been exhausted to the maximum level supported by the platform or is about to be exhausted (only a few hundred labels are available) and when the TFIB table is expanded further.

Workaround: Enter the mpls label range 16 101900 command at the conf-t level to avoid the error messages.

CSCec46250

Symptoms: There may be a format difficulty when you save digital signal (DS) power-level information onto the NVRAM of a Cisco uBR900.

Conditions: This symptom is observed on a Cisco uBR900 that runs Cisco IOS Release 12.2(15)T7, 12.3, or 12.3 T.

Workaround: There is no workaround.

CSCec49097

Symptoms: A Cisco 7200 series pauses indefinitely in the middle of a link control protocol (LCP) negotiation. The PPP over ATM (PPPoATM) session receives a "Sending Acct Event [Reneg]" message and terminates the LCP phase. The remote peer renegotiates another PPP session and uses the same PPP ID. This causes a continuous LCP state for that user.

Conditions: This symptom is observed on a Cisco 7200 series that is configured for PPPoATM and that runs Cisco IOS Release 12.2(15)T9. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCec52593

Symptoms: A router may reload when the police policy-map class configuration command is enabled under a policy map.

Conditions: This symptom has been observed rarely and is not easily reproduced.

Workaround: There is no workaround.

CSCec54202

Symptoms: A Cisco AS5xx0 platform that is equipped with a particular third-party vendor E1/T1 framer may bring down the controller immediately upon receiving an alarm indication signal (AIS).

Conditions: This symptom is observed when noisy line conditions that last less than 2 seconds cause T1 links to go down or when outages or cable difficulties that last less than 2 seconds cause the controller to go down.

Workaround: There is no workaround.

CSCec57004

Symptoms: The maximum MTU with a DF set across an L2TP MPLS VPN is 1460 while the physical layer MTU is 1500; any ping larger than 1460 may fail.

Conditions: This symptom is observed on a LES platform such as a Cisco 3600 series or a Cisco 4500 series when the router performs MPLS operations and functions as an L2TP Network Server (LNS). The incoming MPLS packet is dropped while the router attempts to inject the packet into the L2TP tunnel.

Workaround: Traffic of packets between 1460 and 1500 bytes can be made possible by fragmenting the tagged packets before the transmission.

Enter the mpls mtu 1450 command on the router in the MPLS cloud before the MPLS packet reaches the router that injects the packet into the L2TP tunnel.

CSCec61028

Symptoms: R2 International Telecommunication Union (ITU) base variants do not apply the correct mapping for the following two ISDN or ISDN User Part (ISUP) cause values (CVs):

CV#04 - Send Special Information Tone

CV#28 - Invalid Number Format (Address Incomplete)

Conditions: This symptom is observed on Cisco gateways that are configured with ISDN and Redundant Link Manager (RLM) and that have R2-ITU trunks.

Workaround: There is no workaround.

CSCec64570

Symptoms: The node of a local Label Switch Controller (LSC) that is part of a Multiprotocol Label Switching (MPLS) cell-based network may observe the following symptoms:

The local provider edge (PE) router cannot ping the remote customer edge (CE) router.

The remote PE router cannot ping the local CE router.

The local PE router can ping the remote CE router with type of service (ToS) equal to 0xe0.

The remote PE router can ping the local CE router with ToS equal to 0xe0.

A ping with the route record option does not work in either direction.

A ping with the trace route option does work.

Conditions: These symptoms are observed on the LSC of a Cisco MGX Route Processor Module (MGX-PRM-PR-512) that is running Cisco IOS Release 12.2(15)T4a.

Workaround: From the node of the local LSC that is observing the symptoms, enter the clear ip route network EXEC command.

CSCec66816

Symptoms: A gateway that receives a mid-call invite message with a missing contact header may respond with a "400 Bad Request" message, causing the call to be terminated. This is improper behavior.

Conditions: This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.2(15)T, 12.3, or 12.3 T.

Workaround: There is no workaround.

CSCec67879

Symptoms: Some PPP sessions may not come up and become stuck in the link control protocol (LCP) negotiation state.

Conditions: This symptom is observed on a Cisco 6400 series Node Route Processor (NRP). A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec49097. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

CSCec71102

Symptoms: A Cisco Session Initiation Protocol (SIP) gateway does not use calling information that is contained in the Remote-Party-ID header. A traceback may be observed and the following error is displayed in the output of the debug ccsip error privileged EXEC command:

sippmh_parse_remote_party_id: syntax error in Remote-Party -ID header

Conditions: This symptom is observed on a Cisco SIP gateway that runs Cisco IOS Release 12.2(13)T, 12.3, or 12.3 T and occurs when the gateway receives an initial INVITE message with a Remote-Party-ID header that contains the "other" parameters in the header. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCec73063

Symptoms: An output wedge and drops may occur on the multilink interface of a Cisco 7200 series. The output of the show interfaces privileged EXEC command may display the following information:

.
.
.
Multilink3 is up, line protocol is up
.
.
.
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5526
Queueing strategy: fifo
Output queue: 31/40 (size/max)
.
.
.

Conditions: This symptom is observed on a multilink interface that has two E1 interfaces in a multilink bundle when there is a low traffic rate.

Workaround: Use the physical interface without a multilink bundle.

CSCec85585

Symptoms: Some virtual circuit (VC) information is missing in the Simple Network Management Protocol (SNMP) MIB object cAal5VccEntry from the output of the snmpwalk router configuration command. The ATM VCs 0/100, 0/200 and 0/500 exist on the router but are missing in the MIB.

Conditions: This symptom is observed on a Cisco 7513 router that is running a special image of Cisco IOS Release 12.2(15)T5. The symptom may also occur in other releases.

Workaround: Enter the show atm vc privileged EXEC command on the same device to obtain a complete list of all the VCs.

CSCec86102

Symptoms: Tag entries may be missing on a Versatile Interface Processor (VIP).

Conditions: This symptom is observed on a Cisco 7500 series that has distributed Cisco Express Forwarding (dCEF) enabled.

Workaround: Enter the clear cef linecard user EXEC or privileged EXEC command.

CSCec86420

Symptoms: When you enter the undebug all privileged EXEC command on a Cisco 3700 series, all traffic that passes through an encrypted generic routing encapsulation (GRE) tunnel may stop.

Conditions: This symptom is observed on a Cisco 3700 series that is configured with a GRE tunnel that is secured via IP Security (IPSec) and that is using Cisco Express Forwarding (CEF) switching.

Workaround: Reinitialize CEF switching by entering the no ip cef global configuration command followed by the ip cef global configuration command.

Alternate Workaround: Do not enter the undebug all privileged EXEC command. Rather, individually disable each debug command.

CSCed11793

Symptoms: The output queue of a Gigabit Ethernet port may become stuck, preventing traffic from leaving the interface.

Conditions: This symptom is observed on the Gigabit Ethernet port 0/1 (gig0/1) of a Network Processing Engine NPE-G1 (NPE-G1) that is installed in a Cisco 7200 series.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

Alternate Workaround: Reload the router.

CSCed11874

Symptoms: Hairpin voice calls that are made via recEive and transMit (E&M) wink on multiple channels may cause digital signal processors (DSPs) to time out. The output of the show voice dsp privileged EXEC command may show "-1" followed by "DSP_TIMEOUT."

Conditions: This symptom is observed on a Cisco IAD2420 series. The symptom does not occur with plain old telephone system (POTS) calls, nor does it occur on a Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series.

Workaround: Enter the voice dsp allocation round-robin global configuration command.

CSCed13210

Symptoms: A terminating gateway (TGW) that receives a group B backward signal 5 (B5 signal) from a terminating switch that is configured for R2 signaling may map the B5 signal to cause value 42 ("Switching equipment congestion") in the H.225 Release Complete message. This is improper behavior: the B5 signal should be mapped to cause value 1 ("Unallocated [unassigned] number").

Conditions: This symptom is observed on a Cisco platform that functions as a TGW.

Workaround: There is no workaround.

CSCed13214

Symptoms: A gatekeeper that is configured for H.323 version 4 (H.323v4) may not insert service IDs in an Admission Rejection (ARJ) message to an H.323v4 gateway.

Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper and that receives service IDs from a route server but does not include the service IDs in the ARJ message to the H.323v4 gateway.

Workaround: There is no workaround.

CSCed16685

Symptoms: When an originating gateway (OGW) receives an R2 Group II signal that is equal to 5 from an incoming E1 R2 trunk, the OGW may map this signal to a generic transparency descriptor (GTD) ISDN User Part (ISUP) calling party category (CPC) that is equal to 6. This is improper behavior: the R2 Group II signal that is equal to 5 should be mapped to a GTD ISUP CPC that is equal to 29.

Conditions: This symptom is observed on a Cisco AS5xxx platform that functions as an OGW with an R2 interface and that uses GTD for signaling transparency across an H.323 Voice over IP (VoIP) network.

Workaround: There is no workaround.

CSCed22837

Symptoms: A router may reload unexpectedly when packets are tag switched.

Conditions: This symptom is observed when a Bridge-Group Virtual Interface (BVI) is created after the router has booted up, when IP packets are received through the BVI, and when these IP packets are forwarded as Multiprotocol Label Switching (MPLS) packets through another interface.

Workaround: Disable tag switching on the BVI interface by entering the tag-switching ip interface configuration command followed by the no tag-switching ip interface configuration command.

CSCed27956

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences, beyond a terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCed31039

Symptoms: At 12 cps, the following message is displayed on a V4 gatekeeper:

ASSERT failed: line 9900 in file ../mm/gk/gk_rassrv_util.c

Conditions: This symptom is observed when an external server is using the GKTMP interface to communicate with the gatekeeper and when the gatekeeper is configured with "send-cisco-circuit-info."

Workaround: There is no workaround.

CSCed34058

Symptoms: A Layer 2 Tunneling Protocol (L2TP) network server (LNS) may not remove a per-user access control list (ACL) from the configuration. This situation may cause the memory of the LNS to be depleted, and the output of the show processes memory EXEC command may indicate that the "AAA Per-User" process holds most of the allocated memory.

Conditions: This symptom is observed on a Cisco router that functions as an LNS in a Large-Scale Dial-Out (LSDO) configuration when a per-user ACL is present in the RADIUS profile of the user.

Temporary Workaround: To free up memory, manually remove the per-user ACL by entering the no ip access-list extended virtual-access number global configuration command. The number argument consists of the numbers (for example, 2003#671) that are assigned by the Cisco IOS software when the ACL is created.

CSCed35253

Symptoms: A router may reload unexpectedly after it attempts to access a low memory address.

Conditions: This symptom is observed after ACLs have been updated dynamically or after the router has responded dynamically to an IDS signature.

Workaround: Disable IP Inspect and IDS.

CSCed38527

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences, beyond a terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCed47409

Symptoms: In Cisco IOS software that is running Multiprotocol Label Switching (MPLS), a router may reload after accessing a freed Label Information Base (LIB) entry. When the symptom occurs, an error message similar to the following is likely to precede the reload:

%TIB-3-LCLTAG: 10.10.10.10/10.10.10.10, tag advert; unexpected tag state=13

Conditions: This symptom is observed when a very uncommon timing of Label Distribution Protocol (LDP) events occurs. The symptom may occur with LDP or Tagswitching Distribution Protocol (TDP).

Workaround: There is no workaround.

CSCed40933

Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) attack from crafted IPv6 packets when the device has been configured to process IPv6 traffic. This vulnerability requires multiple crafted packets to be sent to the device which may result in a reload upon successful exploitation.

More details can be found in the security advisory, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml.

CSCed51523

Symptoms: The show flash-filesystem EXEC command and the dir filesystem EXEC command may not work properly on a Cisco 2600XM, preventing you from seeing the flash images.

In addition, the copy destination url flash: EXEC command may fail when the erase option is not selected (that is, you type in no when you are asked if you want to erase the device). The copy destination url flash: EXEC command functions fine when you do select the erase option.

Conditions: These symptoms are observed on a Cisco 2600XM that is configured with a particular third-party vendor 16-MB SIMM. Note that the router is still functional with this SIMM; you can boot or reload the router, perform a TFTP download operation, and similar actions without any difficulty.

Workaround: There is no workaround.

CSCed67308

Symptoms: A Cisco 3600 series or Cisco 3700 series may not initialize correctly and report the following error message during startup:

%VPN_HW-1-INITFAIL: Slot 1: hifn7814_init_ds

Conditions: This symptom is observed on Cisco 3600 series and Cisco 3700 series that run Cisco IOS Release 12.3(6) and that use a Virtual Private Network (VPN) encryption and hardware advanced integration module AIM-VPN/EPII or an AIM-VPN/HPII. If the AIM is installed in slot 1, it fails to initialize.

Workaround: Install the AIM in slot 0 instead of slot 1.

CSCed68575

Cisco Internetwork Operating System (IOS) Software release trains 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B, and 12.3T may contain a vulnerability in processing SNMP requests which, if exploited, could cause the device to reload.

The vulnerability is only present in certain IOS releases on Cisco routers and switches. This behavior was introduced via a code change and is resolved with CSCed68575.

This vulnerability can be remotely triggered. A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS).

This advisory is available at /en/US/products/products_security_advisory09186a008021b9b5.shtml

CSCed79694

Symptoms: An MFR interface does not forward traffic.

Conditions: This symptom is observed on a Cisco platform when traffic is forwarded outbound on the MFR interface.

Workaround: Flap the MFR interface.

CSCed89735

Symptoms: An uncorrectable ECC parity error may occur on a Cisco 7200 series that is configured with an NPE-G1.

Conditions: This symptom is observed rarely when you enter the show sysctlr or the show tech command on the NPE-G1.

Workaround: Do not enter the show sysctlr or the show tech command.

CSCed93836

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences, beyond a terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCee04235

Symptoms: A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:

Last reset from watchdog reset

Conditions: This symptom is observed on a Cisco 7200vxr series that is configured with an NPE-G1 Network Processing Engine.

Workaround: There is no workaround.

CSCin45173

Symptoms: A Cisco 7206VXR may reload when there is a high E1 PRI call load.

Conditions: This symptom is observed on a Cisco 7206VXR that runs the c7200-is-mz image of Cisco IOS Release 12.3(3) or Cisco IOS Release 12.3(2)T.

Workaround: There is no workaround.

CSCin53682

Symptoms: A provider edge (PE) router may reload when packets are forwarded while a remote Virtual Private Network (VPN) prefix is being reresolved.

Conditions: This symptom is observed when the MPLS VPN—Inter-AS—IPv4 BGP Label Distribution feature is configured for option 4, that is, for a non-VPN transit provider and a multi-hop external Border Gateway Protocol (eBGP) connection between route reflectors (RRs).

Workaround: For the exchange of PE loopback addresses between autonomous systems, do not use eBGP with IPv4 label distribution. Rather, configure redistribution into Interior Gateway Protocol (IGP) or static routes.

CSCin59445

Symptoms: Interfaces of a serial port adapter may not be recognized.

Conditions: This symptom is observed on a Cisco 7200 series, Cisco 7500 series, and Cisco 7600 series that run Cisco IOS Release 12.3 or 12.3 T and that have any of the following port adapters installed:

Enhanced 4-port serial port adapter (PA-4T+)

8-port serial port adapter (PA-8T)

1-port High-Speed Serial Interface port adapter (PA-H)

1-port E3 serial port adapter (PA-E3)

1-port T3 serial port adapter (PA-T3)

Workaround: There is no workaround.

CSCin60870

Symptoms: "Calling Party Number" is not seen in the ISDN setup message on the terminating gateway while verifying whether the remote party ID information is properly passed to the Q931 interface.

Conditions: This symptom occurs when there is calling party information coming from the SIP leg and privacy is not set.

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCec59790

Symptoms: A leak may occur in the big buffers of a Cisco platform even when the platform receives a relatively low number of calls.

Conditions: This symptom is observed on a Cisco AS5300 that runs the c5300-js-mz image of Cisco IOS Release 12.1(21) or Release 12.3. The symptom may be platform independent.

Workaround: There is no workaround.

Wide-Area Networking

CSCec38904

Symptoms: A call from a remote client may be terminated at a Layer 2 Tunneling Protocol (L2TP) network server (LNS) that functions as a multihop node instead of being forwarded to a second LNS.

Conditions: This symptom is observed when the L2TP Tunnel Connection Speed Labeling feature is enabled in a multihop-node configuration in which an LNS functions as a multihop node that authenticates a user based on the connection speed of the user. When the connected Cisco Access Registrar (ARS) RADIUS server sends an Access-Accept message, the LNS should forward the L2TP session to a second LNS, but does not do so, causing the call to be terminated on the LNS itself.

Workaround: There is no workaround.

CSCec51441

Symptoms: When a terminating gateway (TGW) receives an ISDN call proceeding (callp) message with a progress indicator (PI) information element (IE), ISDN may not create a generic transparency descriptor (GTD). This situation prevents the TGW from sending an H.225 message to the originating gateway (OGW).

Conditions: This symptom is observed when an ISDN public switched telephone network (PSTN) switch returns a callp message with a PI IE in response to a setup message from the TGW.

The proper behavior should be as follows:

When the TGW receives the callp message, ISDN creates the following GTD:

gtd msg = " CPG, PRN,isdn*,,NET5*,"

With this GTD, the callp message triggers an H.225 progress message from the TGW to the OGW.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(5b)

Cisco IOS Release 12.3(5b) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5b) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCec25430

Symptoms: When you reload a faulty Cisco IP Conference Station 7935, a Catalyst 4000 Supervisor Engine III or IV may reload. Before the supervisor engine reloads, the following message may be displayed:

%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet5/1 (not half duplex), with SEP00e0752447b2 port 1 (half duplex).

Conditions: This symptom is observed on a Cisco Catalyst 4000 Supervisor Engine III or IV that runs Cisco IOS Release 12.1(19)EW1. The symptom may also occur in other releases.

Workaround: Disconnect the Cisco IP Conference Station 7935 or disable Cisco Discovery Protocol (CDP) by entering the no cdp enable interface configuration command.

Miscellaneous

CSCed27956

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences, beyond a terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCed38527

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences, beyond a terminated connection, which must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products which contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

Wide-Area Networking

CSCed05661

Symptoms: A router may return to ROM monitor (ROMmon) because of a bus error at PC 0x6012F880, address 0x114. The log file may show the following information:

%ALIGN-1-FATAL: Illegal access to a low address addr=0x114, pc=0x6012F880, ra=0x6012F880, sp=0x61FF00B8

%ALIGN-1-FATAL: Illegal access to a low address addr=0x114, pc=0x6012F880, ra=0x6012F880, sp=0x61FF00B8

Unexpected exception, CPU signal 10, PC = 0x6012F880 -Traceback= 6012F880 6010CD54 6010D538 601369A0 600A19BC

Conditions: This symptom is observed on a Cisco AS5300 that runs Cisco IOS Release 12.3(5) and that is configured for ISDN PRI signaling.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(5a)

Cisco IOS Release 12.3(5a) is a rebuild release for Cisco IOS Release 12.3(5). The caveats in this section are resolved in Cisco IOS Release 12.3(5a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCec48087

Symptoms: The input queue of the Gigabit Ethernet (GE) interface of a SiByte processor complex on a Multi-processor WAN Application Module (MWAM) may become full, preventing traffic from being forwarded between the subinterfaces that are configured on the GE interface of the SiByte processor complex and a Multilayer Switch Feature Card (MSFC). Pings between these subinterfaces and the MSFC may fail.

Conditions: This symptom is observed on a MWAM that is running a Service Selection Gateway (SSG) application and that is installed in a Cisco Catalyst 6500 series or a Cisco 7600 series. The symptom occurs only when an authentication, authorization, and accounting (AAA) server failure occurs and this failure causes the AAA server to return messages that it has received from the SSG application on the MWAM back to the MWAM.

Workaround: Reset the MWAM.

CSCec55639

Symptoms: A Cisco Virtual Home Gateway (VHG) may fail to download authentication, authorization, and accounting (AAA) attributes that contain remote virtual templates.

Conditions: This symptom is observed when the Per VRF AAA feature is configured by using a remotely defined customer template on a RADIUS server.

Workaround: There is no workaround.

CSCec74336

Symptoms: Several tty lines may become stuck in the "Modem state: Carrier Dropped" state. You can verify this situation by entering the show line line-number EXEC command for an individual line. However, when you enter the show line EXEC command (that is, you do not enter a value for the line-number argument), the output shows that the same tty lines are active (that is, they are in the "*" state):

Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int ...

5/00 Dig.mod. - DialIn - - - 78 0 0/0 - *

5/01 Dig.mod. - DialIn - - - 132 0 0/0 - I

5/02 Dig.mod. - DialIn - - - 32 0 0/0 - *

5/03 Dig.mod. - DialIn - - - 120 0 0/0 - A

5/04 Dig.mod. - DialIn - - - 130 0 0/0 - I

5/05 Dig.mod. - DialIn - - - 132 0 0/0 - I

In addition, both the output of the show users EXEC command and the output of the show caller EXEC command do not show a user or caller name or show an incorrect user or caller name. The output of the show caller EXEC command does show that the service is "TTY."

Conditions: These symptoms have been observed on a Cisco AS5850 in which a Universal Port Card 324 (UPC324) is installed. The UPC324 is configured for modem dialin with PPP and EXEC connectivity and for login authentication via a TACACS+ server.

Workaround: Reload the UPC324 by entering the hw-module slot shelf-id/slot-number reload privileged EXEC command. Note that doing so terminates all active modem calls.

IP Routing Protocols

CSCec72958

Symptoms: A Cisco router that is configured for Network Address Translation (NAT) may reload unexpectedly because of a software condition.

Conditions: This symptom is observed when the router translates a Lightweight Directory Access Protocol (LDAP) packet.

Workaround: There is no workaround.

Miscellaneous

CSCeb64967

Symptoms: A security association (SA) may fail to come up when you enter the correct extended authentication (Xauth) password on a PC that functions as a Virtual Private Network (VPN) client. When you enter the vpnclient connect profilename nocertpwd command on the PC, a connection to the remote peer is not established.

Conditions: This symptom is observed when you attempt to make a VPN connection from a PC to a Cisco router.

Workaround: There is no workaround.

CSCeb70171

Symptoms: An alignment traceback may occur when a router is configured for Multilink PPP over Frame Relay (MLPoFR) and weighted random early detection (WRED).

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3, Release 12.3 T, or Release 12.3 XA.

Workaround: Remove or modify the service-policy map to prevent WRED from running on MLPoFR interfaces.

CSCec14039

Symptoms: A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:

Last reset from watchdog reset

Conditions: This symptom is observed on a Cisco 7200 series that is configured with an NPE-G1 and that is running Cisco IOS Release 12.2(14)S3. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCec44207

Symptoms: An enhanced route switch controller (eRSC) may reload unexpectedly during the bootup process. This symptom does not occur on an RSC (that is, a legacy RSC) but the boot Flash memory may become unusable during the bootup process. The following error messages may be displayed during the bootup process:

%Error: Flash disk0 bank 0 chip 0 unknown, chip id 0x0 (reversed = 0x0 )

%Error: Flash disk0 bank 0 chip 1 unknown, chip id 0x0 (reversed = 0x0 )

%Error: Flash disk0 bank 0 chip 2 unknown, chip id 0x0 (reversed = 0x0 )

%Error: Flash disk0 bank 0 chip 3 unknown, chip id 0x0 (reversed = 0x0 )

%Error: Flash disk0 initialization failed

Conditions: These symptoms are observed on a Cisco AS5850.

Workaround: There is no workaround.

CSCec44556

Symptoms: Routing Information Protocol (RIP) may not send updates through an interface that is configured for Virtual Private Network (VPN).

Conditions: This symptom is observed on a Cisco router that has the router rip global configuration command enabled and on which the RIP router process is configured for VPN.

One of the few configurations in which the symptom is observed is a configuration in which the router has the passive-interface default router configuration command enabled. After the router has reloaded, when you enter the no passive-interface interface-type interface-number router configuration command on the interface that is configured for VPN, the symptom may occur.

The natural order of the configuration is for the no passive-interface interface-type interface-number router configuration command to be enabled before the passive-interface default router configuration command. However, this situation prevents the interface from sending updates.

Workaround: After the router has reloaded and RIP is configured, enter the passive-interface default router configuration command. Then, enter the no passive-interface interface-type interface-number router configuration command for the interface that is configured for VPN.

CSCec46125

Symptoms: The CPU usage on a Cisco AS5850 may be close to 100 percent with a moderate number of voice calls with any Voice over IP (VoIP) device that uses the User Datagram Protocol (UDP) checksum (for example, Cisco Analog Telephone Adapter [ATA] devices and the Cisco 7900 series IP phones).

Conditions: This symptom is observed on a Cisco AS5850 when VoIP devices that use the UDP checksum are installed in a client network as a VoIP gateway that uses the Session Initiation Protocol (SIP) and has the ip udp checksum dial-peer configuration command enabled. This causes the Cisco AS5850 to punt packets to the Route Switch Controller (RSC) and have high CPU usage at the RSC with only a moderate number of calls.

Workaround: Disable the UDP checksum option in the client network by entering the no ip udp checksum dial-peer configuration command. If this is not possible, there is no workaround.

CSCec53057

Symptoms: Tracebacks may be generated on a Cisco router that runs a Cisco IOS k8 or k9 crypto image, or memory corruption may occur and the router may reload unexpectedly.

Conditions: These symptoms are observed during normal operation, but are more likely to occur when you enter the clear crypto sa EXEC command or when a crypto access control list (ACL) is configured while crypto traffic is flowing through the IP Security (IPSec) tunnel.

Workaround: There is no workaround.

CSCec54103

Symptoms: An inverse multiplexing over ATM (IMA) interface may enter an endless loop when you enter the snmpwalk command for the ifStackStatus object.

Conditions: This symptom is observed on a Cisco 7206VXR that runs Cisco IOS 12.2(16)B2, 12.3, or 12.3 T and that is configured with an 8-port ATM Inverse MUX E1 port adapter (PA-A3-8E1IMA).

Workaround: There is no workaround.

CSCec61738

Symptoms: A Cisco 7500 series that functions as a provider edge (PE) router may fail to receive an Internet Control Message Protocol (ICMP) echo message on a Multilink PPP (MLP) ingress interface.

Conditions: This symptom is observed on a Cisco 7500 series when Virtual Private Network (VPN) routing/forwarding (VRF) is configured on the MLP interface.

Workaround: There is no workaround.

CSCec66469

Symptoms: It is not possible to change to the default value of 64 milliseconds (ms) when you enter the echo-cancel coverage voice-port configuration command.

Conditions: This symptom is observed when the following steps are taken to change to the default value (64) of the echo-cancel coverage voice-port configuration command:

Check the voice port on which the echo-cancel coverage command is currently set to 8.

Change the configuration of the echo-cancel coverage command to 64 by entering the echo-cancel coverage 64 command.

Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the voice port.

Enter the show voice port EXEC command (the configuration should appear fine in the output).

Enter the show running-config privileged EXEC command. The new configuration is no longer present.

Enter the show voice port EXEC command again. The output indicates that the value of the echo-cancel coverage command has not changed from 8 to 64.

Workaround: There is no workaround.

CSCed02289

Symptoms: A Cisco platform may reload unexpectedly when you perform a soft reset of the platform while a parser attempts to read an extensible markup language (XML) file that is downloaded from a call manager.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3(1a) and that has the ccm-manager config global configuration command enabled.

Workaround: Create static dial peers.

CSCin58592

Symptoms: A Cisco 3745 router may reload unexpectedly when an E1 or T1 line flaps.

Conditions: This symptom is observed on a Cisco 3745 that runs a Cisco IOS c3745-jsx-mz image (which supports Cisco Express Forwarding [CEF]) when you enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the E1 or T1 interface or when the E1 or T1 line becomes unstable.

Workaround: Disable auto-configuration by entering the no ccm-manager config global configuration command.

Wide-Area Networking

CSCec66146

Symptoms: A network access server (NAS) that runs Microsoft CHAP (MS-CHAP) or Microsoft CHAP version 2 (MS-CHAPv2) may reload unexpectedly.

Conditions: This symptom is observed on a Cisco AS5400 that functions as a NAS but may be platform independent.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(5)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(5). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(5). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCea59491

Symptoms: "%SYS-2-LINKED" and "%SYS-3-MGDTIMER" messages may be displayed soon after you configure the Service Assurance Agent (SAA) echo probe:

%SYS-2-LINKED: Bad enqueue of 636539EC in queue 62E13470
-Process= "SAA Event Processor", ipl= 0, pid= 121
-Traceback= 6048E724 605A1AD4 605A171C 60B868F8 60B86AA4 60B95434 60B7B78C 60B7B8BC 60B95434 60B87280 60B95434 60B7D7B0 60B95434 60B7D740 60B7CA80

%SYS-3-MGDTIMER: Running timer, init, timer = 63653A3C.
-Process= "SAA Event Processor", ipl= 0, pid= 121
-Traceback= 60487B60 60487CA4 60487E00 605A1B0C 605A171C 60B868F8 60B86AA4 60B95434 60B7B78C 60B7B8BC 60B95434 60B87280 60B95434 60B7D7B0 60B95434 60B7D740

Conditions: This symptom is observed on a Cisco 3600 series that runs Cisco IOS Release 12.2(13)T1 but may also occur in other releases.

Workaround: Disable the SAA echo probe by entering the no rtr operation-number global configuration command. For the operation-number argument, enter the ID of the echo probe.

CSCea74631

Symptoms: A Route Switch Processor (RSP) that is acting as a slave may have complete packet switching activity interrupted for several minutes. This situation may cause the RSP to permanently pause.

Conditions: This symptom is observed on a Cisco 7500 series router that is running Cisco IOS Release 12.2(12d).

Workaround: There is no workaround.

CSCeb08094

Symptoms: A Cisco 12000 series may reload, generate a crashinfo file, and then pause indefinitely.

Conditions: This symptom is observed on a Cisco 12000 series that runs Cisco IOS Release 12.0(26)S and that is configured with the exception dump global configuration command.

Workaround: There is no workaround.

CSCeb41170

Symptoms: Performance difficulties may occur on a Cisco 7500 series master Route Processor (RP) when the slave RP reloads continually.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3 and that has dual Route Switch Processors (RSPs).

Workaround: There is no workaround.

CSCeb42542

Symptoms: The CPU utilization of a Cisco 7500 series Versatile Interface Processor (VIP) may reach 100 percent when the rate of the incoming traffic exceeds the bandwidth of the egress interface.

Conditions: This symptom is observed only with local switching, that is, it is observed only with traffic that enters through one interface of the VIP and that leaves through another interface of the same VIP.

Workaround: Reload the affected VIP.

CSCeb44286

Symptoms: A voice-enabled Cisco router or switch may reload when you use Simple Network Management Protocol (SNMP).

Conditions: This symptom is observed on a Cisco IAD2420 series but may occur on any voice-enabled Cisco router or switch that has at least one analog voice port that is numbered 14, for example, voice-port 1/14.

Workaround: Disable SNMP.

CSCeb52035

Symptoms: You may not find the Versatile Interface Processor (VIP) index when you use Simple Network Management Protocol (SNMP) to monitor VIP CPU utilization. The PROCESS-MIB MIB does not return the correct value for the ENTITY-MIB index.

Conditions: This symptom is observed on a VIP that is installed in a Cisco 7500 series that runs Cisco IOS Release 12.2 T or Release 12.3.

Workaround: Enter the show controllers vip slot-number process cpu privileged EXEC command to monitor the CPU utilization for each VIP.

CSCeb62313

Symptoms: A router may reload when the asynchronous queue (async-queue) is not empty and you enter the show line async-queue or clear line async-queue EXEC command. The following error message appears:

%Software-forced reload Unexpected exception, CPU signal 23, PC = 0x6043BFC4

Conditions: This symptom is observed when the async-queue is not empty and you enter the show line async-queue or clear line async-queue EXEC command. If the async-queue is empty, the router does not reload, and the show line async-queue or clear line async-queue EXEC commands work correctly.

Workaround: If the async-queue is not empty, enter the show line async-queue rotary-group and clear line async-queue rotary-group EXEC commands.

CSCeb66973

Symptoms: A Cisco router or switch may reload when it attempts to read the ifIndex information from an NVRAM file during the bootup process.

Conditions: This symptom is observed when the NVRAM file is corrupt.

Workaround: Disable the ifIndex persistence.

CSCeb83536

Symptoms: The order of the Service Assurance Agent (SAA) Response Time Reporter (RTR) schedule command options is incorrect in the output of the show running-config EXEC command. This situation may cause difficulties with third-party vendor software that configures and manages RTR probes.

Conditions: This symptom is observed on all Cisco platforms that run Cisco IOS Release 12.2(13)T1.

Workaround: There is no workaround.

CSCeb86751

Symptoms: Packets of a call fallback probe may be incorrectly marked with precedence 0.

Conditions: This symptom is observed on a Cisco router after you have set the precedence value for the call fallback probe to 5 by entering the call fallback jitter-probe precedence 5 global configuration command.

Workaround: There is no workaround.

CSCec03906

Symptoms: Packets may be rejected when nontransparent text is received and the block check character (BCC) is 0x7f.

Conditions: This symptom is observed when a Cisco 1600 series runs in bisynchronous mode with the ASCII character set.

Workaround: There is no workaround.

CSCec12884

Symptoms: The authentication, authorization, and accounting (AAA) user command authorization may fail via HTTP access.

Conditions: This symptom is observed when you attempt to log in via HTTP to a Cisco router that has both AAA user command authorization and HTTP server enabled.

Workaround: When AAA user command authorization is enabled, use a Telnet or console-port connection to access the router.

CSCec30001

Symptoms: The voice busyout monitor Response Time Reporter (RTR) probe may not work.

Conditions: This symptom is observed on a Cisco router that has active voice ports to which a voice class is attached. Note that the busyout monitor inservice, interface, and subinterface work fine.

Workaround: There is no workaround.

CSCin57207

Symptoms: The CPU utilization of a Cisco router may increase to 99 percent.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3 or Release 12.3 T when you disable Media Gateway Control Protocol (MGCP) by entering the no mgcp global configuration command.

Workaround: There is no workaround.

EXEC and Configuration Parser

CSCec02505

Symptoms: A Cisco router that is configured for ISDN services may reject the pri-group controller configuration command when this command is configured on the T1 or E1 controllers as part of the running configuration during the bootup process. This situation may cause the loss of custom configurations that are defined under the ISDN serial x/y:23 or serial x/y:15 interface. If the router is configured for ISDN voice operation, the ISDN voice-port assignment under the plain old telephone service (POTS) dial peers may also be lost.

Conditions: This symptom is observed when the isdn switch-type global configuration command appears in the running configuration after any pri-group controller configuration command under a T1 or E1 controller.

When the running configuration is saved to NVRAM and the router is reloaded, the router may reject the pri-group controller configuration command and display the "%ISDN switch-type must be set first" error message.

Workaround: Enter the copy startup-config running-config privileged EXEC command to reconfigure the pri-group controller configuration command on the ISDN serial x/y:23 or serial x/y:15 interfaces and any ISDN voice-port assignments under any POTS dial peer.

IBM Connectivity

CSCea86223

Symptoms: A router may reload with a segmentation violation (SegV) exception, and the following error message appears:

%SYS-3-MGDTIMER

Conditions: This symptom is observed on a Cisco 2611 router. The symptom is specific to data-link switching (DLSw) Ethernet redundancy. Any other usage of DLSw does not affect this symptom.

Workaround: Do not use DLSw Ethernet redundancy. Use DLSw with transparent bridging support. In this case, you can have only one active DLSw router at a time per transparent Ethernet domain.

CSCea86421

Symptoms: The focal point buffer may overflow as shown in the following messages:

SNA: MV_SendVector rc = 8001
SNA: Alert E14A3440 not sent, Focal point buffer overflowed

In the latter message the Alert ID (E14A3440) may vary.

Conditions: This symptom is observed on a Cisco router that has a Systems Network Architecture (SNA) physical unit (PU) that is defined with a focal point.

Workaround: Remove the SNA PU definitions from the router and configure them again.

CSCeb46621

Symptoms: After you have upgraded the Cisco IOS software image, a Cisco MGX Route Processor Module-PRemium (RPM-PR) may reboot continually, generate tracebacks, and generate crashinfo files.

Conditions: This symptom is observed on an RPM-PR that is configured as a provider (P) router in a Multicast Virtual Private Network (MVPN) environment when both the customer router and the core router are using the Protocol Independent Multicast (PIM)-Source Specific Multicast (SSM) protocol.

Workaround: Before you upgrade the Cisco IOS software image, save the configuration. Enter the clrsmcnf slot-id command on the Processor Switch Module (PXM). For the slot-id argument, enter the slot in which the RPM-PR is installed. Then, upgrade the Cisco IOS software image. After the RPM-PR has booted up, reload the configuration that you had saved before you upgraded the Cisco IOS software image.

CSCeb65576

Symptoms: A Cisco 2620 may reload because of a segmentation violation (SegV).

Conditions: This symptom is observed when you attempt to run X.25 (at packet level) over a Logical Link Control, type 2 (LLC2) (at frame level) from a third-party vendor workstation to the Cisco 2620.

Workaround: There is no workaround.

CSCec10234

Symptoms: Ethernet redundancy may not function with Inter-Switch Link (ISL) trunking.

Conditions: This symptom is observed on a Cisco router or switch that is configured for data-link switching (DLSw) and Ethernet Redundancy (ER).

Workaround: There is no workaround.

CSCec12777

Symptoms: Binary Synchronous Communications (Bisync) IP (BIP) may strip an extra data character from the beginning of the data packet before the data packet is sent to the host.

Conditions: This symptom is observed when nontransparent text is being processed.

Workaround: There is no workaround.

CSCec24088

Symptoms: A Cisco router that is configured for data-link switching (DLSw) may generate the following error messages and tracebacks:

%TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer: 0x0
-Process= "DLSw Peer Process", ipl= 0, pid= 81
-Traceback= 603BDCDC 603BEFC4 60AC5A24 60AC6E00 60AC4F54 60AB51D0 60AB4D04 60AB4958 60223B44 60223B30

%TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer: 0x0
-Process= "IP Input", ipl= 0, pid= 29
-Traceback= 603BDCDC 603BEFC4 60AC5A24 60AC6E00 60AC4F54 60AB51D0 60ABCF44 603BDC28 60325EC0 60327C44 6035E49C 60346DCC 603452C8 603453C4 60345538 60223B44

Conditions: This symptom is observed in a DLSw border peer network that uses DLSw priority peers. Note that the symptom does not affect the DLSw functionality.

Workaround: There is no workaround.

Interfaces and Bridging

CSCea66198

Symptoms: A Cisco 7500 series router may encounter a bus error when applying a crypto map on an FDDI interface.

Conditions: This symptom is observed on a Cisco 7500 series router that is running Cisco IOS Release 12.2(11)T2, Release 12.2(13)T1, or Release 12.2(13a). The symptom may also occur in other releases such as Release 12.0 S.

Workaround: There is no workaround.

CSCeb38393

Symptoms: A Cisco 7500 series may generate the following message on its console:

%VIP-3-BADMALUCMD: Unsupported MALU command 81/82

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.0(23)S1.

Workaround: There is no workaround.

CSCeb58351

Symptoms: IP does not function on a third-party access server in a Token Ring topology.

Conditions: This symptom is observed when IP routing is configured on an access server in a Token Ring topology.

Workaround: There is no workaround.

CSCeb59227

Symptoms: The ifOutUcastPkts, ifOutOctets, and ifHCOutOctets Simple Network Management Protocol (SNMP) counters of a Fast Ethernet subinterface may not be incremented.

Conditions: This symptom is observed on a Cisco 7500 series when traffic is received from a serial interface in a Multiprotocol Label Switching (MPLS) network and when the Fast Ethernet subinterface is configured for dot1q encapsulation.

Workaround: There is no workaround.

CSCeb60620

Symptoms: A Cisco Route Switch Processor (RSP) that is configured as a bridge may not pass bridged traffic, regardless of the protocols that are configured on Ethernet interfaces. This situation can lead to a loss of connectivity.

Conditions: This symptom is observed on a Cisco RSP that is running a Cisco IOS rsp-jsv-mz image.

Workaround: There is no workaround.

CSCeb76005

Symptoms: A Cisco router may reload unexpectedly when you enter the no encapsulation frame-relay interface configuration command for an interface.

Conditions: This symptom is observed when the interface is configured for interface fragmentation and payload compression.

Workaround: Configure the interface for map-class fragmentation.

CSCeb81473

Symptoms: A Cisco 7500 series that is configured as a bridge may not pass bridged traffic on a FDDI interface. This situation may lead to a loss of connectivity.

Conditions: This symptom is observed on a Cisco 7500 series that runs a Cisco IOS rsp-jsv-mz image.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the FDDI interface.

CSCec18967

Symptoms: A segmentation and reassembly (SAR) crash dump does not show valid debug information.

Conditions: This symptom is observed when there is a SAR crash and there are incorrect register dumps that are logged for SAR0 and SAR1.

Workaround: There is no workaround.

CSCec26643

Symptoms: Packet-over-SONET (POS) interfaces on a 1-port POS OC-3c/STM-1 port adapter (PA-POS-OC3) that is installed in a Cisco 7200 series router that runs Cisco IOS Release 12.2(14)S3 may stop transmitting packets. The output packets counter stops incrementing.

Conditions: This symptom is observed when you reload the router with a queueing configuration on the POS interfaces.

Workaround: Remove the queueing configuration before you reload the router. Reapply the queueing configuration after the router has booted up.

CSCin33887

Symptoms: The following error message appears on a Cisco router:

SYS-2-BADSHARE

Conditions: This symptom is observed on a Cisco 7200 series with an ATM port adapter (PA-A3) that is running Cisco IOS Release 12.2(15)B when the router is configured with 100 PPP over ATM (PPPoA) sessions and bidirectional traffic is sent across the ATM port adapter.

Workaround: There is no workaround.

IP Routing Protocols

CSCdu59038

Symptoms: A Cisco router or switch may reload unexpectedly when you enter the show ip eigrp neighbors EXEC command.

Conditions: This symptom is observed when you enter the show ip eigrp neighbors EXEC command immediately after you have entered the shutdown interface configuration command followed by the no shutdown interface configuration command for the interface that connects the router or switch to the neighbor.

Workaround: Wait for the neighbor list to be completely rebuilt before you enter the show ip eigrp neighbors EXEC command.

CSCea31201

Symptoms: A Cisco router may reload unexpectedly because of a bus error at "ip_fast_accumulate_acctg."

Conditions: This symptom is observed on a Cisco router that has the ip accounting interface configuration command enabled.

Workaround: There is no workaround.

CSCea60188

Symptoms: A Border Gateway Protocol (BGP) next-hop router may not redistribute Virtual Private Network (VPN) routes.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0 S or Release 12.2 S.

Workaround: There is no workaround.

CSCea64596

Symptoms: A ping may not be sent from the router that generates the ping.

Conditions: This symptom is observed when the ping originates from a Cisco router that has a virtual access interface as the only interface that is configured for IP.

Workaround: Configure IP on any physical interface of the router, in addition to the virtual access interface.

CSCea78615

Symptoms: Cisco IOS software may cause a Cisco router that is configured for Next Hop Resolution Protocol (NHRP) to reload unexpectedly. When the router reloads, the console displays the following error message:

%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = NHRP.

Conditions: This symptom may occur on any Cisco router that is configured for NHRP.

Workaround: There is no workaround.

CSCea81029

Symptoms: A Cisco router may reload unexpectedly when you enter a show command that is related to IP multicast.

Conditions: This symptom is observed on a Cisco router that has remained at the "more" prompt for a long period of time.

Workaround: There is no workaround.

CSCeb17467

Symptoms: A Cisco router may reload when Border Gateway Protocol (BGP) is configured to carry Virtual Private Network version 4 (VPNv4) routes.

Conditions: This symptom is observed when VPNv4 import processing occurs simultaneously with a BGP neighbor reset, for example, when a VPN routing and forwarding (VRF) instance is configured and you enter the clear ip bgp * privileged EXEC command.

Workaround: There is no workaround.

CSCeb19676

Symptoms: A Cisco 7206VXR periodically reloads when Network Address Translation (NAT) is configured and L4 Internet Locator Service (ILS) Lightweight Directory Access Protocol (LDAP) entries are translated.

Conditions: This symptom is observed on a Cisco 7206VXR router with a Network Processing Engine (NPE-G1) that is running the c7200-is-mz image of Cisco IOS Release 12.2(16)B.

Workaround: There is no workaround.

CSCeb30338

Symptoms: Packet loss may occur about once per minute.

Conditions: This symptom is observed in an IP multicast environment when a router is directly connected to both a source and a receiver and when the shortest path tree (SPT) threshold is configured as infinite.

The packet loss occurs about once per minute because the (S,G) entry is deleted every minute, causing the hardware shortcut to be deleted and reinstalled.

Workaround: There is no workaround.

CSCeb39780

Symptoms: When both the VRF Aware NAT feature and the ip nat inside source static network global configuration command are enabled, the network may not be Virtual Private Network (VPN) routing/forwarding (VRF) aware. This situation may cause Network Address Translation (NAT) that is configured for one VRF instance to be applied to all other VRF instances.

Conditions: This symptom is observed on a Cisco 7206VXR router that runs Cisco IOS Release 12.3, Release 12.3 B, or Release 12.3 T and that functions in a Multiprotocol Label Switching (MPLS) VPN environment.

Workaround: There is no workaround.

CSCeb40561

Symptoms: A Cisco router may reload if it is low on processor memory and Simple Network Management Protocol (SNMP) get operations are performed on Open Shortest Path First (OSPF) MIBs.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(8)YW, Release 12.2(8)YY, Release 12.2 T, Release 12.3, or Release 12.3 T.

Workaround: There is no workaround.

CSCeb51147

Symptoms: A Reverse Path Forwarding (RPF) lookup may cause a Route Processor (RP) to reload because of a stack overflow.

Conditions: This symptom is observed on a Cisco 12000 series when there is a unicast routing loop and when a static multicast route (mroute) has been configured. The symptom may also occur on other platforms.

Workaround: There is no workaround.

CSCeb63120

Symptoms: When refresh reduction is enabled and a Cisco router has been operational for a long time, valid Resource Reservation Protocol (RSVP) messages that are received from a neighbor may be dropped when the message IDs have cycled through the entire number space once (that is, from 0 to 4,294,967,295) and then progressed up to 2,147,483,648 (0x80000000).

Conditions: This symptom is observed when a message ID number space begins at zero, increases up to 4,294,967,295 (32 bits), but then does not properly wrap back to zero, causing message IDs greater than 2,147,483,648 to be out of sequence, and to be dropped.

Note that a neighboring router is able to send message IDs and properly wraps back from 4,294,967,295 to zero, but the receiving router does not record the wrap event, causing the symptom to occur.

Workaround: There is no workaround.
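The threshold of 2,147,483,648 in CSCeb63120 is what wrap-aware comparison of 32-bit IDs produces when the receiver's stored reference stops advancing. The following is an added example, not Cisco code: the names are hypothetical, the ID values are constructed, and freezing the reference at the wrap is an assumption made to model the symptom.

```python
"""Wrap-aware ordering of 32-bit RSVP message IDs (constructed example)."""

MOD = 1 << 32    # message IDs occupy a 32-bit circular number space
HALF = 1 << 31   # 2,147,483,648 (0x80000000)


def is_newer(new_id: int, ref_id: int) -> bool:
    """True if new_id is ahead of ref_id by less than half the number space."""
    diff = (new_id - ref_id) % MOD
    return 0 < diff < HALF


class Receiver:
    """Tracks the last accepted message ID from one neighbor."""

    def __init__(self, last_id: int):
        self.last_id = last_id
        self.advance = True   # stored ID follows every accepted message

    def receive(self, msg_id: int) -> bool:
        if not is_newer(msg_id, self.last_id):
            return False      # treated as out of sequence and dropped
        if self.advance:
            self.last_id = msg_id
        return True


# Constructed, sparse walk of a sender's IDs: the end of the first cycle,
# the wrap to zero, then on past 0x80000000 in the second cycle.
FIRST_CYCLE_TAIL = [MOD - 3, MOD - 2, MOD - 1]
SECOND_CYCLE = [1, 1000, HALF // 2, HALF - 1, HALF, HALF + 1, HALF + 1000]


def simulate(stuck_after_wrap: bool) -> list:
    """Feed the walk to a receiver and return the IDs it dropped."""
    rx = Receiver(last_id=MOD - 4)
    dropped = []
    for msg_id in FIRST_CYCLE_TAIL + [0]:
        if not rx.receive(msg_id):
            dropped.append(msg_id)
    if stuck_after_wrap:
        # Assumed fault: the reference stays at the wrap point (0) from here on.
        rx.advance = False
    for msg_id in SECOND_CYCLE:
        if not rx.receive(msg_id):
            dropped.append(msg_id)
    return dropped


if __name__ == "__main__":
    print("reference advances:", simulate(False))
    print("reference frozen  :", [hex(i) for i in simulate(True)])
```

With a reference that follows the sender, every ID is accepted across the wrap. With the reference frozen at zero, IDs are accepted up to 0x7FFFFFFF and dropped from 0x80000000 onward.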

CSCeb68569

Symptoms: Packets that are switched via process switching may cause high CPU utilization on a router.

Conditions: This symptom is observed in an IP multicast environment when the packets are sent from a virtual host interface (VIF) and are destined for a multicast address. The packets should be switched via fast switching.

Workaround: There is no workaround.

CSCeb71671

Symptoms: A Cisco router may pause indefinitely when the tunnel interface is shut down or one of the following NHRP interface configuration commands under the tunnel interface is removed from the router's configuration:

no ip nhrp map ip-address nbma-address

no ip nhrp map multicast nbma-address

no ip nhrp network-id number

Conditions: This symptom is observed on a Cisco 1600 series router that has Next Hop Resolution Protocol (NHRP) configured on a multipoint generic routing encapsulation (GRE) tunnel interface.

Workaround: There is no workaround.

CSCeb77038

Symptoms: A Cisco router may pause indefinitely because of a bus error, and the following error message may appear:

System returned to ROM by bus error at PC 0x60B5F1C0, address 0xEF4321E5

Conditions: This symptom is observed on a Multiprotocol Label Switching (MPLS) provider edge (PE) router.

Workaround: There is no workaround.

CSCeb85136

Symptoms: An IP packet that is sent with an invalid IP checksum may not be dropped.

Conditions: This symptom is observed if the IP checksum is calculated with a decreased time-to-live (TTL) value. For example, in the situation where the IP checksum must be 0x1134 with a TTL of 3, if the packet is sent with an IP checksum of 0x1234 that is calculated by using a TTL value of 2, the packet is not dropped. In all other cases, packets with incorrect checksums are dropped.

Workaround: There is no workaround.
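The 0x1134 and 0x1234 values in CSCeb85136 differ by 0x0100 because the TTL is the high byte of one 16-bit word of the header. The following is an added example, not Cisco code: the header is constructed (documentation addresses, with the ID field chosen so that the checksums equal the values quoted above), the function names are hypothetical, and the rewrite-before-verify ordering is an assumption that reproduces the symptom.

```python
"""IPv4 header checksum versus TTL decrement (constructed example)."""
import struct


def ones_sum(data: bytes) -> int:
    """16-bit ones' complement sum (RFC 1071) with carries folded back in."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(header: bytes) -> int:
    """Header checksum computed with the checksum field taken as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return ~ones_sum(zeroed) & 0xFFFF


def is_valid(header: bytes) -> bool:
    """A correct header sums to 0xFFFF when its checksum field is included."""
    return ones_sum(header) == 0xFFFF


def build_header(ttl: int, csum: int) -> bytes:
    """Constructed 20-byte header: 192.0.2.1 -> 198.51.100.2, ICMP, ID 0xBA3E."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0xBA3E, 0, ttl, 1, csum,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))


def decrement_ttl(header: bytes) -> bytes:
    """Decrement TTL and patch the checksum incrementally (RFC 1624, eqn. 3)."""
    old_word, old_csum = struct.unpack("!HH", header[8:12])
    new_word = old_word - 0x0100            # TTL is the high byte of this word
    s = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return header[:8] + struct.pack("!HH", new_word, ~s & 0xFFFF) + header[12:]


def forward_verify_first(header: bytes):
    """Verify the header as received, then rewrite it. Returns None on drop."""
    if not is_valid(header) or header[8] <= 1:
        return None
    return decrement_ttl(header)


def forward_rewrite_first(header: bytes):
    """Assumed flawed ordering: decrement the TTL byte in place, then check
    the checksum already carried in the packet against the modified header."""
    if header[8] <= 1:
        return None
    rewritten = header[:8] + bytes([header[8] - 1]) + header[9:]
    return rewritten if is_valid(rewritten) else None


if __name__ == "__main__":
    print(hex(checksum(build_header(3, 0))), hex(checksum(build_header(2, 0))))
    bad = build_header(3, 0x1234)           # checksum computed as if TTL were 2
    print("verify first :", forward_verify_first(bad))
    print("rewrite first:", forward_rewrite_first(bad).hex())
```

Only the one checksum that matches the decremented TTL survives the rewrite-first path; any other incorrect value is dropped by both forwarders, which matches the behavior described in the Conditions.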

CSCeb87286

Symptoms: Enhanced Interior Gateway Routing Protocol (EIGRP) hello messages may be sent from a virtual-access interface when they should not be sent.

Conditions: This symptom is observed on a Cisco router that has the passive-interface default or passive-interface virtual-template interface-number router configuration command enabled.

Workaround: There is no workaround.

CSCec05794

Symptoms: You may not be able to configure the ip nat inside source list access-list-number pool name overload router configuration command because the pool keyword may not be accepted and the overload keyword may be missing.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3, Release 12.3 B, or Release 12.3 T and that has the VRF Aware NAT feature enabled.

Workaround: There is no workaround.

CSCec06466

Symptoms: A Cisco router may reload unexpectedly when the Designated Forwarder (DF) interface is changed to an interface that is already in the Outgoing Interface list (O-list).

Conditions: This symptom is observed on a Cisco router that is configured for multicast Bidirectional PIM (Bidir-PIM).

Workaround: There is no workaround.

CSCec06912

Symptoms: When you attempt to make a Session Initiation Protocol (SIP) call, Network Address Translation (NAT) may not properly modify the embedded address.

Conditions: This symptom is observed on a Cisco platform that has the NAT Support for SIP feature enabled.

Workaround: There is no workaround.

CSCec10494

Symptoms: A Cisco router or switch may reload unexpectedly when you enter the show ip igmp tracking detail EXEC command.

Conditions: This symptom is observed when the ip igmp explicit-tracking interface configuration command is enabled and the entries in the cache have expired.

Workaround: There is no workaround.

CSCec12036

Symptoms: Routing Table Protocol (RTP) ports may not be opened for H.245 Network Address Translation (NAT) traffic to get back in.

Conditions: This symptom is observed on a Cisco platform when H.245 NAT processing for outgoing traffic is not invoked in a configuration with static NAT and Virtual Private Network (VPN) routing/forwarding (VRF) instances.

Workaround: There is no workaround.

CSCec13278

Symptoms: A Cisco router may generate continual tracebacks when you perform an online insertion and removal (OIR) of a line card.

Conditions: This symptom is observed when Internet Group Management Protocol (IGMP) and IP Protocol Independent Multicast (PIM) are enabled.

Workaround: Before you perform the OIR, disable IP PIM.

CSCec16481

A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) Protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.

The vulnerability is only present in IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines and all IOS images prior to 12.0 are not affected. Refer to the Security Advisory for a complete list of affected release trains.

Further details and the workarounds to mitigate the effects are explained in the Security Advisory which is available at the following URL:

http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml.

CSCec25744

Symptoms: A Cisco device that functions as a spoke may reload.

Conditions: This symptom is observed when a spoke-to-spoke connection is terminated.

Workaround: Disable all spoke-to-spoke connections. If this is not an option, there is no workaround.

CSCec27239

Symptoms: A Cisco router that processes external link-state advertisements (LSAs) may generate spurious memory access tracebacks or reload unexpectedly.

Conditions: This symptom is observed on a Cisco router that runs Open Shortest Path First version 3 (OSPFv3).

Workaround: There is no workaround.

CSCec29953

Symptoms: A retransmission counter may not be reset when a neighbor is terminated.

Conditions: This symptom is observed on a Cisco platform that is running Open Shortest Path First (OSPF) when the retransmission limit default (12 or 24) is added to the retransmission mechanism.

Workaround: Clear the OSPF process by entering the clear ip ospf process pid privileged EXEC command. Then, enter the limit retransmissions non-dc disable router configuration command.

CSCec30677

Symptoms: A Cisco platform may not complete a reload procedure and may pause indefinitely.

Conditions: This behavior is observed on a Cisco platform that runs a Cisco IOS image when you enter the reload EXEC command.

Workaround: Power-cycle the Cisco platform.

CSCec34459

Symptoms: A memory leak may occur in the "IP Input" process on a Cisco platform, and memory allocation failures (MALLOCFAIL) may be reported in the processor pool.

Conditions: This symptom is observed on a Cisco platform that is configured for Network Address Translation (NAT).

Workaround: There is no workaround.

CSCin48570

Symptoms: A cable modem may reload unexpectedly with a segmentation violation (SegV) exception.

Conditions: This symptom is observed when you configure the cable modem for DHCP proxy with Network Address Translation (NAT) by entering the cable-modem dhcp-proxy nat interface configuration command.

Workaround: There is no workaround.

CSCin52817

Symptoms: A Cisco router may reload unexpectedly when you manually reload the router.

Conditions: This symptom is observed when the router is configured for Open Shortest Path First (OSPF).

Workaround: There is no workaround.

Miscellaneous

CSCdv10203

Symptoms: Multicast may be disabled on an interface of a Cisco 7500 series Gigabit Ethernet Interface Processor (GEIP) or GEIP plus (GEIP+).

Conditions: This symptom is observed when the Cisco IOS image is loaded and the configuration is added. The symptom does not occur when the configuration is added, saved, and then the Cisco IOS image is loaded.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

CSCdv43373

Symptoms: Interprocess communication (IPC) memory buffer difficulties may occur on a Gigabit Ethernet interface on a Cisco 7500 router after the output becomes stuck, and the following message may be displayed:

%RSP-3-RESTART: interface GigabitEthernet0/0/0, not transmitting Output Stuck on GigabitEthernet0/0/0

Conditions: This symptom is observed on the Gigabit Ethernet interface of a Cisco 7500 series.

Workaround: There is no workaround.

CSCdv76351

Symptoms: You may not be able to use the command-line interface (CLI) to disable a remote loopback request on the network.

Conditions: This symptom is observed when a remote loopback is initiated toward a Cisco AS5xx0 and the Cisco AS5xx0 responds to the remote loopback request.

Workaround: Enter the loopback network ignore controller configuration command on the T1 controllers.

CSCdw18371

Symptoms: A Cisco router may reload at the "rsp_ipfib_feature_switch" process when you enter the no ip cef global configuration command and the ip cef global configuration command in succession.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.1 T, 12.2, or 12.2 T and Resource Reservation Protocol (RSVP) over ATM while data traffic is traveling over switched virtual circuits (SVCs) that are established by RSVP.

Workaround: To deconfigure Cisco Express Forwarding (CEF) on a router that has RSVP over ATM reservations, remove the RSVP configuration from all ATM interfaces by entering the no ip rsvp bandwidth interface configuration command and then reenable CEF by entering the ip cef global configuration command, the ip rsvp bandwidth interface configuration command, and the ip rsvp svc-required interface configuration command.

CSCdx59056

Symptoms: When the MPLS VPN—Carrier Supporting Carrier—IPv4 BGP Label Distribution feature is enabled, you may be able to configure Label Distribution Protocol (LDP) and Border Gateway Protocol (BGP) with IPv4+ labels on the same Virtual Private Network (VPN) routing/forwarding (VRF) instance on the same router. This is an invalid configuration that may lead to errors.

Conditions: This symptom is observed on a Cisco 12000 series.

Workaround: There is no workaround. The fix for this caveat will prevent you from configuring the router in the way that is described in the symptoms.

CSCdy68831

Symptoms: A Cisco router may reload because of a segmentation violation (SegV) exception.

Conditions: This symptom is observed under the following circumstances:

The router is receiving traffic.

The size of some packets is larger than the maximum transmission unit (MTU).

The Don't Fragment (DF) bit is set.

The input interface has no packet buffers.

Workaround: Configure prefragmentation.

Alternate Workaround: Clear the DF bit by entering the crypto ipsec df-bit clear global configuration command.

CSCdz18467

Symptoms: Pings that have designated forwarder (DF) bits set and packet sizes greater than 1496 bytes are dropped.

Conditions: This symptom is observed only on single-hop Multiprotocol Label Switching (MPLS) traffic-engineered (TE) tunnels.

Workaround: There is no workaround.

CSCdz65835

Symptoms: Packet transmission over a serial channel-group interface that is part of a backhaul trunk may be slow.

Conditions: This symptom is observed only on a channel-group interface and occurs irrespective of whether or not the interface is configured for Low Latency Queueing (LLQ) for large packet sizes.

Workaround: There is no workaround.

CSCdz72292

Symptoms: After a few weeks of normal operation, the interface on a Cisco PA-MC-8E1 begins flapping and finally pauses with the output queue stuck as follows:

Serial1/1:1 is up, line protocol is up

Encapsulation HDLC, crc 16, Data non-inverted

Keepalive set (120 sec)

Last input 00:00:03, output 04:14:23, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 21952

Queueing strategy: weighted fair

Output queue: 30/4000/64/21855 (size/max total/threshold/drops)

30 second input rate 0 bits/sec, 0 packets/sec

30 second output rate 0 bits/sec, 0 packets/sec

43903807 packets input, 3646461183 bytes, 0 no buffer

Received 0 broadcasts, 321 runts, 0 giants, 0 throttles

5160 input errors, 4 CRC, 0 frame, 0 overrun, 0 ignored, 2945 abort

42026998 packets output, 2185017012 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

31 carrier transitions

no alarm present

Timeslot(s) Used:1-31, subrate: 64Kb/s, transmit delay is 0 flags

The following traceback is observed in the log:

%LINK-4-TOOBIG: Interface Serial60:1, Output packet size of 1526 bytes too big

Traceback= 0x604007F8 0x604A927C 0x6084E4D4 0x6057425C 0x60CE921C 0x60CE55EC

%LINK-4-TOOBIG: Interface Serial20:1, Output packet size of 1526 bytes too big

Traceback= 0x604007F8 0x604A927C 0x6084E4D4 0x6057425C 0x60CE921C 0x60CE55EC

Conditions: This symptom is observed on a Cisco router that is configured with a PA-MC-8E1 interface.

Workaround: There is no workaround.

CSCea12818

Symptoms: Transmit underruns or cyclic redundancy check (CRC) errors may occur on a serial interface on the motherboard of a Cisco router.

Conditions: This symptom is observed on the serial interface on the motherboard of a Cisco 3700 series.

Workaround: Do not use the WAN interface card (WIC) slot on the motherboard. Rather, use the serial interface on a 2-WAN card slot network module (NM-2W), a 1-port Fast Ethernet 2-WAN card slot network module (NM-1FE2W), or a 2-port Fast Ethernet 2-WAN card slot network module (NM-2FE2W).

CSCea22843

Symptoms: When configuring Routing Information Protocol (RIP) version 2 on a Cisco router, tracebacks may be displayed.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS software.

Workaround: There is no workaround.

CSCea28043

Symptoms: IP commands that are sent in the Cisco Networking Services (CNS) config-changed event output may contain an extra ip prefix.

Conditions: This symptom is observed on a Cisco router when you enter both ip global configuration commands and the cns config notify diff global configuration command to capture commands that change configuration for the config-changed event output.

Workaround: Enter the all keyword in the cns config notify global configuration command. This workaround is not valid when the only changes in the configuration occur in the config-changed event output.

CSCea29102

This caveat consists of two symptoms, two conditions, and two workarounds:

1. Symptoms: A Route Processor (RP) may reload when you enter the clear ip bgp * privileged EXEC command while interfaces flap continuously.

Conditions: This symptom is observed when Virtual Private Network (VPN) routing/forwarding (VRF) forwarding is configured on the interfaces that flap.

Workaround: There is no workaround.

2. Symptoms: An RP may reload when you simultaneously enter the clear ip bgp * privileged EXEC command and perform an online insertion and removal (OIR) by entering the hw-reload reset EXEC command.

Conditions: This symptom is observed when you perform an OIR of an interface that has a VRF configuration in which the connected route is learned via a network statement. The connected route is removed when you perform the OIR.

Workaround: Do not simultaneously enter the clear ip bgp * privileged EXEC command and perform an OIR.

CSCea29640

Symptoms: A 1-port High-Speed Serial Interface network module (NM-1HSSI) that is running Frame Relay traffic shaping (FRTS) and Frame Relay fragmentation 12 (FRF.12) may randomly stop functioning and does not recover on its own.

Conditions: This symptom is observed on a Cisco 3600 router that is running Cisco IOS Release 12.2(11)T1 or Release 12.2(13a).

Workaround: Disable FRF.12 fragmentation.

First Alternate Workaround: Enter the clear interface EXEC command on the affected interface.

Second Alternate Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

CSCea31186

Symptoms: The RADIUS "Acct-Session-Id" attribute may not be sent correctly.

Conditions: This symptom is observed in a Service Selection Gateway (SSG) configuration that is running Cisco IOS Release 12.2(15)T or a later release when you enter the ip route-cache flow interface configuration command on a virtual template. The symptom may also occur in other conditions.

Workaround: In the above-mentioned conditions, deconfigure the ip route-cache flow interface configuration command.

CSCea31882

Symptoms: When the create on-demand command is enabled in any command mode for a permanent virtual circuit (PVC) and this PVC becomes active, the following message may be displayed:

%ATM-5-UPDOWN: Interface ATM3/0/0, Changing autovc 1/32 to UP

An "Auto VC" of this type becomes active when a cell is detected with the appropriate virtual channel identifier (VCI) and virtual path identifier (VPI). Before becoming active, the virtual circuit (VC) does not consume significant system resources or detract from system VC scalability. After a configurable period of inactivity, the VC may enter the "down" state with a similar message and free up system resources for other VCs.

With a large number of VCs (in the tens of thousands on some platforms), the churn rate of VCs (that is, VCs going up and down) may cause so many of these log messages that the console may become unusable and other important log messages may be missed. In extreme cases, the processing and displaying of these messages may consume significant processing cycles on the system CPU.

Conditions: These symptoms are observed when the create on-demand command is enabled in any command mode or when "Auto VCs" are active.

Workaround: Change the console logging level to a relatively high level to avoid the many "Auto VC" notification messages, which are level 5 notification messages. The console logging level must be reduced to level 4 (warnings) to avoid these messages. Because this is a relatively high logging level, the system log should be checked occasionally to ensure that no important messages are missed.


Note: The fix for this caveat incorporates the logging event atm pvc command, which enables you to turn "Auto VC" notification messages on or off (the default mode is off).


CSCea33942

Symptoms: A Cisco uBR905 or Cisco uBR925 router may lose the configuration of the crypto map map-name local-address interface-id global configuration command from its startup configuration.

Conditions: This symptom is observed when the router reloads and is related to the use of the Cable DHCP Proxy feature.

Possible Workaround: Set up a permanent lease for the loopback interface in the Dynamic Host Configuration Protocol (DHCP) server by using the "ethernet0" MAC address and assigning a fixed IP address on the DHCP server.

CSCea45873

Symptoms: NetFlow may count the number of exported flows as less than the actual number of exported flows.

Conditions: This symptom is observed on a Cisco platform that has Parallel Express Forwarding (PXF) NetFlow enabled.

Workaround: There is no workaround.

CSCea56700

Symptoms: A Cisco router may restart with a bus error if the following conditions are met:

Router is Layer 2 Tunneling Protocol (L2TP) network server (LNS) in an L2TP environment

Cisco IOS Firewall (FW) Context-Based Access Control (CBAC) is active and applied to virtual interface template

Access control list (ACL) for each L2TP client is downloaded from RADIUS, and there are a number of users connected that are producing live traffic

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.2(15)T.

Workaround: There is no workaround.

CSCea57710

Symptoms: A Cisco MGX 8850 Route Processor Module-PRemium (RPM-PR) may log the following traceback error:

%ATMPA-3-BADPARTICLE: Switch1: bad rx particle 0x61CA8040 flags 0x00000001 index 9937

Traceback= 6007968C 6008F404 60E844F0 60E815F4 60D80BF4 60D8E8A4 6009CF94 600B56EC

Conditions: This symptom occurs in the following configuration:

A total of 1000 Virtual Private Network (VPN) routing/forwarding (VRF) interfaces are enabled on each RPM-PR.

About 98,000 VPN routes have permanent virtual circuits (PVCs).

Cell-based Multiprotocol Label Switching (MPLS) is configured for Label Switch Controller (LSC) hot redundancy.

Each RPM-PR has 500 external Border Gateway Protocol (EBGP) sessions.

The VPN prefixes are advertised with /24(90%) and /30(10%) subnets.

Workaround: There is no workaround.

CSCea58084

Symptoms: A Cisco 2600 series router may pause indefinitely with a segmentation violation (SegV) exception.

Conditions: This symptom is observed on a Cisco 2600 series router with a 4-port voice Performance Monitor (PM) and a BRI voice daughter card that is configured for telephony service.

Workaround: There is no workaround.

CSCea60559

Symptoms: The Simple Network Management Protocol (SNMP) agent may use 99 percent of the CPU bandwidth of a Route Processor (RP) for an arbitrarily long time (hours or days), without necessarily generating CPUHOG errors. This situation causes other processes on the router to fail because these processes do not receive the CPU bandwidth that they require. Consequently, the following difficulties may occur:

Routes may time out.

Tunnels may go down.

Accessing the router via a Telnet connection to a network port may become impossible.

The command-line interface (CLI) via the console line may become quite slow to respond.

The output of the show snmp summary EXEC command may indicate that the number of requests is "N" while the number of replies that were sent is "N-1." The output of the show processes cpu | include SN EXEC command may indicate that the SNMP process uses 99 percent of the CPU bandwidth of the RP.

Conditions: These symptoms are observed when the MPLS-LSR-MIB MIB is enabled, when you query the mplsXCTable or a MIB walk occurs, and when there are more than 10,000 Multiprotocol Label Switching (MPLS) labels active. The symptoms are platform independent.

Workaround: Perform the following steps:

1. Shut down interfaces to bring the total count of active MPLS labels down to far below 10,000.

2. Disable the MPLS-LSR-MIB MIB by entering the following sequence of commands:

snmp-server view nolsrmib mplsLsrMIB exclude

snmp-server view nolsrmib iso include

3. Modify each defined community string to include the view nolsrmib keywords. For example, define the "public" community string by entering the following command:

snmp-server community public view nolsrmib ro

4. Enter the no shutdown interface configuration command on all the interfaces that you shut down in Step 1.
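
The check below is an added example, not part of the Cisco release notes: it audits a saved configuration for the view restriction that steps 2 and 3 describe and flags any community string that can still reach mplsLsrMIB. The sample configuration is constructed, and the script matches only the symbolic name mplsLsrMIB used above (numeric OIDs and parent-subtree exclusions are not resolved).

```python
import re

# Constructed sample configuration (not from the release notes): one community
# follows the workaround, one has no view at all, and one uses a view that
# still exposes the MPLS-LSR-MIB subtree.
SAMPLE_CONFIG = """\
snmp-server view nolsrmib mplsLsrMIB excluded
snmp-server view nolsrmib iso included
snmp-server view everything iso included
snmp-server community public view nolsrmib RO
snmp-server community monitor RO 10
snmp-server community backup view everything RO
"""

VIEW_RE = re.compile(r"^snmp-server view (\S+) (\S+) (\S+)\s*$", re.IGNORECASE)
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?:\s.*)?$", re.IGNORECASE
)


def _action(keyword):
    """Expand an abbreviated include/exclude keyword to its full form."""
    kw = keyword.lower()
    for full in ("included", "excluded"):
        if full.startswith(kw):
            return full
    return None


def parse_views(config):
    """Return {view_name: {oid_tree_lowercased: 'included' | 'excluded'}}."""
    views = {}
    for line in config.splitlines():
        m = VIEW_RE.match(line.strip())
        if not m:
            continue
        name, oid_tree, keyword = m.groups()
        action = _action(keyword)
        if action:
            views.setdefault(name, {})[oid_tree.lower()] = action
    return views


def audit_communities(config, mib="mplsLsrMIB"):
    """Return (community, view, reason) for each community not covered by the workaround."""
    views = parse_views(config)
    findings = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, view = m.groups()
        if view is None:
            findings.append((community, None, "no view restriction"))
        elif view not in views:
            findings.append((community, view, "view is not defined"))
        elif views[view].get(mib.lower()) != "excluded":
            findings.append((community, view, f"view does not exclude {mib}"))
    return findings


if __name__ == "__main__":
    for community, view, reason in audit_communities(SAMPLE_CONFIG):
        print(f"community {community!r} (view={view}): {reason}")
```
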

CSCea61004

Symptoms: When interim accounting packets are sent by the Service Selection Gateway (SSG), the difference between the start time and the interim time may be as much as 60 seconds.

Conditions: This symptom is observed on all Cisco platforms and in all versions of Cisco IOS software when the ssg accounting interval seconds global configuration command is enabled.

Workaround: There is no workaround.

CSCea64492

Symptoms: A Cisco 6400 series Node Route Processor 2 (NRP2) may reload.

Conditions: This symptom is observed when the Cisco 6400 series NRP2 is running Cisco IOS Release 12.2(13)T1 and the Service Selection Gateway (SSG) is enabled.

Workaround: There is no workaround.

CSCea64571

Symptoms: PPP over Ethernet (PPPoE) or PPP over ATM (PPPoA) sessions that go down may cause a leak of full virtual-access interfaces. The symptom is not observed with configurations that use virtual-access subinterfaces.

Conditions: This symptom is observed with PPPoE or PPPoA sessions that clear because of the PPP protocol going down (because of a termination request [TERMREQ] from a peer router or a PPP keepalive failure). The leaked virtual-access interfaces are not reused for new sessions. This results in the creation of new virtual-access interfaces for new sessions.

Workaround: There is no workaround.

CSCea66218

Symptoms: When a Tributary Unit Alarm Indication Signal (TU-AIS) is inserted for an Engine 1 (E1) tributary on a channelized Synchronous Transport Module level 1 port adapter (PA-ChSTM1) on an SPE3, packet corruption occurs on the adjacent E1.

Conditions: This symptom is observed on a Cisco 7200 series and a Cisco 7500 series.

Workaround: There is no workaround.

CSCea66307

Symptoms: When a large number (30,000) of established PPP sessions are terminated at the same time (for instance, when an interface is shut down), a Cisco router may exhaust its I/O memory, causing loss of other services such as the maintenance of Layer 2 Tunneling Protocol (L2TP) tunnels and the forwarding of authentication, authorization, and accounting (AAA) accounting requests to a RADIUS server. This situation occurs because a flood of AAA accounting STOP records are sent for the terminated sessions to the RADIUS server.

Conditions: This symptom is observed only when a large number of PPP sessions are active on the router and the RADIUS server is slow to respond, causing a backlog in the router of messages that are waiting to be transmitted or that are waiting for a response.

Workaround: Install the RADIUS server on a faster machine. Doing so may alleviate but not completely eliminate the symptom. There is no other workaround.

CSCea70216

Symptoms: Two-way voice may be lost after a modify connection (MDCX) message is sent.

Conditions: This symptom is observed on a Cisco AS5850 that is configured for Real-Time Transport Protocol (RTP) hairpinning after a two-way voice call is established and an MDCX message with any parameter setting is sent.

Workaround: There is no workaround.

CSCea74551

Symptoms: A Cisco gateway may reject a "subscribe" request with a "400" response, indicating a "Bad Request, Malformed/Missing Request Line."

Conditions: This symptom is observed when the Session Initiation Protocol (SIP) address in the Uniform Resource Identifier (URI) of the "subscribe" request does not contain a user portion.

Workaround: There is no workaround.

CSCea79314

Symptoms: It may take a long time for an Internet Key Exchange (IKE) tunnel to be set up.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Virtual Private Network (VPN) acceleration module (VAM) or VAM2 for hardware encryption and that has the authentication rsa-sig ISAKMP policy configuration command configured.

Workaround: Use software encryption.

CSCea81025

Symptoms: Packet loss may occur on a Cisco 7401.

Conditions: This symptom is observed on a Cisco 7401 that is running Cisco IOS Release 12.2 B and that has Parallel Express Forwarding (PXF) enabled.

Workaround: Disable PXF.

CSCea85926

Symptoms: A line card may reload after a Stateful Switchover (SSO) occurs.

Conditions: This symptom is observed on a Cisco 12000 router.

Workaround: There is no workaround.

CSCea88733

Symptoms: A Cisco router may experience a memory leak in IP input.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(15) and that is configured for the Cisco Intrusion Detection System (IDS).

Workaround: Disable IDS.

Alternate Workaround: Disable the Domain Name System (DNS) signatures.

CSCea90721

Symptoms: A Cisco router may not be able to access the Internet.

Conditions: This symptom is observed on a Cisco router when Unicast Reverse Path Forwarding (uRPF) is enabled.

Workaround: Remove the ip verify unicast source reachable-via rx interface configuration command.

CSCea90968

Symptoms: When you enter the atm pvp vpi interface configuration command on a Cisco 7206VXR, the router may reload unexpectedly and display the following error message:

%ALIGN-1-FATAL: Illegal access to a low address addr=0x40, pc=0x60202778, ra=0x60202780, sp=0x63BF1718

Conditions: This symptom is observed on a Cisco 7206VXR that runs the c7200-js-mz image of Cisco IOS Release 12.3, 12.3 B, or 12.3 T and that is configured with a Network Processing Engine 225 (NPE-225).

Workaround: There is no workaround.

CSCea91076

Symptoms: A Cisco router may fail to create an ATM virtual circuit (VC) and may display the following error message:

%ATM-3-FAILCREATEVC: ATM failed to create VC(VCD=3, VPI=1, VCI=35) on Interface ATM0/0, (Cause of the failure: vpi/vci pair already in use)

Additional traceback messages may also be generated.

Conditions: This symptom is observed on a Cisco 3600 series or Cisco 7200 series that is configured with a 4-port T1 IMA network module (NM-4T1-IMA).

Workaround: There is no workaround.

CSCeb01676

Symptoms: Hardware compression may not function on a Cisco router that is configured with an Advanced Integration Module (AIM) for hardware compression, and the following error messages may be displayed:

%CAIM-1-HIFNERR: Caim 0: Hifn 9711 Errors reported: 9711 Status 0x848AC DMA status 0x80808098

%CAIM-6-SHUTDOWN: CompressionAim0 shutting down

%CAIM-6-STARTUP: CompressionAim0 starting up

Conditions: This symptom is observed on a Cisco 2600, Cisco 3600, or Cisco 3700 series that is configured for Multilink PPP (MLP) and ISDN. Note that software compression works fine.

Workaround: There is no workaround.

CSCeb04441

Symptoms: When an ATM link flaps or a remote ATM platform reloads, a Fast Etherchannel may fail and Enhanced Interior Gateway Routing Protocol (EIGRP) neighbors that are connected via the Fast Etherchannel may be lost.

Conditions: This symptom is observed on a Cisco 7500 series that runs the rsp-pv-mz image of Cisco IOS Release 12.0(21)S5.

Workaround: There is no workaround.

CSCeb06326

Symptoms: A Cisco MGX 8850 Route Processor Module-PRemium (RPM-PR) may reset when a service-policy map is removed.

Conditions: This symptom is observed when a service-policy map is removed from multiple tag interfaces, or from a single tag interface, or from both.

Workaround: Shut down the tag interface before you remove the service-policy map.

CSCeb08888

Symptoms: When a Cisco IOS gateway loses communication with its Call Manager, Media Gateway Control Protocol (MGCP) failover to H.323 may not occur. The opposite incorrect behavior may also occur: the gateway works properly only in failover mode but not when registered to a Call Manager.

Conditions: These symptoms are observed on a Cisco IOS gateway when the ccm-manager config global configuration command is configured together with MGCP gateway fallback. The ccm-manager config global configuration command does not work properly in this situation.

Workaround: Disable the ccm-manager config global configuration command before you configure MGCP gateway fallback. Do not enable the ccm-manager config global configuration command while MGCP gateway fallback is enabled.


Note: When you disable the ccm-manager config global configuration command, you can no longer use the administration Web interface of the Call Manager to make configuration changes, nor can you use its "Reset" button. To change the configuration, use the Cisco IOS command-line interface (CLI).


CSCeb12191

Symptoms: When data is sent across an internal modem line, intermittent data loss may occur.

Conditions: This symptom is observed on a Cisco 2600 series, Cisco 3600 series, or Cisco 3700 series that is configured with an 8- or 16-port analog modem network module (NM-8AM or NM-16AM) and that is configured for PPP encapsulation.

Workaround: Do not use PPP encapsulation. Rather, use Serial Line Internet Protocol (SLIP) encapsulation.

Alternate Workaround: Enter the no ppp microcode interface configuration command.

CSCeb13156

Symptoms: After a Cisco AS5850 router is reloaded, the first 911 call sends two KP tones to mark the beginning of the Automatic Number Identification (ANI) and the Digital Number Identification Service (DNIS) digits, instead of one KP tone.

Conditions: This symptom is observed after the Cisco AS5850 has been reloaded or after Media Gateway Control Protocol (MGCP) has been explicitly restarted by issuing the no mgcp router configuration command followed by the mgcp router configuration command. The symptom will not occur again until MGCP is restarted again.

Workaround: There is no workaround.

CSCeb13202

Symptoms: If a three-level hierarchy service policy is attached to two different interfaces and the policers are removed from the parent class, the policers for the child class are also removed.

Conditions: This symptom is observed on a Cisco 7200 series and a Cisco 7500 series.

Workaround: Detach the service policies from the interfaces, and reattach them.

CSCeb13992

Symptoms: A modem may become stuck in the active state while the call switching module (CSM) is in the idle state, as is displayed in the output of the show csm modem privileged EXEC command. The output of the debug modem csm privileged EXEC command displays the "failed to allocate a non-idle modem" message.

Conditions: This symptom is observed during peak call rate on a Cisco AS5xx0 that is configured for Resource Policy Management System (RPMS) and Signaling System 7 (SS7).

Workaround: There is no workaround.

CSCeb16876

Symptoms: A Cisco router may generate a "SYS-2-GETBUF" message during the "Tag Input" process and may subsequently reload unexpectedly.

Conditions: This symptom is observed when the router fragments a Multiprotocol Label Switching (MPLS) packet.

Workaround: There is no workaround.

CSCeb17647

Symptoms: A large part of the startup configuration may be deleted.

Conditions: This symptom is observed when you load a boot image on a Cisco uBR905.

Workaround: There is no workaround.

CSCeb20616

Symptoms: A Cisco router pauses indefinitely when Cisco Express Forwarding (CEF) is disabled and there is traffic from one of the ports on a 16-port or 36-port EtherSwitch.

Conditions: This symptom is observed on a Cisco 3660 router or a Cisco 3700 series that is running Cisco IOS Release 12.3(1), that is configured with IP Security (IPSec), and that uses an Advanced Integration Module (AIM) card for encryption.

Workaround: Enable CEF globally.

Alternate Workaround: Disable the AIM card.

CSCeb20928

Symptoms: A Cisco Node Route Processor 1 (NRP-1), with 2000 PPP over Ethernet (PPPoE) over VLAN sessions, and the multi virtual terminal (VT) feature enabled, pauses indefinitely when sending traffic. CPU utilization reaches 100 percent, and the NRP-1 stops responding.

Conditions: This symptom is observed on a Cisco NRP-1 in heavy traffic.

Workaround: There is no workaround.

CSCeb20953

Symptoms: A Cisco IOS voice gateway may reload unexpectedly.

Conditions: This symptom is observed when an interactive voice response (IVR) prompt is simultaneously played out to multiple callers with streaming mode and the prompt server is delayed while the Cisco IOS voice gateway is under stress.

Workaround: Avoid placing the Cisco IOS voice gateway under stress for long periods of time.

Alternate Workaround: Disable the prompt streaming mode by entering the ivr prompt streamed none global configuration command.

CSCeb20989

Symptoms: After a Cisco router has reloaded, part of the configuration that is defined in the startup configuration may not show up in crypto maps.

Conditions: This symptom is observed on any Cisco platform that has an interface that requires a controller statement under the following conditions:

You enter the crypto map map-name local-address interface-id global configuration command.

For the interface-id argument, you enter the interface that is configured by the controller statement.

There are more than 35 instances of the crypto map map-name local-address interface-id global configuration command in the startup configuration.

Workaround: After the router has reloaded, enter the copy startup-config running-config EXEC command.

CSCeb23201

Symptoms: An Any Transport over Multiprotocol Label Switching (AToM) virtual circuit (VC) may become stuck and not respond to changes in the state of its attachment circuit.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series or Cisco 7600 series that is configured for Ethernet over MPLS (EoMPLS) in VLAN mode.

Workaround: There is no workaround.

CSCeb24407

Symptoms: An IP version 6 (IPv6) link local address that has been manually configured by entering the ipv6 address ipv6-address link-local interface configuration command may disappear from the running configuration.

Conditions: This symptom is observed when you reload the Cisco platform on which the IPv6 link local address is configured or when a switchover between Route Processors (RPs) occurs on this platform.

Workaround: Reconfigure the IPv6 link local address.

Alternate Workaround: Manually configure the MAC address on the interface on which the IPv6 link local address is configured.

CSCeb26131

Symptoms: A Cisco AS5850 router may have high CPU usage in the IP input process because voice packets are punted from the line cards to the Route Switch Controller (RSC) card. To verify this symptom, enter the show interface type number stat EXEC command. The following output from the show interface command indicates that the entry for packets out (Pkts Out) in the "Distributed cache" field is 0.

Router# show interface g6/0 stat

GigabitEthernet6/0

          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        752      56786         25       3267
             Route cache          0          0       3120     666090
       Distributed cache       3019     644372          0          0
                   Total       3771     701158       3145     669357

Conditions: This symptom is observed on a Cisco AS5850 that handles voice calls. The symptom is not observed on the Cisco AS5850 with modem calls.

Workaround: There is no workaround.

CSCeb26162

Symptoms: A Cisco router may delay the transmission of the RADIUS Accounting-On message for too long.

Conditions: This symptom is observed on a Cisco router that is terminating PPP sessions. The delay in the transmission of the RADIUS Accounting-On message clears the accounting data related to the PPP sessions that are already up from the RADIUS server.

Workaround: Reset the PPP over X (PPPoX) clients that connected too early.

CSCeb26389

Symptoms: The same local label may be allocated to two different prefixes, which may be learned via two different routing protocols.

The Cisco Express Forwarding (CEF) entry for these two prefixes shows the same local label. Depending on how the route was learned, the local label in the Border Gateway Protocol (BGP) or Label Distribution Protocol (LDP) database may show the same label or two different labels for the two prefixes.

The Multiprotocol Label Switching (MPLS) forwarding table has only one entry that matches the last prefix that used the local label, and there is no entry for the other prefix. This situation may lead to a connectivity failure for the prefix that does not have an entry in the MPLS forwarding table.

Conditions: These symptoms are observed on a Cisco router that is configured with the MPLS VPN—Carrier Supporting Carrier—IPv4 BGP Label Distribution feature and that has both BGP IP version 4 (IPv4) label distribution entries and LDP entries in the Routing Information Base (RIB).

The symptoms occur when a route is learned via both BGP IPv4 label distribution and Interior Gateway Protocol (IGP) (for example via Open Shortest Path First [OSPF] or Intermediate System-to-Intermediate System [IS-IS]), and the route that is learned via BGP IPv4 label distribution replaces the route that is learned via IGP in the RIB.

A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdx74321. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: Ensure that the local label is reallocated for the first prefix that does not have an entry in the MPLS forwarding table:

If the first prefix is learned via BGP IPv4 label distribution, enter the clear ip bgp neighbor-address or clear ip bgp * privileged EXEC command.

If the first prefix is learned via IGP and allocated by LDP, enter the no mpls ip global configuration command followed by the mpls ip global configuration command in order to restart LDP. If the route can be removed from IGP and then relearned via BGP IPv4 label distribution, LDP reallocates a local label.

CSCeb27363

Symptoms: A Cisco fax relay call does not go back into voice mode after a fax is sent. The fax call is transmitted successfully.

Conditions: The symptom is observed on a Cisco router when the call switches to fax and then back to voice.

Workaround: There is no workaround. The symptom is cleared with the next call.

CSCeb27452

Symptoms: A Cisco router that functions in a Multiprotocol Label Switching (MPLS) environment may reload unexpectedly with a bus error.

Conditions: This symptom is observed under rare circumstances when the router attempts to send an Internet Control Message Protocol (ICMP) packet that was triggered by an MPLS packet.

Workaround: There is no workaround.

CSCeb29431

Symptoms: A Cisco VG200 that has a transcoder and is configured with Cisco Conference Connection (CCC) has only one-way audio for certain callers.

Conditions: This symptom is observed under the following conditions:

The Cisco VG200 software has been upgraded from Cisco IOS Release 12.1(5)YH4 to Release 12.2(13)T4.

A conference call is in progress on the CCC server. All parties use the G.711u codec.

An IP phone caller at a remote site, using the G.729a codec, calls the CCC server to join the ongoing conference call.

The remote caller hears the prompt from the CCC server to enter the conference ID to join the ongoing conference.

Once the remote caller is in the conference, the caller cannot hear the other participants, but all other G.711u codec participants can hear the caller.

Workaround: Use Cisco IOS Release 12.1(5)YH4.

CSCeb29695

Symptoms: Calls on an E1 controller within an STM-1 trunk card using Media Gateway Control Protocol (MGCP) and PRI backhaul may not come up.

Conditions: This symptom is observed with a STM-1 trunk card on a Cisco AS5850 that is running Cisco IOS Release 12.3 or Release 12.3 T.

Workaround: Configure a PRI group under the E1 controller after the system and the STM-1 card are up. If the system reloads, unconfigure the PRI group and add the group again.

CSCeb30381

Symptoms: A Cisco router intermittently experiences a high CPU load because of a Service Selection Gateway (SSG) timeout.

Conditions: This symptom is observed after a Cisco router is upgraded to Cisco IOS Release 12.3(1).

Workaround: There is no workaround.

CSCeb31057

Symptoms: The Cisco IOS Firewall may open an access control list (ACL) for media channels in the reverse direction.

Conditions: This symptom is observed when a third-party vendor Session Initiation Protocol (SIP) is configured with a Cisco IP telephone on an inside network and an inbound call is made.

Workaround: There is no workaround.

CSCeb31501

Symptoms: A Cisco router that terminates a PPP-over-ATM (PPPoA) connection may fail to send a PPP terminate request (TERMREQ) to its PPP peer when the PPPoA session is cleared by entering the clear interface virtual-access number EXEC command.

Conditions: This symptom is observed when per-user authentication, authorization, and accounting (AAA) attributes are downloaded when the PPPoA session initially comes up.

Workaround: When the PPPoA session comes up, ensure that no per-user AAA attributes are downloaded from the remote AAA server. If this is not an option, there is no workaround.

CSCeb31598

Symptoms: During a failover between Route Switch Controllers (RSCs), the ISDN User Adaptation Layer (IUA)/Stream Control Transmission Protocol (SCTP) links of the failed RSC are not restored properly on the active RSC. This situation prevents the D channel from being maintained between the gateway and the call agent after the RSC handover event.

Conditions: This symptom is observed when the handover-split mode is enabled on a Cisco AS5850 that is configured with IUA/SCTP as the transport mechanism.

Workaround: There is no workaround.

CSCeb34687

Symptoms: Use of the show version EXEC command still shows the L3 cache in use even though the configuration includes the cache L3 bypass diagnostic command-line interface (CLI) command and the MGX Router Processor Module (RPM-XF) has been reloaded.

Conditions: This symptom is observed on a Cisco RPM-XF when a no redundancy switchover is performed.

Workaround: Perform a 1:N redundancy switchover.

CSCeb35205

Symptoms: A Cisco router may reload when a subdirectory is created on an Advanced Technology Attachment (ATA) Flash disk.

Conditions: This symptom is observed when the ATA Flash disk space that is allocated to the subdirectory contains data from previously deleted files.

When a subdirectory is created or extended, it is given space on the ATA Flash disk. If this space contains zeros, the symptom does not occur. However, if the space was previously used, the space does contain data bytes from the previous file, and these data bytes may confuse the file system. This situation may cause the router to reload.

Workaround: Do not create subdirectories on the ATA Flash disk.

CSCeb35210

Symptoms: A Cisco router that has a quality of service (QoS) service policy attached to an interface may generate memory alignment errors or reload unexpectedly because of a bus error during normal operation.

Conditions: This symptom is observed when the policy map of the service policy has a set action configuration and when traffic is being processed.

Workaround: Remove the set action configuration from the policy map.

CSCeb35542

Symptoms: Traffic that leaves a subinterface of a Cisco 7401 may be forwarded to the Route Processor (RP). The output of the show pxf accounting summary user EXEC or privileged EXEC command indicates that the counter for the "output feature" is increasing.

Conditions: This symptom is observed when a Cisco 7401 boots up with a configuration that includes two subinterfaces of the same interface that are configured to forward traffic via the same access group.

Workaround: Remove the configuration that enables the subinterfaces to forward traffic via the same access group. After the router has booted up, reenable this configuration.

CSCeb36413

Symptoms: E1 R2 calls may fail on a Cisco router.

Conditions: This symptom is observed on a Cisco AS5850 router that is running Cisco IOS Release 12.3(2)T.

Workaround: There is no workaround.

CSCeb36764

Symptoms: A call transfer from one local IP telephone to another local IP telephone may fail.

Conditions: This symptom is observed when a remote H.323 endpoint calls a Cisco IOS Telephony Services (ITS) IP telephone, as in the following call scenario:

1. A subscriber of a Cisco PGW 2200 calls a Cisco ITS IP telephone (IP phone A) via H.323.

2. IP phone A is configured to forward all calls and forwards the incoming call to a local IP telephone (IP phone B).

3. IP phone B transfers the call to another local IP telephone. This transfer fails.

Workaround: There is no workaround.

CSCeb36929

Symptoms: When a Cisco router is performing tag imposition, it may reload because of a bus error.

Conditions: This symptom is observed when you create a new generic routing encapsulation (GRE) tunnel after the router has booted up and when GRE packets are received through this GRE tunnel and forwarded as Multiprotocol Label Switching (MPLS) packets.

Workaround: Enter the tag-switching ip interface configuration command followed by the no tag-switching ip interface configuration command on the newly created GRE tunnel interface.

CSCeb36963

Symptoms: VLAN class of service (CoS) bits may not be set for outgoing Multiprotocol Label Switching (MPLS) packets, although the modular QoS CLI (MQC) may indicate so.

Conditions: This symptom is observed on a Cisco 7200 series or Cisco 7500 series that runs Cisco IOS Release 12.2, Release 12.3, or Release 12.3 B when CoS marking is applied to a VLAN subinterface. Note that traffic that is generated by the router itself receives the correct CoS for all classes.

Workaround: There is no workaround.

CSCeb37367

Symptoms: When the MPLS VPN Carrier Supporting Carrier feature is configured on a Cisco router, Label Distribution Protocol (LDP) may advertise a local label binding without installing an associated entry in the Multiprotocol Label Switching (MPLS) forwarding table. When peers of the Cisco router receive the advertised label binding and use the Cisco router as an MPLS next hop for the prefix for which there is no entry in the MPLS forwarding table, packet loss occurs.

Conditions: This symptom is observed when the prefix is advertised by both Interior Gateway Protocol (IGP) and Border Gateway Protocol (BGP).

Workaround: Deconfigure and then reconfigure BGP on the Cisco router.

First Alternate Workaround: Reset the BGP connections.

Second Alternate Workaround: Disable and then reenable IP over MPLS globally by using the no mpls ip global configuration command followed by the mpls ip global configuration command.

CSCeb37410

Symptoms: The name of an interface in the output of the show ip vrf interfaces EXEC command may be truncated to 22 characters.

Conditions: This symptom is observed on a provider edge (PE) router that has Virtual Private Network (VPN) routing/forwarding (VRF) configured on an interface when the name of the interface is longer than 22 characters.

Workaround: To display the full name of the interface, enter the show ip vrf EXEC command, that is, without the interfaces keyword.

CSCeb38286

Symptoms: A Node Route Processor 1 (NRP-1) on a Cisco 6400 series may reload.

Conditions: This symptom is observed on a Cisco 6400 series that is configured with a Fast Ethernet interface. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCin44735. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

CSCeb39542

Symptoms: A Cisco router may reload unexpectedly when you attach a hierarchical quality of service (QoS) policy with a police feature.

Conditions: This symptom is observed when the router is configured with a Virtual Private Network (VPN) hardware accelerator module that has Low Latency Queueing (LLQ) enabled.

Workaround: There is no workaround.

CSCeb41067

Symptoms: A Cisco IOS gateway that functions as a terminating endpoint may reload unexpectedly when a call is terminated by an interactive voice response (IVR) application.

Conditions: This symptom is observed when an IVR application attempts to bridge a delayed-media Session Initiation Protocol (SIP) call.

Workaround: There is no workaround.

CSCeb41735

Symptoms: The interfaceSpecificBillingId field in the admission request (ARQ) nonstandard message is not copied into the location request (LRQ) nonstandard message.

Conditions: This symptom is observed on a Cisco gatekeeper (for example, a Cisco 2600 series, Cisco 3600 series, or Cisco 7200 series) when it receives ARQ nonstandard field information from a voice gateway.

Workaround: There is no workaround.

CSCeb42023

Symptoms: An IP Security (IPSec) hub router that has been reloaded may send traffic unencrypted instead of triggering an Internet Key Exchange (IKE) to negotiate new IPSec security associations (SAs), which can be verified in the output of the show crypto ruleset detail privileged EXEC command. This situation causes a spoke router to deny the unencrypted traffic from the IPSec hub router because the security policy of the spoke router requires the traffic to be encrypted.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.2(15)T or Release 12.3 and that functions as an IPSec hub router that has nontrivial crypto maps and access control lists (ACLs) that are applied to one or more interfaces. The router has more than 100 maps in a map set; each map has a separate ACL; each ACL has two or three access control entries (ACEs).

The symptom does not occur with a simple crypto configuration.

Remote exploitation of this caveat is possible but opportunistic. Although an adversary may cause the router to reload, it cannot control the configuration of the router. There is some regularity as to which crypto maps will not be applied, but that is not guaranteed, and an adversary cannot control this situation. Furthermore, the spoke router or router at the far end will reject packets because they are not encrypted. This limits the usefulness of this vulnerability to an adversary.

The consequence of this caveat is a potential information disclosure. However, the information disclosure may be limited, depending on the underlying protocol. In a case in which some form of a handshake must be performed first, no information disclosure will occur: the spoke router or router at the far end will refuse to establish a session, so no actual data will be transmitted and no information disclosure will occur.

Workaround: To prevent the symptom from occurring, remove the configuration of the crypto map map-name local-address interface-id global configuration command from the affected crypto map set.

When the symptom occurs, remove the affected crypto map from the interface. Then, reconfigure the crypto map on the interface. Alternately, remove the ACL from the affected crypto map. Then, reapply the ACL to the crypto map.

CSCeb42540

Symptoms: The banner global configuration command in the Cisco Networking Services (CNS) config-changed event output may not be correctly formatted.

Conditions: This symptom is observed on a Cisco IOS platform when you enter the cns config notify diff global configuration command and the banner global configuration command.

Workaround: There is no workaround.

CSCeb42742

Symptoms: A Cisco MGX Route Processor Module XF (RPM-XF) may not allow two partitions to share the same virtual path identifier (VPI) range.

Conditions: This symptom is observed when you configure two partitions with the same VPI range but with a different virtual channel identifier (VCI) range.

Workaround: There is no workaround.

CSCeb42902

This caveat consists of two symptoms, two conditions, and two workarounds:

1. Symptom 1: A network access server (NAS) may incorrectly generate the autocommand ppp negotiate line configuration command.

Condition 1: This symptom is observed when a RADIUS server performs EXEC authorization for users with service type 6 (administrative) and service type 2 (framed).

Workaround 1: There is no workaround.

2. Symptom 2: The Double Authentication feature may not function.

Condition 2: This symptom is observed on a Cisco NAS that runs Cisco IOS Release 12.3.

Workaround 2: There is no workaround.

CSCeb43118

Symptoms: The following symptoms may occur:

Spurious memory accesses

Tracebacks

An unexpected exception in CPUvector 1200

A segmentation violation (SegV) exception

Conditions: These symptoms are observed when fax pass-through calls are placed to the following ATM adaptation layer 2 (AAL2) types:

codec aal2-profile ITUT 1 g711ulaw

codec aal2-profile ITUT 2 g711ulaw

codec aal2-profile ITUT 7 g711ulaw

codec aal2-profile ITUT 7 g729br8

codec aal2-profile custom 110 g729br8

codec aal2-profile custom 100 g711ulaw

codec aal2-profile custom 110 g711ulaw

codec aal2-profile custom 100 g726r32

The symptom may be specifically associated with g729br8.

Workaround: If the symptom is related to g729br8, select another codec. If you do not need to use any AAL2 codecs, configure IP or Frame Relay. If you do need to use g729br8 and the symptom is related to this codec, there is no workaround.

CSCeb43355

Symptoms: A Cisco router may pause indefinitely because of memory corruption.

Conditions: This symptom is observed on a Cisco router whenever the show atm svc [vpi/vci | name | interface atm interface-number] EXEC command or the show atm vc [vcd | interface interface-number] EXEC command is entered.

Workaround: There is no workaround.

CSCeb43381

Symptoms: Incorrect values may be returned for the ifInOctets IF-MIB object.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Processing Engine G1 (NPE-G1) when the ifInOctets counter is polled via Simple Network Management Protocol (SNMP) on a Gigabit Ethernet subinterface that is configured for 802.1q encapsulation.

Workaround: There is no workaround.

CSCeb43548

Symptoms: When the tx-ring-limit interface configuration command is used and the value is set at 3, packets are dropped.

Conditions: This symptom is observed on a Cisco router that is configured for quality of service (QoS) and that uses digital subscriber line (DSL) interfaces.

Workaround: Remove the tx-ring-limit 3 interface configuration command for non-QoS configurations. When a QoS configuration is required, use Cisco IOS Release 12.2(15)T or a later release, or use Release 12.3(1).

CSCeb43574

Symptoms: A Cisco 831 may reload unexpectedly when you enter the no ip urlfilter exclusive-domain {permit | deny} domain-name global configuration command.

Conditions: This symptom is observed when you attempt to deconfigure an exclusive domain without having first configured it. That is, you have not first entered the ip urlfilter exclusive-domain {permit | deny} domain-name global configuration command.

Workaround: There is no workaround.

CSCeb43674

Symptoms: When the CSAdmin or CSAuth services fail on a primary Access Control Server (ACS), authentication does not fail over to the secondary server as it should.

Conditions: This symptom is observed on a Cisco ACS that acts as the primary server.

Workaround: Configure CSAuth.

CSCeb44695

Symptoms: When generic routing encapsulation (GRE) is protected with IP security (IPSec) by use of the tunnel protection router configuration command and the peer loses its security associations (SAs), the peer that lost its phase 2 SAs does not act upon invalid service profile identifier (SPI) events as it should. This symptom also occurs if the crypto policy is dynamically constructed and the peer loses its phase 2 SAs. This behavior could be tunnel protection for multipoint GRE (mGRE), dynamic crypto maps, crypto profiles for Layer 2 Tunneling Protocol (L2TP) traffic, or Easy VPN connections.

Conditions: This symptom is observed when the original delete notification is not sent because at that time there is no active Internet Key Exchange (IKE) SA between the peers. However, when a new IKE SA is subsequently established and traffic continues to be sent on the old SAs, the peer that does not have the phase 2 SAs still does not generate the necessary delete notifications.

Dead-Peer Detection (DPD) cannot cure either symptom, and the tunnel remains unusable until either the SAs are cleared on the peer that has the phase 2 SAs or the SAs time out normally.

Workaround: There is no workaround.

CSCeb46191

Symptoms: When a Cisco router is configured for both internal Border Gateway Protocol (iBGP) load balancing and Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN), incorrect MPLS labels may be installed. When one of the load-balancing links flaps, connectivity may be lost between the VPN sites.

Conditions: This symptom is observed in the Cisco IOS releases that are listed in the "First Fixed-in Version" field at the following location:

http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdy76273.

Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: Disable iBGP load balancing.

CSCeb46554

Symptoms: In a non-RADIUS proxy mode, a Service Selection Gateway (SSG) does not include attribute 25 (class) in the host accounting packets. In RADIUS proxy mode, SSG functions correctly, and attribute 25 is included in the host and connection accounting packets.

Example of attribute 25:

RADIUS(00000000): Send Accounting-Request to 192.168.69.7:1813 id 21659/178, len 228

RADIUS: Class [25] 12

RADIUS: 31 34 30 34 39 36 32 37 31 30 [1404962710]

RADIUS: Service-Type [6] 6 Framed [2]

Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.2(16)B.

Workaround: There is no workaround when you are unable to use SSG in RADIUS proxy mode.

CSCeb46738

Symptoms: An Easy VPN tunnel may come up with an incorrect password that is configured on the Easy VPN server.

Conditions: This symptom is observed when you configure the right password and bring the tunnel up, then change the password on the Easy VPN server, disconnect the tunnel, and once again establish the tunnel from the unity client. The tunnel comes up properly even though the wrong password is configured.

Workaround: Wait until the entire Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) table is flushed, and try once again. The tunnel then does not come up, and an error is displayed.

CSCeb47086

Symptoms: When the integrated Signaling Link Terminal (SLT) functionality is running on a Cisco AS5350 or Cisco AS5400, the Signaling System 7 (SS7) links will not come into service. Using an SS7 analyzer indicates that Link Status Signal Units (LSSUs) are not being transmitted from the Cisco AS5350 or Cisco AS5400 to the SS7 network.

Conditions: This symptom is observed when the Cisco AS5350 or Cisco AS5400 is configured with a 2-, 4-, or 8-port PRI board that contains the D4 version of an MPC860 processor. You can verify the version of the MPC860 processor by entering the show chassis slot detail EXEC command. The symptom occurs when the board hardware version is version 4.0 or a later version.

Workaround: Install a PRI board with a board hardware version earlier than 4.0.

CSCeb47159

Symptoms: The timeouts ringing {seconds | infinity} voice-port configuration command is used to determine the value of the ring, no answer timer. The timer is limited by the H.323 timer when the call is using H.323. The timer will always be stopped on call cleanup procedures. The H.323 connect timer that is configured under the voice class h323 tag global configuration command is always started on the originating gateway after reception of an Alerting or Progress message. The default value is 180 seconds with a range of 60 to 360 seconds. Upon triggering this timer, the cleanup procedures for the call are invoked. If the ring, no answer timer exceeds the H.323 connect timer, it will have no effect.

Conditions: This symptom is observed for ISDN-H.323 calls.

Workaround: There is no workaround. The best solution is to configure the H.323 connect timer to the maximum value of 360.

CSCeb47188

Symptoms: A Cisco IAD2420 series may not collect digits properly. One number 2 may become two number 4s in the dialed digits that are detected by a voice telephony service provider (VTSP).

Conditions: This symptom is observed on a Cisco IAD2420 series that is interconnected via a digital interface to a BTS10200 softswitch that runs software release 3.5.1v01. When the Cisco IAD2420 series is rebooted and sends Restart in Progress (RSIP) messages to the call agent (CA), the trunks are automatically brought back into service. The symptom occurs when a PBX goes off-hook, then on-hook (without dialing digits), then off-hook again on the same channel, and then begins dialing.

Workaround: There is no workaround.

CSCeb47343

Symptoms: A Cisco MGX Route Processor Module XF (RPM-XF) front card may reset because of a software exception.

Conditions: This symptom is observed rarely when the multi-virtual-circuit (Multi-VC) feature is enabled, when the Label Switch Controller (LSC) reloads or you enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface that is configured for Multiprotocol Label Switching (MPLS), and when routes flap.

Workaround: There is no workaround.

CSCeb47812

Symptoms: A Cisco 7500 series or Cisco 7600 series may generate the following error message on its console:

Invalid memory action (malloc) at interrupt level

Conditions: This symptom is observed when you enter the clear counters EXEC command.

Workaround: There is no workaround.

CSCeb48423

Symptoms: A Service Selection Gateway (SSG) is unable to resolve a Domain Name System (DNS) query.

Conditions: This symptom is observed on a Cisco 6400 series router.

Workaround: There is no workaround.

CSCeb48517

Symptoms: A Cisco 7200 series that is configured for IP Security (IPSec) Virtual Private Networks (VPNs) and that has hardware acceleration enabled on a service adapter VPN Acceleration Module (SA-VAM) may reload because of a software condition.

Conditions: This symptom is observed on a Cisco 7200 series that has operated normally for a period of time.

Workaround: Enter the crl optional ca-trustpoint configuration command on the router.

CSCeb49161

Symptoms: When you attempt to load a Tool Command Language (Tcl) script by using the call application voice global configuration command, a Cisco gateway may reload.

Conditions: This symptom is observed when the Tcl script contains a nested procedure call.

Workaround: There is no workaround.

CSCeb49199

Symptoms: When a provider edge (PE) router that is running IP version 6 (IPv6) in a Multiprotocol Label Switching (MPLS) environment (also referred to as a 6PE router) is switching traffic, low performance may occur. The output of the show alignment EXEC command displays spurious memory accesses (one per packet) at a low address (around 17).

Conditions: This symptom is observed on the 6PE router when an IP version 4 (IPv4) output feature is configured on any interface or when an IPv4 input feature is configured on the MPLS interface that is used by 6PE traffic. Enter the show mpls interfaces [interface] [detail] privileged EXEC command, and check the output for the presence of the phrase "MPLS feature vector."

Workaround: Ensure that on the 6PE router, no IPv4 output feature is configured on any interface and that no input feature is configured on an MPLS interface on which 6PE traffic is traversing.

CSCeb49581

Symptoms: A linkUp trap may not be generated on a Cisco router.

Conditions: This symptom is observed on a Cisco 3600 series that runs Cisco IOS Release 12.2(17) but may also occur in other releases.

Workaround: There is no workaround.

CSCeb49708

Symptoms: A Cisco router may pause indefinitely when a PPP over Ethernet over Ethernet (PPPoEoE) session is initiated.

Conditions: This symptom is observed on a Cisco Node Route Processor 2 (NRP-2).

Workaround: There is no workaround.

CSCeb50451

Symptoms: When two Media Gateway Control Protocol (MGCP) messages that specify the same MGCP endpoint are sent within moments of each other to a Cisco IOS MGCP gateway, the messages may be processed out of order or the first message may not be answered.

Conditions: This symptom is observed when the call agent sends a Modify Connection (MDCX) RecvOnly that is followed by a Notify Request (RQNT S) L/dl in quick succession.

Workaround: Ensure that there is only one command outstanding per MGCP endpoint. This is the recommendation of the Internet standard RFC 2705, and most MGCP call agents already follow this recommendation.

CSCeb51277

Symptoms: A Cisco router may pause indefinitely when the no telephony-service and no call-manager-fallback global configuration commands are continuously entered on the router.

Conditions: This symptom is observed in a test environment when the router is stressed by continuously entering the no telephony-service and no call-manager-fallback global configuration commands.

Workaround: Do not continuously enter the no telephony-service and no call-manager-fallback global configuration commands.

CSCeb52067

Symptoms: A Reliability, Availability, and Serviceability (RAS) server does not allocate the IP addresses to the dial-in clients when the user profile on the Access Control Server (ACS) contains a pool name "addr-pool=foo." If this pool is not defined locally, the subsequent request to the ACS fails.

Conditions: This symptom is observed on a Cisco RAS server that is running Cisco IOS Release 12.3(3) when the authorization profile contains an IP pool name that is not configured locally.

Workaround: Configure the IP address pool locally.

CSCeb52119

Symptoms: A voice connectivity test may fail.

Conditions: This symptom is observed on a Cisco 1751 router that is running the c1700-sv3y-m image of Cisco IOS Release 12.3(2)T. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCeb52314

Symptoms: A Cisco AS5850 that is configured with two DS0 groups may select the DS0 group that is not defined on any plain old telephone service (POTS) dial peer for outgoing calls.

Conditions: This symptom is observed when one of the DS0 groups is already in use, causing the gateway to select the DS0 group that is not defined on a POTS dial peer.

Workaround: There is no workaround.

CSCeb52330

This caveat consists of two symptoms, two conditions, and two workarounds.

1. Symptom 1: The interface commands in the CNS configuration notify changed message contain unexpected data.

Condition 1: This symptom is observed when you configure the cns config notify diff global configuration command and you configure interface global configuration commands on the Cisco IOS device.

Workaround 1: There is no workaround if only the changes in the configuration are expected in the CNS configuration notify changed message.

Alternate Workaround 1: Specify the all option for the cns config notify global configuration command.

2. Symptom 2: Once the cns config notify global configuration command is configured, the router may not detect a newly created interface.

Condition 2: This symptom is observed when the diff option in the cns config notify global configuration command is selected and a new dynamic interface is created.

Workaround 2: There is no workaround.

CSCeb53162

Symptoms: A Cisco router may reload because of memory corruption.

Conditions: This symptom is observed on a Cisco 7200 series with a Network Service Engine 1 (NSE-1) processor board or a Cisco 7401 router that acts as a Layer 2 Tunneling Protocol session endpoint system. Parallel Express Forwarding (PXF) is turned on and the per-user rate limit configuration has been downloaded from an authentication, authorization, and accounting (AAA) server that has a high traffic rate (about 120 Mbps) and a high CPU load (about 70 percent). The symptom occurs as the sessions go up and down when the users log on and off.

Workaround: There is no workaround.

CSCeb53380

Symptoms: The effective call rate may be 75 percent of the expected call rate.

Conditions: This symptom is observed on a Cisco 10000 series that functions as an L2TP network server (LNS) that is enabled for PPP Termination Aggregation (PTA).

Workaround: There is no workaround.

CSCeb53422

Symptoms: A call setup failure may occur for high-delay links with a round-trip time greater than 300 milliseconds.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.2(16) but may also occur in other releases.

The call fallback subsystem hard-codes the amount of time it will wait for the response to probes to 300 milliseconds. The probes fail if the round-trip time is more than 300 milliseconds, even though the network is a high-bandwidth network.

Workaround: There is no workaround.

CSCeb53582

Symptoms: During an onramp fax call, a Cisco router may take up to 40 seconds to clear a channel.

Conditions: This symptom is observed on a Cisco 2600 series when the fax call was terminated during the fax negotiation. The symptom may also occur on other platforms.

Workaround: There is no workaround.

CSCeb54098

Symptoms: A router that is configured with VPN routing and forwarding (VRF) aware IP security (IPSec) does not route packets in the given VRF; instead, the packets are routed using the default routing table.

Conditions: This symptom is observed on a Cisco router if Cisco Express Forwarding (CEF) is enabled, and if there is a subinterface configured with VRF aware IPSec and another subinterface configured with VRF.

Workaround: Turn off CEF switching on the IPSec aggregator.

CSCeb55230

Symptoms: When a Cisco AS5400 that functions as a gateway originates a Session Initiation Protocol (SIP) "invite" message for a voice call and receives a "200 OK" response to this message while it is processing a T.38 fax call, the gateway may send a "bye" message to terminate the established dialog for the voice call.

Conditions: This symptom is observed when the incoming voice call does not match a Voice over IP (VoIP) dial peer and the default fax protocol on the gateway is T.38.

Workaround: Configure an inbound VoIP dial peer that matches an initial incoming SIP "invite" message.

CSCeb56025

Symptoms: A Cisco platform that functions as a gateway may report a "destination out of order" cause code for a call that is disconnected in a normal way.

Conditions: This symptom is observed when an H.245 TCP connection close request reaches the gateway before the H.225 release complete message (RLC), which causes the gateway to assume that the H.245 connection is terminated and to tear down the call with a "destination out of order" cause code. This situation may occur with semirouted gatekeeper signaling, when the H.225 connection runs via a gatekeeper and the H.245 connection runs directly between the gateway and a third-party vendor endpoint. This situation may also occur when a race condition occurs between the connection close request and the RLC.

Workaround: Ensure that the third-party vendor endpoint sends an end session command (an H.245 message) before tearing down the H.245 connection.

CSCeb56480

Symptoms: A Label Distribution Protocol (LDP) session may not be established and may cause network connectivity problems (a ping may fail). The local LDP identifier is set to 0.0.0.0:0 instead of a valid identifier.

Conditions: This symptom is observed in Multiprotocol Label Switching (MPLS) configurations when LDP is enabled.

Workaround: Enter the no mpls ip router configuration command followed by the mpls ip router configuration command.

CSCeb56547

Symptoms: Packets that are received from the Multiprotocol Label Switching (MPLS) backbone by a provider edge (PE) router are not encrypted and are forwarded to the customer edge (CE) router. A traceback appears.

Conditions: This symptom has been observed on a Cisco 2650 router that is configured to terminate IP security (IPSec) tunnels with Virtual Private Network (VPN) routing and forwarding (VRF).

Workaround: There is no workaround.

CSCeb56569

Symptoms: After a Node Switch Processor (NSP) failover has occurred, Open Shortest Path First (OSPF) on the NSP may become stuck in the "INIT" state, even though OSPF is in the "FULL" state on the Node Route Processor 2 (NRP-2).

Conditions: This symptom is observed on a Cisco 6400 series that is configured with redundant NSPs.

Workaround: Reload the NRP-2.

CSCeb56964

Symptoms: The following traceback may appear during a fax call:

%HPI-3-FAILED_START: channel:1:15:25 DSP ID:0x1, failed mode 0 for service 26 -Traceback= 147434C 1483864 1580C40 160043C 1600E58 154B758 154C79C 14F2D34442E48 446F28

Conditions: This symptom is observed on a Cisco 3810 after an upgrade from Cisco IOS Release 12.2(13) to Release 12.3(1).

Workaround: There is no workaround.

CSCeb57018

Symptoms: A Cisco platform may reload because of a software condition when an Internet Key Exchange (IKE) security association (SA) expires and certificates and Rivest, Shamir, & Adleman (RSA)-signature authentication are used for the SA.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3, Release 12.3 B, or Release 12.3 T when the peer uses fully qualified domain name (FQDN) or user FQDN as the identity, but the certificate that it provides does not carry the FQDN or user FQDN.

Workaround: Use certificates that carry the FQDN or user FQDN.

Alternate Workaround: Configure the peer to send the identity as an IP address or Distinguished Name (DN).

CSCeb57474

Symptoms: A Cisco feature board may not come up after a system reload.

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.3(2)T.

Workaround: There is no workaround.

CSCeb57571

Symptoms: Bulk updates on a Cisco router do not occur.

Conditions: This symptom is observed on a Cisco router if the configuration is downloaded from the auto configuration (auto_config) file on the Processor Switch Module (PXM).

Workaround: Switch over to a redundant Route Processor Module (RPM).

CSCeb58830

Symptoms: When an originating gateway (OGW) has the fax protocol t38 fallback none dial-peer configuration command enabled and the terminating gateway (TGW) is not configured for fax, a fax call fails, which is proper behavior. However, when Session Initiation Protocol (SIP) sends a negative acknowledgment (NAK) response to the "FAX_START" event that was sent by the voice telephony service provider (VTSP), the VTSP may continue to send "FAX_START" events, even after it has received the NAK response. This situation continues for a while before the fax call is finally disconnected.

Conditions: This symptom is observed when a SIP T.38 fax call is made between a Cisco AS5300 that functions as an OGW and another Cisco AS5300 that functions as a TGW.

Workaround: There is no workaround.

CSCeb59201

Symptoms: A start accounting request is not sent for a redundant dial peer when the primary dial peer fails.

Conditions: This symptom is observed on a Cisco AS5300.

Workaround: There is no workaround.

CSCeb59210

Symptoms: Software bus errors may occur at the "DEADBEEF" invalid address when you configure extended access control lists (ACLs) on a Cisco 7400 series, and the following error message may be displayed:

System returned to ROM by bus error at PC 0x6050CDBC, address 0xDEADBEFB

Conditions: This symptom is observed on a Cisco 7400 series that is running Cisco IOS Release 12.2(15)T2 but may also occur in other releases.

Workaround: There is no workaround.

CSCeb59595

Symptoms: A Cisco router that uses RSA-SIG authentication for Internet Key Exchange (IKE) stops responding because of a watchdog timeout of the crypto certificate authority (CA) process.

Conditions: This symptom is observed if the watchdog timeout occurs when the router receives a sudden barrage of certificate revocation list (CRL) update requests from several peers simultaneously.

Workaround: Make sure that the CRL update requests from the peers are staggered.

CSCeb59710

Symptoms: All of the extended Multiprotocol Label Switching (MPLS) ATM (XTagATM) interfaces may flap on a label switch controller (LSC).

Conditions: This symptom is observed when an edge label switch router (LSR) resets or when ATM Services (AXSM) trunks flap.

Workaround: There is no workaround.

CSCeb59738

Symptoms: The output from the show diag EXEC command indicates that a voice interface card (VIC-1J1) is an unknown card.

Conditions: This symptom is observed on a Cisco router that has a VIC-1J1.

Workaround: There is no workaround.

CSCeb60179

Symptoms: There may not be an E1 R2 variant to support an interconnection with a PBX.

Conditions: This symptom is observed on a Cisco AS5400.

Workaround: There is no workaround.

CSCeb60340

Symptoms: In a T.38 fax relay test environment, the accounting records display an 8 second difference in the disconnection time between the IP leg and the telephony leg of the call.

Conditions: This symptom is observed when an originating fax machine loses power or its connection while a fax is being transmitted.

Workaround: There is no workaround.

CSCeb60589

Symptoms: A Cisco router may reserve the incorrect amount of bandwidth in the flow reservation procedure. This can lead to incorrect Call Access Control (CAC) calculations and voice quality problems.

Conditions: This symptom is observed on a Cisco router that is configured with Resource Reservation Protocol (RSVP) in order to perform CAC and provide quality of service (QoS) to the Voice over IP (VoIP) traffic.

Workaround: Use another QoS feature instead of RSVP.

CSCeb61516

Symptoms: Very high CPU utilization (up to 99 percent) may occur on a Cisco router when you enter the clear pppoe interface interface-type interface-number all privileged EXEC command.

Conditions: This symptom is observed on a Cisco router that is configured with a large number of subinterfaces (32,000) and PPP-over-Ethernet (PPPoE) sessions (16,000).

Workaround: There is no workaround.

CSCeb61825

Symptoms: While a bandwidth class is congested, there may be extra latency available for another bandwidth class that is not congested.

Conditions: This symptom is observed on an enhanced ATM OC-3 port adapter (PA-A3) that is installed in a Cisco 7500 series on which distributed Class-Based Weighted Fair Queueing (dCBWFQ) is enabled.

Workaround: There is no workaround.

CSCeb62113

Symptoms: A directory gatekeeper may reload unexpectedly.

Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper when it receives a "RESPONSE LRQ" message from a Gatekeeper Transaction Message Protocol (GKTMP) server with only "i" (destination carrier ID) information in the "J" (carrier information) tag.

Workaround: There is no workaround.

CSCeb62381

Symptoms: Any packets that are locally generated by a Route Processor (RP) or Route Switch Processor (RSP) may not be properly forwarded over a Multiprotocol Label Switching (MPLS) traffic engineering (TE) Fast Reroute (FRR) backup tunnel.

Conditions: This symptom is observed on any Cisco platform that has a distributed architecture such as a Cisco 7500 series and a Cisco 12000 series when the Cisco Express Forwarding (CEF) adjacency for the primary TE tunnel appears to be incomplete, as can be displayed in the output of the show adjacency type number EXEC command when you enter the primary TE tunnel interface for the type and number arguments.

Workaround: There is no workaround.

CSCeb62876

Symptoms: A Cisco router may continue to send 64-bit counters in authentication, authorization, and accounting (AAA) records when it no longer should do so. These counters may also be invalid.

Conditions: This symptom is observed for certain TCP-Clear connections.

Workaround: There is no workaround.

CSCeb63310

Symptoms: A Cisco router may reload unexpectedly.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(17), later releases of Release 12.2, or Release 12.3. The interface of the router has an output service policy attached, and the bandwidth interface configuration command or the fair-queue interface configuration command is configured in the policy map attached by the service-policy router configuration command. The traffic is flowing through the interface at a fast rate. The router reloads under the following conditions:

The interface has the ip rsvp bandwidth interface configuration command configured, and the router reloads when you enter the no ip rsvp bandwidth interface configuration command.

The interface does not have the ip rsvp bandwidth interface configuration command configured, and you issue the ip rsvp bandwidth interface configuration command.

You issue the ip rtp reserve lowest-udp-port range-of-ports interface configuration command.

In all three situations, a service policy that is configured with the bandwidth or fair-queue command is attached to the interface.

Workaround: Shut down the interface before issuing the above commands. Enable the interface again after issuing the commands.

CSCeb63465

Symptoms: If an originating gateway (OGW) advertises payload type 13 or 19 for comfort noise in Session Description Protocol (SDP) of an "Invite" message, and the terminating gateway (TGW) does not indicate its support in SDP of its response to the OGW, the OGW may continue to generate comfort-noise packets to fill up periods of silence.

Conditions: This symptom is observed when an outbound Voice over IP (VoIP) dial peer has voice activity detection (VAD) configured and when the OGW advertises payload type 13 or 19 in SDP of its "Invite" message.

Workaround: Disable comfort-noise generation on the OGW by entering the no vad dial-peer configuration command. However, doing so does not facilitate the negotiation of comfort-noise packet generation.

CSCeb63779

Symptoms: An outgoing Large Scale Dial-Out (LSDO) call may not be forwarded to other Stack Group Bidding Protocol (SGBP) members from a network access server (NAS) that has all of its trunks down.

Conditions: This symptom is observed on a Cisco NAS that is configured with SGBP, and that is running Cisco IOS Release 12.2(15)T2.

Workaround: There is no workaround.

CSCeb64165

Symptoms: Internet Key Exchange (IKE) fails if the crl optional ca-identity configuration command is configured on a Cisco router.

Conditions: This symptom is observed on a Cisco router that has IKE configured. If the crl optional command is changed to the crl mandatory command on an nsca-r1 trustpoint, IKE does not fail.

Workaround: Do not configure the crl optional command.

CSCeb64380

Symptoms: Public keys may be lost from a key ring on a Cisco router, preventing the command-line interface from parsing the configuration when the router boots up.

Conditions: This symptom is observed after the router has reloaded and when there are multiple Rivest, Shamir, & Adleman (RSA) public keys in the key ring.

Workaround: There is no workaround.

CSCeb64476

Symptoms: When an interdigit timeout occurs, an incoming call may be rejected when the translation rule for the called number is defined under a voice port or in the ephone-dn global configuration command.

Conditions: This symptom is observed when the incoming call is controlled by an interactive voice response (IVR) application. The symptom occurs because no outbound dial-peer matching is invoked when the translation of the called number fails when the interdigit timeout occurs.

Workaround: When the translation rule for the called number is defined in the ephone-dn global configuration command, there is no workaround. When the translation rule for the called number is defined under a voice port, define the "default.c.old" application on an inbound dial peer.

CSCeb64535

Symptoms: The Calling Line ID (CLID) and dialed number identification service (DNIS) information reported in the authentication, authorization, and accounting (AAA) accounting records for RADIUS as Calling-Station-ID and Called-Station-ID may not be accurate.

Conditions: This symptom is observed in a mixed dial-in and dial-out environment in which Large-Scale Dial-Out (LSDO) is used. Some LSDO accounting records contain the number of a different dial-in call. Some dial-in calls report the Called-Station-ID from a previous dial-out call as their Calling-Station-ID.

These symptoms are caused by the network access server (NAS) allocating the same AAA ID to different calls. The output from the debug radius privileged EXEC command sometimes shows the same AAA ID for both calls.

Workaround: There is no workaround.

CSCeb64745

Symptoms: An L2TP access concentrator (LAC) may stop processing Routing Information Protocol (RIP) updates on all its interfaces.

Conditions: This symptom is observed when you enter the show running-config privileged EXEC command for a large configuration.

Workaround: There is no workaround. After the output of the show running-config privileged EXEC command is displayed, the LAC continues to process RIP updates.

CSCeb64844

Symptoms: A Cisco voice gateway that has the voice translation-rule global configuration command enabled may not accept a correct translation rule and may generate a syntax error message. If the voice translation rule that is defined in the voice translation-rule global configuration command is accepted, it may incorrectly strip off the last character in the replacing string.

Conditions: This symptom is observed on a Cisco voice gateway that runs a Cisco IOS release that is listed in the "First Fixed-in Version" field at the following location:

http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb37190

Workaround: There is no workaround.

CSCeb65316

Symptoms: After a Cisco gateway reloads, only the first 24 channels initialize.

Conditions: This symptom is observed on a Cisco gateway that uses Media Gateway Control Protocol (MGCP).

Workaround: There is no workaround.

CSCeb65512

Symptoms: Not all of a MIB may be delivered over the CNS Event Bus.

Conditions: This symptom is observed when the MIB is large.

Workaround: There is no workaround.

CSCeb65637

Symptoms: A call setup to an IP network may be delayed or rejected.

Conditions: This symptom is observed when a Tool Command Language (Tcl) interactive voice response (IVR) application attempts to set up a call without specifying the incoming leg. A call setup without an incoming call leg results in an H.225 "setup" message or Registration, Admission, and Status (RAS) protocol admission message with zeros in the callIdentifier field.

Workaround: Set up a call with an incoming leg.

Alternate Workaround: Assuming that the generated globally unique identification (GUID) does not affect the billing system or the remote endpoint, enter the set callinfo TCL IVR API command to generate a new conference ID and call ID.

CSCeb65671

Symptoms: An incorrect virtual circuit (VC) disposition label may be generated, causing packets to drop.

Conditions: This symptom is observed when VC label attributes, such as a control word setting or a VC type, do not match on a pseudowire.

Workaround: Toggle the interface on which the pseudowire is configured by entering the shutdown interface configuration command followed by the no shutdown interface configuration command.

CSCeb66080

Symptoms: A Cisco AS5850 with a Synchronous Transport Module level 1 (STM-1) board cannot support a network access server (NAS) on more than 29 Engine 1 (E1) controllers.

Conditions: This symptom is observed on a Cisco AS5850 with an STM1 that is configured for use with the Media Gateway Control Protocol (MGCP). The STM1 has a total of 63 E1 controllers. The system correctly accepts the configuration up to 29 E1 controllers. Starting from the thirtieth E1, the system does not apply the extsig mgcp controller configuration command. The system accepts the command without giving an error message, but the command is not applied to the controller.

Workaround: There is no workaround.

CSCeb66174

Symptoms: The Media Gateway Control Protocol (MGCP) is too slow in acknowledging the delete connection (DLCX) parameter on a Cisco AS5400. The output of the show mgcp stat EXEC command indicates that the CreateConn rx counter is increasing.

Conditions: This symptom is observed when a DLCX is received on a Cisco AS5400 under a heavy call volume with calls on different slots but on the same port number and DS0 number.

Workaround: There is no workaround. The symptom will clear when the call volume decreases.

CSCeb66265

Symptoms: A dial-on-demand routing (DDR) connection via a 2-port serial WAN interface card (WIC-2T) may fail because data set ready (DSR) drops occur after a chat script completes successfully. PPP may fail to start on the router that you dial up from; the router that you dial in to may not receive any PPP packets.

Conditions: This symptom is observed when you dial out from a Cisco 3745 that runs Cisco IOS Release 12.2(15)T5 or Release 12.3.

Workaround: Enter the no ppp microcode interface configuration command on the interface of the WIC-2T that you dial out from.

CSCeb66781

Symptoms: When a spurious memory access occurs in a Cisco router, the CPU utilization may increase to 100 percent, all of which may be reported as interrupt processing time.

Conditions: This symptom is observed on a Cisco 831 and Cisco 837 that function in a Dynamic Multipoint Virtual Private Network (DMVPN) configuration.

Workaround: There is no workaround.

CSCeb66825

Symptoms: A Cisco 7200 series may reload unexpectedly during a service-policy configuration.

Conditions: This symptom is observed when you attach a level 2 policy map as a child of a level 1 policy map and when the level 1 policy map is already attached to an interface.

Workaround: Create a level 3 policy map, and attach it to the interface.

CSCeb67268

Symptoms: A Cisco router may reload with a "pppoa_set_error" when the PPP over ATM (PPPoA) context is freed (poisoned) while sessions are being established.

Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.2(15)T2. There are two situations in which this symptom can occur:

When there is high CPU utilization that is caused by the vtemplate background manager that occurs because a large number of PPPoA sessions are brought up and down quickly.

When sessions are coming up, but after the vtemplate request is sent and before the response is received, the permanent virtual circuit (PVC) is deconfigured. When the vtemplate response comes back, the pppoa_context is already freed.

Workaround: There is no workaround.

CSCeb67939

Symptoms: A Systems Network Architecture (SNA) switch may fail to write the Physical Unit (PU) name in an "unbind" response, and internal buffer corruption may occur.

Conditions: This symptom is observed on a Cisco router that functions as an SNA switch when an "unbind" request is received and an "unbind" response is sent.

Workaround: There is no workaround.

CSCeb68162

Symptoms: A Cisco router may display the following error message:

CNS XML Parser: Tag <config-pwd> not allowed as root

Conditions: This symptom is observed when you perform an initial Cisco Networking Services (CNS) configuration. When you resynchronize a password in conjunction with the initial CNS configuration, the CNS configuration may not take and the router may not be able to connect to a Cisco IE2100 series.

Workaround: Do not perform an initial CNS configuration. Rather, configure the router manually.

CSCeb68179

Symptoms: When you enter the cns config initial global configuration command on a Cisco router, the connectivity may be interrupted.

Conditions: This symptom is observed when the cns config connect-intf global configuration command is enabled. When the symptom occurs, the existing configuration is overwritten by the configuration of the cns config connect-intf global configuration command.

Workaround: Disable the cns config connect-intf global configuration command before you enter the cns config initial global configuration command.

CSCeb68198

Symptoms: When you enter the cns image retrieve privileged EXEC command, the console EXEC prompt may be lost.

Conditions: This symptom is observed on a Cisco router when applications of an image server continually send information to the Cisco Networking Services (CNS) Image Agent. This situation causes the session to be permanently open and the console EXEC prompt to be permanently shut.

When you connect to the router via a Telnet port and disable the CNS Image Agent, you do not get the console EXEC prompt back, and a traceback is generated.

Workaround: If this is an option, shut down the server applications to enable the CNS Image Agent to reset itself when the session times out.

CSCeb68412

Symptoms: This caveat concerns a Cisco router that functions as a DHCP relay agent for DHCP clients that are connected via ATM or serial unnumbered interfaces and that adds host routes to all the DHCP clients on the unnumbered interfaces when the clients receive a new IP address. The router may reload unexpectedly when a database agent is configured to store these routes.

Conditions: This symptom is observed under very rare circumstances on a Cisco router that runs Cisco IOS Release 12.1 T, Release 12.2, or Release 12.2 T when the DHCP database agent attempts to write all route information to a server, the route timer expires, and the route is freed. In this situation, when the DHCP database agent accesses the freed route, the router reloads.

Workaround: Do not configure a database agent.

CSCeb70912

This caveat exhibits several symptoms, each of which has a distinct cause and workaround. All symptoms have the following precondition: The router is configured with the Per VRF AAA feature and is downloading information from a RADIUS server. The aaa authorization template global configuration command is used.

Symptoms 1: A Cisco router may return to ROM monitor (ROMmon) by bus error.

Conditions 1: This symptom occurs when a RADIUS server vendor-specific attribute (VSA) in a user profile is not fully parsed. This can happen if the RADIUS server VSA is malformed, or if the router is unable to allocate storage for one of many data structures associated with the method list, server group, or server.

Workaround 1: If the VSA is malformed, correct the RADIUS user profile so that the RADIUS server VSA is correctly formatted. Permissible formats are:

Cisco:Cisco-Avpair = N: "aaa:rad-serv=A.B.C.D auth-port X acct-port Y key Z retransmit V timeout W"

Cisco:Cisco-Avpair = :N: "aaa:rad-serv=A.B.C.D auth-port X acct-port Y key Z retransmit V timeout W"

Cisco:Cisco-Avpair = "aaa:rad-serv#N=A.B.C.D auth-port X acct-port Y key Z retransmit V timeout W"

The following parameters must be present in order to ensure proper function:

The A.B.C.D must be a valid IP address.

The auth-port and acct-port must be valid UDP port values.

The following parameters are optional, provided that a global default is configured on the router:

The key must be a plain text string containing no spaces.

The retransmit value must be zero through 100, inclusive.

The timeout value must be one through 1000, inclusive.

The group number (represented by N in the above example) must be at least 1 and not more than 31.
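The format rules above can be checked before a user profile is deployed to the RADIUS server. The following is an added example, not part of the Cisco release notes: the function name check_rad_serv and the sample lines are constructed for illustration, and the 1 through 65535 range used for "valid UDP port values" is an assumption.

```python
import ipaddress
import re

# Matches the three permissible forms: N: "...", :N: "...", and "aaa:rad-serv#N=..."
AVPAIR_RE = re.compile(
    r'^\s*Cisco:Cisco-Avpair\s*=\s*'
    r'(?::?(?P<tag>\d+):\s*)?'              # "N:" or ":N:" prefix carrying the group number
    r'"aaa:rad-serv(?:#(?P<hash>\d+))?='    # "#N" carrying the group number
    r'(?P<body>[^"]*)"\s*,?\s*$'
)

# keyword -> (lowest, highest, required). Port range is an assumption (see lead-in).
NUMERIC = {
    "auth-port": (1, 65535, True),
    "acct-port": (1, 65535, True),
    "retransmit": (0, 100, False),
    "timeout": (1, 1000, False),
}


def check_rad_serv(line):
    """Return a list of problems found in one rad-serv AV pair (empty list = OK)."""
    m = AVPAIR_RE.match(line)
    if not m:
        return ["not one of the three permissible rad-serv formats"]

    problems = []
    groups = [g for g in (m.group("tag"), m.group("hash")) if g is not None]
    if len(groups) != 1:
        problems.append("exactly one group number (N) is expected")
    elif not 1 <= int(groups[0]) <= 31:
        problems.append(f"group number {groups[0]} outside 1..31")

    tokens = m.group("body").split()
    if not tokens:
        return problems + ["missing server address"]
    try:
        ipaddress.IPv4Address(tokens[0])
    except ValueError:
        problems.append(f"invalid IP address {tokens[0]!r}")

    # The remainder is a sequence of "keyword value" pairs.
    seen = {}
    rest = tokens[1:]
    i = 0
    while i < len(rest):
        name = rest[i]
        if name != "key" and name not in NUMERIC:
            problems.append(
                f"unexpected token {name!r} (unknown keyword, or a key containing spaces)"
            )
            i += 1
            continue
        if i + 1 >= len(rest):
            problems.append(f"{name} has no value")
            break
        if name in seen:
            problems.append(f"{name} given more than once")
        seen[name] = rest[i + 1]
        i += 2

    for name, (low, high, required) in NUMERIC.items():
        value = seen.get(name)
        if value is None:
            if required:
                problems.append(f"{name} is missing")
        elif not value.isdecimal() or not low <= int(value) <= high:
            problems.append(f"{name} {value!r} outside {low}..{high}")
    return problems


# Constructed sample profile lines (192.0.2.0/24 is a documentation range).
SAMPLES = [
    'Cisco:Cisco-Avpair = "aaa:rad-serv#1=192.0.2.10 auth-port 1645 acct-port 1646 '
    'key s3cret retransmit 3 timeout 5"',
    'Cisco:Cisco-Avpair = :2: "aaa:rad-serv=192.0.2.10 auth-port 1812 acct-port 1813"',
    'Cisco:Cisco-Avpair = "aaa:rad-serv#32=192.0.2.300 auth-port 1645 '
    'key my secret retransmit 101 timeout 0"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_rad_serv(sample)
        print("OK " if not result else "BAD", sample)
        for problem in result:
            print("     -", problem)
```

Omitting key, retransmit, or timeout passes the check because those parameters are optional when a global default is configured on the router; the script cannot confirm that the default exists.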

Symptoms 2: The router uses the retransmit value from the RADIUS server VSA as the timeout, and the timeout from the RADIUS server VSA as the number of retransmits.

Conditions 2: This symptom occurs any time the router receives a RADIUS server VSA containing the retransmit or timeout parameters or both.

Workaround 2: Either omit the retransmit and timeout parameters from the VSA, using the global defaults on the router, or swap the two values.

Symptoms 3: The show memory | inc AAA Server handle command will show a steadily increasing number of server handles allocated. Roughly 800 bytes will be consumed for each RADIUS server attribute parsed as part of a downloaded template. An additional roughly 900 bytes will be consumed for each downloaded template in Cisco IOS images which have CSCea85517 integrated. Eventually, all memory on the router will be consumed.

Conditions 3: This symptom occurs any time the RADIUS server VSA is used in a downloaded template to tell the router which RADIUS server to use.

Workaround 3: If you are using a Cisco IOS image which does not have CSCea85517 integrated, and the configuration of local templates is practical, then you can configure local templates instead of downloading them from a RADIUS server.

For example, if you had a template defined on your RADIUS server as:

example.com Password = "EXAMPLE"

Service-Type = Outbound,

Cisco:Cisco-Avpair = "aaa:rad-serv#1=a.b.c.d auth-port XXXX acct-port YYYY key ZZZZZ"

Cisco:Cisco-Avpair = :1:"aaa:rad-serv-vrf=examplevrf",

Cisco:Cisco-Avpair = "template:ppp-authen-type=chap"

Cisco:Cisco-Avpair = "template:ppp-authen-list=group 1",

Cisco:Cisco-Avpair = "template:ppp-author-list=group 1",

Cisco:Cisco-Avpair = "template:ppp-acct-list=start-stop group 1",

Cisco:Cisco-Avpair = "template:ip-vrf=examplevrf"

Cisco:Cisco-Avpair = "template:ip-unnumbered=Loopback 1"

you would instead configure the following:

aaa authorization network default local

radius-server host a.b.c.d auth-port XXXX acct-port YYYY

aaa group server radius example_servers

server a.b.c.d

ip vrf forwarding examplevrf

aaa authentication ppp example_list group example_servers

aaa authorization network example_list group example_servers

aaa accounting network example_list group example_servers

template example.com

ppp authentication chap example_list

ppp authorization example_list

aaa accounting delay-start

aaa accounting send stop-record authentication failure

interface virtual-template 1

ip vrf forwarding examplevrf

ip unnumbered Loopback 1

ppp authentication chap

CSCeb72196

Symptoms: On a terminating PPP over ATM (PPPoA) interface, the input byte count may be incorrect when virtual-access subinterfaces are used. The input byte count on the physical interface is correct, but the reported value in the virtual-access subinterface is higher than it should be.

Conditions: This symptom is observed on a Cisco 6400 series node route processor (NRP) that is running Cisco IOS Release 12.3(1a) and that uses virtual-access subinterfaces.

Workaround: There is no workaround.

CSCeb73053

Symptoms: A device is unable to authenticate itself to the PPP peer using local authentication if the interface is not configured with authentication parameters (username and password).

Conditions: This symptom is observed if the peer requests that the device authenticate itself and the corresponding protocol configuration is not present on the interface (for example, ppp pap sent-username or ppp chap password). The session is not established.

Workaround: Enable ppp pap sent-username or ppp chap password on the interface.

Alternate Workaround: Use TACACS+ for mutual bidirectional authentication.

CSCeb73055

Symptoms: Network authorizations may fail for locally authenticated sessions.

Conditions: This symptom is observed for network authorizations for PPP sessions if the user is authenticated locally and the authorization method list contains the radius keyword.

Workaround: Use separate lists for local and RADIUS authorization.

CSCeb73070

Symptoms: An E1 PRI controller that is configured for 4-bit cyclic redundancy check (CRC-4) may not set the spare bits (SA4-SA7) in timeslot 0 to one when not in use. The network side expects a one on the spare bits and may treat this situation as an error condition.

Conditions: This symptom is observed on a Cisco ICS 7750 Multiservice Route Processor (MRP).

Workaround: Each time the MRP reboots, enter the framing no-crc4 controller configuration command followed by the framing crc4 controller configuration command on the E1 PRI controller.

CSCeb73128

Symptoms: Voice calls that use telephony channel associated signaling (CAS) may fail to complete. In the case of PRI telephony signaling, the voice calls do complete, but there is no audio path. In the latter case, both the calling and called parties hear dead air.

Conditions: These symptoms are observed on a Cisco 2600 or Cisco 2600XM voice gateway that has an AIM-ATM-VOICE-30 or AIM-VOICE-30 AIM module when the user tries to terminate voice calls on a T1/E1 voice WAN interface card (VWIC) that is inserted into an NM-2W Network Module (NM). All appropriate network clocking may be configured on the voice gateway, but the output of the show tdm connection aim 0 and show tdm connection slot 1 EXEC commands indicates that no Time Division Multiplexing (TDM) connections exist between the AIM VOICE card, the T1/E1 VWIC, and the NM-2W.

Workaround: There is no workaround when the T1/E1 VWIC is installed on an NM-2W. The VWIC must be installed on one of the Cisco 2600 or Cisco 2600XM WIC slots, and appropriate network clocking must be configured in order for voice services to work as expected.

CSCeb73681

Symptoms: The main High-Speed Serial Interface (HSSI) interface flaps when you enter the map-class frame-relay global configuration command on a subinterface.

Conditions: This symptom is observed only when map class contains both traffic shaping and Random Early Detection (RED).

Workaround: Use only traffic shaping under the map-class.

CSCeb74637

Symptoms: When you upgrade the Cisco IOS release on a Cisco MGX Route Processor Module-PRemium (RPM-PR) and the firmware on the Processor Switch Module (PXM), and you reload the RPM-PR, the startup configuration may disappear.

Conditions: This symptom is observed when you perform a major upgrade (for example, from Cisco IOS Release 12.1 to Release 12.2) and when, after the upgrade, you do not save the configuration before you add redundancy by entering the addred command.

Workaround: After the upgrade, save the configuration before you enter the addred command.

CSCeb75646

Symptoms: After you change the configuration on a Cisco router, a Voice over IP (VoIP) call may fail.

Conditions: This symptom is observed only for the DS0 controller group.

Workaround: After you have changed the configuration, reload the router.

CSCeb75824

Symptoms: A Cisco 7200 series router with a Network Processing Engine (NPE-G1) may pause indefinitely on bootup if there is no Compact Flash Card in the disk2: device slot.

Conditions: This symptom is observed only with an NPE-G1 on a Cisco 7200 series. It does not affect any other Cisco 7200 series NPE.

Workaround: Insert a Compact Flash Card into the disk2: device slot and power-cycle the router. The Compact Flash Card does not need to contain any particular files; however, a copy of the desired Cisco IOS image is recommended.

CSCeb75954

Symptoms: A Cisco Route Processor Module (RPM) may reload when the segmentation and reassembly (SAR) autorecovery feature is enabled and the oam-pvc manage 0 command is entered for the permanent virtual circuits (PVCs).

Conditions: This symptom is observed on an RPM that is enabled with the SAR autorecovery feature.

Workaround: Specify the Operation, Administration, and Maintenance (OAM) management frequency instead of using the oam-pvc manage 0 command.

CSCeb75982

Symptoms: In a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) environment, if you enter the ping vrf EXEC command toward the directly connected interfaces of a neighbor's provider edge (PE) router, the ping may fail.

Conditions: This symptom is observed when aggregate routes on Cisco routers are pinged.

Workaround: The ping will be successful if you select options when you enter the ping vrf EXEC command.

CSCeb76024

Symptoms: The Generic Transparency Descriptor (GTD) data that is printed to the console when the debug gtd events command is enabled may contain incorrect information for the channel-associated signaling (CAS) countries Thailand, China, Vietnam, and Venezuela. The incorrect values are the calling party category (CPC) (00 instead of 09), the unknown field compatibility (UFC) (222 instead of 221), and the backward call indicator (BCI) (BCI,u,u,u,n,n,y,n,n,n,n,u instead of BCI,y,f,u,n,n,y,n,n,n,n,u).

Conditions: This symptom is observed on a Cisco AS5400 in an R2 signaling environment with the following call-flow topology:

A call generator connects via R2 signaling to a Cisco AS5400 that connects via H.323 to another Cisco AS5400. This second Cisco AS5400 connects via R2 signaling to another call generator.

The symptom occurs when you configure the test environment for Thailand, China, Vietnam, or Venezuela, you configure CAS variants, and you make a call.

Workaround: There is no workaround.

CSCeb76341

Symptoms: A label may not be assigned for a peer provider edge (PE) router.

Conditions: This symptom is observed on a Cisco 7500 series and a Cisco 12000 series in a Virtual Private Network (VPN) configuration with multiple route reflectors (RRs) and label controlled ATM (LC-ATM) links between PE routers. The symptom may also occur on other platforms.

Workaround: There is no workaround.

CSCeb76511

Symptoms: A memory leak may occur when a Gatekeeper Transaction Message Protocol (GKTMP) server provides alternate endpoints.

Conditions: This symptom is observed on a Cisco router that functions as a gatekeeper.

Workaround: Do not use a GKTMP server to provide alternate endpoints. If you must use a GKTMP server, check the memory consumption of the gatekeeper regularly, and reload the router when the amount of free (processor) memory is low.

CSCeb76642

Symptoms: A Cisco router may reload when you enter the show ip cef non-recursive detail EXEC command.

Conditions: This symptom is observed when any show command attempts to display information about tag rewrite entries while the tag rewrite entries are being deleted by route updates.

Workaround: Do not enter any show command to display tag rewrite entries when many route updates occur.

CSCeb76863

Symptoms: A Cisco AS5850 may not be able to play a tone after two telephony legs have been unbridged.

Conditions: This symptom is observed under the following circumstances:

The Cisco AS5850 is configured for Tool Command Language (Tcl) interactive voice response (IVR) call redirection with an incoming telephony leg and an outgoing leg that faces the telephony side.

ISDN signaling indicates that an inband alert will be sent.

A call disconnect message occurs for the outgoing leg.

The TCL IVR script can instruct the incoming leg to play a busy tone to indicate that the outgoing call has failed. However, in this case, the IVR infrastructure has internally released the digital signal processor (DSP) when the legs are bridged to pass the inband alert signals. When the DSP is released, subsequent play-tone commands are ignored.

Possible Workaround: Ensure that the call disconnect message for the outgoing leg occurs before the alert event.

CSCeb77203

Symptoms: When the radius-server attribute 8 include-in-access-req global configuration command is entered on a RADIUS server, attribute 8 (Framed-IP-Address) is not included in the access request.

Conditions: This symptom is observed on a RADIUS server that is running Cisco IOS Release 12.2(15)T5.

Workaround: There is no workaround.

CSCeb77239

Symptoms: A Systems Network Architecture Switching Services (SNASw) router pauses indefinitely when a LOCATE variable is received from a third-party vendor platform. From the data link control (DLC) trace entry in the LOCATE field, the order in which general data stream (GDS) variables are received from the third-party vendor platform is different from what the SNASw router expects.

Conditions: This symptom is observed on a Cisco SNASw router that is attached to a third-party vendor platform.

Workaround: There is no workaround.

CSCeb77933

Symptoms: A Cisco AS5850 router with a channelized T3 port adapter (CT3) controller shows the incorrect D channel interface name.

Conditions: This symptom is observed on a Cisco AS5850 router that is configured with a CT3 controller and that is running Cisco IOS Release 12.3(2)T or Release 12.3(3).

Workaround: There is no workaround.

CSCeb78143

Symptoms: A router may reload if tunnel protection is configured on the interface tunnel and flow switching is enabled on the router.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(2.3a) when the tunnel protection ipsec profile name interface configuration command is configured on the interface tunnel and flow switching is enabled on the router.

Workaround: Disable flow switching on the interface tunnel.

CSCeb78434

Symptoms: A Media Gateway Control Protocol (MGCP) gateway may send Restart In Progress (RSIP) messages with a very low delay to a call agent (CA), and with a low delay between the RSIP messages. The delay may be much less than one second, which is the minimum value that is permitted by the MGCP standard. The resulting flood of RSIP messages may cause the CA to overload, and may prevent the overloaded CA from recovering.

Conditions: These symptoms are observed on a Cisco AS5400 that has not received a timely acknowledgement (ACK) response to a delete connection (DLCX) message that the Cisco AS5400 sent to the call agent (CA); an overloaded CA may send highly delayed responses.

Workaround: There is no workaround.

CSCeb78526

Symptoms: A Cisco 7500 series router that is running LAN Emulation (LANE) and switched virtual circuits (SVCs) may experience a reload caused by a bus error, and the following error message may appear:

System returned to ROM by bus error at PC 0xXXXXXXXX

Conditions: This symptom is observed on a Cisco 7500 series router with a PA-A3-OC3MM ATM port adapter that is running Cisco IOS Release 12.2(15)T5 or a later release.

Workaround: There is no workaround.

CSCeb78578

Symptoms: A virtual circuit (VC) between two provider edge (PE) routers may not come up.

Conditions: This symptom is observed after you have changed the VC ID in an Xconnect configuration.

Workaround: On both PE routers, delete the Xconnect configuration and reconfigure the Xconnect configuration with the new VC.

CSCeb78680

Symptoms: An Integrated Services Adapter (ISA) may reset and lose its security associations (SAs) or may reload unexpectedly.

Conditions: These symptoms are observed on a Cisco 7200 series that is configured with an ISA when packet memory buffer starvation occurs and when a buffer allocation failure occurs for the Internet Key Exchange (IKE) command path.

Workaround: Do not use an ISA. Rather, use a Virtual Private Network Acceleration Module (VAM).

First Alternate Workaround: Reduce the traffic volume.

Second Alternate Workaround: Remove the bottleneck for the egress packets.

CSCeb78836

Symptoms: Cisco IOS software may cause a Cisco router to reload unexpectedly when the router receives a malformed H.225 setup message.

Conditions: This symptom is observed on a Cisco 1700 series that runs Cisco IOS Release 12.2(13c). The symptom occurs when the following debug privileged EXEC commands are enabled:

debug h225 asn1

debug h225 events

debug h225 q931

Workaround: There is no workaround.

CSCeb79184

Symptoms: When you enter the snmpwalk command for the CISCO-AAL5-MIB MIB via a permanent virtual circuit (PVC) bundle, the command output may not display the ATM adaptation layer 5 (AAL5) "entity-specific" information in the cAal5VccTable.

Conditions: This symptom is observed on a Cisco 7200 series router that runs Cisco IOS Release 12.2(15)T5 but may also occur in other releases. The symptom does not occur when you enter the snmpwalk command for the CISCO-AAL5-MIB MIB via a regular PVC.

Workaround: Log into the router and enter a show interfaces command to get the required information.

CSCeb79421

Symptoms: A standby Enhanced Route Switch Controller (ERSC) reloads when a multichannel STM-1 port adapter card is configured.

Conditions: This symptom is observed on a Cisco ERSC when the extsig mgcp controller configuration command is entered.

Workaround: Save the configuration and reload the router.

CSCeb79576

Symptoms: An outgoing label may not be installed in the Label Forwarding Information Base (LFIB) for an IP version 4 (IPv4) prefix.

Conditions: This symptom is observed when the prefix is learned via a Border Gateway Protocol (BGP) session. This situation may occur when the prefix is deleted in the Label Information Base (LIB) and not allocated to any local label binding.

Workaround: There is no workaround.

CSCeb79911

Symptoms: Backward explicit congestion notification (BECN) packets may be dropped by an Any Transport over Multiprotocol Label Switching (AToM) tunnel.

Conditions: This symptom is observed when you configure AToM in the network core, the network core contains Frame Relay interfaces, and BECN is enabled.

Workaround: There is no workaround.

CSCeb80992

Symptoms: A Catalyst 6000 series Supervisor 2 may reload unexpectedly because of a bus error.

Conditions: This symptom is observed when access control list (ACL) counters are sent from a line card to the Route Processor (RP) and when the ACL number is in the expanded range (that is, from 1300 to 1999 or from 2000 to 2699).

Workaround: There is no workaround.

CSCeb83747

Symptoms: When a preexisting Data Encryption Standard (DES) key is changed, the block of memory that holds the old key is not cleared before the memory block is returned to the heap.

Conditions: This symptom is observed when you change a preexisting DES key by entering the key config-key 1 string router configuration command, in which the string argument consists of eight characters.

Workaround: There is no workaround.

CSCeb83824

Symptoms: A gateway may respond to a Session Initiation Protocol (SIP) proxy server with a 302 message ("Moved Temporarily") to an incoming SIP call that is redirected to a telephone that does not answer ("call-forward, no answer").

Conditions: This symptom is observed on a Cisco 3640 router that functions as a SIP gateway when the incoming SIP call is redirected toward the public switched telephone network (PSTN) and when the gateway fails to receive the redirect information in the redirect information element (IE).

Workaround: Remove the incoming called number from the matching Voice over IP (VoIP) dial peer.

CSCeb83891

Symptoms: A Cisco router ignores an ISDN User Adaptation (IUA) 0x508 (REL-REQ) message that is sent by a third party call agent. The router does not act upon or reject the message by taking down ISDN Layer 3.

Conditions: This symptom is observed on a Cisco AS5850.

Workaround: There is no workaround.

CSCeb84836

Symptoms: Data packets may be punted to the process path when user logon and logoff activity occurs.

Conditions: This symptom is observed in all of the Service Selection Gateway (SSG) images of Cisco IOS software under heavy load conditions.

Workaround: There is no workaround.

CSCeb85985

Symptoms: Simple Network Management Protocol (SNMP) values that are retrieved by the snmpget command may be inconsistent compared to the SNMP values that are shown on an interface.

Conditions: This symptom is observed on a Cisco 12000 series that runs in a Multiprotocol Label Switching (MPLS) environment when you use SNMP to retrieve various counter values from a Packet-over-SONET (POS) interface.

Workaround: There is no workaround.

CSCeb86270

Symptoms: In Cisco IOS software that is running Multiprotocol Label Switching (MPLS), the Label Distribution Protocol (LDP) peer address table may become corrupted and cause the router to reload.

Conditions: This symptom may be observed in situations where three or more routers have advertised the same IP address in LDP address messages. This normally happens when routers have been misconfigured but in very rare circumstances may be done deliberately.

The circumstance can be recognized by the presence of the following error message:

%TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.0.0.1 advertised by peer 10.2.2.2:0 is already bound to 10.1.1.1:0

If only one such message is seen for a given IP address—10.0.0.1 in the above example—then only two routers have advertised the IP address, and only the second is being treated as a duplicate. At least one more such message should be seen if at least three routers have advertised the IP address in question.

Workaround: The symptom does not occur in typical configurations because duplicate addresses are not configured. If such a configuration is accidentally done, the failure may be avoided if the configuration is corrected before the LDP session to any of the involved peers goes down. If the configuration is deliberate, there is no workaround.
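The recognition rule described for CSCeb86270, as an added example (not Cisco code): it scans syslog text for the %TAGCON-3-DUP_ADDR_RCVD message and reports addresses claimed by three or more distinct LDP identifiers. The timestamps and every log line other than the message format quoted above are constructed, and counting distinct LDP IDs rather than raw message counts is an assumption made so that a repeated message from one peer is not mistaken for a third router.

```python
import re
from collections import defaultdict

# Constructed sample syslog (not from a real device). Only the message
# format itself comes from the caveat text.
SAMPLE_LOG = """\
*Mar  1 00:05:12.103: %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.0.0.1 advertised by peer 10.2.2.2:0 is already bound to 10.1.1.1:0
*Mar  1 00:05:13.001: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:05:40.517: %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.0.0.1 advertised by peer 10.3.3.3:0 is already bound to 10.1.1.1:0
*Mar  1 00:06:02.250: %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.9.9.9 advertised by peer 10.2.2.2:0 is already bound to 10.4.4.4:0
*Mar  1 00:07:02.250: %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.9.9.9 advertised by peer 10.2.2.2:0 is already bound to 10.4.4.4:0
"""

DUP_ADDR = re.compile(
    r"%TAGCON-3-DUP_ADDR_RCVD: Duplicate Address (?P<addr>\S+) "
    r"advertised by peer (?P<peer>\S+) is already bound to (?P<owner>\S+)"
)


def advertisers_by_address(log_text):
    """Map each duplicated address to the set of LDP IDs that claimed it.

    Both the peer named as the duplicate advertiser and the peer the
    address is already bound to count as advertisers of that address.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = DUP_ADDR.search(line)  # search(): tolerate timestamp prefixes
        if m:
            seen[m["addr"]].update((m["peer"], m["owner"]))
    return dict(seen)


def classify(log_text):
    """Label each duplicated address.

    'at-risk'   : three or more distinct LDP IDs advertised the address,
                  which is the condition the caveat ties to the reload.
    'duplicate' : only two LDP IDs are involved; still a misconfiguration
                  worth correcting, but not the three-router condition.
    """
    result = {}
    for addr, peers in advertisers_by_address(log_text).items():
        result[addr] = "at-risk" if len(peers) >= 3 else "duplicate"
    return result


if __name__ == "__main__":
    peers = advertisers_by_address(SAMPLE_LOG)
    for addr, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{addr}: {label} ({', '.join(sorted(peers[addr]))})")
```

For an address reported as at-risk, the listed LDP IDs are the routers whose configuration should be corrected before any of the involved LDP sessions goes down, per the workaround.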

CSCeb87159

Symptoms: The CNS event agent does not detect when the connection to the server breaks.

Conditions: This symptom is observed when the CNS event agent service is configured by the cns event keepalive configuration command.

Workaround: There is no workaround.

CSCeb88084

Symptoms: A Parallel Express Forwarding (PXF) exception error message may be displayed, and the PXF processor may stop forwarding packets.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Service Engine 1 (NSE-1) and on a Cisco 7401 when PXF is enabled. The symptom occurs when traffic exceeds the configured quality of service (QoS) parameters and when the PXF processor drops packets, or when incoming IP traffic has a corrupted header.

Workaround: There is no workaround.

CSCec00165

Symptoms: Routing Information Protocol (RIP) route updates may be lost.

Conditions: This symptom is observed on a Cisco 10000 series when you remove more than 10,000 sessions.

Workaround: There is no workaround.

CSCec00268

Symptoms: A multilink interface may stop processing received packets.

Conditions: This symptom is observed on a Cisco 7500 series when Multilink PPP (MLP) is configured and when a lot of traffic is forwarded to the process-switching path.

Workaround: To clear the symptom, move the physical interfaces to a new multilink interface with a new interface number.

CSCec01776

Symptoms: An outbound access control list (ACL) may drop downstream traffic that is destined to travel via IP to a Layer 2 Tunneling Protocol (L2TP) tunnel.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Service Engine 1 (NSE-1) and on a Cisco 7401. The symptom occurs when the routers are configured as L2TP network servers (LNSs) that are functioning as L2TP termination session endpoints, when PXF is enabled, and when an outbound ACL is configured on a virtual-template interface.

Workaround: Use an inbound ACL instead of an outbound ACL.

Alternate Workaround: Use an inbound ACL that is configured on a physical input interface.

CSCec02101

Symptoms: Calls from a Cisco gateway to a third-party vendor platform work fine, but calls from the third-party vendor platform to the Cisco gateway do not go through. The output of the debug cch323 all privileged EXEC command shows the following information:

cch323_gw_process_read_socket: received msg for H.225

h225ParseData: Q.931 SETUP received on socket [1]

H225Lib::h225RecvData: TPKT does not contain a whole message. Partial message will be ignored.

cch323_h225_receiver: parse error RXDATA_NONE

Conditions: This symptom is observed when the third-party vendor platform connects via a LAN to the Cisco gateway. The decode error is caused by the incorrect position of a "Sending Complete IE" in the received packet. The "Sending Complete IE" should be the first information element (IE), but it is not.

Workaround: There is no workaround.

CSCec02454

Symptoms: Two routers that perform IP security (IPSec) with certificates fail to establish an Internet Security Association and Key Management Protocol (ISAKMP) tunnel, and the following error message may appear:

CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.0.1 is bad: CA request failed:

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(3).

Workaround: There is no workaround.

CSCec02543

Symptoms: A Cisco MGX Route Processor Module (RPM-XF) reloads when the microcode reload pxf privileged EXEC command is entered.

Conditions: This symptom is observed when the Parallel Express Forwarding (PXF) firmware filename that is provided is not actually PXF firmware. The symptom does not occur with valid filenames.

Workaround: Make sure that the PXF firmware filename used in the command is valid.

CSCec02642

Symptoms: A router may reload with a bus error if a quality of service (QoS) class map or policy map is renamed through modular QoS CLI (MQC) and a subsequent show memory EXEC command is issued.

Conditions: This symptom is observed in all Cisco IOS software releases on all Cisco platforms where the rename command is available under class map and policy map modes. It is observed in Cisco IOS Release 12.1(14)E, Release 12.2(12) and later releases. This symptom is not observed in Release 12.1. The symptom occurs after a global class map or policy map is renamed and a subsequent show memory EXEC command is issued.

Workaround: Avoid use of the rename command. Remove and recreate the class map or policy map instead.

CSCec03066

Symptoms: When you enter the no ipv6 route global configuration command, an IP version 6 (IPv6) static route that is deleted by the command may not be deleted from the IPv6 routing table.

Conditions: This symptom is observed when two IPv6 static routes, each with a different administrative distance, point to the same destination.

Workaround: Enter the clear ipv6 route ipv6-prefix/prefix-length privileged EXEC command to delete the IPv6 static route from the IPv6 routing table.

CSCec03782

Symptoms: A memory allocation failure may occur on compiled access control list (ACL) tables. There may be continued attempts to recompile the ACLs that fail.

Conditions: This symptom is observed when compiled ACLs are enabled by entering the access-list compiled global configuration command, and the total number of ACL entries is relatively large (over 1500 lines). Random or constantly changing traffic patterns may cause the compiled ACL tables to grow to the point at which memory fragmentation causes the memory allocation failure.

Workaround: Disable and then reenable the compiled ACLs by entering the no access-list compiled global configuration command followed by the access-list compiled global configuration command.

Alternate Workaround: Completely disable the compiled ACLs.

Second Alternate Workaround: ACLs may sometimes be rearranged to make the list shorter or less complex. This will reduce the memory requirements. Large ACLs used for Border Gateway Protocol (BGP) route prefixes may be converted to use a prefix list configuration instead.

CSCec04694

Symptoms: A gatekeeper may not be able to bind a circuit ID to an H.323 ID.

Conditions: This symptom is observed when an H.323 gateway (or terminal) deregisters from a gatekeeper and then reregisters with the gatekeeper. After the gateway has reregistered with the gatekeeper, the gatekeeper no longer has the circuit ID of the gateway.

Workaround: Bind the circuit ID to the H.323 ID by entering the endpoint circuit-id h323id gatekeeper configuration command. (You must enter the endpoint circuit-id h323id gatekeeper configuration command, even though the command still exists under the gatekeeper configuration.)

CSCec05383

Symptoms: An Internet Key Exchange (IKE) session may use certificate revocation list (CRL) configuration information from an incorrect trustpoint.

Conditions: This symptom is observed when you use CRLs and when the local trustpoint differs from the trustpoint that is used by a peer. In this situation, the IKE session uses the CRL configuration option ("crl optional, best effort") from the local trustpoint rather than from the trustpoint that is used by the peer.

Workaround: Use the same CRL configuration options for both trustpoints.

CSCec06230

Symptoms: A Cisco Catalyst 4224 Access Gateway Switch may reload with a segmentation violation (SegV) exception when a Tool Command Language (Tcl) interactive voice response (IVR) script is used.

Conditions: This symptom is observed on a Cisco Catalyst 4224 Access Gateway Switch that is running Cisco IOS Release 12.2(15)T5, Release 12.3, or Release 12.3 B.

Workaround: There is no workaround.

CSCec06275

Symptoms: The following error message may be displayed on the console of a Route Switch Processor (RSP):

%CBUS-3-CMDDROPPED: Cmd dropped,CCB 0xF800FFB0,slot 9, cmd code 24

Conditions: This symptom is observed on a Cisco 7500 series when software compression is enabled on serial interfaces and dialer interfaces and when Cisco Express Forwarding (CEF) switching rather than distributed CEF (dCEF) switching is enabled. This situation causes software compression to occur on the RSP.

Because software compression is enabled on all the serial interfaces, the CPU utilization of the RSP becomes very high, causing commands to be dropped.

Workaround: Remove software compression from the serial interfaces.

CSCec06547

Symptoms: When a Cisco router boots up, the following messages appear and the router is unusable:

Process= "MIPC Periodic Timer", ipl= 0, pid= 32

%PIF-3-READ_IMEM_ERROR: NULL response for READ_IMEM MIPC msg to, XPIF2

Process= "FDM Forwarding Stats Process", ipl= 0, pid= 35

%PIF-3-READ_PHY_ERROR: NULL response for PIF_PHY_REG_SEND_CMD MIPC msg to, XPIF2

Conditions: This symptom is observed on a Cisco AS5850 gateway that has a Route Switch Controller (RSC) card with revision 8.9 or later, and that is running Cisco IOS Release 12.2(11)T4, Release 12.2(11)T9, Release 12.3(1), Release 12.3(1a), or Release 12.3(3a).

Workaround: Load a Cisco IOS software image other than those listed in the Conditions section above onto the Cisco AS5850. Then, reload the gateway with the new Cisco IOS software image without turning the power off and on.

CSCec06852

Symptoms: A slot0: file system may not be created, preventing the use of an external Flash card.

Conditions: This symptom is observed when you boot up a Cisco router without a compact Flash card inserted or when you insert a compact Flash card when the router is online.

Workaround: Insert the compact Flash card, and reload the router. After the router has booted up with the compact Flash card installed, the router creates a slot0: file system.

CSCec07579

Symptoms: Interface bit-rate counters may not be cleared when they should be cleared.

Conditions: This symptom is observed on a Cisco router that is configured for quality of service (QoS) when you enter the clear counters user EXEC or privileged EXEC command. The QoS bit-rate counters are cleared, but the interface bit-rate counters are not.

Workaround: There is no workaround. Wait for the next update interval for the bit-rate counters.

CSCec08058

Symptoms: A Cisco MGX Route Processor Module (RPM-XF) pauses indefinitely when a Multiprotocol Label Switching (MPLS) subinterface is being removed.

Conditions: This symptom is observed on a Cisco RPM-XF that is running an rpmxf-p12-mz image of Cisco IOS Release 12.3, Release 12.3 B, or Release 12.3 T when an MPLS subinterface is being removed, even though there is no traffic on the subinterface.

Workaround: Shut down the MPLS subinterface before removing it.

CSCec08206

Symptoms: A Cisco AS5300 may fail intermittently to hunt dial peers for cause codes such as "no circuit," "interworking," and "dest-out-of-order."

Conditions: This symptom is observed on a Cisco AS5300 that runs Cisco IOS Release 12.2(11)T9, 12.3, or 12.3 T when the dial peers are configured for dial-peer hunting.

Workaround: There is no workaround.

CSCec08418

Symptoms: A software-forced reload may occur on a Cisco router.

Conditions: This symptom is observed on a Cisco 2691, Cisco 3660, Cisco 3725, or Cisco 3745 router if a Gigabit Ethernet Network Module (NM-1GE) is present in the router and the show interfaces EXEC command is entered after the show tech EXEC command has been entered.

Workaround: There is no workaround.

CSCec08434

Symptoms: The Cisco 7200 series boothelper image for Cisco IOS Release 12.2(14)S2 may reload unexpectedly, and the router may return to the ROM monitor (ROMmon) mode.

Conditions: This symptom is observed when you install a 2-port Token Ring Inter-Switch Link 100BASE-TX port adapter (PA-2FEISL-TX) or a 1-port ATM Enhanced OC-3 Packet-over-SONET (POS) port adapter in a Cisco 7200 series Network Processing Engine G-1 (NPE-G1) and you reload, reset, or power up the router with the boothelper image.

Workaround: Remove the PA-2FEISL-TX or 1-port ATM Enhanced OC-3 POS port adapter when you reload, reset, or power up the router with the boothelper image. Once the router has booted up, you can reinstall the port adapters.

CSCec08621

This caveat consists of two symptoms, two conditions, and two workarounds:

1. Symptom 1: A Cisco router that runs a Tool Command Language (Tcl) script may reload unexpectedly because of a bus error.

Condition 1: This symptom is observed when the Tcl script contains a "set callInfo(destinationNum)" statement that exceeds 32 characters in length.

Workaround 1: Ensure that the assignment string is within 32 characters.

2. Symptom 2: A Cisco router that runs a Tcl script may not function properly because Tcl statements may overwrite memory.

Condition 2: This symptom is observed when the Tcl script contains one or more of the following statements that exceed 32 characters in length:

set callInfo(originationNum)

set callInfo(pinNum)

set callInfo(accountNum)

set callInfo(redirectNum)

Workaround 2: Ensure that the assignment strings are within 32 characters.
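A pre-deployment check for the two workarounds in CSCec08621, as an added example (not Cisco code): it scans a Tcl IVR script for assignments to the five callInfo fields named above and flags literal values longer than 32 characters. The sample script is constructed; the "dynamic" finding for values built from variables or command substitution is an assumption of this sketch, because their length cannot be known statically and needs a length guard in the script itself.

```python
import re

MAX_LEN = 32  # limit stated in the caveat's workarounds

# The five callInfo fields named in the caveat.
FIELDS = ("destinationNum", "originationNum", "pinNum",
          "accountNum", "redirectNum")

# set callInfo(<field>) <value>, where <value> is a "quoted" word,
# a {braced} word, or a bare word.
SET_RE = re.compile(
    r'\bset\s+callInfo\((\w+)\)\s+'
    r'("(?:[^"\\]|\\.)*"|\{[^{}]*\}|[^\s;\]}]+)'
)

# Constructed Tcl IVR fragment, for illustration only.
SAMPLE_SCRIPT = "\n".join([
    "# constructed Tcl IVR fragment",
    "proc do_setup {} {",
    "    global callInfo",
    "    set callInfo(pinNum) 1234",
    '    set callInfo(destinationNum) "' + "9" * 40 + '"',
    "    set callInfo(accountNum) $account",
    "    set callInfo(redirectNum) {" + "7" * 32 + "}",
    "    if {$retry} { set callInfo(originationNum) " + "5" * 33 + " }",
    # 'other' is a made-up field, present to show that unlisted fields are ignored
    '    set callInfo(other) "' + "x" * 50 + '"',
    "}",
])


def check_script(text):
    """Return (line number, field, finding) for each risky assignment.

    'too-long' : literal value exceeds MAX_LEN characters.
    'dynamic'  : value uses $variable or [command] substitution, so its
                 length is only known at run time.
    Backslash escapes inside quoted values are counted as written, which
    can only overestimate the length.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip Tcl comment lines
            continue
        for m in SET_RE.finditer(line):
            field, raw = m.group(1), m.group(2)
            if field not in FIELDS:
                continue
            braced = raw.startswith("{")
            value = raw[1:-1] if raw[0] in '"{' else raw
            # Braces suppress substitution in Tcl, so only unbraced
            # words can be dynamic.
            if not braced and re.search(r"[$\[]", value):
                findings.append((lineno, field, "dynamic"))
            elif len(value) > MAX_LEN:
                findings.append((lineno, field, "too-long"))
    return findings


if __name__ == "__main__":
    for lineno, field, finding in check_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: callInfo({field}) -> {finding}")
```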

CSCec08973

Symptoms: A 1-port multichannel STM-1 port adapter (PA-MC-STM-1) may report huge numbers of degraded minutes on an E1 controller. For example, after 15 minutes of operation since startup, 35,000,000 degraded minutes may be reported and these values may increase every second. Code violations may also be reported.

Conditions: These symptoms are observed on a Cisco router in which a PA-MC-STM-1 is installed.

Workaround: There is no workaround. However, the traffic is not affected, and the symptom is of a cosmetic nature.

CSCec09018

Symptoms: A Cisco AS5850 reloads when digital signal processor (DSP) timeouts occur, and the following error messages appear:

%DIAL5-3-MSG:

%ALIGN-3-SPURIOUS: Spurious memory access made at 0x601F4AA4 reading 0x24

%ALIGN-3-TRACE: -Traceback= 601F4AA4 601F79BC 60215FB0 601B0B1C 00000000 00000000 00000000 00000000

%ALIGN-3-TRACE: -Traceback= 601F4AAC 601F79BC 60215FB0 601B0B1C 00000000 00000000 00000000 00000000

%ALIGN-3-TRACE: -Traceback= 601F4AB0 601F79BC 60215FB0 601B0B1C 00000000 00000000 00000000 00000000

%DIAL5-3-MSG:

%NP_BS-3-NO_KEEPALIVE: NextPort module 5/1/0 failed to respond to keepalive message

%DIAL5-3-MSG:

%NP_MM-3-MODULE_CRASH: Module Crash detected 5/1/0: state = 8, cause code = 1

%FB-6-OIR: Card in slot 5 removed

%DSIPPF-5-DS_KEEPALIVE_LOSS: DSIP Keepalive Loss from shelf 0 slot 5

%OIR-6-REMCARD: Card removed from slot 5, interfaces disabled

%ALIGN-3-SPURIOUS: Spurious memory access made at 0x6083A9CC reading 0x24

%ALIGN-3-TRACE: -Traceback= 6083A9CC 60848068 6084CCE0 60816F70 60819540 6081D674 602BCBD8 602C3BD8

%ALIGN-3-TRACE: -Traceback= 608151C0 608155A0 608473E4 6084807C 6084CCE0 60816F70 60819540 6081D674

%SYS-3-CPUHOG: Task ran for 2212 msec (8/7), process = Crash writer, PC = 601ED890.

-Traceback= 601ED898 60210564 60360AF4 6020CE7C 601186D4 601190A8 6011892C 60118C68 602150B0 601839C4 60183BCC 601D1604 601D15F0

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.2(11)T9 but may also occur in other releases.

Workaround: Replace the faulty NextPort card in the router.

CSCec09228

Symptoms: A Cisco universal access server or universal gateway that functions as a T.37 off-ramp gateway may reload unexpectedly.

Conditions: This symptom is observed when the platform is under a fairly heavy traffic load.

Workaround: There is no workaround.

CSCec10603

Symptoms: In a Large Scale Network Testing (LSNT) environment, a transmit path segmentation and reassembly (SAR) component reloads and then the Route Processor Module (RPM) reloads.

Conditions: This symptom is observed on a Cisco router that has a transmit path SAR component and a Revision 4 RPM, and that is running Cisco IOS Release 12.2(15)T4a under stress conditions with a high rate of traffic. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCec11075

Symptoms: Input access control lists (ACLs) that are applied to a PPP-over-ATM (PPPoA) session may not filter traffic properly.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Service Engine 1 (NSE-1) and on a Cisco 7401 when these platforms function as PPPoA termination servers and when Parallel Express Forwarding (PXF) is enabled. The input ACLs are configured on the PPPoA session virtual template.

Workaround: Use output ACLs to filter traffic on egress interfaces.

Alternate Workaround: Disable PXF.

CSCec11226

Symptoms: The CPU utilization on a Cisco gateway that runs a voice extensible markup language (VXML) application and that is configured for Real Time Streaming Protocol (RTSP) or HTTP may reach 100 percent, and the gateway may pause indefinitely.

Conditions: This symptom is observed under stress conditions when a call simulator sends seven Session Initiation Protocol (SIP) calls with dual tone multifrequency (DTMF) inputs to the gateway. Each call runs an initial VXML application that fetches about three VXML documents from an HTTP server, plays about six HTTP prompts, and plays about seven RTSP prompts.

In addition, the gateway is also configured with many applications that point to unreachable servers. (This last situation is the key to the high CPU utilization.)

Workaround: There is no workaround.

CSCec11559

Symptoms: A 1-port or 2-port channelized T1/E1 network module (NM-1CE1T1-PRI or NM-2CE1T1-PRI) may not be properly configured when a router is booting up.

Conditions: This symptom is observed when the T1/E1 controller configuration is lined up before the "card type" configuration for the NM-1CE1T1-PRI or NM-2CE1T1-PRI. The symptom occurs because the "card type" configuration must be applied before the T1/E1 controller configuration is applied.

Workaround: After the router has booted up, enter the copy startup-config running-config EXEC command.

CSCec12294

Symptoms: A Cisco router or switch may reload unexpectedly when the variable bit rate real time (VBR-rt) or the variable bit rate nonreal time (VBR-nrt) is configured with the same peak cell rate (PCR).

Conditions: This symptom is observed when you configure the sustainable cell rate (SCR) in a manner that is similar to the following:

router(config)# interface a4/0/0

router(config-if)# pvc 10/100

router(config-if-atm-vc)# vbr ?

<48-155000> Peak Cell Rate (PCR) in Kbps

router(config-if-atm-vc)# vbr 100000 100000 ?

Workaround: There is no workaround.

CSCec12741

Symptoms: If an access control list (ACL) is recompiled under heavy load conditions, CPUHOG messages may be generated.

Conditions: This symptom is observed when compiled ACLs are enabled by entering the access-list compiled global configuration command, and the total number of ACL entries is relatively large (over 1500 lines). Random or constantly changing traffic patterns may cause the CPUHOG messages. A side effect of this symptom is that not enough time is provided for other processes, and areas such as keepalives or Cisco Express Forwarding (CEF) management may be impacted.

Workaround: Disable and then reenable the compiled ACLs by entering the no access-list compiled global configuration command followed by the access-list compiled global configuration command.

Alternate Workaround: Disable the compiled ACLs completely.

CSCec15371

Symptoms: A Cisco 7200 series with a Network Service Engine (NSE) and a Cisco 7401 may reload.

Conditions: This symptom is observed on a Cisco 7200 series and a Cisco 7401 router that have an ATM or serial interface configured for multilink and that have Parallel Express Forwarding (PXF) enabled.

Workaround: Disable the PXF microcode.

CSCec15517

Symptoms: A Cisco router may reload when you enter the show policy-map interface EXEC command.

Conditions: This symptom is observed on a Cisco 7500 series that is configured with a Frame Relay permanent virtual circuit (PVC) policy.

Workaround: There is no workaround.

CSCec15733

Symptoms: A Cisco router that is running IP over Multiprotocol Label Switching (MPLS) may reload when the Label Distribution Protocol (LDP) responds to the creation of a new session.

Conditions: This symptom is observed when the router is operating under extremely stressful conditions that cause the CPU utilization to be close to 100 percent. This situation rarely occurs.

Workaround: There is no workaround.

CSCec15964

Symptoms: A RADIUS server may be marked as "dead" and may not be shown to be in the "up" state after the deadtime interval has expired.

Conditions: This symptom is observed when two RADIUS servers are configured on one L2TP network server (LNS) and when the following sequence of events occurs:

One of the RADIUS servers is marked as "dead" during the bootup process of the LNS because the RADIUS server is not able to respond to a system accounting request.

After the PPP session has come up, the LNS builds the routing information and accesses the RADIUS server that is marked as "dead."

The LNS receives a response back from the RADIUS server that is marked as "dead."

Even after the deadtime interval has expired, the LNS still does not change the status of the RADIUS server to the "up" state.

Workaround: There is no workaround.

CSCec16666

Symptoms: Two channel group interfaces on a 1-port multichannel STM-1 port adapter (PA-MC-STM-1) may receive the same ifIndex. This can be observed in the following command output:

show snmp mib ifmib ifindex serial X/X/X:0

Interface = SerialX/X/X:0, Ifindex = 496

show snmp mib ifmib ifindex serial Y/Y/Y:0

Interface = SerialY/Y/Y:0, Ifindex = 496

Conditions: This symptom is observed when some of the E1 interfaces are deleted and recreated.

Workaround: Do not delete any of the E1 interfaces.

CSCec16990

Symptoms: When Cisco Express Forwarding (CEF) is enabled, all packets that ingress from a Multiprotocol Label Switching (MPLS) over a Multilink PPP (MLP) core are process switched when a Route Switch Processor (RSP) is used.

Conditions: This symptom is observed on a Cisco 7500 series with CEF enabled.

Workaround: There is no workaround.

CSCec17205

Symptoms: A Cisco Node Route Processor 2 (NRP2) that acts as a Service Selection Gateway (SSG) either does not process or does not clear the interface input queue buffer of SSG packets that come in. SSG packets that get stuck are requests that are sent by the Subscriber Edge Services Manager (SESM) server during SSG and SESM interactions. This eventually causes a wedged interface.

Conditions: This symptom is observed on a Cisco NRP2 that is running a special version of Cisco IOS Release 12.3(3) with SESM version 3.1.7.

Workaround: There is no workaround.

CSCec17494

Symptoms: A spurious memory access traceback may occur at an IP Security (IPSec) component on a Cisco router.

Conditions: This symptom is observed on a Cisco router that functions in an IPSec Internet Security Association and Key Management Protocol (ISAKMP) environment when the following conditions are present:

The debug crypto isakmp privileged EXEC command is enabled.

The ID of the peer is a Distinguished Name (DN) string that is not parsable.

Workaround: Disable the debug crypto isakmp privileged EXEC command.

First Alternate Workaround: Ensure that the DN string of the peer is RFC compliant and parsable.

Second Alternate Workaround: Instead of a DN string that is not parsable, configure the peer to send another type of identity.

CSCec17778

Symptoms: When you reload a Cisco router, the ATM permanent virtual path (PVP) configuration may disappear and the following error message may be displayed:

%ATM: PVP, interface specific setupvp failure

Conditions: This symptom is observed on a Cisco 3640 that is configured with an ATM network module but may also occur on another router that is configured with an ATM network module.

Workaround: Remove the permanent virtual circuit (PVC) configuration, reload the router, and reconfigure the PVP and PVC configuration.

CSCec18181

Symptoms: A Cisco 7200 series may reload when you enter the show pas i82543 interface gigabitEthernet number mta privileged EXEC command.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Processing Engine G-1 (NPE-G1).

Workaround: There is no workaround.

CSCec18644

Symptoms: A large memory leak occurs when you enter the write memory privileged EXEC command on a Cisco router.

Conditions: This symptom is observed on a Cisco router when the following global configuration commands are in the router configuration:

service compress-config

boot config c:auto_config_slot09 nvbypass

Workaround: Do not use the two commands together.

CSCec18986

Symptoms: Virtual private dial-up network (VPDN) authorizations fail to send a request for domain authorization to the RADIUS servers.

Conditions: This symptom is observed for PPP connections that begin on an EXEC connection with VPDN turned on for the user.

Workaround: Use PPP connections instead of EXEC connections.

CSCec19120

Symptoms: A Virtual Private Network (VPN) client in a VPN routing/forwarding instance (VRF) that is connected to a provider edge (PE) router may have connectivity only to other devices that are directly connected to the same PE router but no connectivity to other PE routers.

Conditions: This symptom is observed when the connectivity between the PE routers is fine. Only VPN clients are affected.

Workaround: There is no workaround.

CSCec19243

Symptoms: A Cisco terminating gateway fails to send the correct generic transparency descriptor (GTD) for calls that are reattempted due to a glare condition. The terminating gateway attempts setup and sends an NI2-SETUP message. When this message does not go through, the terminating gateway reattempts setup and sends another NI2-SETUP message. The format of the second setup message is not the same as the format of the first setup message.

Conditions: This symptom is observed when a terminating gateway sends an NI2-SETUP message to a public switched telephone network gateway (PGW). The egress public switched telephone network (PSTN) sends an Initial Address Message (IAM) in response, and the IAM causes a glare condition. The PGW sends down CV=15 as it is configured to do in the NI2 DISC message to the terminating gateway. The terminating gateway is configured to reattempt on receiving the CV. The gateway sends a reattempt NI2-SETUP message to the PGW.

Workaround: There is no workaround.

CSCec20085

Symptoms: A Cisco router may pause indefinitely when it attempts to play a nonexistent audio file.

Conditions: This symptom is observed on a Cisco 3660 when it attempts to get a nonexistent audio file from a Real-Time Streaming Protocol (RTSP) server.

Workaround: There is no workaround.

CSCec22252

Symptoms: A Cisco 7500 series may reload when one of the physical multilink member interfaces is shut down while traffic passes through the interface of the multilink member.

Conditions: This symptom is observed on a Cisco 7500 series and is specific to configuring tag switching (and not VPN routing/forwarding [VRF] forwarding) on a multilink interface that is based on Versatile Interface Processor (VIP) channels or serial interfaces in the distributed mode (for example, the symptom may occur only if a provider edge [PE] link is implemented over the multilink interface).

Workaround: Shut down the Multilink PPP (MLP) interface first, and then shut down the MLP physical subinterface as needed.

CSCec22391

Symptoms: You may not be able to authenticate a certificate authority (CA), enroll with the CA, or download a certificate revocation list (CRL).

Conditions: This symptom is observed on a Cisco router that is configured for IP Security (IPSec) and Internet Key Exchange (IKE) after a CRL that was previously downloaded expires.

Workaround: There is no workaround.

CSCec23073

Symptoms: When authorization is defined under the aaa dnis map dnis-number authorization network group server-group-name global configuration command, a Cisco router sends an access request for the user to the RADIUS server with service outbound. The RADIUS server refuses the authorization with an "authentication failure" message, and the user is disconnected.

Conditions: This symptom is observed after an upgrade to Cisco IOS Release 12.3, Release 12.3 B, or Release 12.3 T when a specific authentication, authorization, and accounting (AAA) dialed number identification service (DNIS) for authorization is configured, as in the following example:

aaa dnis map enable

aaa dnis map 999999 authorization network group my_group

Workaround: Suppress the authorization under the aaa dnis map dnis-number authorization network group server-group-name global configuration command, and use the main AAA authorization.

CSCec23202

Symptoms: A memory leak may occur on a Cisco platform that functions as a T.37 off-ramp gateway.

Conditions: This symptom is observed when multiple dial peers match an outgoing T.37 fax call and when the call is disconnected in an abnormal way (for example, when the ringing timeout expires).

Workaround: Configure the dial peers in such a way that each call can match only one dial peer.

CSCec23873

Symptoms: A Cisco router may reload unexpectedly when you enter the precedence other VC-class configuration command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3 or Release 12.3 B.

Workaround: There is no workaround.

CSCec23982

Symptoms: High CPU utilization may occur on a Versatile Interface Processor (VIP), causing latency on all interfaces of the VIP.

Conditions: This symptom is observed on a Cisco 7500 series when Network Based Application Recognition (NBAR) is configured to match a third-party vendor peer-to-peer software application as a protocol or when NBAR protocol discovery is enabled.

Workaround: Load a more recent version of the third-party vendor Packet Description Language Module (PDLM).

CSCec24074

Symptoms: A permanent virtual circuit (PVC) may lock up when you run a session with Subnetwork Access Protocol (SNAP).

Conditions: This symptom is observed on a Cisco platform that functions in a PPP-over-ATM (PPPoA) environment when the Autosense of MUX/SNAP Encapsulation and PPPoA/PPPoE on ATM PVCs feature is enabled.

Workaround: Change the encapsulation to another encapsulation type such as MUX and then back to the Autosense of MUX/SNAP Encapsulation and PPPoA/PPPoE on ATM PVCs feature.

CSCec24094

Symptoms: A Cisco router may reload unexpectedly when you enter the ip rtp reserve interface configuration command on an interface that is congested.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3 or Release 12.3 B and that is configured for Real-Time Transport Protocol (RTP).

Workaround: Shut down the interface before you enter the command. Enable the interface after you have entered the command.

CSCec24911

Symptoms: A Cisco router (router 1) with a digital modem is connected over a public switched telephone network (PSTN) to another router (router 2) with a digital modem. Router 1 is configured to check the basic connectivity to router 2. When router 1 tries to ping router 2, router 1 reloads.

Conditions: This symptom is observed on a Cisco 3725 router with a digital modem that is configured to test the digital modem connectivity between the two routers.

Workaround: There is no workaround.

CSCec25764

Symptoms: Downstream traffic may not be forwarded properly to a PPP-over-Ethernet (PPPoE) client.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Service Engine (NSE) and on a Cisco 7401 when the following conditions are present:

Parallel Express Forwarding (PXF) is enabled.

The router functions as a broadband L2TP access concentrator (LAC) that has PPPoE-to-L2TP forwarding sessions.

The router has VLAN subinterfaces to a Layer 2 Tunneling Protocol (L2TP) link.

Workaround: Disable PXF to prevent the PXF processor from forwarding downstream traffic.

Alternate Workaround: Remove the VLAN subinterfaces from the L2TP link.

CSCec26076

Symptoms: When you enter the interface type 1/0.0 global configuration command to configure subinterface 0, the command does not configure the subinterface but the main interface; that is, the command is executed as if you had entered the interface type 1/0 global configuration command.

Conditions: This symptom is observed when you configure an ATM, Fast Ethernet, or Gigabit Ethernet subinterface 0; that is, you enter atm, fastethernet, or gigabitethernet for the type argument.

Workaround: There is no workaround. You cannot configure subinterface 0. The fix for this caveat changes the subinterface range from the 0-to-4294967295 range to the 1-to-4294967295 range.

CSCec26539

Symptoms: A Cisco router that has a Hot Standby Router Protocol (HSRP) group configured on a subinterface may stop responding and may reload.

Conditions: This symptom is observed when an HSRP Simple Network Management Protocol (SNMP) query is performed. The symptom occurs only when HSRP is configured on a subinterface. The symptom does not occur for an HSRP group that is configured on a major interface.

Workaround: Do not initiate an SNMP query for HSRP.

CSCec27278

Symptoms: On a Cisco router that is configured with a Multilink PPP (MLP) interface, the available processor memory may decrease rapidly because of a memory leak.

Conditions: This symptom is observed when the MLP interface flaps repeatedly.

Workaround: There is no workaround. You must resolve the cause of the flapping MLP interface.

CSCec27821

Symptoms: A Network Processing Engine G-1 (NPE-G1) may forward unicast IP packets that have a Layer 2 multicast MAC address.

Conditions: This symptom is observed on an NPE-G1 that is installed in a Cisco 7200 series.

Workaround: Create an access control list (ACL) to filter the packets.

Alternate Workaround: Configure a static multicast MAC address mapping to the ports of the connected Layer 2 switch.

CSCec29107

Symptoms: A Cisco router may reload unexpectedly when you disable the Cisco Networking Services (CNS) configuration partial agent.

Conditions: This symptom is observed when you disable the CNS event agent before you disable the CNS configuration partial agent.

Workaround: Ensure that the CNS event agent is configured before you disable the CNS configuration partial agent.

CSCec29189

Symptoms: When you enter the radius-server attribute nas-port format e global configuration command, the expected behavior is that the network access server (NAS) port attribute in the RADIUS access request equals the session ID and is different for each session. However, this behavior may not occur; the RADIUS access request may remain 0.

Conditions: This symptom is observed on a Cisco 7206 router that functions as a NAS, a Service Selection Gateway (SSG), and a digital subscriber line (DSL) aggregator.

Workaround: There is no workaround.

CSCec29447

Symptoms: A single modem that is marked as bad may prevent an adjacent modem from successfully accepting calls. The call is rejected with "no answer."

Conditions: This symptom is observed on a Cisco AS5800 when a modem module has a hardware difficulty and is marked as bad. Other modems on the same module are not marked as bad but may fail to accept calls.

Workaround: When a modem on a module is marked as bad during the bootup process or during normal use, busyout the entire modem module.

CSCec29962

Symptoms: A Cisco 7200 series router with a VPN Accelerator Module 2 (VAM2) may reload because of stack corruption.

Conditions: This symptom is not observed under normal router operation. The symptom occurs only when the VAM2 is disabled and enabled through the command-line interface (CLI) (for example, by entering the no crypto engine accelerator global configuration command followed by the crypto engine accelerator global configuration command) or a physical online insertion and removal (OIR) of the VAM2 is performed.

Workaround: There is no workaround.

CSCec30332

Symptoms: A traceback may be generated when you enter the cns config notify diff global configuration command and then disable the command.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3 or Release 12.3 B.

Workaround: Do not enter the cns config notify diff global configuration command.

CSCec31053

Symptoms: A router may pause indefinitely if you enter the show crypto ca cert trustpoint-label EXEC command.

Conditions: This symptom is observed on a Cisco router if the trustpoint-label argument is not defined in the router's running configuration, or if multiple trustpoint-label arguments are defined in the running configuration.

Workaround: Use the show crypto ca cert EXEC command without a trustpoint.

CSCec31512

Symptoms: When you enter the send break command on the active CPU and keep the active CPU in the ROM monitor (ROMmon) mode for a long time, the standby CPU may reload because of a bus error exception.

Conditions: This symptom is observed on a Cisco ONS 15540.

Workaround: There is no workaround.

CSCec32135

Symptoms: set commands that are used with a service policy can cause a router to reload in some circumstances. The set cos policy-map class configuration command can cause reloads in addition to other set commands.

Conditions: This symptom may be observed with configurations that have a service policy with the set command on the interface in combination with one or all of the following three configurations:

access-list filtering

unicast rpf

multicast routing

Under these circumstances, configuration changes of the set-based policy map can cause the router to reload.

Workaround: There is no workaround.

CSCec35547

Symptoms: Virtual access interfaces stop processing input packets and are eventually reset on a Cisco MGX Route Processor Module (RPM-XF).

Conditions: This symptom occurs for packets that are punted to the Route Processor (RP) and are then fast-switched. The interface stops processing input packets once the number of the packets received by the RP exceeds the input hold queue size.

Depending on the packet type, Parallel Express Forwarding (PXF) or process switching may occur instead of fast switching. In these cases, the symptom does not occur.

Workaround: There is no workaround.

CSCec35857

Symptoms: A Cisco router may reload unexpectedly when it attempts to authenticate a subordinate certificate authority (CA) certificate after the root CA certificate has been authenticated.

Conditions: This symptom is observed on a Cisco 831 but may also occur on other Cisco platforms.

Workaround: There is no workaround.

CSCec36752

Symptoms: In an authentication, authorization, and accounting (AAA) configuration, an EXEC user is unable to start a PPP session when EXEC authorization is used.

Conditions: This symptom is observed on a Cisco router when double authentication occurs. PPP authentication is configured and AAA authentication is also configured.

If the aaa authorization global configuration command is included in the AAA configuration, the router has the ability to support server-provided autocommands (the autocommand push feature). An EXEC user who starts a PPP session fails because the router attempts to authenticate the PPP session even though the user has already been authenticated at login when the aaa authentication ppp default if-needed command is configured.

Workaround: Disable the aaa authorization EXEC command. This action disables the ability to support the autocommand push feature from the TACACS+ server.

Alternate Workaround: Use a RADIUS server instead of a TACACS+ server.

CSCec37042

Symptom: A Cisco 7301 or Cisco 7401ASR may boot up in the boot image rather than in the Cisco IOS image.

Conditions: This symptom is observed in the following configurations:

On a Cisco 7301 that is configured with a Network Processing Engine G1 (NPE-G1) and that runs a c7301-boot-mz image.

On a Cisco 7401ASR that is configured with a Cisco Network Service Engine (NSE) and that runs a c7400-kboot-mz image.

The symptom is observed in Cisco IOS Release 12.2(16)B2 but may also occur in Release 12.2 S, 12.3, 12.3 B, or 12.3 T.

Workaround: Enable the router to boot the image from a disk by entering the boot system global configuration command.

CSCec37602

Symptoms: A Cisco router with a VPN Accelerator Module 2 (VAM2) may not be fully compliant with the Federal Information Processing Standards specifications for power-up self-tests (FIPS-140-2). There is no loss of functionality, and there are no apparent operational symptoms.

Conditions: This symptom is observed on a Cisco 7200 series with a G1 Network Processing Engine (NPE-G1) and a VAM2 that is enabled for IP Security (IPSec) acceleration.

Workaround: There is no workaround.

CSCec37790

Symptoms: A Cisco voice gateway may reload unexpectedly when it runs a voice extensible markup language (VXML) script.

Conditions: This symptom is observed when the VXML script calls a subdialog with a name list in a loop.

Workaround: There is no workaround.

CSCec44199

Symptoms: A Cisco gateway that runs a voice extensible markup language (VXML) application may pause indefinitely.

Conditions: This symptom is observed when the following two conditions are met:

The gateway is running Cisco IOS Release 12.2(13)T9 or Release 12.3(3a).

The gateway has been placed in HTTP streaming mode by entering the ivr prompt streamed all global configuration command or the ivr prompt streamed http global configuration command.

In addition, one of the following conditions must also be present:

There must be a single session of a VXML application that repeats the same audio source file within the same <prompt> tag. For example:

<prompt cisco-vcrprompt="true">
<audio src="http://px1-sun/audio/DUCF_33_httpg711ulaw.au"/>
<audio src="http://px1-sun/audio/DUCF_33_httpg711ulaw.au"/>
</prompt>

Multiple sessions access the same audio URL at the same time.

Workaround: Turn off HTTP streaming by entering the no ivr prompt streamed http global configuration command or the ivr prompt streamed none global configuration command.

Alternate Workaround: Turn off HTTP caching by entering the http client cache memory pool 0 global configuration command.

CSCec46351

Symptoms: A Cisco router repeatedly displays the following error message:

%PXF-2-TALLOCFAIL

Conditions: This symptom is observed on a Cisco 7200 series with a Network Service Engine (NSE-1) or on a Cisco 7401 router whenever the router turns on any routing protocol.

Workaround: There is no workaround.

CSCec52948

Symptom: The cptone jp voice-port configuration command may not have any effect on the cadence settings for Japan.

Conditions: This symptom is observed when you enter the cptone jp voice-port configuration command and you observe the signal timing.

Workaround: There is no workaround.

CSCec54311

Symptoms: PPP authentication credentials may not be authenticated on a network access server (NAS) if the if-needed keyword is configured in the ppp authentication if-needed interface configuration command and the autoselect during-login line configuration command is configured while login authentication is set to RADIUS.

Conditions: This symptom is observed on a Cisco access server that runs Cisco IOS Release 12.3.

Workaround: Remove the if-needed keyword from the ppp authentication if-needed interface configuration command.

Alternate Workaround: Remove the autoselect during-login line configuration command. Doing so enables the PPP authentication to proceed normally.

CSCec54490

Symptoms: A host signal processor (HSP) modem in a VPN Accelerator Module 2 (VAM2) may not be fully compliant with the Federal Information Processing Standards specifications for power-up self-tests (FIPS-140-2).

In addition, an HSP modem may not properly handle some error conditions and may cause a router to reload unexpectedly.

Conditions: These symptoms are observed on a Cisco router that is configured with a VAM2.

Workaround: There is no workaround.

CSCec55920

Symptom: A Cisco 3600 series or Cisco 3700 series may reload because of an unexpected exception.

Conditions: This symptom is observed on Cisco 3600 series and Cisco 3700 series that run Cisco IOS Release 12.3(3) and that are configured with a DES/3DES/AES VPN Encryption and Compression Module (AIM-VPN/EPII or AIM-VPN/HPII).

The symptom may occur during Internet Security Association and Key Management Protocol (ISAKMP) tunnel negotiation in all of the following conditions:

After several hours of stress.

When the number of tunnels is more than 100.

When the Internet Key Exchange (IKE) security association (SA) lifetimes on the peers are different.

Workaround: For the first and second conditions there are no workarounds. For the third condition, match the IKE SA lifetimes on both peers.

CSCec63438

Symptoms: The set command will not work if used in a non-leaf level in a hierarchical policy.

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.3(3).

Workaround: There is no workaround.

CSCin42513

Symptom: The segmentation and reassembly (SAR) chip may reload unexpectedly, and the following error message is displayed:

ATMPA-3-SARCRASH: ATM11/0/0: SAR0 Chip Crashdump:

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.0 S or Release 12.3 and that is configured with an inverse multiplexing over ATM (IMA) port adapter. The symptom may occur when the Versatile Interface Processor (VIP) in which the SAR is installed reloads unexpectedly.

Workaround: There is no workaround.

CSCin42946

Symptoms: A Cisco router may reload when processing a voice call.

Conditions: This symptom is observed on a Cisco 2600 series, a Cisco 3600 series, or a Cisco 3700 series and is caused by an illegal data pointer access.

Workaround: There is no workaround.

CSCin43828

Symptoms: A traceback and register display are generated, with the cause listed as follows:

Cause 0000041C (Code 0x7): Data Bus Error exception

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.2(17). The condition reported was associated with a router that was being operated outside of its temperature parameters. Other physical or hardware associated issues could lead to this condition.

Workaround: There is no workaround.

CSCin44571

Symptoms: Priority queueing does not deliver the expected bandwidth on a Cisco router.

Conditions: This symptom is observed on a Cisco router if Parallel Express Forwarding (PXF) is enabled.

Workaround: Turn off PXF.

CSCin45407

Symptoms: A memory leak may occur on a Cisco uBR900 series or a Cisco CVA120 series.

Conditions: This symptom is observed when the cable interface flaps repeatedly and when the Multimedia Cable Network System Partners Ltd. (MCNS) file is not present on a TFTP server.

Workaround: There is no workaround.

CSCin46014

Symptoms: A Versatile Interface Processor (VIP) may reload with a traceback that points to a distributed Link Fragmentation and Interleaving (dLFI) fragmentation process and may run out of memory.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for dLFI over ATM (dLFIoATM) and quality of service (QoS).

Workaround: There is no workaround.

CSCin47312

Symptoms: When you clear an Easy Virtual Private Network (EZVPN) tunnel or remove and reapply an EZVPN configuration on an EZVPN client, IP Security (IPSec) security associations (SAs) may not be created, and the EZVPN tunnel may fail to come up.

Conditions: This symptom is observed on a Cisco 827 that runs Cisco IOS Release 12.3(3) or Release 12.3(2)T. The symptom may also occur on another Cisco platform that functions as an EZVPN client.

Workaround: There is no workaround.

CSCin48039

Symptoms: Link control protocol (LCP) packets may be discarded by a Network Service Engine (NSE).

Conditions: This symptom is observed on a Cisco router that is configured with an NSE when weighted fair queuing (WFQ) is configured.

Workaround: Change the queueing method.

CSCin48819

Symptoms: Packets received from or going to unauthenticated users may be punted to the process path.

Conditions: This symptom is observed on all Service Selection Gateway (SSG) images of Cisco IOS software. If there is high unauthorized user traffic on the network, this symptom may cause a load on the process path (the IP input), but it does not break the functionality of the network.

Workaround: Configure the SSG TCP Redirect feature for unauthenticated users and unauthorized services. With this configuration, there are no unauthenticated packets punted to the process path, and all packets are handled in the Cisco Express Forwarding (CEF) path.

CSCin48820

Symptoms: Domain Name System (DNS) packets may take more time than normal to process.

Conditions: This symptom is observed on all Service Selection Gateway (SSG) images of Cisco IOS software.

Workaround: If the number of domains is large, provide Internet service to each user and let the domains be resolved through the Internet DNS service.

CSCin49152

Symptoms: A boot flash image upgrade using Flash MIB may fail.

Conditions: This symptom is observed on Cisco uBR905 and Cisco uBR925 routers and Cisco Cable Voice Adapter (CVA) modems.

Workaround: There is no workaround.

CSCin49458

Symptoms: Pings between two customer edge (CE) routers may fail.

Conditions: This symptom is observed after a high traffic load has occurred for a short period of time on Any Transport over Multiprotocol Label Switching (AToM) Layer 2 Tunneling Protocol version 3 (L2TPv3) virtual circuits (VCs). The VCs stay up, but pings may fail.

Workaround: Reload the microcode onto the line card on which the VCs are configured.

CSCin50136

Symptoms: A PPP over Ethernet (PPPoE) session may not come up when delivering the PPPoE configuration to the customer premises equipment (CPE). This symptom occurs even though the Internet service provider (ISP) router is configured for a PPPoE profile. The session comes up only when you enter the clear pppoe all EXEC command.

Conditions: This symptom is observed in Cisco IOS Release 12.3 and prevents PPP and IP connectivity.

Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.

CSCin50167

Symptoms: Distributed Link Fragmentation and Interleaving (dLFI) may not function, preventing dLFI over Leased Line, dLFI over Frame Relay, and dLFI over ATM from functioning.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series, Cisco 7500 series, and Cisco 7600 series.

Workaround: There is no workaround.

CSCin50463

Symptoms: A Cisco router may pause indefinitely when a VoiceXML (VXML) dialog is initiated.

Conditions: This symptom is observed on a Cisco AS5350 router when a VXML dialog is initiated and standard VXML events (for example, help, nomatch, noinput, and error) are sent.

Workaround: There is no workaround.

CSCin50661

Symptoms: A Cisco AS5350 router pauses indefinitely when the Media Gateway Control Protocol (MGCP) regression feature is tested. Even the "send break" feature may not function, and the only solution is to turn the router off and on. This symptom occurs only one out of four or five times.

Conditions: This symptom is observed in a test environment on a Cisco AS5350 router that has MGCP enabled.

Workaround: There is no workaround.

CSCin50865

Symptoms: A cable modem pauses indefinitely when an H.323 voice call is received.

Conditions: This symptom is observed on a cable modem that is running Cisco IOS Release 12.3.

Workaround: There is no workaround with Release 12.3.

Alternate Workaround: Use any 12.2 T release other than Release 12.2(15)T7, or use a release that is later than Release 12.3(3a).

CSCin50873

Symptoms: Data packets get punted to the process path when the Service Selection Gateway (SSG) timeout process is scheduled.

Conditions: This symptom is observed in all SSG images of Cisco IOS software.

Workaround: There is no workaround.

CSCin50883

This caveat consists of four symptoms, four conditions, and a single workaround for all four symptoms and conditions:

1. Symptom 1: A "PCMCIA-DIBERR" error message may be displayed.

Condition 1: This symptom is observed when you enter the show flash-filesystem: EXEC command for a Personal Computer Memory Card International Association (PCMCIA) disk that is formatted for low-end file system (LEFS).

2. Symptom 2: An "Invalid DOS Media" error message may be displayed.

Condition 2: This symptom is observed when you remove a compact Flash card that is formatted for MS-DOS FS, you replace it with one that is formatted for LEFS, and you enter the show flash-filesystem: EXEC command.

3. Symptom 3: A compact Flash card that is configured for LEFS may not be recognized.

Condition 3: This symptom is observed when you perform an online insertion and removal (OIR) and you replace an Advanced Technology Attachment (ATA) Flash card with a compact Flash card that is configured for LEFS.

4. Symptom 4: A traceback for a duplicate file system may be generated in the file system table.

Condition 4: This symptom is observed when you perform an OIR and you replace a compact Flash card that is configured for LEFS with an ATA Flash card.

Workaround for all four symptoms and conditions: Before you enter any command or perform an OIR, enter the show version EXEC command. Doing so forces the PCMCIA card or the compact Flash card to be reread and clears the difficulties.

CSCin50999

Symptoms: A ping may not go through when Internet Security Association and Key Management Protocol (ISAKMP) is configured on a BRI interface. When you enter the debug crypto ipsec privileged EXEC command, the following message may be displayed:

IPSEC(sa_initiate): Kicking the dialer interface...

Conditions: This symptom is observed when traffic is subjected to IP Security (IPSec) encryption and when the dialing configuration occurs on the BRI interface.

Workaround: Rather than applying a dialer profile to the BRI interface, configure a separate dialer interface and associate it with the BRI interface.

CSCin51366

Symptoms: A server reference count may incorrectly reach zero when all servers are dead. After the reference count of the server reaches zero without the server being unconfigured, the following error message may appear:

AAA/SG/REF_COUNT attempt to decrement ref count of invalid server handle XXXXXXXX

in which "XXXXXXXX" is a seemingly random hexadecimal number.

In some releases of Cisco IOS software, particularly those with the -g4js- feature set, the router may return to rommon or reload instead of displaying the error message.

Conditions: This symptom is observed when there are two or more servers in a server group, and all the servers in that group are dead, and transactions are being sent to those servers because the server group that they are in (including the special groups RADIUS and TACACS) is the last method in a method list. The reference count of one server in the group increases dramatically while the reference count of another server in the group is reduced to zero.

Further Problem Description: You can observe the changes in the server reference count when you enter the debug aaa server-ref-count privileged EXEC command.

Workaround: Pick one particular server from the group as your server of last resort. Configure a special server group that contains only that server, and configure that special server group as the last method in your method list.

For example, if you have the following configuration:

aaa new-model
radius-server host x.x.x.x
radius-server host y.y.y.y
radius-server host z.z.z.z
radius-server key <XXXX>
aaa group server radius foo
 server x.x.x.x
 server y.y.y.y
 server z.z.z.z
aaa authentication login default group foo

You would instead configure the following:

aaa new-model
radius-server host x.x.x.x
radius-server host y.y.y.y
radius-server host z.z.z.z
radius-server key <XXXX>
aaa group server radius foo
 server x.x.x.x
 server y.y.y.y
 server z.z.z.z
aaa group server radius bar
 server z.z.z.z
aaa authentication login default group foo group bar
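The following Python check is an added example, not part of the Cisco release note: it scans a saved configuration for the condition described in CSCin51366, a method list whose last method is a server group (including the special groups radius and tacacs+) that contains two or more servers. The function names and the 192.0.2.x sample addresses are assumptions made for illustration, and only `server` lines and global `radius-server host` / `tacacs-server host` lines are counted.

```python
import re

# Constructed sample mirroring the first configuration above
# (192.0.2.x stands in for x.x.x.x, y.y.y.y and z.z.z.z).
BEFORE = """\
aaa new-model
radius-server host 192.0.2.1
radius-server host 192.0.2.2
radius-server host 192.0.2.3
aaa group server radius foo
 server 192.0.2.1
 server 192.0.2.2
 server 192.0.2.3
aaa authentication login default group foo
"""

# Constructed sample mirroring the workaround: a one-server group "bar"
# is appended as the last method.
AFTER = BEFORE.replace(
    "aaa authentication login default group foo\n",
    "aaa group server radius bar\n"
    " server 192.0.2.3\n"
    "aaa authentication login default group foo group bar\n",
)

GROUP_RE = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)$")
METHOD_RE = re.compile(r"^aaa (authentication|authorization|accounting) ")
# Global host commands populate the special groups "radius" and "tacacs+".
GLOBAL_HOSTS = {"radius-server host": "radius", "tacacs-server host": "tacacs+"}


def parse_groups(config):
    """Return {group name: [server addresses]} for named and special groups."""
    groups = {"radius": [], "tacacs+": []}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        text = raw.strip()
        if raw[0].isspace():
            # Indented line: a sub-command of the group being defined, if any.
            if current is not None and text.startswith("server "):
                groups[current].append(text.split()[1])
            continue
        current = None
        match = GROUP_RE.match(text)
        if match:
            current = match.group(2)
            groups.setdefault(current, [])
            continue
        for prefix, special in GLOBAL_HOSTS.items():
            if text.startswith(prefix + " "):
                groups[special].append(text.split()[2])
    return groups


def last_group_method(line):
    """Return the group name if the final method is 'group NAME', else None."""
    tokens = line.split()
    if len(tokens) >= 2 and tokens[-2] == "group":
        return tokens[-1]
    return None


def risky_method_lists(config):
    """List (line, group, server count) for method lists ending in a
    server group that holds two or more servers."""
    groups = parse_groups(config)
    findings = []
    for raw in config.splitlines():
        text = raw.strip()
        if not METHOD_RE.match(text):
            continue
        name = last_group_method(text)
        if name is None:
            continue  # last method is local, none, enable, and so on
        count = len(groups.get(name, []))
        if count >= 2:
            findings.append((text, name, count))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, risky_method_lists(cfg))
```
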

CSCin51790

Symptoms: A cable modem does not respond to any Simple Network Management Protocol (SNMP) queries.

Conditions: This symptom is observed on a Cisco uBR900 cable modem.

Workaround: There is no workaround.

CSCin51828

Symptoms: A gateway may reload unexpectedly while unconditional call forwarding to a voice mail system is in progress.

Conditions: This symptom is observed on a Cisco gateway that functions as a transferee (XEE) and transfer target (XTO).

Workaround: There is no workaround.

CSCin52105

Symptoms: A Multilink Frame Relay (MLFR) bundle interface may flap along with its member links.

Conditions: This symptom is observed when distributed MLFR is configured on a nonchannelized port adapter such as a 4-port serial enhanced port adapter (PA-4T+) or an 8-port serial port adapter (PA-8T).

Workaround: There is no workaround.

CSCin52502

Symptoms: Ping packets may not pass between a native Gigabit Ethernet port of a Cisco 7400 series and a Fast Ethernet port of a Cisco 7500 series.

Conditions: This symptom is observed when the Cisco 7400 series runs Cisco IOS Release 12.2(18)S.

Workaround: There is no workaround.

CSCin53297

Symptoms: A RADIUS server command may be changed unexpectedly and may prevent RADIUS sessions from coming up.

Conditions: This symptom is observed when you enter the no radius-server unique-ident id global configuration command, causing the phrase "interval 10" to be appended to the previous RADIUS server command in the configuration.

Workaround: Reenter the radius-server unique-ident id global configuration command. Note that the value of the id argument does not need to be the same value that was entered in the no radius-server unique-ident id global configuration command.

CSCin53453

Symptoms: A router that is configured with a voice extensible markup language (VXML) application may generate tracebacks.

Conditions: This symptom is observed on a Cisco AS5400.

Workaround: There is no workaround.

CSCin53654

Symptoms: The plan field and the type field may change in a redirected call, even if no plan and type are defined under a translation rule.

Conditions: This symptom is observed when you make a Voice over IP (VoIP) call from an originating gateway (OGW) to a terminating gateway (TGW). The plan field and the type field at the OGW may differ from the plan field and the type field at the TGW.

Workaround: There is no workaround.

CSCin53730

Symptoms: It is not possible to configure the Easy Virtual Private Network (VPN) remote feature on a Cisco router.

Conditions: This symptom is observed on a Cisco 2691 router that is running the c2691-adventerprisek9-mz image of Cisco IOS software.

Workaround: Use the classic 2691 k9 image of Cisco IOS software.

CSCin53852

Symptoms: An H.323 proxy server may change the disconnect cause code that is sent by a terminating gateway.

Conditions: This symptom is observed in a network that is handling Voice over IP (VoIP) calls using two Cisco H.323 gateways, a gatekeeper, and a proxy server.

Workaround: There is no workaround.

CSCin55519

Symptoms: A Cisco AS5350 may reload unexpectedly when you make a call.

Conditions: This symptom is observed when you run a voice extensible markup language (VXML) application on the Cisco AS5350.

Workaround: There is no workaround.

CSCin56143

Symptoms: A Cisco router may reload unexpectedly when you remove a policy that is associated with an active interface that is supported by Parallel Express Forwarding (PXF).

Conditions: This symptom is observed when you enter the no policy-map policy-map-name global configuration command.

Workaround: Before you enter the no policy-map policy-map-name global configuration command, turn off PXF by entering the no ip pxf global configuration command.

CSCin56211

Symptoms: Packets that are sent from a hardware compression Advanced Integration Module (AIM) may be dropped when the following error messages and traceback are displayed:

%SYS-2-MALLOCFAIL: Memory allocation of 1716 bytes failed from 0x80363C68, alignment 32
Pool: I/O Free: 384 Cause: Not enough free memory
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "Pool Manager", ipl= 0, pid= 6
-Traceback= 803C0554 803C11D4 80363C6C 803D3168 803D3354 803E75A0 803EB4AC

Conditions: This symptom is observed on a Cisco 2651XM that connects via Multilink PPP over ISDN to a Cisco 3640.

Workaround: There is no workaround.

CSCin56239

Symptoms: A T.37 off-ramp fax call may disconnect without a T.30 data communications network (DCN). The fax is received correctly, but the call does not disconnect properly. The following error message is displayed:

T.30 flow error: DCN signal not received before session end.

Conditions: This symptom is observed on a Cisco AS5350 router during fax off-ramp call testing.

Workaround: There is no workaround.

CSCin56266

Symptoms: A provider edge (PE) router that is configured for Frame Relay over Multiprotocol Label Switching (FRoMPLS) may reload unexpectedly.

Conditions: This symptom is observed on a Cisco router that functions as a PE router when FRoMPLS is configured via an automatic script.

Workaround: Manually configure FRoMPLS.

CSCin57036

Symptoms: A Cisco Service Selection Gateway (SSG) may run out of memory and reload unexpectedly.

Conditions: This symptom is observed when TCP-Redirect features are configured on the Cisco SSG.

Workaround: There is no workaround.

CSCin57716

Symptoms: Permanent virtual circuits (PVCs) may not have a hardware resource, which is indicated by the error message "no hw resource."

Conditions: This symptom is observed when you perform a physical online insertion and removal (OIR) of a Node Route Processor 2 (NRP2) or when you enter the hw-module reset privileged EXEC command for the NRP2. Out of 16,000 PVCs in the configuration, some PVCs may not have a hardware resource.

Workaround: There is no workaround.

CSCin59378

Symptoms: Path confirmation may not occur, causing a voice call to fail.

Conditions: This symptom is observed when you make a channel-associated signaling (CAS) H.323 call.

Workaround: There is no workaround.

CSCuk43613

Symptoms: The Cisco Networking Services (CNS) syntax checker may return an error even though the configuration is valid.

Conditions: This symptom is observed on a Cisco router that has the CNS syntax checking option enabled when you enter the encapsulation aal5snap VC bundle configuration command.

Workaround: Disable the CNS syntax checker before you enter the command.

CSCuk44928

Symptoms: When you save a configuration first to the standby Performance Routing Engine (PRE) and then to the active PRE, the configuration may not be saved and the following error message may be generated:

startup-config file open failed (Device or resource busy)

Conditions: This symptom is observed on a Cisco 10000 series that is configured with redundant PREs and that runs Cisco IOS Release 12.0(26)S. The symptom may also occur in other Cisco IOS releases.

Workaround: There is no workaround.

CSCuk45567

Symptoms: When you perform a physical online insertion and removal (OIR) of a Route Switch Processor (RSP), the router may reload unexpectedly.

Conditions: This symptom is observed on a Cisco 7500 series when Routing Information Protocol next generation (RIPng) for IPv6 is configured.

Workaround: There is no workaround.

CSCuk45771

Symptoms: A Cisco gateway displays the following error message when a call agent sends a Modify Connection (MDCX) request:

%HPI-3-CODEC_NOT_LOADED: channel:3:0 (63) DSP ID:0x1342, command failed as codec not loaded

Conditions: This symptom is observed on all Cisco platforms.

Workaround: There is no workaround.

CSCuk45879

Symptoms: A Cisco router may reload unexpectedly when voice traffic is sent.

Conditions: This symptom is observed when voice traffic is sent over a Frame Relay (FR) subinterface and when Internet Protocol Header Compression (IPHC) is configured on a policy map.

Workaround: Configure IPHC directly on the FR subinterface.

CSCuk45946

Symptoms: When the Cisco Call Connection Manager (CCM) resets a Media Gateway Control Protocol (MGCP)-controlled gateway, some Foreign Exchange Office (FXO) cards remain shut down.

Conditions: This symptom is observed on Cisco 2651XM and Cisco 3745 routers that run Cisco IOS Release 12.2(15)T5. CCM sends an extensible markup language (XML) configuration file to the gateway, but some commands are not processed by the routers. The symptom may also occur in other releases.

Workaround: Enter the no shutdown interface configuration command on the FXO cards.

TCP/IP Host-Mode Services

CSCeb55448

Symptoms: Cisco IOS Release 12.3 has a new command-line interface (CLI) extension for the ip helper-address address redundancy vrg-name interface configuration command. There is no space between the IP address and the keyword redundancy. The router ignores the command after reboot and Dynamic Host Configuration Protocol (DHCP) breaks in the network.

Conditions: This symptom is observed in Cisco IOS Release 12.3 when an attempt is made to enable the Virtual Router Group feature for User Datagram Protocol (UDP) forwarding.

Workaround: There is no workaround.

Wide-Area Networking

CSCdy26008

Symptoms: The negotiated IP address is not cleared from an asynchronous interface when a call ends, even though the IP address is returned properly to the IP peer pool.

Conditions: This symptom is observed when the peer is configured to dial in to the network access server (NAS) and to obtain an IP address through IP Control Protocol (IPCP) negotiations with the NAS. The NAS is configured with pools of IP addresses to be allocated to the peer when the peers generate a PPP call to the NAS. The NAS is also configured to authenticate the peer through RADIUS.

Workaround: There is no workaround.

CSCdz20963

Symptoms: When you make a Voice over IP (VoIP) call via a PRI interface, a terminating gateway (TGW) on the ISDN user side may send a "progress" message after an "alerting" message, causing the call to fail.

Conditions: This symptom is observed on a Cisco AS5300 that functions as an originating gateway (OGW) and that runs Cisco IOS Release 12.2(2)XA3, Release 12.3(3), or Release 12.3(3)T in the following topology:

A PBX connects via an ISDN link to the Cisco AS5300 that connects to a gatekeeper. This gatekeeper connects via an H.323 link to another gatekeeper that connects to a Cisco AS5350 that functions as a TGW. The Cisco AS5350 connects via a European Telecommunications Standards Institute (ETSI) ISDN link to a user.

The symptom is caused by an incorrect VoIP configuration. When you disable the voice call send-alert global configuration command on the OGW, the symptom does not occur.

Workaround: Enter the no voice call send-alert global configuration command on the OGW.

CSCeb12167

Symptoms: When a client tries to authenticate the called system by using Challenge Handshake Authentication Protocol (CHAP), the client may fail to achieve connectivity over a virtual private dialup network (VPDN).

Conditions: This symptom is observed in very rare situations. Most clients do not try to authenticate the called system.

Workaround: Reconfigure the client so as not to challenge the system that the client is calling.

CSCeb19794

Symptoms: Virtual private dial-up network (VPDN) calls that are based on PPP Password Authentication Protocol (PAP) authentication may not be able to establish a VPDN tunnel.

Conditions: This symptom is observed when the autodetect encapsulation ppp v120 interface configuration command is enabled and occurs only for ISDN-based PPP calls.

Workaround: Enter the ppp authentication pap chap interface configuration command on the D channel of the serial lines.

First Alternate Workaround: Disable the autodetect encapsulation ppp v120 interface configuration command. Doing so may prevent the symptom from occurring, but will prevent V.120 calls from being accepted. This workaround may not always be valid.

CSCeb20197

Symptoms: A router may create call control blocks (CCBs) that it does not release, eventually preventing an interface from receiving calls.

Conditions: This symptom is observed when an interface of a Cisco router receives a setup message for a voice call and the router creates a CCB that it does not release. When the maximum number of CCBs is reached, the interface cannot accept any more incoming calls, causing incoming calls to be released.

Workaround: Enter the isdn housekeeping free global configuration command on the router.

CSCeb20580

Symptoms: When more than two dialer strings are configured on a dialer interface of a Cisco platform, only the first two dialer strings may be dialed and the remaining dialer strings may be ignored. When you enter the dialer order interface configuration command, the keyword that you select does not have any effect; that is, the keywords sequential, round-robin, and last-successful all give the same result.

Conditions: These symptoms are observed on a Cisco AS5400.

Workaround: There is no workaround.

CSCeb28654

Symptoms: A router may not reestablish a backup connection if the ISDN physical link is interrupted while it is being used.

Conditions: This symptom is observed when dialer backup is enabled by using the dialer watch feature.

Workaround: There is no workaround.

CSCeb33417

Symptoms: A router may reload when it tries to add a permanent virtual circuit (PVC) to a bundle link.

Conditions: This symptom is observed when a normal Local Management Interface (LMI) frame is received without the User-Network Interface (UNI) fragmentation header. This situation causes the frame to be processed on the bundle link instead of on the bundle.

Workaround: There is no workaround.

CSCeb39295

Symptoms: When the backup interface dialer number interface configuration command is enabled under the primary serial interface, the dialer interfaces may not initiate outgoing calls through ISDN BRI lines if the line protocol status was switched from standby to up.

Conditions: This symptom is observed on a Cisco 7200 series router.

Workaround: Shut down the dialer interface that cannot trigger the outgoing call and create new dialer interfaces.

CSCeb48419

Symptoms: When call clearing is initiated on a Cisco gateway that has the isdn switch-type primary-net5 interface configuration or global configuration command enabled, the following symptoms may occur:

A restart message is sent after 30 seconds instead of after 120 seconds.

The B channel is released instead of entering the maintenance state.

The restart procedure is terminated after the second T316 timer expires.

These symptoms may cause state inconsistencies on the B channel and a low level of automatic speech recognition (ASR) on the gateway.

Conditions: These symptoms are observed when the user and the network protocol emulation are not in compliance with the European Telecommunications Standards Institute (ETSI).

Workaround: There is no workaround.

CSCeb49937

Symptoms: Ping packets that are sent from a Cisco router that functions as an L2TP network server (LNS) via Layer 2 Tunnel Protocol (L2TP) may not reach a platform that is connected to a third-party vendor L2TP access concentrator (LAC).

Conditions: This symptom is observed when you configure the L2TP tunnel in a Virtual Private Network (VPN) routing/forwarding (VRF) instance by entering the vpn vrf vrf-name VPDN-group configuration command for a virtual private dial-up network (VPDN) group on the LNS. The symptom occurs because the third-party vendor LAC includes checksums in its packets.

Workaround: Configure the third-party vendor LAC in such a manner that it does not include checksums in its packets. Doing so will not only prevent the symptom from occurring but will also result in better performance.

Alternate Workaround: Enter the vpdn ip udp ignore checksum command on the LNS.

CSCeb50563

Symptoms: The first character of a user-to-user information element (UUIE) may not be displayed properly in a setup; the first character may be displayed as a hexadecimal value, while the remaining characters are displayed properly.

Conditions: This symptom is observed on both the originating gateway and the terminating gateway.

Workaround: There is no workaround.

CSCeb53292

Symptoms: A Cisco AS5400 may reload immediately after bootup if the incoming cells per second (CPS) are more than 5. A similar reload is observed when calls are cleared from the network access server (NAS).

Conditions: This symptom is observed on a Cisco AS5400 with calls made with authentication, authorization, and accounting (AAA).

Workaround: There is no workaround.

CSCeb53296

Symptoms: When a primary controller is shut down, calls across a backup controller may also be cleared.

Conditions: This symptom is observed in a Non-Facility Associated Signaling (NFAS) configuration.

Workaround: There is no workaround.

CSCeb53627

Symptoms: CallTracker may not populate the "userid" field with a user name.

Conditions: This symptom is observed when interactive authentication is performed.

Workaround: There is no workaround.

CSCeb53751

Symptoms: ATM switched virtual circuit (SVC) calls that are routed to a Cisco 7200 series router from a third-party switch may fail.

Conditions: This symptom is observed when calls originate from a third-party switch that includes the ATM adaptation layer 5 (AAL5) parameter information element (IE) with specified forward and backward call processing control system (CPCS) service data unit (SDU) sizes. The Cisco router is currently not compliant with RFC 2225 paragraph 7.2. This behavior makes it fail with systems that comply with RFC 2225.

Workaround: There is no workaround.

CSCeb56594

Symptoms: When RADIUS network accounting is configured, an L2TP network server (LNS) may send an incorrect network access server (NAS) IP address in a RADIUS attribute.

Conditions: This symptom is observed in a multihop environment that includes two LNSs (LNS1 and LNS2) that are connected via a Layer 2 Tunnel Protocol (L2TP) connection and an L2TP access concentrator (LAC) that is connected to LNS1 via an L2TP connection. LNS1, LNS2, and the LAC are all connected to separate RADIUS servers. The following global configuration commands are enabled:

vpdn multihop

vpdn aaa attribute nas-ip-address vpdn-nas

vpdn aaa attribute nas-port vpdn-nas

For the first session, both LNS1 and LNS2 send the correct NAS IP address (which is the IP address of the LAC) in a RADIUS attribute. However, for subsequent sessions, LNS1 sends the correct NAS IP address, but LNS2 sends the IP address of the LNS1 interface that is connected to LNS2.

Workaround: There is no workaround.

CSCeb56610

Symptoms: For digital Multilink PPP (MLP) calls, IP Control Protocol (IPCP) negotiation does not occur if the multilink virtual-template router configuration command is not present. The router may reload after the calls are cleared and a new call is made.

Conditions: This symptom is observed on a Cisco access server.

Workaround: Configure the router with the multilink virtual-template router configuration command.

CSCeb57058

Symptoms: A V.110 call may fail or may cause a Signaling System 7/C7 "connect" message to be sent instead of an Aironet Client Monitor (ACM) answer message (ANM).

Conditions: This symptom is observed when a V.110 call is sent over User Service Information (USI) signaling instead of over AT signaling.

Workaround: There is no workaround.

CSCeb59081

Symptoms: A user-to-user information element (UUIE) may be displayed twice in an "alerting" message.

Conditions: This symptom is observed on a Cisco platform that functions as a terminating gateway and that has the isdn switch-type primary-5ess interface configuration or global configuration command enabled.

Workaround: There is no workaround.

CSCeb59083

Symptoms: A redirecting number information element (IE) may not be displayed in an "alerting" message.

Conditions: This symptom is observed on a Cisco platform that has the isdn switch-type primary-5ess interface configuration or global configuration command enabled.

Workaround: There is no workaround.

CSCeb60833

Symptoms: A low-layer compatibility information element (IE) may not be included in a "connect" message on a terminating gateway (TGW).

Conditions: This symptom is observed on a Cisco platform that functions as a TGW and that has the isdn switch-type primary-ni interface configuration or global configuration command enabled.

Workaround: There is no workaround.

CSCeb61265

Symptoms: A notify indicator information element (IE) may not be included in a "connect" message, even after you have enabled the isdn outgoing ie notification-indicator codeset 0 message connect interface configuration command.

Conditions: This symptom is observed on a Cisco platform and is independent of the configured PRI switch type.

Workaround: There is no workaround.

CSCeb61573

Symptoms: The "change password" feature may not work when using Cisco Secure and Windows Client.

Conditions: This symptom occurs when the client times out and sends multiple change password requests before it gets a response for the first request.

Workaround: There is no workaround.

CSCeb67034

Symptoms: An ISDN interface may not properly propagate an incoming cause value.

Conditions: This symptom is observed on a Cisco gateway when a call is not successful and when inband information is sent via Session Initiation Protocol (SIP) before a "disconnect" message is sent.

The gateway receives a "progress" message with a cause value and sends inband information that does not include the received cause code. The gateway should send the cause code that it received in the "progress" message. After a timeout period, the gateway receives a "disconnect" message.

Workaround: There is no workaround.

CSCeb70321

Symptoms: Callbacks may fail with Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) on a network access server (NAS) that is configured for compression because the callbacks may interrupt Microsoft Callback Control Protocol (MSCB) and Call-Back Control Protocol (CBCP) early.

Conditions: This symptom is observed on a Cisco AS5400 that is configured for MSCHAP V2 authentication.

Workaround: There is no workaround.

CSCeb70487

Symptoms: The output of the show dialer EXEC command may display incorrect information. The actual number of successful call attempts does not match the number of successful call attempts in the output of the show dialer EXEC command.

Conditions: This symptom is platform independent.

Workaround: There is no workaround. However, the call functionality is not affected.

CSCeb72381

Symptoms: When you configure Open Shortest Path First (OSPF) on a new Multilink Frame Relay (MFR) interface, the following traceback may be displayed:

%OSPF-6-ZERO_BANDWIDTH: interface MFR100 has zero bandwidth

Conditions: This symptom is observed on a Cisco router when you configure a new MFR interface or after the router has rebooted.

Workaround: There is no workaround.

CSCeb72589

Symptoms: When a Cisco router is configured to do Microsoft Point-to-Point Compression (MPPC) and when a client connects and requests MPPC by using a null set of supported bits (which is the client's way of specifying that it does not want to do MPPC), then the network layer connectivity is not achieved.

Conditions: This symptom is observed on a Cisco router that is configured with MPPC.

Workaround: Disable MPPC on the router.

Alternate Workaround: Enable MPPC on the client.

CSCeb74717

Symptoms: A Cisco AS5xx0 that functions as a network access server (NAS) may immediately disconnect an outbound modem call.

The output of the debug isdn q931 and debug csm modem privileged EXEC commands may show the following information:

ISDN Se3/0:23 Q931: RX <- PROGRESS pd = 8 callref = 0x8025
Progress Ind i = 0x8381 - Call not end-to-end ISDN, may have in-band info
EVENT_FROM_ISDN: dchan_idb=0x63D214F4, call_id=0x802A, ces=0x1 bchan=0x14, event=0x5, cause=0x1
EVENT_FROM_ISDN:(802A): DEV_CALL_PROGRESSING at slot 1 and port 0

CSM_PROC_OC5_WAIT_FOR_CARRIER:
CSM_EVENT_ISDN_CALL_PROGRESSING at slot 1, port 0
CSM DSPLIB(1/0): np_dsplib_call_hangup reason 16
ISDN Se3/0:23 Q931: TX -> DISCONNECT pd = 8 callref = 0x0025 Cause i = 0x809F - Normal, unspecified

Conditions: This symptom is observed when the outbound modem call is placed over ISDN signaling and when an "alerting" or "progress" message is received from the connected switch.

Workaround: Enter the isdn block-progress interface configuration command on the D-channel interface.

CSCeb76161

Symptoms: ISDN calls may fail because of a PPP bind failure.

Conditions: This symptom is observed on ISDN calls that use per-user authentication, authorization, and accounting (AAA) attributes (for example, access control lists [ACLs]). The initial ISDN call passes, and subsequent calls fail with the PPP bind failure.

Workaround: There is no workaround.

CSCeb76284

Symptoms: When both an originating gateway (OGW) and a terminating gateway (TGW) are configured as a DMS100 switch type by entering the isdn switch-type primary-dms100 global configuration or interface configuration command, the Network Layer Protocol ID (NLPID) value 0xB1 (defined as FRF.12 Fragmentation) may not appear in the output of a debug command on the TGW.

Conditions: This symptom is observed on a Cisco platform that functions as a TGW and that is configured as a DMS100 switch type. According to the Digital Multiplex Switch (DMS) standard, the display information element (IE) must contain the value 0xB1 before the ASCII text is displayed.

Workaround: There is no workaround.

CSCeb77380

Symptoms: A router may reload when it makes a call that uses a username and password that are more than 176 characters in length.

Conditions: This symptom is observed on a router that uses PPP Password Authentication Protocol (PAP) authentication.

Workaround: There is no workaround.

CSCeb78177

Symptoms: During a test of B-Channel Maintenance Procedure (BCAC), a change of channel status from high availability to low availability may not occur. No error message is displayed to indicate that the configuration to change the channel status has been rejected. This causes inconsistent or incorrect information to be displayed in the output of the show isdn service privileged EXEC command and in the output of the show running-config privileged EXEC command.

Conditions: This symptom is observed when the D channel is inactive or shut down and you try to change service states.

Workaround: Do not change service states while the D channel is inactive or shut down.

CSCeb81177

Symptoms: PPP may cause unnecessary authentication, authorization, and accounting (AAA) IDs to be allocated.

Conditions: This symptom is observed on a Cisco router that has a lot of traffic with many sessions going up and down. Over time, this symptom can cause a memory leak that will deplete the system memory.

Workaround: Do not overload the router.

CSCeb82288

Symptoms: Uplink packets that require reassembly at a Layer 2 Tunneling Protocol (L2TP) network server (LNS) may be dropped.

Conditions: This symptom is observed if a tunnel terminates at a Hot Standby Router Protocol (HSRP) virtual address of the LNS.

Workaround: Configure the maximum transmission unit (MTU) so that the L2TP access concentrator (LAC) is not required to fragment packets. For example, configure an MTU of 1460 or less if there is an Ethernet connection between the LAC and the LNS.

Alternate Workaround: Terminate the tunnel on a router loopback address.

CSCeb86304

Symptoms: A Cisco router may pause indefinitely when you enter the ppp multilink router configuration command on virtual template 1, and you enter the ppp authentication pap or ppp authentication chap router configuration command on dialer interface 0.

Conditions: This symptom is observed on a Cisco AS5400 when a heavy traffic load is present.

Workaround: There is no workaround.

CSCeb87573

Symptoms: Data packets fail to flow if Multilink PPP (MLP) calls use compression with virtual profile based calls with compression.

Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.2 or Release 12.3.

Workaround: Turn off hardware compression or remove the compression adaptor.

CSCec01485

Symptoms: The absolute-timeout line configuration command may not activate when the asynchronous interface comes up.

Conditions: This symptom is observed on a Cisco router.

Workaround: Reconfigure the absolute-timeout line configuration command to install the timer to the asynchronous interface.

CSCec02381

Symptoms: With Microsoft Point-to-Point Compression (MPPC) configured, dialer sessions are torn down prematurely although packets are flowing all the time.

Conditions: This symptom occurs only if PPP compression is configured.

Workaround: There is no workaround.

CSCec03269

Symptoms: PPP context may not be freed when a PPP over X (PPPoX) session goes down.

Conditions: This symptom is observed on a Cisco router that uses full virtual access (vaccess).

Workaround: There is no workaround.

CSCec05390

Symptoms: A router may not accept any incoming calls because of a memory leak in the ISDN call control blocks (CCBs). The router may allow only a limited number of active calls.

Conditions: This symptom is observed on a Cisco AS5300 that is running Cisco IOS Release 12.3(1a), but may be observed on any Cisco platform that has a memory leak in the CCBs. The normal behavior is for the CCBs to be released regardless of whether a call goes through or fails, and when a call terminates, the CCB should be released. Otherwise, there are CCB leaks that may prevent new calls from being accepted, or in extreme circumstances, may cause the router to reload.

Workaround: There is no workaround.

CSCec06321

Symptoms: A Cisco router may discard any Multilink PPP (MLP) fragments that it receives and display the following message:

MLP: I pkt len > MRRU in `xxx', discarding

Conditions: This symptom occurs when packets are received on a Cisco router that exactly match or are one octet less than the Maximum Receive Reconstructed Unit (MRRU) that is negotiated during the Link Control Protocol (LCP) phase.

Workaround: Configure the peer so that the maximum transmit unit (MTU) on the multilink bundle is at most two less than the MRRU that is requested by the Cisco IOS software.

CSCec06337

Symptoms: A router may reload with a bus error when a high volume of new PPP connections occurs on the router.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(15)T5 or Release 12.3.

Workaround: There is no workaround.

CSCec08632

Symptoms: If a ping to the tunnel end of an L2TP network server (LNS) fails, a large number of packets are continuously generated, and the router may reload with a memory allocation failure error message.

Conditions: This symptom is observed on a Cisco router that is configured for voluntary Layer 2 Tunneling Protocol (L2TP) or client-initiated L2TP tunneling.

Workaround: There is no workaround.

CSCec12519

Symptoms: A Cisco access server may reload under high call volume.

Conditions: This symptom is observed on a Cisco access server that has a call volume of approximately 600 analog PPP calls and 300 digital Multilink PPP (MLP) calls.

Workaround: There is no workaround.

CSCec12645

Symptoms: A router always reports an E=69 error code for a Challenge Handshake Authentication Protocol (CHAP) Access-Reject response by the RADIUS server instead of the error code that is sent by the RADIUS server.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(4)T or Release 12.3(5).

Workaround: There is no workaround.

CSCec16800

Symptoms: Calls that come into a Cisco router by way of PRI ISDN have the calling number digits truncated. The digits appear in the original SETUP message, but later in the call application, six to seven digits are missing from the end of the digit stream.

Conditions: This symptom is observed on a Cisco AS5400 that is running Cisco IOS Release 12.3(1a).

Workaround: There is no workaround.

CSCec18816

Symptoms: A Cisco router may reload when the required keyword is included in the ppp encrypt mppe interface configuration command.

Conditions: This symptom is observed on a Cisco router when you clear a Point-to-Point Tunneling Protocol (PPTP) session or when you enter the clear interface type number EXEC command and the ppp encrypt mppe required interface configuration command is already configured.

Workaround: Remove the required keyword from the ppp encrypt mppe interface configuration command.

CSCec20844

Symptoms: If a virtual-access interface is created and is ever assigned to a multilink-group interface by the ppp multilink group n configuration command, this configuration is not properly removed when the interface goes down and the virtual-access interface is recycled for reuse. A significant after-effect, and perhaps the most visible symptom, is that if the virtual-access interface negotiates to use multilink during some future session (a different use of the virtual-access interface than the one where the assignment was first made), the interface will not join the designated multilink-group interface. A separate virtual-access interface may be created for the bundle instead.

Workaround: There is no workaround.

CSCec24047

Symptoms: When a Session Initiation Protocol (SIP) server transfers a call through a gateway to a Cisco AS5300, the SIP server may add extra information in the redirected number.

Conditions: This symptom is observed on a Cisco SIP Proxy Server (CSPS) that transfers calls to a Cisco AS5300. The correct redirected number may be observed through the Cisco AS5300. The extra information may be viewed by using a sniffer trace or from the telco logs.

Workaround: There is no workaround.

CSCec26520

Symptoms: A router may experience a memory leak in the vtemplate background process. This symptom may be confirmed by entering the show processes memory EXEC command to monitor memory usage.

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.2(13)T5.

Workaround: There is no workaround.

CSCec26602

Symptoms: Compression Control Protocol (CCP) may receive a Configure Negative-Acknowledge (CONFNAK) PPP negotiation packet if one end uses Microsoft Point-to-Point Compression (MPPC) as a decompression protocol and the other end uses a different decompression protocol.

Conditions: This symptom is observed only with MPPC on routers that are running Cisco IOS Release 12.3(4)T.

Workaround: There is no workaround.

CSCec37609

Symptoms: A Cisco router may reload unexpectedly while closing a PPP connection.

Conditions: This symptom is observed when many PPP links are being established and closed.

Workaround: There is no workaround.

CSCec40867

Symptoms: The idle-timeout timer may not be reset, causing a session to be cleared upon expiration of the idle-timeout timer.

Conditions: This symptom is observed when both the ip idle-group interface configuration command and compression are enabled on an interface.

Workaround: There is no workaround.

CSCec46798

Symptoms: A router may reload with a bus error when PPP sessions are disconnected.

Conditions: This symptom is observed on a Cisco router that is running an interim release of Cisco IOS Release 12.3(4). The symptom occurs on PPP sessions that are not directly associated with an interface or a subinterface (for example, PPP over ATM [PPPoATM] or Layer 2 Tunneling Protocol [L2TP]). Earlier releases of Cisco IOS software do not display this symptom.

Workaround: There is no workaround.

CSCec57967

Symptoms: A Cisco router that functions as a network access server (NAS) and that is configured for Microsoft CHAP version 2 (MS-CHAPv2) may reload unexpectedly.

Conditions: This symptom is observed when a peer of the NAS terminates an MS-CHAPv2 call.

Workaround: Configure the NAS and the peer in such a way that the NAS (instead of the peer) terminates the MS-CHAPv2 call.

CSCin48354

Symptoms: A link control protocol (LCP) negotiation may fail as a network access server (NAS) discards the packets and displays the following message:

Lower layer not up, discarding packet

Conditions: This symptom is observed when a ping from a client to an NAS fails with an authentication, authorization, and accounting (AAA) configuration.

Workaround: Do not configure anything that will cause a virtual-profile to be created (for example, an AAA per user configuration or a "virtual-profile virtual-template" configuration).

CSCin50541

Symptoms: A router may reload after you enter the ppp multilink interface configuration command.

Conditions: This symptom occurs when multilink is configured on an active serial interface and neither the ppp multilink group interface configuration command nor the multilink virtual-template global configuration command is entered. Under these conditions, multilink normally fails to create a bundle because of the lack of a configuration source for the bundle interface, but in this instance, it causes the router to reload.

Workaround: Enter the shutdown interface configuration command to shut down the serial interface. Then, enter the ppp multilink group interface configuration command on the serial interface.

CSCin51953

Symptoms: A router may reload when the no dialer pool interface configuration command is issued on the dialer interface.

Conditions: This symptom is observed on a Cisco router that has a PPP over Ethernet (PPPoE) session in the up state.

Workaround: Bring down the PPP session, and then enter the no dialer pool interface configuration command.

CSCin52071

Symptoms: Virtual private dialup network (VPDN) sessions cannot be established at the Layer 2 Tunneling Protocol (L2TP) network server (LNS).

Conditions: This symptom is observed on a Cisco LNS that is running Cisco IOS Release 12.3 because PPP does not allow packets to be processed. The following debug message appears:

195: ppp4 LCP: Lower layer not up, discarding packet

Workaround: There is no workaround.

CSCin53115

Symptoms: It may not be possible to add a bundle link to a Multilink Frame Relay (MFR) interface.

Conditions: This symptom is observed on a Cisco 7200 series and a Cisco 7600 series when data-link connection identifier (DLCI) 896 is configured on the router.

Workaround: Do not configure DLCI 896.

CSCin54988

Symptoms: A separate Layer 2 Tunneling Protocol (L2TP) tunnel is created for each L2TP session.

Conditions: This symptom is observed when an L2TP access concentrator (LAC) that has a RADIUS profile tunnel authorization does not have "tunnel-id" or "client-auth-id" attributes configured in the RADIUS profile.

Workaround: Define "tunnel-id" and "client-auth-id" in the RADIUS profile.

Resolved Caveats—Cisco IOS Release 12.3(3i)

Cisco IOS Release 12.3(3i) is a rebuild release for Cisco IOS Release 12.3(3). The caveats in this section are resolved in Cisco IOS Release 12.3(3i) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCee45312

Remote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.

Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.

Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue. Some configurations using RADIUS, none and an additional method are not affected.

Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.

More details can be found in the security advisory, which is posted at the following URL:
http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

IP Routing Protocols

CSCeh13489

Symptoms: A router may reset its Border Gateway Protocol (BGP) session.

Conditions: This symptom is observed when a Cisco router that peers with other routers receives an Autonomous System (AS) path with a length that is equal to or greater than 255.

Workaround: Configure the bgp maxas-limit command in such a way that the maximum length of the AS path is a value below 255. When the router receives an update with an excessive AS path value, the prefix is rejected and the event is recorded in the log.

Resolved Caveats—Cisco IOS Release 12.3(3h)

Cisco IOS Release 12.3(3h) is a rebuild release for Cisco IOS Release 12.3(3). The caveats in this section are resolved in Cisco IOS Release 12.3(3h) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCed91215

Symptoms: Attributes 42 and 43 may be of value "zero" in Connection STOP records.

Conditions: This symptom is observed on a Cisco AS5400 and Cisco AS5850 that run Cisco IOS Release 12.3 or Release 12.3(4)T4 when a TCP-clear call is disconnected by the caller. For call disconnects by the NAS, the values are proper.

Workaround: There is no workaround.

CSCee35740

Symptoms: After a VIP crashes, a FIB-3-FIBDISABLE error message due to an IPC timeout may occur for all the slots of the VIP.

Conditions: This symptom is observed on a Cisco 7500 series after the VIP crashes and before the VIP recovers. The FIB-3-FIBDISABLE error message is generated for all the slots of the VIP, causing dCEF switching to become disabled.

Workaround: There is no workaround. You can reenable dCEF by entering the clear cef linecard command.

CSCef46191

Symptoms: A specially crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transfer Protocol (HTTP) access to the Cisco device. Telnet, reverse telnet, RSH and SSH sessions established prior to exploitation are not affected.

All other device services will operate normally.

Conditions: A user-initiated, specially crafted TCP connection to a telnet or reverse telnet port results in blocking further telnet sessions, whereas services such as packet forwarding, routing protocols, and all other communication to and through the device remain unaffected.

Workaround: The detailed advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml

CSCin61699

Symptoms: Retransmissions may not be sent to all RADIUS servers in a server group.

Conditions: This symptom is observed when an active RADIUS server in a server group is declared dead and when the server group already contains some dead RADIUS servers. In this situation, the retransmission attempt is not made to all the dead RADIUS servers in the server group but only to the server that is just declared dead. This is not proper behavior: retransmissions should be sent to all the dead RADIUS servers.

Workaround: There is no workaround.

Interfaces and Bridging

CSCee58873

Symptoms: The show controllers t1 slot/port command may show only the current interval.

Conditions: This symptom is observed on a Cisco 7200 series when FDL is configured.

Workaround: There is no workaround.

Further Problem Description: When FDL is configured, the router updates the MIB data after checking for a valid local and remote MIB data interval that it receives from the T1 port adapter. During the remote MIB update, and if the received data interval is invalid, the router clears both the remote and the local data instead of clearing only the remote data and starting again.

IP Routing Protocols

CSCea81029

Symptoms: A Cisco router may reload unexpectedly when you enter a show command that is related to IP multicast.

Conditions: This symptom is observed on a Cisco router that has remained at the "more" prompt for a long period of time.

Workaround: There is no workaround. If you avoid leaving a show command at a --More-- prompt for a long time, the chance of running into this issue is very small. Also, if the router has neither directly connected receivers nor an IGMP join configured (for example, a core router), this bug does not cause any harm.

CSCed55593

Symptoms: When using Cisco CallManager and PAT on the CE router, no voice is observed if a call is made across CCM clusters and is transferred back to another phone on the same CCM, between the IP phones behind PAT.

Conditions: This symptom occurs when Cisco CallManager is configured for Static NAT. The IP phones registered to the CCM in the location are configured to use PAT. A call is made across the CCM cluster and transferred back to the cluster.

Workaround: There is no workaround.

CSCed73023

Symptoms: A Cisco 1600 series crashes with an "Unexpected exception to CPU vector 2" error.

Conditions: This symptom is observed when stateful NAT is configured with the redundancy in command.

Workaround: There is no workaround.

CSCef60659

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

CSCsa59600

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

Miscellaneous

CSCeb36963

Symptoms: VLAN class of service (CoS) bits may not be set for outgoing Multiprotocol Label Switching (MPLS) packets, although the modular QoS CLI (MQC) may indicate so.

Conditions: This symptom is observed on a Cisco 7200 series or Cisco 7500 series that runs Cisco IOS Release 12.2, Release 12.3, or Release 12.3 B when CoS marking is applied to a VLAN subinterface. Note that traffic that is generated by the router itself receives the correct CoS for all classes.

Workaround: There is no workaround.

CSCeb68673

Symptoms: On an ASBR-PE, the TFIB may be missing a forwarding entry for a prefix that is learnt from a PE.

Conditions: This symptom is observed on an "ASBR-co-located PE" (that is, an ASBR that also functions as a PE router) when the PE functionality is removed by deconfiguring VRF, for example, by entering the no ip vrf vrf-name command.

Since this is a timing issue, it may occur in Cisco IOS Release 12.0 S, 12.2 S, 12.2 T, and 12.3.

Workaround: There is no workaround.

CSCeb80992

Symptoms: A router may reload unexpectedly because of a bus error when access control lists (ACL) counters are sent from a line card or network module to the Route Processor (RP).

Conditions: This symptom is observed when the ACL number is in the expanded range (that is, from 1300 to 1999 or from 2000 to 2699). Note that the symptom does not occur when named ACLs are used.

Workaround: There is no workaround.

CSCeb81576

Symptoms: The following tracebacks are seen on a voice router:

%DSM-3-NOEVENT: no free event structure available from dsm_ev_chunk_pool for DSM message

Conditions: This symptom leads to dropped calls or DSP timeouts under high stress or high CPU.

Workaround: Reload the router.

CSCec15517

Symptoms: A Cisco router may reload when you enter the show policy-map interface command in one router session while deleting the sub-interface on which the policy is attached from another session.

Conditions: This symptom is observed on a Cisco 7500 series that is configured with a Frame Relay permanent virtual circuit (PVC) policy.

Workaround: There is no workaround.

CSCec33028

Symptoms: A 1-port E3 serial port adapter (PA-E3) may fail to recover to the "up/up" state even when the original cause of the failure is corrected.

Conditions: This symptom is observed on a Cisco 7500 series.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface of the PA-E3.

CSCec76965

Symptoms: When configuring QoS on a Cisco 7200 series, the router may reload with a bus error. Specifically, the bus error occurs after having entered the no class name command on subinterfaces.

Conditions: This symptom is observed on a Cisco 7200 series that runs the c7200-jk9s-mz image of Cisco IOS Release 12.2(17a). The symptom may also occur in other releases. This behavior is associated with the use of "payload-compression" and Weighted Random Early Detection (WRED) configurations.

Workaround: There is no workaround.

CSCec81138

Symptoms: Traceback messages are seen on a Cisco AS5400 origination GW (OGW). The tracebacks are reproducible.

Conditions: This symptom is observed when running tests with an E1R2 interface.

Workaround: There is no workaround.

CSCed30670

Symptoms: An H.323 proxy may fail when a conference call between a PSTN user and IP phone users is initiated by an IP phone in a Cisco CallManager environment.

Conditions: This symptom is observed on a Cisco router that functions as a gatekeeper, that has the H.323 proxy enabled, and that runs Cisco IOS Release 12.3(5) in the following topology:

An IP phone connects to a Cisco CallManager that connects to the Cisco gatekeeper that has the H.323 proxy enabled. The Cisco gatekeeper connects to yet another gatekeeper that connects to a gateway that, in turn, connects to the PSTN.

All calls to and from the Cisco CallManager IP phone via the Cisco gatekeeper are proxied. The Cisco CallManager runs software version 3.3(3)SR3. The display IE delivery option is disabled in the H.225 trunk configuration in the Cisco CallManager administration web page. The H.225 trunk is controlled by one of the gatekeepers.

The symptom occurs in the following sequence of events:

1. A PSTN user calls an IP phone (IP phone 1).

2. The user of IP phone 1 answers the call and the call is connected with two-way audio.

3. The user of IP phone 1 presses the "conference" button and calls another IP phone (IP phone 2).

4. The user of IP phone 2 answers the call and the call is connected with two-way audio.

5. The user of IP phone 1 presses the "conference" button again.

6. The H.323 proxy fails, causing the PSTN to be disconnected from the conference call.

7. The conference call continues between the user of IP phone 1 and the user of IP phone 2.

Workaround: Enable the "Display IE delivery" option in the H.225 trunk configuration in the Cisco CallManager administration web page.

Alternate Workaround: Disable the H.323 proxy on the Cisco gatekeeper.

CSCed45746

Symptoms: Several prefixes for nonredistributed and connected interfaces in different VRFs may be partially bound to the same MPLS VPN label, causing traffic that is bound for one or more of these VRFs to be disrupted.

Conditions: This symptom is observed on a Cisco router after the VRF interfaces have flapped.

Workaround: Clear the routes in the VRFs in sequence.

CSCed57281

Symptoms: A router may log a CPUHOG message that is caused by the CEF reloader process.

Conditions: This symptom is observed on a Cisco router when a VRF with more than 9000 routes is added to the configuration.

Workaround: There is no workaround.

CSCee01688

Symptoms: A NAS crashes when stress scripts are running and when bulk calls are made.

Conditions: This symptom is observed on a Cisco AS5400 and Cisco AS5800 that are configured for T1 when scripts run that enter the shutdown command followed by the no shutdown command on controllers in digital callers and the clear modem all command in analog callers. The NAS is stressed with both analog and digital calls made from a traffic generator that sends 20 packets per second and the scripts run every 10 minutes.

Workaround: There is no workaround.

CSCee06794

Symptoms: DTS may not work properly on dot1q Fast Ethernet subinterfaces. Traffic is not shaped at the expected rate.

Conditions: This problem is observed on a Cisco 7500 series that is configured as a PE router and that runs Cisco IOS Release 12.2(12i). The symptom may also occur in other releases.

Workaround: If this is an option, use ISL subinterfaces.

CSCee08584

Cisco Internetwork Operating System (IOS®) Software release trains 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the Cisco IOS Telephony Service (ITS), Cisco CallManager Express (CME) or Survivable Remote Site Telephony (SRST) may contain a vulnerability in processing certain malformed control protocol messages.

A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS). This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml

Cisco has made free software upgrades available to address this vulnerability for all affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This vulnerability is documented by Cisco bug ID CSCee08584.

CSCee11770

Symptoms: All SWIDBs may be used.

Conditions: This symptom is observed when PPPoA sessions flap continuously.

Workaround: There is no workaround.

CSCee18883

Symptoms: All VIPs in a Cisco 7500 series restart as a consequence of a Cbus complex that is triggered by a stuck output. Just before the output becomes stuck, IPC timeout errors occur.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(5) in a dLFIoATM environment. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCee20205

Symptoms: A file type sometimes becomes ASCII text when you enter the write memory command on an NRP2-SV. You can see the file type when you enter the show file info disk0:slotX/nrp2-startup-config command on the NSP, as in the following example:

NSP# show file info disk0:slot5/nrp2-startup-config
disk0:slot5/nrp2-startup-config: type is ascii text <<<<<

Conditions: This symptom is observed on an NRP2-SV that is installed in a Cisco 6400 series that runs Cisco IOS Release 12.2(15)T9 or 12.3(6).

Workaround: There is no workaround.

CSCee20366

Symptoms: IMA link status sticks in NE usable/usable while showing FE active/active.

Conditions: This happens when connecting an IMA module in a Cisco 3640 to a third party vendor switch.

Workaround: Administratively shut down the link and then bring it back.

CSCee22810

Symptoms: On a Cisco 7500 series, all PVCs may suddenly enter the down state and remain in this state for about two minutes before they come back up. During the DLCI down state, the subinterface does not go down and no notifications are observed in the message log.

Conditions: This symptom is observed on a Cisco 7500 series that is configured with an RSP4+ or an RSP8 and that runs the rsp-jsv-mz image of Cisco IOS Release 12.2(12i). In addition, the router is configured with an 8-port serial port adapter and an HSSI port adapter, is configured for Frame Relay, and has more than 450 PVCs/DLCIs. Note that the symptom may be platform-independent and may also occur on other Cisco platforms in a similar configuration.

Note: This is a timing issue and is not dependent on the number of VCs.

Workaround: There is no workaround.

CSCee26700

Symptoms: A router may experience a memory leak when the LSR MIB is queried.

Conditions: This symptom is observed on a Cisco router running Cisco IOS Release 12.2(15)T10 but is software-independent.

Workaround: Disable the LSR MIB queries and reboot the device to reclaim the leaked memory.

CSCee47441

Symptoms: When the Cisco IOS Firewall CBAC is configured, the router seems to have a software-forced reload caused by one of the inspections processed.

Conditions: This symptom is observed when the router is part of a DMVPN hub-spoke with a Cisco VoIP phone solution deployed on it and the router is connected to the central office over the Internet. The Cisco VoIP phone runs the SKINNY protocol.

Workaround: There is no workaround.

CSCee49556

Symptoms: When a T.38 fax failure occurs, for example because a call is disconnected, a Cisco AS5400 may incorrectly generate the following message in its log:

%DSM-3-DSP_TIMEOUT: DSP timeout on channel <channel specific information> T38 Codec Switch Failed or Timed out

Conditions: This symptom is observed when there is no real failure in the codec download. The symptom may occur when a disconnect from the telephony side occurs while the Cisco AS5400 is in the middle of a codec download.

Workaround: There is no workaround.

CSCee69942

Symptoms: A software-forced reload may occur on an MGCP gateway that uses embedded messages in the MGCP protocol.

Conditions: This symptom is observed on a Cisco platform that functions as an MGCP gateway and is caused by the MGCP embedded message processing.

Workaround: There is no workaround.

CSCef04467

Symptoms: The MGCP default setting for the minimum jitter buffer size is 4 ms; this setting degrades the voice quality until you change it via the mgcp playout command. The default has always been 4 ms in IOS, but MGCP previously used a fixed playout buffer instead of a dynamic buffer even though it was configured to use a dynamic one. Following recent IOS changes, MGCP now uses the dynamic playout buffer.

Conditions: This symptom is observed under normal operating conditions.

Workaround: Configure the nominal MGCP default setting for the minimum jitter buffer size to be the same as for H.323 and SIP gateways so that the setting for each individual gateway does not need to be changed via the mgcp playout command.

CSCef14548

Symptoms: A Cisco router accepts an incoming plaintext packet that matches the crypto map that is applied to an interface. The packet should be rejected because it should have been encrypted.

Conditions: This symptom is observed when all the following conditions occur:

- The interface is a serial subinterface.

- The interface has both fast switching and CEF switching disabled.

- The outgoing interface for the packet has fast switching or CEF switching enabled.

Workaround: Ensure that all interfaces have fast switching and CEF switching either enabled or disabled.

CSCef21720

Symptoms: A software-forced crash may occur on a gatekeeper that processes an incoming call.

Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper and that runs Cisco IOS Release 12.2(15)T13 and occurs only when a GKTMP server is configured for LRQ triggering.

Workaround: There is no workaround.

CSCef44225

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

CSCef46230

Symptoms: A Cisco Access server that terminates virtual-profile calls with per-user access control lists (ACLs) does not remove all per-user ACLs when calls are terminated. This situation may cause the memory of the access server to be depleted, and the output of the show processes memory EXEC command may indicate that the "AAA Per-User" process holds most of the allocated memory.

Conditions: This symptom is observed on a Cisco access server that runs a Cisco IOS Release that contains the fix for CSCee01688.

Temporary Workaround: To free up memory, manually remove the per-user ACL by entering the no ip access-list extended virtual-access number global configuration command. The number argument consists of the numbers (for example, 2003#671) that are assigned by the Cisco IOS software when the ACL is created.

CSCef61610

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

CSCef67682

Reception of certain IPv6 fragments with carefully crafted illegal contents may cause a router running Cisco IOS to reload if it has IPv6 configured. This applies to all versions of Cisco IOS that include support for IPv6.

The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:

interface Ethernet0/0
 ipv6 traffic-filter nofragments in
!
ipv6 access-list nofragments
 deny ipv6 any <my address1> undetermined-transport
 deny ipv6 any <my address2> fragments
 permit ipv6 any any

This must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.

This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
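The requirement above (the filter on every interface, covering every address the system owns) can be checked offline against a saved configuration. The following is an added example, not Cisco code: the function names and the sample configuration are constructed for illustration, and it assumes ACL destinations are written as host X or X/len. Only explicitly configured addresses are visible to it, so automatically derived link-local and eui-64 addresses must be reviewed separately.

```python
import ipaddress

# Constructed sample running-config (not from a real device); 2001:DB8::/32 is
# documentation address space. Ethernet0/1 is deliberately left unprotected.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 traffic-filter nofragments in
!
interface Ethernet0/1
 ipv6 address 2001:DB8:0:2::1/64
!
interface Serial1/0
 ip address 192.0.2.1 255.255.255.252
!
ipv6 access-list nofragments
 deny ipv6 any host 2001:DB8:0:1::1 undetermined-transport
 deny ipv6 any host 2001:DB8:0:1::1 fragments
 permit ipv6 any any
"""

ANY = ipaddress.IPv6Network("::/0")


def parse_config(text):
    """Return (interfaces, acls) parsed from an IOS-style configuration.

    interfaces: name -> {"addrs": [...], "filter_in": ACL name or None, "v6": bool}
    acls: name -> ordered list of entry strings
    """
    interfaces, acls, section = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):           # a top-level command opens a section
            section = None
            if tok[0] == "interface" and len(tok) >= 2:
                section = interfaces.setdefault(
                    tok[1], {"addrs": [], "filter_in": None, "v6": False})
            elif tok[:2] == ["ipv6", "access-list"] and len(tok) == 3:
                section = acls.setdefault(tok[2], [])
        elif isinstance(section, list):         # inside an IPv6 ACL
            section.append(line.strip())
        elif isinstance(section, dict):         # inside an interface
            if tok[:2] in (["ipv6", "address"], ["ipv6", "enable"]):
                section["v6"] = True
            if tok[:2] == ["ipv6", "address"] and len(tok) >= 3 and "eui-64" not in tok:
                try:
                    section["addrs"].append(ipaddress.IPv6Interface(tok[2]).ip)
                except ValueError:
                    pass                         # e.g. "ipv6 address autoconfig"
            elif tok[:2] == ["ipv6", "traffic-filter"] and len(tok) == 4 and tok[3] == "in":
                section["filter_in"] = tok[2]
    return interfaces, acls


def take_addr(tok):
    """Consume one ACL address spec (any | host X | X/len); return (network, rest)."""
    if not tok:
        return None, []
    if tok[0] == "any":
        spec, rest = "::/0", tok[1:]
    elif tok[0] == "host" and len(tok) > 1:
        spec, rest = tok[1] + "/128", tok[2:]
    else:
        spec, rest = tok[0], tok[1:]
    try:
        return ipaddress.IPv6Network(spec, strict=False), rest
    except ValueError:
        return None, rest


def denies_fragments_to(entries, addr):
    """True if an explicit 'deny ipv6 any <addr> fragments' entry is reached
    before any permit whose destination covers addr (conservative check)."""
    for entry in entries:
        tok = entry.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        src, rest = take_addr(tok[2:])
        dst, rest = take_addr(rest)
        if dst is None or addr not in dst:
            continue
        if tok[0] == "permit":
            return False
        if tok[1] == "ipv6" and src == ANY and "fragments" in rest:
            return True
    return False


def audit(text):
    """Return a list of (interface, problem) tuples; an empty list means covered."""
    interfaces, acls = parse_config(text)
    own = [a for intf in interfaces.values() for a in intf["addrs"]]
    findings = []
    for name, intf in interfaces.items():
        if not intf["v6"]:
            continue                             # IPv6 is not configured here
        acl = intf["filter_in"]
        if acl is None:
            findings.append((name, "no inbound ipv6 traffic-filter"))
        elif acl not in acls:
            findings.append((name, f"traffic-filter {acl} is not defined"))
        else:
            findings.extend((name, f"{acl} does not deny fragments to {a}")
                            for a in own if not denies_fragments_to(acls[acl], a))
    return findings


if __name__ == "__main__":
    for interface, problem in audit(SAMPLE_CONFIG):
        print(f"{interface}: {problem}")
```
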

We recommend that customers upgrade to the fixed IOS release. All IOS releases listed in the IPv6 Routing Header Vulnerability advisory at /en/US/products/products_security_advisory09186a00807cb0fd.shtml contain fixes for this issue.

CSCef68324

Cisco Internetwork Operating System (IOS) software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.

Cisco has made free software available to address this vulnerability for all affected customers.

More details can be found in the security advisory that is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml.

CSCef72772

Symptoms: Spurious memory accesses occur on a gatekeeper during RAS communication for H.323 voice calls.

Conditions: This symptom is observed when the gatekeeper sends an LRQ for a voice call.

Workaround: There is no workaround.

CSCef81415

Symptoms: When the calling number or the called number or both contain the * character, for example *67#1234567890, the call is rejected by the gateway and is released with cause code 63 (service or option not available). In the debugs, the following message is generated before the call is released:

H225Lib::is_valid_e164_number: Number has non-supported IA5 character - *
cch323_ras_arj_notify:called

Conditions: This symptom is observed on a Cisco platform that functions as a gateway in an H.323 VoIP network and that runs Cisco IOS Release 12.3(6c) or another release that contains the fix for CSCee07037. The symptom occurs only in gatekeeper-routed call scenarios, that is, RAS-based call flows.

A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCee07037. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

The symptom does not occur with other characters such as #.

Workaround: There is no workaround.

CSCeg30170

Symptoms: When you perform a stress test on a Cisco 7200 series that processes H.323 voice calls, the following error message and traceback may be generated:

%ALIGN-3-SPURIOUS: Spurious memory access made at 0x6241A498 reading 0x94
%ALIGN-3-TRACE: -Traceback= 6241A498 6241C788 623EB0F8 623ED694 00000000 00000000 00000000 00000000
DGK7201#

Conditions: This symptom is observed when you make approximately 40 calls per second and when the directory gatekeeper (DGK) loader constantly sends LRQs to the DGKs to query a route server to obtain routes. Note, however, that the router continues to process calls normally.

Workaround: There is no workaround.

CSCin82407

Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to be an Easy VPN Server.

Successful exploitation of these vulnerabilities may permit an unauthorized user to complete authentication and potentially access network resources.

This advisory will be posted to http://www.cisco.com/warp/public/707/cisco-sa-20050406-xauth.shtml

CSCsa54608

The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition.

Devices that do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected.

Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected.

Only devices running certain versions of Cisco IOS are affected.

Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml.

CSCuk47482

Symptoms: A router may reload unexpectedly while you disable label distribution protocol (LDP) on an interface.

Conditions: This symptom is observed on a router that has several interfaces that are configured for LDP when you disable LDP on all interfaces and when there is still one open TCP connection that is passively used by LDP while you disable LDP on the last interface.

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCed78149

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

Wide-Area Networking

CSCec83030

Symptoms: A parity error on a Versatile Interface Processor (VIP) card may cause other VIPs to go to a wedged state.

Conditions: This symptom is observed on a Cisco 7500 series router.

Workaround: There is no workaround.

CSCee47761

Symptoms: A Cisco 7500 series Route Switch Processor (RSP) may crash while Multilink PPP (MLP) is running.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(5), that is equipped with a VIP4-80 and PA-A3 ATM port adapters, and that is configured for distributed Link Fragmentation and Interleaving over ATM (dLFIoATM).

Workaround: There is no workaround.

CSCef12262

Symptoms: With PPP multilink over ATM configured in Cisco IOS, the router may reload with a bus error.

Conditions: This symptom is observed when the PPP over ATM link goes down and is removed from the multilink bundle.

Workaround: Increasing the keepalive interval or retry count, or disabling keepalives altogether, may help to avoid the problem by making it less likely that the PPP over ATM session goes down during periods of instability in the ATM network.

CSCsa52807

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.

Resolved Caveats—Cisco IOS Release 12.3(3g)

Cisco IOS Release 12.3(3g) is a rebuild release for Cisco IOS Release 12.3(3). The caveats in this section are resolved in Cisco IOS Release 12.3(3g) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCea74631

Symptoms: A Route Switch Processor (RSP) that is acting as a slave may have complete packet switching activity interrupted for several minutes. This situation may cause the RSP to permanently pause.

Conditions: This symptom is observed on a Cisco 7500 series router that is running Cisco IOS Release 12.2(12d).

Workaround: There is no workaround.

CSCeb41170

Symptoms: The master Route Processor (RP) on a Cisco 7500 series router may experience a performance problem because of the continual reloading of the slave RP.

Conditions: This symptom is observed on a Cisco 7500 series router that is running Cisco IOS Release 12.3 and that has dual Route Switch Processors (RSPs).

Workaround: There is no workaround.

IP Routing Protocols

CSCeb17467

Symptoms: A Cisco router may reload when Border Gateway Protocol (BGP) is configured to carry Virtual Private Network version 4 (VPNv4) routes.

Conditions: This symptom is observed when VPNv4 import processing occurs simultaneously with a BGP neighbor reset, for example, when a VPN routing and forwarding (VRF) instance is configured and you enter the clear ip bgp * privileged EXEC command.

Workaround: There is no workaround.

CSCec55535

Symptoms: Address Resolution Protocol (ARP) may not be triggered for an inside-local address destination after the outside-to-inside translation is performed correctly, causing packets to be dropped because the adjacency remains gleaned.

Conditions: This symptom is observed on a Cisco router when the Multi-VRF feature is configured and when you configure a customer edge (CE) router to perform Network Address Translation (NAT).

Workaround: Perform a ping from the router to the CE router to trigger ARP and to populate the adjacency table.

CSCed57814

Symptoms: A Cisco router that is configured for SIP NAT may not be able to process authentication messages from a third-party SIP gateway that performs SIP proxy authentication.

Conditions: This symptom is observed in a Call Hold/Resume procedure.

Workaround: There is no workaround.

CSCed65040

Symptoms: T.38 fax calls between a Cisco router and a third-party gateway may fail.

Conditions: This symptom is observed when two third-party gateways are connected via a Cisco router that runs SIP NAT. The T.38 fax calls fail from one of the third-party gateways to the Cisco router and vice versa.

Workaround: There is no workaround.

Miscellaneous

CSCdy40928

Symptoms: Connectivity difficulties may occur when Virtual Private Network (VPN) routing/forwarding (VRF) packets follow the global routing table instead of the VRF table.

Conditions: This symptom is observed on a low-end Cisco router that runs Cisco IOS Release 12.2(7a) or another release when the global address space in the router overlaps with the VRF address that is configured on a VRF interface of a connected PE router. The VRF interface of this PE router may be unreachable but end-to-end connectivity may not be affected.

Workaround: There is no workaround.

CSCdz67303

Symptoms: A Cisco router that functions as a voice gateway may reload unexpectedly after a series of calls that include call transfers and diverted calls have been processed.

Conditions: This symptom is observed on a Cisco 2621XM and Cisco 3640 when you use a third-party vendor protocol converter to translate and provide a tunnel for Digital Private Network Signaling System (DPNSS) traffic over Q Signaling (QSIG). The symptom is not platform specific.

Workaround: There is no workaround.

CSCea29102

This caveat consists of two symptoms, two conditions, and two workarounds:

1.

Symptoms: A Route Processor (RP) may reload when you enter the clear ip bgp * privileged EXEC command while interfaces flap continuously.

Conditions: This symptom is observed when Virtual Private Network (VPN) routing/forwarding (VRF) forwarding is configured on the interfaces that flap.

Workaround: There is no workaround.

2.

Symptoms: An RP may reload when you simultaneously enter the clear ip bgp * privileged EXEC command and perform an online insertion and removal (OIR) by entering the hw-reload reset EXEC command.

Conditions: This symptom is observed when you perform an OIR of an interface that has a VRF configuration in which the connected route is learned via a network statement. The connected route is removed when you perform the OIR.

Workaround: Do not simultaneously enter the clear ip bgp * privileged EXEC command and perform an OIR.

CSCea59948

Symptoms: A cbus complex may be observed on a Cisco router when the following message appears on the serial interface. The cbus complex brings down all the interfaces on the router for some time, but the router does not reload.

%RSP-3-RESTART: interface Serial8/1/0/23:23, not transmitting

Conditions: This symptom occurs specifically on a Cisco 7500 series router when Multilink PPP (MLP) is configured on the serial interface and distributed Cisco Express Forwarding (dCEF) switching is enabled.

The problem occurs when multilink member links flap. It may be after a single flap or multiple flaps.

Workaround: There is no workaround.

Further Problem Description: The length of time that the interfaces are down because of a cbus complex depends on the number of VIPs/IPs (time taken for microcode download) and the type of PAs (time taken for VIP reload) present in those VIPs. All the interfaces will come back up without any manual intervention.

CSCec24878

Symptoms: A Cisco Media Gateway Control Protocol (MGCP) gateway may be unregistered by a Cisco CallManager.

Conditions: This symptom is observed on a Cisco router that functions as a gateway and that runs Cisco IOS Release 12.2 T, Release 12.3, or Release 12.3 T when the T1 channel-associated signaling (CAS) and PRI backhaul is configured.

Following is an example of the sequence of events that cause the symptom to occur:

1) The Cisco CallManager tears down an active call on the gateway by sending an MGCP delete connection (DLCX) request.

2) The gateway sends a "200 OK" response to the MGCP DLCX request.

3) The Cisco CallManager sends an MGCP Request Notify (RQNT) response to the gateway with "DT/sup" and "D/[0-9ABCD*#]" as the requested events to be notified.

4) The gateway receives the MGCP RQNT request but does not immediately send a "200 OK" response to the MGCP RQNT request.

5) The Cisco CallManager retransmits the MGCP RQNT request four more times at a frequency of one request per 3 seconds.

6) The Cisco CallManager unregisters the gateway because it does not receive any response to its MGCP RQNT request.

7) After 20 seconds, the gateway sends an MGCP notify (NTFY) message with "DT/rlc" as the notified event.

8) Subsequently, the gateway sends a "200 OK" response to the MGCP RQNT request.

9) The gateway does not receive any response to its MGCP requests because the Cisco CallManager has unregistered the gateway.

Workaround: Do not use MGCP. Rather, use H.323.

CSCec31206

Symptoms: The amount of free memory on a router decreases as the memory that is held by the Simple Network Management Protocol (SNMP) engine process increases. The decrease in the amount of free memory can be verified by examining the output of the show proc mem | i SNMP privileged EXEC command.

Conditions: This symptom is observed when SNMP is used to attempt to set values in the LDP-MIB, TE-MIB, or VPN-MIB.

Workaround: Avoid using SNMP to set values in the MIBs. Use the CLI on the router to set the values needed.

CSCec52743

Symptoms: Analog recEive and transMit (E&M) ports may become stuck intermittently. When the symptom occurs, the following error message is displayed:

%C542-1-NO_RING_DESCRIPTORS: No more ring descriptors on recEive And transMit 3/0/1. Msg id=48, Len=38

In addition, the output of the show voice call summary EXEC command indicates that the voice-port state is "EM_PARK_IDLE."

Conditions: This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.2(15)T5 and that has an analog E&M port to connect to a PBX. Note that the symptom does not occur in Release 12.2(15)T1. The symptom may occur in Release 12.3.

Workaround: Reload the Cisco gateway.

CSCec53123

Symptoms: Spurious memory accesses may occur on a router.

Conditions: This symptom is observed on a Cisco router that runs Routing Information Protocol (RIP).

Workaround: There is no workaround.

CSCec57763

Symptoms: A VIP may reload when an SSO occurs on an RP.

Conditions: This problem occurs intermittently when distributed MLP is configured on the router.

Workaround: There is no workaround.

CSCec66456

Symptoms: A router that is configured for quality of service (QoS) may reload unexpectedly because of a segmentation violation (SegV) exception.

Conditions: This symptom was observed on a Cisco 2600 series that runs the c2600-telco-mz image of Cisco IOS Release 12.3(1a). This can be seen on other IOS-based routers.

Workaround: Disable QoS.

CSCec86131

Symptoms: A FlexWAN or VIP in which a channelized port adaptor such as a PA-STM1 or PA-MC-8TE1+ is installed may reload continuously.

Conditions: This issue is seen when distributed LFI is configured on channelized serial interfaces and heavy traffic (close to line rate) occurs on these interfaces.

Workaround: There is no workaround.

CSCec87815

Symptoms: A buffer leak may occur in the Multilink PPP (MLP) header pool on a Versatile Interface Processor (VIP). The speed of the leak depends on the rate of traffic that is flowing between the interface of the VIP and the interface on the other end. The leak may eventually cause memory allocation failures (MALLOCFAIL) on the VIP and may result in memory fragmentation.

Conditions: This symptom is observed on a Cisco 7500 series when all of the following conditions are present:

- Distributed Cisco Express Forwarding (dCEF) is enabled.

- An MLP bundle that includes interfaces on the VIP is configured.

- A different interface on the same VIP performs some type of fancy queueing such as committed access rate (CAR), policing, or Class-Based Weighted Fair Queueing (CBWFQ).

- Packets are locally switched between the MLP interface and the interface that is configured for fancy queueing.

Workaround: Stop the leak by removing fancy queueing from the VIP interface.

Alternate Workaround: Move the MLP interfaces to a different VIP that does not have an interface that performs fancy queueing.

CSCed16526

Symptoms: FXO ports on a Cisco IAD2420 may cease to process inbound and outbound calls because a voice port is stuck in the "FXOGS_PARK" state.

Conditions: This symptom is observed on a Cisco IAD2420 voice gateway with FXO ports that runs Cisco IOS Release 12.2(15)T8, 12.3, or 12.3 T. The FXO ports are connected to the PSTN.

Workaround: Enter the shutdown command followed by the no shutdown command on the affected voice port.

CSCed41231

Symptoms: An alignment error may cause a Cisco router to reload unexpectedly.

Conditions: This symptom is observed under rare conditions (an "extreme corner case") on a MIPS-based Cisco platform or on a Versatile Interface Processor (VIP), port adapter, or line card that contains a MIPS processor. The symptom is not release-dependent and may occur in all Cisco IOS releases.

Workaround: There is no workaround.

Further Problem Description: All Cisco 7500 VIPs and Cisco 7200 NPEs use MIPS-based processors. The following are additional platforms that use MIPS processors:

Cisco 2691, 3620, 3631, 3640, 3660, 3725, 3745, 4500, 4500-M, 4700, 4700-M, AS5300, AS5400, AS5450, AS5800 router shelf, AS5800 system controller (3640 based), 7120, 7140, UBR7100, UBR7200 - all NPEs, 7301, 7304, 7400, 6500 MSFC, 6500 MSFC2, 7600 MSFC, 7600 MSFC2, 10000, UBR10012, 12000 GRP, and most (if not all) 12000 line cards.

CSCed42514

Symptoms: A Cisco voice gateway may use an incorrect codec payload value (that is different from the configured value) during media transmission after the call is transferred to a new endpoint.

Conditions: This symptom is observed on a Cisco voice gateway that runs Cisco IOS Release 12.2(15)T9 or Release 12.3 and that is configured to use H.323 as the VoIP protocol. The symptom occurs when the remote endpoint sends an H.245 EmptyCapabilitySet (ECS) message to initiate the call transfer (H.323 Version 4, Section 8.4.6) after the initial call establishment and then sends an H.245 OpenLogicalChannel (OLC) message before sending a new H.245 TerminalCapabilitySet (TCS) message.

Workaround: There is no workaround.

CSCed76670

Symptoms: On a Cisco IOS VoIP gateway, a memory leak may occur in the context of the H.323 process.

Conditions: This symptom is observed when there are low memory conditions and when translation rules are configured.

Workaround: Reload the gateway.

CSCed84582

Symptoms: A router with VoIP configured may experience a memory leak in VTSP.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(15)T10. The symptom may also occur in Release 12.3 and 12.3 T.

Workaround: There is no workaround.

CSCin56339

Symptoms: TCCS clear-channel codec calls may not go through. The trunks may be up but the signaling information may not be communicated.

Conditions: This symptom is observed only when a medium complex codec is configured.

Workaround: Use a high complex codec, or use stun encapsulation for the D-channel.

CSCin61922

Symptoms: A Cisco 7500 series with a multilink DLFI configuration may crash.

Conditions: This symptom is observed when an Ethernet packet is received on the RSP and is switched by the RSP to a DLFI multilink interface.

Workaround: There is no workaround.

CSCin62978

Symptoms: A FlexWAN, enhanced FlexWAN, or Versatile Interface Processor that has a PA-MC-E3 or PA-MC-T3 installed may crash.

Conditions: This symptom is observed under rare conditions in a stress situation with dLFI and dCRTP configured.

Workaround: There is no workaround.

CSCuk38882

Symptoms: The following tracebacks can occur on a Route Processor (RP) console:

04:24:32: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x619B6AD8 reading 0x10

04:24:32: %ALIGN-3-TRACE:

-Traceback= 619B6AD8 60EC5764 60EC58D0 60EDAC74 6037C6A8 6037C694 00000000 00000000

Conditions: This problem is seen when a dLFIoATM interface flaps on a Cisco 7500 platform.

Workaround: There is no workaround.

CSCuk47905

Symptoms: On an LFI over ATM interface, ping does not work.

Conditions: This occurs only when distributed LFI over ATM is configured on a Cisco 7500 platform.

Workaround: There is no workaround.

Wide-Area Networking

CSCdv51281

Symptoms: A Cisco router that is configured for ISDN may reload unexpectedly and generate a "low stack for ISDN" error message.

Conditions: This symptom is observed when a high rate of bidirectional traffic occurs on the ISDN B channels. This problem occurred during a stress test.

Workaround: There is no workaround.

CSCec12689

Symptoms: After a router has reloaded, an ISDN PRI interface may not reestablish the proper layer 2 state.

Conditions: This symptom is observed on a Cisco router that communicates via Media Gateway Control Protocol (MGCP) with a Cisco CallManager that runs Release 3.3(2)spC.

Workaround: Enter the no mgcp global configuration command followed by the mgcp global configuration command.

Alternate Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the ISDN D channel.

CSCed29398

Symptoms: When a call is not answered, no release cause value may be sent to the public switched telephone network (PSTN) leg and an incorrect release cause value of 102 may be sent to the voice over IP (VoIP) leg.

Conditions: This symptom is observed on a Cisco router that is configured for ISDN when a T301 timer expires. When a call is not answered, a release cause value of 19 ("No answer from user [user alerted]") should be sent to both legs.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(3f)

Cisco IOS Release 12.3(3f) is a rebuild release for Cisco IOS Release 12.3(3). The caveats in this section are resolved in Cisco IOS Release 12.3(3f) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCdz32659

Symptoms: Many memory allocation failure (MALLOCFAIL) messages may occur for a Cisco Discovery Protocol (CDP) process:

%SYS-2-MALLOCFAIL: Memory allocation of -1732547824 bytes failed from x605111F0, pool Processor, alignment 0 -Process= "CDP Protocol", ipl= 0, pid= 42 -Traceback= 602D5DF4 602D78A0 605111F8 60511078 6050EC88 6050E684 602D0E2C 602D0E18

Conditions: The symptom is observed on a Cisco 7513 that runs Cisco IOS Release 12.0(17)ST. The symptom may also occur on other Cisco 7500 series routers that run Release 12.0 S, 12.2 S, 12.3, or 12.3 T.

Workaround: To prevent the symptom from occurring again, disable CDP by entering the no cdp run global configuration command.

CSCeb22276

Symptoms: Some Simple Network Management Protocol (SNMP) packets may linger in the input queue while they are processed. However, the packets do exit the queue on their own without any intervention from the user. This fix allows these packets to be removed from the queue more quickly.

Conditions: This symptom is observed on a device that runs Cisco IOS software and that supports SNMP operations. In addition, the SNMP request must contain a valid community string.

Workaround: Protect the SNMP community strings with good password management. Permit SNMP traffic only from trusted devices.

CSCeb62876

Symptoms: A Cisco router may continue to send 64-bit counters in authentication, authorization, and accounting (AAA) records when it no longer should do so. These counters may also be invalid.

Conditions: This symptom is observed for certain TCP-Clear connections.

Workaround: There is no workaround.

CSCeb83536

Symptoms: The order of the Service Assurance Agent (SAA) Response Time Reporter (RTR) schedule command options is incorrect in the output of the show running-config EXEC command. This situation may cause difficulties with third-party vendor software that configures and manages RTR probes.

Conditions: This symptom is observed on all Cisco platforms that run Cisco IOS Release 12.2(13)T1.

Workaround: There is no workaround.

CSCec17234

Symptoms: A PC that is running Tactical Software DialOut/EZ (tacticalsoftware.com) may halt data transfer.

Conditions: This symptom is observed with Tactical Software DialOut/EZ that is running on a PC and a modem that is attached to a Cisco AS5300 that is running Cisco IOS software. The Cisco IOS software may lower the Data Set Ready (DSR) Data Carrier Detect (DCD) with a Clear To Send (CTS) message to the PC side. This causes the PC to halt data transfer.

Workaround: There is no workaround.

CSCec25430

Symptoms: A Cisco device reloads on receipt of a corrupt CDP packet. One possible scenario is:

Reloading a faulty Cisco IP conference station 7935 or 7936 may cause a connected Cisco switch or router to reload. A CDP message may appear on the terminal, such as the following one:

%CDP-4-DUPLEX_MISMATCH duplex mismatch discovered on FastEthernet5/1 (not half duplex), with SEP00e0752447b2 port 1 (half duplex).

Conditions: This symptom is observed when an empty "version" field exists in the output of the show cdp entry * command for at least one entry.

Workaround: Disable CDP by entering the no cdp run global configuration command.

First Alternate Workaround: Disable CDP on the specific (sub-)interface(s) whose corresponding neighbor(s) has or have an empty "version" field in the output of the show cdp entry * command.

Second Alternate Workaround: Disconnect the 7935 or 7936 phone, in the case of the specific symptom that is described above.

CSCec55639

Symptoms: A Cisco Virtual Home Gateway (VHG) may fail to download authentication, authorization, and accounting (AAA) attributes that contain remote virtual templates.

Conditions: This symptom is observed when the Per VRF AAA feature is configured by using a remotely defined customer template on a RADIUS server.

Workaround: There is no workaround.

CSCec75829

Symptoms: Protocol translation sessions that require RADIUS authentication may fail to propagate class-attribute or state-attribute information in subsequent authentication and accounting packets.

Conditions: This symptom is observed in Cisco IOS Release 12.2 T, 12.3, and 12.3 T.

Workaround: There is no workaround.

CSCed19748

Symptoms: The individual AAA periodic accounting update messages (RADIUS accounting messages with Acct-Status-Type=Watchdog) that an IOS gateway generates for each call leg (TDM and IP) of the same voice call may be sent to the RADIUS server more than 5 minutes apart because of the randomized timer algorithm used by the AAA message transmit function.

Conditions: The command aaa accounting update newinfo periodic is configured.

Workaround: There is no workaround.

CSCin67568

Symptoms: A Cisco Catalyst 2950 experiences a memory leak in the CDP process.

Conditions: The device sending CDP packets sends a hostname that is 256 or more characters. There are no problems with a hostname of 255 or fewer characters.

Workaround: Configure the neighbor device to use a hostname of fewer than 256 characters, or disable the CDP process by entering the no cdp run global configuration command.

Interfaces and Bridging

CSCec86136

Symptoms: When a Cisco router reloads, the ATM permanent virtual circuit (PVC) status remains inactive (INAC) even though the ATM subinterface is in an UP/UP state. The following message may also be displayed when you enter the debug atm errors privileged EXEC command:

ATM(ATMx/x/x):point-to-point interface does not have a VCD

Conditions: This symptom can occur on a Cisco router with a PA-A3 port adapter. The root cause is physical line errors during the reload, which cause carrier transitions on the PA-A3 interface and in turn cause this symptom.

Workaround: Enter the no shutdown interface configuration command on the ATM interface.

Further Problem Description: This problem can be seen on router reload even without any traffic.

IP Routing Protocols

CSCea31201

Symptoms: A Cisco router may reload unexpectedly because of a bus error at "ip_fast_accumulate_acctg."

Conditions: This symptom is observed on a Cisco router that has the ip accounting interface configuration command enabled.

Workaround: There is no workaround.

CSCeb77038

Symptoms: A Cisco router may pause indefinitely because of a bus error, and the following error message may appear:

System returned to ROM by bus error at PC 0x60B5F1C0, address 0xEF4321E5

Conditions: This symptom is observed on a Multiprotocol Label Switching (MPLS) provider edge (PE) router.

Workaround: There is no workaround.

CSCec07636

Symptoms: When the following Open Shortest Path First (OSPF) MIB tables are queried via snmpwalk, some interfaces may not be displayed:

- ospfNbrTable

- ospfIfTable

- ospfIfMetricTable

Conditions: This symptom is observed on any Cisco platform that runs OSPF.

Workaround: There is no workaround.

CSCec16481

A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path First (OSPF) Protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet. The OSPF protocol is not enabled by default.

The vulnerability is only present in IOS release trains based on 12.0S, 12.2, and 12.3. Releases based on 12.0, 12.1 mainlines and all IOS images prior to 12.0 are not affected. Refer to the Security Advisory for a complete list of affected release trains.

Further details and the workarounds to mitigate the effects are explained in the Security Advisory which is available at the following URL:

http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml.

CSCec59206

Symptoms: A router may reload unexpectedly because of a bus error when it accesses a low address during the translation of TCP port 514.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(5) and that is configured for Network Address Translation (NAT).

Workaround: Prevent the translation of TCP port 514.

CSCee10996

Symptoms: When the debug ip pim auto-rp command is enabled on a Cisco 7500 series, the router crashes when it receives an AutoRP message.

Conditions: This symptom is observed on a Cisco 7500 series that runs the rsp-isv-mz image of Cisco IOS Release 12.2(15)T7 or 12.2(15)T9. The symptom may also occur in Release 12.3 or 12.3T.

Workaround: There is no workaround.

Miscellaneous

CSCdv76351

Symptoms: You may not be able to use the command-line interface (CLI) to disable a remote loopback request on the network.

Conditions: This symptom is observed when a remote loopback is initiated toward a Cisco AS5xx0 and the Cisco AS5xx0 responds to the remote loopback request.

Workaround: Enter the loopback network ignore controller configuration command on the T1 controllers.

CSCdx59056

Symptoms: When the MPLS VPN—Carrier Supporting Carrier—IPv4 BGP Label Distribution feature is enabled, you may be able to configure Label Distribution Protocol (LDP) and Border Gateway Protocol (BGP) with IPv4+ labels on the same Virtual Private Network (VPN) routing/forwarding (VRF) instance on the same router. This is an invalid configuration that may lead to errors.

Conditions: This symptom is observed on a Cisco 12000 series.

Workaround: There is no workaround. The fix for this caveat will prevent you from configuring the router in the way that is described in the symptoms.

CSCdz65835

Symptoms: Packet transmission over a serial channel-group interface that is part of a backhaul trunk may be slow.

Conditions: This symptom is observed only on a channel-group interface and occurs irrespective of whether or not the interface is configured for Low Latency Queueing (LLQ) for large packet sizes.

Workaround: There is no workaround.

CSCdz72292

Symptoms: An interface of an 8-port multichannel E1 port adapter (PA-MC-8E1) may start to flap and may finally pause indefinitely with the output queue stuck. The output of the show interfaces privileged EXEC command may show information similar to the following:

Serial1/1:1 is up, line protocol is up

Encapsulation HDLC, crc 16, Data non-inverted

Keepalive set (120 sec)

Last input 00:00:03, output 04:14:23, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 21952

Queueing strategy: weighted fair

Output queue: 30/4000/64/21855 (size/max total/threshold/drops)

30 second input rate 0 bits/sec, 0 packets/sec

30 second output rate 0 bits/sec, 0 packets/sec

43903807 packets input, 3646461183 bytes, 0 no buffer

Received 0 broadcasts, 321 runts, 0 giants, 0 throttles

5160 input errors, 4 CRC, 0 frame, 0 overrun, 0 ignored, 2945 abort

42026998 packets output, 2185017012 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

31 carrier transitions

no alarm present

Timeslot(s) Used:1-31, subrate: 64Kb/s, transmit delay is 0 flags

The following traceback may be observed in the router log:

%LINK-4-TOOBIG: Interface Serial60:1, Output packet size of 1526 bytes too big Traceback= 0x604007F8 0x604A927C 0x6084E4D4 0x6057425C 0x60CE921C 0x60CE55EC

%LINK-4-TOOBIG: Interface Serial20:1, Output packet size of 1526 bytes too big Traceback= 0x604007F8 0x604A927C 0x6084E4D4 0x6057425C 0x60CE921C 0x60CE55EC

Conditions: This symptom is observed on a Cisco router after a few weeks of normal operation.

Workaround: There is no workaround.

CSCdz84448

Symptoms: When polling the cbQosREDClassStatsTable of the CISCO-CLASS-BASED-QOS-MIB, spurious memory accesses may occur on a Cisco 2600 series, Cisco 3600 series, or Cisco 7200 series. A Cisco 3640 router may also reboot. The spurious memory accesses may be reproduced when polling the above-mentioned table via Simple Network Management Protocol (SNMP).

Conditions: This symptom is observed on a Cisco 2600 series, Cisco 3600 series, and Cisco 7200 series that run Cisco IOS Release 12.2(8)T, Release 12.3, or Release 12.3 T.

Workaround: Prevent the router from answering queries on the cbQosREDClassStatsTable by implementing the following SNMP view in the router configuration:

snmp-server view qos internet included

snmp-server view qos 1.3.6.1.4.1.9.9.166.1.20.1 excluded

snmp-server community string view qos ro

CSCdz84583

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC 793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may be automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending on the attacked protocol, a successful attack may have additional consequences beyond a terminated connection, which must be considered. This attack vector applies only to sessions that terminate on a device (such as a router, switch, or computer) and not to sessions that only pass through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products that contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCea12818

Symptoms: Transmit underruns or cyclic redundancy check (CRC) errors may occur on a serial interface on the motherboard of a Cisco router.

Conditions: This symptom is observed on the serial interface on the motherboard of a Cisco 3700 series.

Workaround: Do not use the WAN interface card (WIC) slot on the motherboard. Rather, use the serial interface on a 2-WAN card slot network module (NM-2W), a 1-port Fast Ethernet 2-WAN card slot network module (NM-1FE2W), or a 2-port Fast Ethernet 2-WAN card slot network module (NM-2FE2W).

CSCea60559

Symptoms: The Simple Network Management Protocol (SNMP) agent may use 99 percent of the CPU bandwidth of a Route Processor (RP) for an arbitrarily long time (hours or days), without necessarily generating CPUHOG errors. This situation causes other processes on the router to fail because these processes do not receive the CPU bandwidth that they require. Consequently, the following difficulties may occur:

- Routes may time out.

- Tunnels may go down.

- Accessing the router via a Telnet connection to a network port may become impossible.

- The command-line interface (CLI) via the console line may become quite slow to respond.

The output of the show snmp summary EXEC command may indicate that the number of requests is "N" while the number of replies that were sent is "N-1." The output of the show processes cpu | include SN EXEC command may indicate that the SNMP process uses 99 percent of the CPU bandwidth of the RP.

Conditions: These symptoms are observed when the MPLS-LSR-MIB MIB is enabled, when you query the mplsXCTable or a MIB walk occurs, and when there are more than 10,000 Multiprotocol Label Switching (MPLS) labels active. The symptoms are platform independent.

Workaround: Perform the following steps:

1. Shut down interfaces to bring the total count of active MPLS labels down to far below 10,000.

2. Disable the MPLS-LSR-MIB MIB by entering the following sequence of commands:

snmp-server view nolsrmib mplsLsrMIB exclude

snmp-server view nolsrmib iso include

3. Modify each defined community string to include the view nolsrmib keywords. For example, define the "public" community string by entering the following command:

snmp-server community public view nolsrmib ro

4. Enter the no shutdown interface configuration command on all the interfaces that you shut down in Step 1.
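A configuration audit for the two SNMP view workarounds on this page (CSCdz84448 and CSCea60559), added here as an example and not part of the Cisco release notes: it parses running-config text and lists every community string that is not bound to a view excluding the affected subtree. The sample configuration and its community names are constructed, and OID names are matched literally because no MIB is loaded to resolve them.

```python
import re

# Constructed sample configuration (not from a real device). The two views are
# the ones given in the workarounds; the community strings are made up.
SAMPLE_CONFIG = """\
snmp-server view qos internet included
snmp-server view qos 1.3.6.1.4.1.9.9.166.1.20.1 excluded
snmp-server view nolsrmib mplsLsrMIB exclude
snmp-server view nolsrmib iso include
snmp-server community ops-ro view qos ro
snmp-server community public view nolsrmib ro
snmp-server community legacy ro 10
snmp-server community typo view qoss ro
"""

_NUMERIC_OID = re.compile(r"\d+(\.\d+)*")


def _specificity(subtree, target):
    """Return how specifically `subtree` covers `target`, or None if it does not.

    Names are only compared literally (assumption: no MIB is available);
    dotted-numeric OIDs also match when `subtree` is an ancestor of `target`.
    """
    if subtree.lower() == target.lower():
        return float("inf")
    if _NUMERIC_OID.fullmatch(subtree) and _NUMERIC_OID.fullmatch(target):
        s, t = subtree.split("."), target.split(".")
        if t[:len(s)] == s:
            return len(s)
    return None


def parse_snmp_config(text):
    """Collect view entries and community-to-view bindings from config text."""
    views, communities = {}, []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["snmp-server", "view"] and len(tok) >= 5:
            mode = tok[4].lower()
            # IOS accepts unambiguous keyword abbreviations such as "exclude".
            if "included".startswith(mode):
                views.setdefault(tok[2], []).append((tok[3], True))
            elif "excluded".startswith(mode):
                views.setdefault(tok[2], []).append((tok[3], False))
        elif tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            rest = tok[3:]  # everything after the community string itself
            view = None
            if "view" in rest and rest.index("view") + 1 < len(rest):
                view = rest[rest.index("view") + 1]
            communities.append((tok[2], view))
    return views, communities


def view_excludes(entries, target):
    """True only if the most specific entry covering `target` is an exclude."""
    best, best_included = None, None
    for subtree, included in entries:
        score = _specificity(subtree, target)
        if score is not None and (best is None or score >= best):
            best, best_included = score, included  # later lines win ties
    return best is not None and best_included is False


def audit(text, target):
    """Return [(community, reason)] for communities not confirmed as barred
    from `target` (an OID name or dotted-numeric OID as written in the view)."""
    views, communities = parse_snmp_config(text)
    findings = []
    for name, view in communities:
        if view is None:
            findings.append((name, "no view bound"))
        elif view not in views:
            findings.append((name, f"view {view} is not defined"))
        elif not view_excludes(views[view], target):
            findings.append((name, f"view {view} does not exclude {target}"))
    return findings


if __name__ == "__main__":
    for target in ("1.3.6.1.4.1.9.9.166.1.20.1", "mplsLsrMIB"):
        print(f"Subtree {target}:")
        for community, reason in audit(SAMPLE_CONFIG, target):
            print(f"  {community}: {reason}")
```

A community with no view, or with a misspelled view name, is reported as well, since either mistake leaves the workaround without effect for that community string.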

CSCeb13202

Symptoms: If a three-level hierarchy service policy is attached to two different interfaces and the policers are removed from the parent class, the policers for the child class are also removed.

Conditions: This symptom is observed on a Cisco 7200 series and a Cisco 7500 series.

Workaround: Detach the service policies from the interfaces, and then reattach them.

CSCeb17647

Symptoms: A large part of the startup configuration may be deleted.

Conditions: This symptom is observed when you load a boot image on a Cisco uBR905.

Workaround: There is no workaround.

CSCeb22276

Symptoms: Some Simple Network Management Protocol (SNMP) packets may linger in the input queue while they are processed. However, the packets do exit the queue on their own without any intervention from the user. This fix allows these packets to be removed from the queue more quickly.

Conditions: This symptom is observed on a device that runs Cisco IOS software and that supports SNMP operations. In addition, the SNMP request must contain a valid community string.

Workaround: Protect the SNMP community strings with good password management. Permit SNMP traffic only from trusted devices.

CSCeb27452

Symptoms: A Cisco router that functions in a Multiprotocol Label Switching (MPLS) environment may reload unexpectedly with a bus error.

Conditions: This symptom is observed under rare circumstances when the router attempts to send an Internet Control Message Protocol (ICMP) packet that was triggered by an MPLS packet.

Workaround: There is no workaround.

CSCeb29013

Symptoms: When two or more phone calls (Foreign Exchange Office [FXO] or BRI) are set as "hold" and "hold," or "resume" is repeated by one of the calls, an input queue wedge may occur.

Conditions: This symptom is observed on a Cisco voice gateway that is running Cisco IOS Release 12.2(15)T1 and that has multicast for Music on Hold (MOH) configured.

Workaround: Enable Protocol Independent Multicast (PIM) on the voice gateway.

Alternate Workaround: Use unicast MOH.

Second Alternate Workaround: Reboot the router. Entering the clear interface EXEC command and the shutdown interface configuration command followed by the no shutdown interface configuration command does not clear the input queue wedge.

CSCeb29431

Symptoms: A Cisco VG200 that has a transcoder and is configured with Cisco Conference Connection (CCC) has only one-way audio for certain callers.

Conditions: This symptom is observed under the following conditions:

- The Cisco VG200 software has been upgraded from Cisco IOS Release 12.1(5)YH4 to Release 12.2(13)T4.

- A conference call is in progress on the CCC server. All parties use the G.711u codec.

- An IP phone caller at a remote site, using the G.729a codec, calls the CCC server to join the ongoing conference call.

- The remote caller hears the prompt from the CCC server to enter the conference ID to join the ongoing conference.

- Once the remote caller is in the conference, the caller cannot hear the other participants, but all other G.711u codec participants can hear the caller.

Workaround: Use Cisco IOS Release 12.1(5)YH4.

CSCeb34203

Symptoms: On a Cisco router, output queue packet drops may occur on the priority queue of an E1 serial interface on a 1-port multichannel E3 port adapter (PA-MC-E3), after which the E1 serial interface becomes congested.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.1(18)E. However, the symptom is not specific to the platform or the Cisco IOS software release but specific to the port adapter.

Workaround: Enter the tx-ring-limit interface configuration command to increase the value of the drivers that are transmitted on the queue. For additional information, refer to the document at the following location:

http://www.cisco.com/warp/public/121/txringlimit_6142.html

CSCeb36413

Symptoms: E1 R2 calls may fail on a Cisco router.

Conditions: This symptom is observed on a Cisco AS5850 router that is running Cisco IOS Release 12.3(2)T.

Workaround: There is no workaround.

CSCeb36929

Symptoms: When a Cisco router is performing tag imposition, it may reload because of a bus error.

Conditions: This symptom is observed when you create a new generic routing encapsulation (GRE) tunnel after the router has booted up and when GRE packets are received through this GRE tunnel and forwarded as Multiprotocol Label Switching (MPLS) packets.

Workaround: Enter the tag-switching ip interface configuration command followed by the no tag-switching ip interface configuration command on the newly-created GRE tunnel interface.

CSCeb47159

Symptoms: The timeouts ringing {seconds | infinity} voice-port configuration command is used to determine the value of the ring, no answer timer. The timer is limited by the H.323 timer when the call is using H.323. The timer will always be stopped on call cleanup procedures. The H.323 connect timer that is configured under the voice class h323 tag global configuration command is always started on the originating gateway after reception of an Alerting or Progress message. The default value is 180 seconds with a range of 60 to 360 seconds. Upon triggering this timer, the cleanup procedures for the call are invoked. If the ring, no answer timer exceeds the H.323 connect timer, it will have no effect.

Conditions: This symptom is observed for ISDN-H.323 calls.

Workaround: There is no workaround. The best solution is to configure the H.323 connect timer to the maximum value of 360.

CSCeb47188

Symptoms: A Cisco IAD2420 series may not collect digits properly. One number 2 may become two number 4s in the dialed digits that are detected by a voice telephony service provider (VTSP).

Conditions: This symptom is observed on a Cisco IAD2420 series that is interconnected via a digital interface to a BTS10200 softswitch that runs software release 3.5.1v01. When the Cisco IAD2420 series is rebooted and sends Restart in Progress (RSIP) messages to the call agent (CA), the trunks are automatically brought back into service. The symptom occurs when a PBX goes off-hook, then on-hook (without dialing digits), then off-hook again on the same channel, and then begins dialing.

Workaround: There is no workaround.

CSCeb49199

Symptoms: When a provider edge (PE) router that is running IP version 6 (IPv6) in a Multiprotocol Label Switching (MPLS) environment (also referred to as a 6PE router) is switching traffic, low performance may occur. The output of the show alignment EXEC command displays spurious memory accesses (one per packet) at a low address (around 17).

Conditions: This symptom is observed on the 6PE router when an IP version 4 (IPv4) output feature is configured on any interface or when an IPv4 input feature is configured on the MPLS interface that is used by 6PE traffic. Enter the show mpls interfaces [interface] [detail] privileged EXEC command, and check the output for the presence of the phrase "MPLS feature vector."

Workaround: Ensure that on the 6PE router, no IPv4 output feature is configured on any interface and that no input feature is configured on an MPLS interface on which 6PE traffic is traversing.

CSCeb52066

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC 793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may be automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending on the attacked protocol, a successful attack may have additional consequences beyond a terminated connection, which must be considered. This attack vector applies only to sessions that terminate on a device (such as a router, switch, or computer) and not to sessions that only pass through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products that contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCeb52270

Symptoms: An interface of a Cisco router may not be able to receive traffic that is destined for an address that is configured on the router.

Conditions: This symptom is platform independent and occurs only when there is a route in a different VPN routing and forwarding instance (VRF) that is attached or connected to the interface. This may occur when the route has been exported from one VRF to another or when a static route in a VRF points to the interface.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

CSCeb52314

Symptoms: A Cisco AS5850 that is configured with two DS0 groups may select the DS0 group that is not defined on any plain old telephone service (POTS) dial peer for outgoing calls.

Conditions: This symptom is observed when one of the DS0 groups is already in use, causing the gateway to select the DS0 group that is not defined on a POTS dial peer.

Workaround: There is no workaround.

CSCeb53422

Symptoms: A call setup failure may occur for high-delay links with a round-trip time greater than 300 milliseconds.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.2(16) but may also occur in other releases.

The call fallback subsystem hard-codes the amount of time it will wait for the response to probes to 300 milliseconds. The probes fail if the round-trip time is more than 300 milliseconds, even though the network is a high-bandwidth network.

Workaround: There is no workaround.

CSCeb53582

Symptoms: During an onramp fax call, a Cisco router may take up to 40 seconds to clear a channel.

Conditions: This symptom is observed on a Cisco 2600 series when the fax call was terminated during the fax negotiation. The symptom may also occur on other platforms.

Workaround: There is no workaround.

CSCeb56025

Symptoms: A Cisco platform that functions as a gateway may report a "destination out of order" cause code for a call that is disconnected in a normal way.

Conditions: This symptom is observed when an H.245 TCP connection close request reaches the gateway before the H.225 release complete message (RLC), which causes the gateway to assume that the H.245 connection is terminated and to tear down the call with a "destination out of order" cause code. This situation may occur with semirouted gatekeeper signaling, when the H.225 connection runs via a gatekeeper and the H.245 connection runs directly between the gateway and the third-party vendor endpoint. This situation may also occur when a race condition occurs between the connection close request and the RLC.

Workaround: Ensure that the third-party vendor endpoint sends an end session command (an H.245 message) before tearing down the H.245 connection.

CSCeb56909

Cisco routers that run Internetwork Operating System (IOS) software that supports Multiprotocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS-disabled interfaces.

The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable.

More details can be found in the security advisory which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml.

CSCeb60340

Symptoms: In a T.38 fax relay test environment, the accounting records display an 8-second difference in the disconnection time between the IP leg and the telephony leg of the call.

Conditions: This symptom is observed when an originating fax machine loses power or its connection while a fax is being transmitted.

Workaround: There is no workaround.

CSCeb63310

Symptoms: A Cisco router that has an interface with an output service policy attached may reload unexpectedly.

Conditions: This symptom is observed on a Cisco router when the bandwidth interface configuration command or the fair-queue interface configuration command is configured in the policy map that is attached via the service-policy router configuration command and when traffic is flowing through the interface at a fast rate. The router reloads under any of the following conditions:

- The interface has the ip rsvp bandwidth interface configuration command configured, and the router reloads when you enter the no ip rsvp bandwidth interface configuration command.

- The interface does not have the ip rsvp bandwidth interface configuration command configured, and you enter the ip rsvp bandwidth interface configuration command.

- You enter the ip rtp reserve lowest-udp-port range-of-ports interface configuration command.

In all three situations, a service policy that is configured with the bandwidth or fair-queue command is attached to the interface.

Workaround: Shut down the interface before entering the above commands. Enable the interface again after you have entered the commands.

CSCeb63465

Symptoms: If an originating gateway (OGW) advertises payload type 13 or 19 for comfort noise in Session Description Protocol (SDP) of an "Invite" message, and the terminating gateway (TGW) does not indicate its support in SDP of its response to the OGW, the OGW may continue to generate comfort-noise packets to fill up periods of silence.

Conditions: This symptom is observed when an outbound Voice over IP (VoIP) dial peer has voice activity detection (VAD) configured and when the OGW advertises payload type 13 or 19 in SDP of its "Invite" message.

Workaround: Disable comfort-noise generation on the OGW by entering the no vad dial-peer configuration command. However, doing so does not facilitate the negotiation of comfort-noise packet generation.

CSCeb65637

Symptoms: A call setup to an IP network may be delayed or rejected.

Conditions: This symptom is observed when a Tool Command Language (Tcl) interactive voice response (IVR) application attempts to set up a call without specifying the incoming leg. A call setup without an incoming call leg results in an H.225 "setup" message or Registration, Admission, and Status (RAS) protocol admission message with zeros in the callIdentifier field.

Workaround: Set up a call with an incoming leg.

Alternate Workaround: Assuming that the generated globally unique identification (GUID) does not affect the billing system or the remote endpoint, enter the set callinfo TCL IVR API command to generate a new conference ID and call ID.

CSCeb67268

Symptoms: A Cisco router may reload with a "pppoa_set_error" when the PPP over ATM (PPPoA) context is freed (poisoned) while sessions are being established.

Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.2(15)T2. There are two situations in which this symptom can occur:

- When there is high CPU utilization that is caused by the vtemplate background manager that occurs because a large number of PPPoA sessions are brought up and down quickly.

- When sessions are coming up, but after the vtemplate request is sent and before the response is received, the permanent virtual circuit (PVC) is deconfigured. When the vtemplate response comes back, the pppoa_context is already freed.

Workaround: There is no workaround.

CSCeb73681

Symptoms: The main High-Speed Serial Interface (HSSI) interface flaps when you enter the map-class frame-relay global configuration command on a subinterface.

Conditions: This symptom is observed only when the map class contains both traffic shaping and Random Early Detection (RED).

Workaround: Use only traffic shaping under the map-class.

CSCeb76341

Symptoms: A label may not be assigned for a peer provider edge (PE) router.

Conditions: This symptom is observed on a Cisco 7500 series and a Cisco 12000 series in a Virtual Private Network (VPN) configuration with multiple route reflectors (RRs) and label controlled ATM (LC-ATM) links between PE routers. The symptom may also occur on other platforms.

Workaround: There is no workaround.

CSCeb76642

Symptoms: A Cisco router may reload when you enter the show ip cef non-recursive detail EXEC command.

Conditions: This symptom is observed when any show command attempts to display information about tag rewrite entries while the tag rewrite entries are being deleted by route updates.

Workaround: Do not enter any show command to display tag rewrite entries when many route updates occur.

CSCeb77203

Symptoms: When the radius-server attribute 8 include-in-access-req global configuration command is entered on a RADIUS server, attribute 8 (Framed-IP-Address) is not included in the access request.

Conditions: This symptom is observed on a RADIUS server that is running Cisco IOS Release 12.2(15)T5.

Workaround: There is no workaround.

CSCeb78434

Symptoms: A Media Gateway Control Protocol (MGCP) gateway may send Restart In Progress (RSIP) messages with a very low delay to a call agent (CA), and with a low delay between the RSIP messages. The delay may be much less than one second, which is the minimum value that is permitted by the MGCP standard. The resulting flood of RSIP messages may cause the CA to overload, and may prevent the overloaded CA from recovering.

Conditions: These symptoms are observed on a Cisco AS5400 that has not received a timely acknowledgement (ACK) response to a delete connection (DLCX) message that the Cisco AS5400 sent to the call agent (CA); an overloaded CA may send highly delayed responses.

Workaround: There is no workaround.

CSCeb78582

Symptoms: When a gateway that is in Media Gateway Control Protocol (MGCP) fallback mode reloads, no calls can be made, nor can calls be received. When the gateway comes up again, all controllers including a serial controller are automatically shut down. When you turn off auto configuration and reload the router again, you can make calls, but you still cannot receive calls.

Conditions: This symptom is observed on a Cisco 3700 series that functions as a gateway when all Cisco CallManagers (including the primary and the backup Cisco CallManager) are down, when the TFTP server is still up, and when the gateway is reloaded. This situation causes the E1 or T1 controllers to be shut down. This caveat is platform independent and may occur on another Cisco router that functions as a gateway.

Workaround: Enter the no shutdown controller configuration command on the affected E1 or T1 controller.

CSCeb79576

Symptoms: An outgoing label may not be installed in the Label Forwarding Information Base (LFIB) for an IP version 4 (IPv4) prefix.

Conditions: This symptom is observed when the prefix is learned via a Border Gateway Protocol (BGP) session. This situation may occur when the prefix is deleted in the Label Information Base (LIB) and not allocated to any local label binding.

Workaround: There is no workaround.

CSCeb86270

Symptoms: In Cisco IOS software that is running Multiprotocol Label Switching (MPLS), the Label Distribution Protocol (LDP) peer address table may become corrupted and cause the router to reload.

Conditions: This symptom may be observed in situations where three or more routers have advertised the same IP address in LDP address messages. This normally happens when routers have been misconfigured but in very rare circumstances may be done deliberately.

The circumstance can be recognized by the presence of the following error message:

%TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.0.0.1 advertised by peer 10.2.2.2:0 is already bound to 10.1.1.1:0

If only one such message is seen for a given IP address—10.0.0.1 in the above example—then only two routers have advertised the IP address, and only the second is being treated as a duplicate. At least one more such message should be seen if at least three routers have advertised the IP address in question.

Workaround: The symptom does not occur in typical configurations because duplicate addresses are not configured. If such a configuration is accidentally done, the failure may be avoided if the configuration is corrected before the LDP session to any of the involved peers goes down. If the configuration is deliberate, there is no workaround.
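The recognition rule given for CSCeb86270 above, as an added Python example that is not Cisco code: it scans syslog text for %TAGCON-3-DUP_ADDR_RCVD messages and reports each IP address that three or more LDP identifiers have advertised. The sample log lines and their timestamp prefix are constructed, and counting distinct LDP identifiers instead of raw messages is an assumption added here so that a repeated message from the same peer is not mistaken for a third router.

```python
import ipaddress
import re
from collections import defaultdict

# Message layout as quoted in the caveat text:
#   %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address <addr> advertised by peer
#   <ldp-id> is already bound to <ldp-id>
DUP_ADDR_RE = re.compile(
    r"%TAGCON-3-DUP_ADDR_RCVD: Duplicate Address (?P<addr>\S+) "
    r"advertised by peer (?P<peer>\S+) is already bound to (?P<owner>\S+)"
)

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_LOG = """\
*Mar  1 00:10:01.123: %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.0.0.1 advertised by peer 10.2.2.2:0 is already bound to 10.1.1.1:0
*Mar  1 00:10:04.456: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar  1 00:10:09.789: %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.0.0.1 advertised by peer 10.3.3.3:0 is already bound to 10.1.1.1:0
*Mar  1 00:11:00.000: %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.9.9.9 advertised by peer 10.2.2.2:0 is already bound to 10.4.4.4:0
*Mar  1 00:11:30.000: %TAGCON-3-DUP_ADDR_RCVD: Duplicate Address 10.9.9.9 advertised by peer 10.2.2.2:0 is already bound to 10.4.4.4:0
"""


def advertisers_by_address(log_text):
    """Map each duplicated IP address to the set of LDP IDs that advertised it.

    The router that the address is already bound to counts as an advertiser,
    as does every peer reported as sending the duplicate.
    """
    advertisers = defaultdict(set)
    for line in log_text.splitlines():
        match = DUP_ADDR_RE.search(line)
        if not match:
            continue  # unrelated syslog message
        try:
            addr = str(ipaddress.ip_address(match["addr"]))
        except ValueError:
            continue  # truncated or corrupted log line
        advertisers[addr].update((match["owner"], match["peer"]))
    return dict(advertisers)


def at_risk_addresses(log_text, threshold=3):
    """Return addresses advertised by at least `threshold` distinct LDP IDs.

    Three or more advertisers is the condition the caveat associates with
    corruption of the LDP peer address table.
    """
    return {
        addr: sorted(ids)
        for addr, ids in advertisers_by_address(log_text).items()
        if len(ids) >= threshold
    }


if __name__ == "__main__":
    for addr, ids in at_risk_addresses(SAMPLE_LOG).items():
        print(f"{addr} advertised by {len(ids)} LDP peers: {', '.join(ids)}")
```

In the sample, 10.9.9.9 produces two messages but only two distinct advertisers, so it is not reported; correcting the duplicate configuration for any reported address before an involved LDP session goes down is the avoidance step the caveat describes.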

CSCec00268

Symptoms: A multilink interface may stop processing received packets.

Conditions: This symptom is observed on a Cisco 7500 series when Multilink PPP (MLP) is configured and when a lot of traffic is forwarded to the process-switching path.

Workaround: To clear the symptom, move the physical interfaces to a new multilink interface with a new interface number.

CSCec06230

Symptoms: A Cisco Catalyst 4224 Access Gateway Switch may reload with a segmentation violation (SegV) exception when a Tool Command Language (Tcl) interactive voice response (IVR) script is used.

Conditions: This symptom is observed on a Cisco Catalyst 4224 Access Gateway Switch that is running Cisco IOS Release 12.2(15)T5, Release 12.3, or Release 12.3 B.

Workaround: There is no workaround.

CSCec08973

Symptoms: A 1-port multichannel STM-1 port adapter (PA-MC-STM-1) may report huge numbers of degraded minutes on an E1 controller. For example, after 15 minutes of operation since startup, 35,000,000 degraded minutes may be reported and these values may increase every second. Code violations may also be reported.

Conditions: These symptoms are observed on a Cisco router in which a PA-MC-STM-1 is installed.

Workaround: There is no workaround. However, the traffic is not affected, and the symptom is of a cosmetic nature.

CSCec10776

Symptoms: A Foreign Exchange Office (FXO) port on a Cisco 3600 series may lock up and not process any calls.

To determine if the port is locked up, enter the show voice port summary EXEC command and look for a port that is in the "up, up, idle, on-hook" state, as in the following example:

                                     IN       OUT
PORT      CH SIG-TYPE     ADMIN OPER STATUS   STATUS   EC
========= == ============ ===== ==== ======== ======== ==
2/0/0     -- fxo-ls       up    up   idle     on-hook  y

Conditions: This symptom is observed when the port processes a moderate traffic load.

Workaround: Enter the shutdown port configuration command followed by the no shutdown port configuration command on the affected port.

CSCec11122

Symptom: A Cbus Complex may occur and the packet memory may be recarved, causing a temporary disruption in service.

Conditions: This symptom is observed on a Cisco 7500 series when you install an 8-port multichannel T1/E1 PRI port adapter (PA-MC-8TE1+) or an enhanced 2-port T1/E1 high-capacity port adapter (PA-VXC-2TE1+) and when you configure the port adapter via the command-line interface (CLI) for E1 or T1.

Workaround: There is no workaround. Try to install the port adapter during a maintenance window.

CSCec15371

Symptoms: A Cisco 7200 series with a Network Service Engine (NSE) and a Cisco 7401 may reload.

Conditions: This symptom is observed on a Cisco 7200 series and a Cisco 7401 router that have an ATM or serial interface configured for multilink and that have Parallel Express Forwarding (PXF) enabled.

Workaround: Disable the PXF microcode.

CSCec15733

Symptoms: A Cisco router that is running IP over Multiprotocol Label Switching (MPLS) may reload when the Label Distribution Protocol (LDP) responds to the creation of a new session.

Conditions: This symptom is observed when the router is operating under extremely stressful conditions that cause the CPU utilization to be close to 100 percent. This situation rarely occurs.

Workaround: There is no workaround.

CSCec15911

Symptoms: Subinterfaces that are not configured for policing may randomly drop packets.

Conditions: This symptom is observed when modular QoS CLI (MQC) class-based policing is configured on an Inter-Switch Link (ISL) subinterface and when there are other ISL subinterfaces that are not configured for policing.

Possible Workaround: Remove the quality of service (QoS) policy with class-based policing from the ISL subinterface.

CSCec16990

Symptoms: All packets that enter a router through a Multiprotocol Label Switching (MPLS) over Multilink PPP (MLP) interface may be switched via process switching instead of via Cisco Express Forwarding (CEF) switching.

Conditions: This symptom is observed on a Cisco 7500 series that is configured with a Route/Switch Processor (RSP) and that has CEF enabled.

Workaround: There is no workaround.

CSCec19217

Symptoms: Gateways may not be able to register with the gatekeeper.

Conditions: This symptom is observed when the security password is enabled on the gatekeeper.

Workaround: There is no workaround. If you remove the security password, there is no authentication.

CSCec19243

Symptoms: A Cisco terminating gateway (TGW) may fail to send the correct generic transparency descriptor (GTD) for calls that are reattempted when a glare condition occurs. The TGW attempts to set up the connection by sending an NI2-SETUP message. When this message does not go through, the TGW reattempts to set up the connection and sends another NI2-SETUP message. However, the format of the second setup message is not the same as the format of the first setup message.

Conditions: This symptom is observed when a Cisco platform that functions as a TGW sends an NI2-SETUP message to a Cisco PGW 2200 Softswitch. The public switched telephone network (PSTN) on the egress side sends an Initial Address Message (IAM) in response, and this IAM causes a glare condition. The Cisco PGW 2200 Softswitch sends a message with cause value 15 to the TGW because it is configured to do so in the NI2 DISC message. Because the TGW is configured to reattempt the call upon receiving a message with cause value 15, the TGW sends a second NI2-SETUP message to the Cisco PGW 2200 Softswitch.

Workaround: There is no workaround.

CSCec22252

Symptoms: A Cisco 7500 series may reload when one of the physical multilink member interfaces is shut down while traffic passes through the interface of the multilink member.

Conditions: This symptom is observed on a Cisco 7500 series and is specific to a tag switching configuration (and not to a VPN routing/forwarding [VRF] configuration) on a multilink interface that is based on Versatile Interface Processor (VIP) channels or serial interfaces in the distributed mode. For example, the symptom may occur only if a provider (P)-to-provider edge (PE) link is implemented over the multilink interface.

Workaround: First, shut down the Multilink PPP (MLP) interface. Then, shut down the MLP physical subinterface as needed.

CSCec24494

Symptoms: A Cisco IAD2420 may reload unexpectedly when a watchdog timeout occurs in the voice telephony service provider (VTSP) process.

Conditions: This symptom is observed during normal processing of calls in the local-bypass mode.

Workaround: There is no workaround.

CSCec24911

Symptoms: A Cisco router (router 1) with a digital modem is connected over a public switched telephone network (PSTN) to another router (router 2) with a digital modem. Router 1 is configured to check the basic connectivity to router 2. When router 1 tries to ping router 2, router 1 reloads.

Conditions: This symptom is observed on a Cisco 3725 router with a digital modem that is configured to test the digital modem connectivity between the two routers.

Workaround: There is no workaround.

CSCec27278

Symptoms: On a Cisco router that is configured with a Multilink PPP (MLP) interface, the available processor memory may decrease rapidly because of a memory leak.

Conditions: This symptom is observed when the MLP interface flaps repeatedly.

Workaround: There is no workaround. You must resolve the cause of the flapping MLP interface.

Further Problem Description: A QoS configuration is the key cause of this memory leak. The problem does not happen without a QoS configuration. Note that if PPP multilink interleave is configured, this configuration does trigger QoS memory allocation.

CSCec29162

Symptoms: A terminating gateway rejects incoming Voice over IP (VoIP) calls that carry Field Compatibility Information (FDC) national calling party category (CPC) information in the generic transparency descriptor (GTD) message.

Conditions: This symptom is observed on an H.323 version 4 (V4) Cisco gateway that terminates T1 channel-associated signaling (CAS). Calls that originate from Signaling System 7 (SS7) and R2 trunks that carry national CPC values are affected.

Workaround: There is no workaround.

CSCec29292

Symptoms: A gateway does not send an H.225 progress (PROG) Information Element (IE) when it receives an ISDN call proceeding (callp) with a progress indicator (PI).

Conditions: This symptom is observed when an ISDN public switched telephone network (PSTN) switch returns a callp message with a PI IE in response to the setup message from the terminating gateway. The callp does not trigger any H.225 message from the terminating gateway to the originating gateway.

Workaround: There is no workaround.

CSCec30329

Symptoms: An originating gateway (OGW) may incorrectly insert the calling number information element (IE) in an H.225 call setup message to the terminating gateway (TGW).

Conditions: This symptom is observed on a Cisco AS5400 that functions as an OGW. The symptom occurs only for calls from an H.323-Version 4 OGW to an H.323-Version 2 TGW when the following conditions are present:

- The OGW and TGW use different gatekeepers.

- The gatekeeper that is used by the OGW is connected to a route server for call routing.

- The route server is configured for Gatekeeper Transaction Message Protocol (GKTMP).

Workaround: There is no workaround.

CSCec31162

Symptoms: Incorrect tags may be imposed after a route has flapped.

Conditions: This symptom is observed on a Cisco router that functions in a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) environment.

Workaround: There is no workaround.

CSCec37163

Symptoms: One-way audio may occur during a phone call: a user on the public switched telephone network (PSTN) side may not hear a Cisco IP SoftPhone user.

The output of debug commands and sniffer traces does not indicate any packet drops, and when you listen to the sniffer trace, there seems to be two-way audio.

Conditions: This symptom is observed when the Cisco IP SoftPhone calls the PSTN via a Cisco VG200 series that runs Cisco IOS Release 12.2(15)T7, 12.3, or 12.3 T.

Workaround: There is no workaround. Note that the symptom does not occur in Release 12.2(11)T2.

CSCec38322

Symptoms: A Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) provider edge (PE) router that is running distributed Cisco Express Forwarding (dCEF) may have high memory usage and memory allocation failures when dCEF is disabled and then reenabled.

Conditions: This symptom is observed on a PE router that has a large number of VPN routes (over 30,000) in a VPN routing/forwarding (VRF) table when CEF is disabled and then reenabled.

Further Problem Description: View the output of the show processes memory EXEC command to verify that the CEF process memory usage increases.

Workaround: Reload the router.

CSCec41102

Symptoms: A Cisco 2691XM router that is configured as an H.323 gatekeeper may reload when the gatekeeper functionality is shut down and when the dynamic zone prefix gatekeeper configuration command is configured.

Conditions: This symptom is observed on a Cisco 2691XM that is running Cisco IOS Release 12.2(15)T5 or Release 12.3(2)T when the dynamic zone prefix gatekeeper configuration command is enabled by default on both the gateway and the gatekeeper, and when the following conditions occur:

- The gateway has a plain old telephone system (POTS) dial peer with the destination pattern the same as the zone prefix configured on the gatekeeper.

- The gateway is registered with the gatekeeper.

For example:

This symptom is observed when the gateway and the gatekeeper have the following configurations (the same destination pattern and zone prefix):

Gateway configuration (with dynamic prefix registration enabled):

dial-peer voice 1 pots
 destination-pattern 385....

Gatekeeper configuration:

zone prefix zone-1 385....
gw-priority 10 GW1

The symptom is not observed when the gateway and the gatekeeper have the following configurations (the destination pattern and the zone prefix are different):

Gateway configuration (with dynamic prefix registration enabled):

dial-peer voice 1 pots
 destination-pattern 555....

Gatekeeper configuration:

zone prefix zone-1 385....
gw-priority 10 GW1

For information on how to disable dynamic zone prefixes, refer to the following URL: http://www.cisco.com/en/US/docs/ios/12_3/vvf_c/cisco_ios_h323_configuration_guide/old_archives_h323/4gwconf.html

CSCec42547

Symptoms: An incorrect MAC encapsulation string in a Multiprotocol Label Switching (MPLS) forwarding table on a provider edge (PE) router causes traffic to go down.

Conditions: This symptom is observed on a cell-based Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) that rebuilds the MPLS forwarding table after traffic stops on a PE router.

Workaround: Enter the clear ip route network EXEC command on the PE router that has the traffic problem.

Alternate Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the MPLS interfaces of the problem PE.

CSCec42941

Symptom: When multiple dial peers are configured with different translation rules that are used on the same call, the authentication, authorization, and accounting (AAA) accounting records do not show accurate information of the translated called number.

Conditions: This symptom is observed on a Cisco AS5350 and a Cisco AS5400 when the outbound dial peers have translation rules configured and when multiple dial peers are used for an outbound call because of dial-peer hunting. The symptom does not occur on a Cisco AS5300.

Workaround: Analyze the call by using the correct number that is contained in the gw-final-xlated-cgn vendor-specific attribute (VSA) that is part of the stop record for the RADIUS server.

Further Problem Description: When a universal gateway such as a Cisco AS5350 or Cisco AS5400 receives a call via time-division multiplexing (TDM), and this call needs to be forwarded via Voice over IP (VoIP), the universal gateway tries the first dial peer, which translates the called number and adds a prefix to it. When this call does not go through, the universal gateway tries a second dial peer via dial-peer hunting. This second dial peer translates the number and adds a different prefix to it.

There is a start and stop record for each dial peer:

- The start record for the first dial peer contains the called station ID with the translated number and the first prefix, and there is a stop record for the first dial peer.

- There is a start record for the second dial peer, but it contains the called station ID with the prefix of the first dial peer.

Although the number is translated and properly sent, the AAA records are incorrectly populated.

CSCec45307

Symptoms: There may be no memory for the expanded TFIB PSA. The label allocation may fail with error messages that are shown below and may be followed by a memory traceback.

%TAGCON-3-LCLTAG_ALLOC: Cannot allocate local tag
%TFIB-2-MEMORY: No memory for expanded TFIB PSA
-Traceback=

Conditions: This symptom is only observed on an MPLS-capable Cisco platform and only when the label space has been exhausted to the maximum level supported by the platform or is about to be exhausted (only a few hundred labels are available) and when the TFIB table is expanded further.

Workaround: Enter the mpls label range 16 101900 command at the conf-t level to avoid the error messages.

CSCec46250

Symptoms: There may be a format difficulty when you save digital signal (DS) power-level information onto the NVRAM of a Cisco uBR900.

Conditions: This symptom is observed on a Cisco uBR900 that runs Cisco IOS Release 12.2(15)T7, 12.3, or 12.3 T.

Workaround: There is no workaround.

CSCec46351

Symptoms: A Cisco router repeatedly displays the following error message:

%PXF-2-TALLOCFAIL

Conditions: This symptom is observed on a Cisco 7200 series with a Network Service Engine (NSE-1) or on a Cisco 7401 router whenever the router turns on any routing protocol.

Workaround: There is no workaround.

CSCec49097

Symptoms: A Cisco 7200 series pauses indefinitely in the middle of a link control protocol (LCP) negotiation. The PPP over ATM (PPPoATM) session receives a "Sending Acct Event [Reneg]" message and terminates the LCP phase. The remote peer renegotiates another PPP session and uses the same PPP ID. This causes a continuous LCP state for that user.

Conditions: This symptom is observed on a Cisco 7200 series that is configured for PPPoATM and that runs Cisco IOS Release 12.2(15)T9. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCec52593

Symptoms: A router may reload when the police policy-map class configuration command is enabled under a policy map.

Conditions: This symptom has been observed rarely and is not easily reproduced.

Workaround: There is no workaround.

CSCec54202

Symptoms: A Cisco AS5xx0 platform that is equipped with a particular third-party vendor E1/T1 framer may bring down the controller immediately upon receiving an alarm indication signal (AIS).

Conditions: This symptom is observed when noisy line conditions that last less than 2 seconds cause T1 links to go down or when outages or cable difficulties that last less than 2 seconds cause the controller to go down.

Workaround: There is no workaround.

CSCec57004

Symptoms: The maximum MTU with a DF set across an L2TP MPLS VPN is 1460 while the physical layer MTU is 1500; any ping larger than 1460 may fail.

Condition: This symptom is observed on a LES platform such as a Cisco 3600 series or a Cisco 4500 series when the router performs MPLS operations and functions as an L2TP Network Server (LNS). The incoming MPLS packet is dropped while the router attempts to inject the packet into the L2TP tunnel.

Workaround: Traffic of packets between 1460 and 1500 bytes can be made possible by fragmenting the tagged packets before the transmission.

Enter the mpls mtu 1450 command on the router in the MPLS cloud before the MPLS packet reaches the router that injects the packet into the L2TP tunnel.

CSCec59206

Symptoms: A router may reload unexpectedly because of a bus error when it accesses a low address during the translation of TCP port 514.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(5) and that is configured for Network Address Translation (NAT).

Workaround: Prevent the translation of TCP port 514.

CSCec61028

Symptoms: R2 International Telecommunication Union (ITU) base variants do not apply the correct mapping for the following two ISDN or ISDN User Part (ISUP) cause values (CVs):

- CV#04 - Send Special Information Tone

- CV#28 - Invalid Number Format (Address Incomplete)

Conditions: This symptom is observed on Cisco gateways that are configured with ISDN and Redundant Link Manager (RLM) and that have R2-ITU trunks.

Workaround: There is no workaround.

CSCec61738

Symptoms: A Cisco 7500 series that functions as a provider edge (PE) router may fail to receive an Internet Control Message Protocol (ICMP) echo message on a Multilink PPP (MLP) ingress interface.

Conditions: This symptom is observed on a Cisco 7500 series when Virtual Private Network (VPN) routing/forwarding (VRF) is configured on the MLP interface.

Workaround: There is no workaround.

CSCec64570

Symptoms: The node of a local Label Switch Controller (LSC) that is part of a Multiprotocol Label Switching (MPLS) cell-based network may observe the following symptoms:

- The local provider edge (PE) router cannot ping the remote customer edge (CE) router.

- The remote PE router cannot ping the local CE router.

- The local PE router can ping the remote CE router with type of service (ToS) equal to 0xe0.

- The remote PE router can ping the local CE router with ToS equal to 0xe0.

- A ping with the route record option does not work in either direction.

- A ping with the trace route option does work.

Conditions: These symptoms are observed on the LSC of a Cisco MGX Route Processor Module (MGX-RPM-PR-512) that is running Cisco IOS Release 12.2(15)T4a.

Workaround: From the node of the local LSC that is observing the symptoms, enter the clear ip route network EXEC command.

CSCec66816

Symptoms: A gateway that receives a mid-call invite message with a missing contact header may respond with a "400 Bad Request" message, causing the call to be terminated. This is improper behavior.

Conditions: This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.2(15)T, 12.3, or 12.3 T.

Workaround: There is no workaround.

CSCec67879

Symptoms: Some PPP sessions may not come up and become stuck in the link control protocol (LCP) negotiation state.

Conditions: This symptom is observed on a Cisco 6400 series Node Route Processor (NRP). A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec49097. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

CSCec71102

Symptoms: A Cisco Session Initiation Protocol (SIP) gateway does not use calling information that is contained in the Remote-Party-ID header. A traceback may be observed and the following error is displayed in the output of the debug ccsip error privileged EXEC command:

sippmh_parse_remote_party_id: syntax error in Remote-Party-ID header

Conditions: This symptom is observed on a Cisco SIP gateway that runs Cisco IOS Release 12.2(13)T, 12.3, or 12.3 T and occurs when the gateway receives an initial INVITE message with a Remote-Party-ID header that contains the "other" parameters in the header. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCec73063

Symptoms: An output wedge and drops may occur on the multilink interface of a Cisco 7200 series. The output of the show interfaces privileged EXEC command may display the following information:

.
.
.
Multilink3 is up, line protocol is up
.
.
.
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 5526
Queueing strategy: fifo
Output queue: 31/40 (size/max)
.
.
.

Conditions: This symptom is observed on a multilink interface that has two E1 interfaces in a multilink bundle when there is a low traffic rate.

Workaround: Use the physical interface without a multilink bundle.

CSCec85585

Symptoms: Some virtual circuit (VC) information is missing in the Simple Network Management Protocol (SNMP) MIB object cAal5VccEntry from the output of the snmpwalk router configuration command. The ATM VCs 0/100, 0/200 and 0/500 exist on the router but are missing in the MIB.

Conditions: This symptom is observed on a Cisco 7513 router that is running a special image of Cisco IOS Release 12.2(15)T5. The symptom may also occur in other releases.

Workaround: Enter the show atm vc privileged EXEC command on the same device to obtain a complete list of all the VCs.

CSCec86102

Symptoms: Tag entries may be missing on a Versatile Interface Processor (VIP).

Conditions: This symptom is observed on a Cisco 7500 series that has distributed Cisco Express Forwarding (dCEF) enabled.

Workaround: Enter the clear cef linecard user EXEC or privileged EXEC command.

CSCec86420

Symptoms: When you enter the undebug all privileged EXEC command on a Cisco 3700 series, all traffic that passes through an encrypted generic routing encapsulation (GRE) tunnel may stop.

Conditions: This symptom is observed on a Cisco 3700 series that is configured with a GRE tunnel that is secured via IP Security (IPSec) and that is using Cisco Express Forwarding (CEF) switching.

Workaround: Reinitialize CEF switching by entering the no ip cef global configuration command followed by the ip cef global configuration command.

Alternate Workaround: Do not enter the undebug all privileged EXEC command. Rather, individually disable each debug command.

CSCed11874

Symptoms: Hairpin voice calls that are made via recEive and transMit (E&M) wink on multiple channels may cause digital signal processors (DSPs) to time out. The output of the show voice dsp privileged EXEC command may show "-1" followed by "DSP_TIMEOUT."

Conditions: This symptom is observed on a Cisco IAD2420 series. The symptom does not occur with plain old telephone system (POTS) calls, nor does it occur on a Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series.

Workaround: Enter the voice dsp allocation round-robin global configuration command.

CSCed13210

Symptoms: A terminating gateway (TGW) that receives a group B backward signal 5 (B5 signal) from a terminating switch that is configured for R2 signaling may map the B5 signal to cause value 42 ("Switching equipment congestion") in the H.225 Release Complete message. This is improper behavior: the B5 signal should be mapped to cause value 1 ("Unallocated [unassigned] number").

Conditions: This symptom is observed on a Cisco platform that functions as a TGW.

Workaround: There is no workaround.

CSCed13214

Symptoms: A gatekeeper that is configured for H.323 version 4 (H.323v4) may not insert service IDs in an Admission Rejection (ARJ) message to an H.323v4 gateway.

Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper and that receives service IDs from a route server but does not include the service IDs in the ARJ message to the H.323v4 gateway.

Workaround: There is no workaround.

CSCed16685

Symptoms: When an originating gateway (OGW) receives an R2 Group II signal that is equal to 5 from an incoming E1 R2 trunk, the OGW may map this signal to a generic transparency descriptor (GTD) ISDN User Part (ISUP) calling party category (CPC) that is equal to 6. This is improper behavior: the R2 Group II signal that is equal to 5 should be mapped to a GTD ISUP CPC that is equal to 29.

Conditions: This symptom is observed on a Cisco AS5xxx platform that functions as an OGW with an R2 interface and that uses GTD for signaling transparency across an H.323 Voice over IP (VoIP) network.

Workaround: There is no workaround.

CSCed22837

Symptoms: A router may reload unexpectedly when packets are tag switched.

Conditions: This symptom is observed when a Bridge-Group Virtual Interface (BVI) is created after the router has booted up, when IP packets are received through the BVI, and when these IP packets are forwarded as Multiprotocol Label Switching (MPLS) packets through another interface.

Workaround: Disable tag switching on the BVI interface by entering the tag-switching ip interface configuration command followed by the no tag-switching ip interface configuration command.

CSCed31039

Symptoms: At 12 cps, the following message is displayed on a V4 gatekeeper:

ASSERT failed: line 9900 in file ../mm/gk/gk_rassrv_util.c

Conditions: This symptom is observed when an external server is using the GKTMP interface to communicate with the gatekeeper and when the gatekeeper is configured with "send-cisco-circuit-info."

Workaround: There is no workaround.

CSCed34058

Symptoms: A Layer 2 Tunneling Protocol (L2TP) network server (LNS) may not remove a per-user access control list (ACL) from the configuration. This situation may cause the memory of the LNS to be depleted, and the output of the show processes memory EXEC command may indicate that the "AAA Per-User" process holds most of the allocated memory.

Conditions: This symptom is observed on a Cisco router that functions as an LNS in a Large-Scale Dial-Out (LSDO) configuration when a per-user ACL is present in the RADIUS profile of the user.

Temporary Workaround: To free up memory, manually remove the per-user ACL by entering the no ip access-list extended virtual-access number global configuration command. The number argument consists of the numbers (for example, 2003#671) that are assigned by the Cisco IOS software when the ACL is created.

CSCed35253

Symptoms: A router may reload unexpectedly after it attempts to access a low memory address.

Conditions: This symptom is observed after ACLs have been updated dynamically or after the router has responded dynamically to an IDS signature.

Workaround: Disable IP Inspect and IDS.

CSCed40933

Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) attack from crafted IPv6 packets when the device has been configured to process IPv6 traffic. This vulnerability requires multiple crafted packets to be sent to the device which may result in a reload upon successful exploitation.

More details can be found in the security advisory, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtml.

CSCed47409

Symptoms: In Cisco IOS software that is running Multiprotocol Label Switching (MPLS), a router may reload after accessing a freed Label Information Base (LIB) entry. When the symptom occurs, an error message similar to the following is likely to precede the reload:

%TIB-3-LCLTAG: 10.10.10.10/10.10.10.10, tag advert; unexpected tag state=13

Conditions: This symptom is observed when a very uncommon timing of Label Distribution Protocol (LDP) events occurs. The symptom may occur with LDP or Tagswitching Distribution Protocol (TDP).

Workaround: There is no workaround.

CSCed51523

Symptoms: The show flash-filesystem EXEC command and the dir filesystem EXEC command may not work properly on a Cisco 2600XM, preventing you from seeing the flash images.

In addition, the copy destination url flash: EXEC command may fail when the erase option is not selected (that is, you type in no when you are asked if you want to erase the device). The copy destination url flash: EXEC command functions fine when you do select the erase option.

Conditions: These symptoms are observed on a Cisco 2600XM that is configured with a particular third-party vendor 16-MB SIMM. Note that the router is still functional with this SIMM; you can boot or reload the router, perform a TFTP download operation, and similar actions without any difficulty.

Workaround: There is no workaround.

CSCed68575

Cisco Internetwork Operating System (IOS) Software release trains 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B and 12.3T may contain a vulnerability in processing SNMP requests which, if exploited, could cause the device to reload.

The vulnerability is only present in certain IOS releases on Cisco routers and switches. This behavior was introduced via a code change and is resolved with CSCed68575.

This vulnerability can be remotely triggered. A successful exploitation of this vulnerability may cause a reload of the device and could be exploited repeatedly to produce a Denial of Service (DoS).

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-snmp.shtml

CSCed93836

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences, beyond a terminated connection, that must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products that contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCee19851

Symptoms: A router experiences a software-forced crash.

Conditions: This symptom is observed right after entering the no match dscp 3 or service output level 2 commands.

Workaround: There is no workaround.

CSCin35896

Symptoms: The outgoing label for a prefix that is received through Border Gateway Protocol (BGP) IP version 4+ (IPv4+) labels may not be installed in the Tag Forwarding Information Base (TFIB).

Conditions: This symptom is observed if the router that performs a BGP IPv4+ label exchange receives a label withdraw request for an MPLS label from a BGP peer that is followed by a readvertisement of the label. This symptom occurs if the no mpls ip global configuration command followed by the mpls ip global configuration command is executed on the peer router; however, the label withdraw request may be triggered in other ways also.

Workaround: Enter the clear ip route prefix EXEC command to correct the symptom.

CSCin45173

Symptoms: A Cisco 7206VXR may reload when there is a high E1 PRI call load.

Conditions: This symptom is observed on a Cisco 7206VXR that runs the c7200-is-mz image of Cisco IOS Release 12.3(3) or Cisco IOS Release 12.3(2)T.

Workaround: There is no workaround.

CSCin49152

Symptoms: A boot flash image upgrade using Flash MIB may fail.

Conditions: This symptom is observed on Cisco uBR905 and Cisco uBR925 routers and Cisco Cable Voice Adapter (CVA) modems.

Workaround: There is no workaround.

CSCin49458

Symptoms: An enhanced ATM port adapter (PA-A3) may display an increasing "rx_no_buffer" counter in the output of the show controllers atm privileged EXEC command, and some PVCs configured on the PA-A3 port adapter may stop receiving traffic.

Conditions: This symptom is observed when there is a high-traffic load on the PA-A3. Certain types of PA-A3s are impacted by this problem (PA-A3-OC3/T3/E3 are impacted, but PA-A3-OC12 and PA-A3-8T1/8E1 IMA are not). Also, any platform supporting these types of PA-A3s may be impacted.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the PA-A3.

CSCin50930

Symptoms: dCRTP does not work on a STM port adapter.

Conditions: This fix adds dCRTP support. Without this fix, dCRTP will not work on a STM PA.

Workaround: There is no workaround.

CSCin53682

Symptoms: A provider edge (PE) router may reload when packets are forwarded while a remote Virtual Private Network (VPN) prefix is being reresolved.

Conditions: This symptom is observed when the MPLS VPN—Inter-AS—IPv4 BGP Label Distribution feature is configured for option 4, that is, for a non-VPN transit provider and a multi-hop external Border Gateway Protocol (eBGP) connection between route reflectors (RRs).

Workaround: For the exchange of PE loopback addresses between autonomous systems, do not use eBGP with IPv4 label distribution. Rather, configure redistribution into Interior Gateway Protocol (IGP) or static routes.

CSCin56239

Symptoms: A T.37 off-ramp fax call may disconnect without a T.30 data communications network (DCN). The fax is received correctly, but the call does not disconnect properly. The following error message is displayed:

T.30 flow error: DCN signal not received before session end.

Conditions: This symptom is observed on a Cisco AS5350 router during fax off-ramp call testing.

Workaround: There is no workaround.

CSCin59445

Symptoms: Interfaces of a serial port adapter may not be recognized.

Conditions: This symptom is observed on a Cisco 7200 series, Cisco 7500 series, and Cisco 7600 series that run Cisco IOS Release 12.3 or 12.3 T and that have any of the following port adapters installed:

- Enhanced 4-port serial port adapter (PA-4T+)

- 8-port serial port adapter (PA-8T)

- 1-port High-Speed Serial Interface port adapter (PA-H)

- 1-port E3 serial port adapter (PA-E3)

- 1-port T3 serial port adapter (PA-T3)

Workaround: There is no workaround.

CSCin60870

Symptoms: "Calling Party Number" is not seen in the ISDN setup message on the terminating gateway while verifying whether the remote party ID information is properly passed to the Q931 interface.

Conditions: This symptom occurs when there is calling party information coming from the SIP leg and privacy is not set.

Workaround: There is no workaround.

CSCuk44685

Symptoms: If an online insertion and removal (OIR) occurs on the slot of a line card with interprocess communications (IPC) traffic running, the forwarding information base (FIB) on the other slots or on a secondary route processor (RP) may be disabled.

The following error messages are logged on the router:

%OIR-6-REMCARD: Card removed from slot 0, interfaces disabled
%HA-5-SYNC_NOTICE: OIR sync started.
%HA-5-SYNC_NOTICE: OIR sync completed.
%OIR-6-INSCARD: Card inserted in slot 0, interfaces administratively shut down
%SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (1/1),process = OIR Handler.
-Traceback= 4043F544 404D667C 404D7698 404EEB94 404E01B4
%SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (1/1),process = OIR Handler.
-Traceback= 404D6680 404D7698 404EEB94 404E01B4
%SYS-3-CPUHOG: Task is running for (6000)msecs, more than (2000)msecs (1/1),process = OIR Handler.
-Traceback= 4043F56C 404D667C 404D7698 404EEB94 404E01B4
%SYS-3-CPUHOG: Task is running for (8000)msecs, more than (2000)msecs (1/1),process = OIR Handler.
-Traceback= 404D6680 404D7698 404EEB94 404E01B4
%HA-5-SYNC_NOTICE: OIR sync started.
%FIB-3-FIBDISABLE: Fatal error, slot/cpu 2/0: IPC Failure: timeout <<< <<<<<<< !!!!

Conditions: This symptom is observed on a Cisco Route Switch Processor (RSP) router that is running Cisco IOS software.

Workaround: There is no workaround. The FIB may be reenabled by entering the no ip cef distributed global configuration command followed by the ip cef distributed global configuration command.

CSCuk45946

Symptoms: When the Cisco Call Connection Manager (CCM) resets a Media Gateway Control Protocol (MGCP)-controlled gateway, some Foreign Exchange Office (FXO) cards remain shut down.

Conditions: This symptom is observed on Cisco 2651XM and Cisco 3745 routers that run Cisco IOS Release 12.2(15)T5. CCM sends an extensible markup language (XML) configuration file to the gateway, but some commands are not processed by the routers. The symptom may also occur in other releases.

Workaround: Enter the no shutdown interface configuration command on the FXO cards.

Wide-Area Networking

CSCeb33417

Symptoms: A router may reload when it tries to add a permanent virtual circuit (PVC) to a bundle link.

Conditions: This symptom is observed when a normal Local Management Interface (LMI) frame is received without the User-Network Interface (UNI) fragmentation header. This causes the frame to be processed on the bundle link instead of on the bundle.

Workaround: There is no workaround.

CSCeb48419

Symptoms: When call clearing is initiated on a Cisco gateway that has the isdn switch-type primary-net5 interface configuration or global configuration command enabled, the following symptoms may occur:

- A restart message is sent after 30 seconds instead of after 120 seconds.

- The B channel is released instead of entering the maintenance state.

- The restart procedure is terminated after the second T316 timer expires.

These symptoms may cause state inconsistencies on the B channel and a low level of automatic speech recognition (ASR) on the gateway.

Conditions: These symptoms are observed when the user and the network protocol emulation are not in compliance with the European Telecommunications Standards Institute (ETSI).

Workaround: There is no workaround.

CSCeb74761

Symptoms: A PPP renegotiation may fail with a Subscriber Service Switch (SSS) on legacy sessions.

Conditions: This symptom is observed on the serial line of a Cisco 7200 series or on a Cisco 2600 series that is configured with the vpdn enable global configuration command when the configuration is changed. The PPP renegotiation fails when the peer does not correctly switch the post-link-control-protocol (post-LCP) configuration requirements.

Workaround: Shut down the interface before changing the configuration.

CSCec26520

Symptoms: A router may experience a memory leak in the vtemplate background process. This symptom may be confirmed by entering the show processes memory EXEC command to monitor memory usage.

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.2(13)T5.

Workaround: There is no workaround.

CSCec66146

Symptoms: A network access server (NAS) that runs Microsoft CHAP (MS-CHAP) or Microsoft CHAP version 2 (MS-CHAPv2) may reload unexpectedly.

Conditions: This symptom is observed on a Cisco AS5400 that functions as a NAS but may be platform independent.

Workaround: There is no workaround.

CSCed21027

Symptoms: Software interface description blocks (IDBs) may become exhausted after an interface flaps repeatedly.

Conditions: This symptom is observed under the following conditions:

- PPP sessions go down.

- The same PPP sessions come back up and make use of a new IDB rather than the previously used IDB.

- A virtual-access interface is used rather than a virtual-access subinterface.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(3e)

Cisco IOS Release 12.3(3e) is a rebuild release for Cisco IOS Release 12.3(3). The caveats in this section are resolved in Cisco IOS Release 12.3(3e) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

IP Routing Protocols

CSCeb58402

Symptoms: Enhanced Interior Gateway Routing Protocol (EIGRP) next-hop self-routes are incorrectly deleted from a Routing Information Base (RIB).

Conditions: This symptom is observed when the no ip next-hop-self eigrp interface configuration command is used in a dual hub Dynamic multipoint VPN (DMVPN) network. Routes are learned for the same destination from two different sources over the DMVPN network directly from the spokes and from the other hub. These routes in the EIGRP topology table have the same IP-next-hop, but different metrics. The routes learned from the spokes have a lower metric and are used to populate the routing table. If this hub loses the other hub as an EIGRP neighbor, then EIGRP correctly removes the topology entries from the EIGRP topology table that are learned from the other hub. But EIGRP then deletes these routes from the routing table. EIGRP should not remove the routes from the routing table since the removed topology entries are not used to populate the routing table in the first place.

Workaround: EIGRP does not restore these routes to the routing table until the clear ip route * EXEC command is entered on the router.

Miscellaneous

CSCeb15027

Symptoms: An unnecessary resource accounting stop message is sent for async calls that are running over MGCP even though the authentication is successful.

Conditions: This symptom is observed on a Cisco router when the aaa accounting resource default stop-failure command is given.

Workaround: There is no workaround.

CSCec14039

Symptoms: A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:

Last reset from watchdog reset

Conditions: This symptom is observed on a Cisco 7200 series that is configured with an NPE-G1 and that is running Cisco IOS Release 12.2(14)S3. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCed27956

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences, beyond a terminated connection, that must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products that contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

CSCed38527

A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. The successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences, beyond a terminated connection, that must be considered. This attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch, or computer) and not to the sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.

All Cisco products that contain a TCP stack are susceptible to this vulnerability.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.

A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.

Resolved Caveats—Cisco IOS Release 12.3(3c)

Cisco IOS Release 12.3(3c) is a rebuild release for Cisco IOS Release 12.3(3). The caveats in this section are resolved in Cisco IOS Release 12.3(3c) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Miscellaneous

CSCec52045

Symptom: Cisco IOS software may accept and process a "RESPONDER_LIFETIME" notify message from an unauthenticated peer.

Conditions: This symptom is observed when a "RESPONDER_LIFETIME" notify message arrives before a "Main Mode 6" message. Internet Key Exchange (IKE) packets can arrive out of order because IKE relies on User Datagram Protocol (UDP) as the transmission protocol.

Workaround: Ensure that the IKE peers have matching lifetimes. Doing so makes the "RESPONDER_LIFETIME" notify message unnecessary and prevents Cisco IOS software from sending this message.

CSCec55920

Symptom: A Cisco 3600 series or Cisco 3700 series may reload because of an unexpected exception.

Conditions: This symptom is observed on Cisco 3600 series and Cisco 3700 series that run Cisco IOS Release 12.3(3) and that are configured with a DES/3DES/AES VPN Encryption and Compression Module (AIM-VPN/EPII or AIM-VPN/HPII). The symptom may occur during Internet Security Association and Key Management Protocol (ISAKMP) tunnel negotiation in all of the following conditions:

After several hours of stress.

When the number of tunnels is more than 100.

When the Internet Key Exchange (IKE) security association (SA) lifetimes on the peers are different.

Workaround: For the first and second conditions there are no workarounds. For the third condition, match the IKE SA lifetimes on both peers.

Resolved Caveats—Cisco IOS Release 12.3(3b)

Cisco IOS Release 12.3(3b) is a rebuild release for Cisco IOS Release 12.3(3). The caveats in this section are resolved in Cisco IOS Release 12.3(3b) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Miscellaneous

CSCea32906

Symptoms: A Cisco Service Selection Gateway (SSG) router may reload because of a bus error.

Conditions: This symptom is observed on a Cisco router when Cisco Express Forwarding (CEF) is enabled and access list configurations on the router are changed.

Workaround: Disable CEF.

CSCeb16876

Symptoms: A Cisco router may generate a "SYS-2-GETBUF" message during the "Tag Input" process and may subsequently reload unexpectedly.

Conditions: This symptom is observed when the router fragments a Multiprotocol Label Switching (MPLS) packet.

Workaround: There is no workaround.

CSCeb26131

Symptoms: A Cisco AS5850 router may have high CPU usage in the IP input process because voice packets are punted from the line cards to the Route Switch Controller (RSC) card. To verify this symptom, enter the show interface type number stat EXEC command. The following output from the show interface command indicates that the entry for packets out (Pkts Out) in the "Distributed cache" field is 0.

Router# show interface g6/0 stat

GigabitEthernet6/0

Switching path       Pkts In   Chars In   Pkts Out   Chars Out
Processor                752      56786         25        3267
Route cache                0          0       3120      666090
Distributed cache       3019     644372          0           0
Total                   3771     701158       3145      669357

Conditions: This symptom is observed on a Cisco AS5850 that handles voice calls. The symptom is not observed on the Cisco AS5850 with modem calls.

Workaround: There is no workaround.

CSCeb66825

Symptoms: A Cisco 7200 series may reload unexpectedly during a service-policy configuration.

Conditions: This symptom is observed when you attach a level 2 policy map as a child of a level 1 policy map and when the level 1 policy map is already attached to an interface.

Workaround: Create a level 3 policy map, and attach it to the interface.

CSCec18986

Symptoms: Virtual private dial-up network (VPDN) authorizations fail to send a request for domain authorization to the RADIUS servers.

Conditions: This symptom is observed for PPP connections that begin on an EXEC connection with VPDN turned on for the user.

Workaround: Use PPP connections instead of EXEC connections.

CSCec23073

Symptoms: When authorization is defined under the aaa dnis map dnis-number authorization network group server-group-name global configuration command, a Cisco router sends an access request for the user to the RADIUS server with service outbound. The RADIUS server refuses the authorization with an "authentication failure" message, and the user is disconnected.

Conditions: This symptom is observed after an upgrade to Cisco IOS Release 12.3, Release 12.3 B, or Release 12.3 T when a specific authentication, authorization, and accounting (AAA) dialed number identification service (DNIS) for authorization is configured, as in the following example:

aaa dnis map enable

aaa dnis map 999999 authorization network group my_group

Workaround: Suppress the authorization under the aaa dnis map dnis-number authorization network group server-group-name global configuration command, and use the main AAA authorization.

CSCec29447

Symptoms: A single modem that is marked as bad may prevent an adjacent modem from successfully accepting calls. The call is rejected with "no answer."

Conditions: This symptom is observed on a Cisco AS5800 when a modem module has a hardware difficulty and is marked as bad. Other modems on the same module are not marked as bad but may fail to accept calls.

Workaround: When a modem on a module is marked as bad during the bootup process or during normal use, busyout the entire modem module.

CSCec29962

Symptoms: A Cisco 7200 series router with a VPN Accelerator Module 2 (VAM2) may reload because of stack corruption.

Conditions: This symptom is not observed under normal router operation. The symptom occurs only when the VAM2 is disabled and enabled through the command-line interface (CLI) (for example, by entering the no crypto engine accelerator global configuration command followed by the crypto engine accelerator global configuration command) or when a physical online insertion and removal (OIR) of the VAM2 is performed.

Workaround: There is no workaround.

CSCec32135

Symptoms: set commands that are used with a service policy can cause a router to reload in some circumstances. The set cos policy-map class configuration command can cause reloads in addition to other set commands.

Conditions: This symptom may be observed with configurations that have a service policy with the set command on the interface in combination with one or all of the following three configurations:

access-list filtering

unicast rpf

multicast routing

Under these circumstances, configuration changes of the set-based policy map can cause the router to reload.

Workaround: There is no workaround.

CSCec34456

Symptoms: A router may reload with a bus error, and the following message appears:

PC 0x616F0B80, address 0x3C.

Conditions: This symptom is observed on a Cisco 3660 router that has low memory.

Workaround: There is no workaround.

CSCec37602

Symptoms: A Cisco router with a VPN Accelerator Module 2 (VAM2) may not be fully compliant with the Federal Information Processing Standards specifications for power-up self-tests (FIPS-140-2). There are no operational symptoms that are apparent.

Conditions: This symptom is observed on a Cisco 7200 series with a G1 Network Processing Engine (NPE-G1) and a VAM2 that is enabled for IP Security (IPSec) acceleration.

Workaround: There is no workaround.

CSCec44199

Symptoms: A Cisco gateway that runs a voice extensible markup language (VXML) application may pause indefinitely.

Conditions: This symptom is observed when the following two conditions are met:

The gateway is running Cisco IOS Release 12.2(13)T9 or Release 12.3(3a).

The gateway has been placed in HTTP streaming mode by entering the ivr prompt streamed all global configuration command or the ivr prompt streamed http global configuration command.

In addition, one of the following conditions must also be present:

There must be a single session of a VXML application that repeats the same audio source file within the same <prompt> tag. For example:

<prompt cisco-vcrprompt="true">
<audio src="http://px1-sun/audio/DUCF_33_httpg711ulaw.au"/>
<audio src="http://px1-sun/audio/DUCF_33_httpg711ulaw.au"/>
</prompt>

Multiple sessions access the same audio URL at the same time.

Workaround: Turn off HTTP streaming by entering the no ivr prompt streamed http global configuration command or the ivr prompt streamed none global configuration command.

Alternate Workaround: Turn off HTTP caching by entering the http client cache memory pool 0 global configuration command.

CSCec46125

Symptoms: The CPU usage on a Cisco AS5850 may be close to 100 percent with a moderate number of voice calls with any Voice over IP (VoIP) device that uses the User Datagram Protocol (UDP) checksum (for example, Cisco Analog Telephone Adapter [ATA] devices, and the Cisco 7900 series IP phones).

Conditions: This symptom is observed on a Cisco AS5850 when VoIP devices that use the UDP checksum are installed in a client network as a peer VoIP gateway that uses the Session Initiation Protocol (SIP) and that has the ip udp checksum dial-peer configuration command enabled. This causes the Cisco AS5850 to punt packets to the Route Switch Controller (RSC) and have high CPU usage at the RSC with only a moderate number of calls.

Workaround: Disable the UDP checksum option in the client network by entering the no ip udp checksum dial-peer configuration command. If this is not possible, there is no workaround.

CSCec47915

Symptoms: Users fail to authenticate on a Cisco router when the CiscoSecure authorization (CSAuth) service module fails on a primary Access Control Server (ACS).

Conditions: This symptom is observed on a Cisco router when the CSAuth services fail on the primary ACS server. When the primary ACS server is unavailable because CSAuth services stop, the ACS server returns the "Authserver is Down" error message but the router does not detect this and fails to submit the authentication CSAuth request to the secondary server.

Following is an example of the current server configuration:

aaa group server tacacs+ x
 server x.x.x.x
 server y.y.y.y
aaa authen ppp def group-x

Workaround: If there are only several servers in a group, the servers may be inserted in separate groups and those groups may be included as separate methods.

For example:

aaa group server tacacs+ x
 server x.x.x.x
aaa group server tacacs+ y
 server y.y.y.y
aaa authen ppp def group-x group-y

CSCec66469

Symptoms: It is not possible to change to the default value of 64 milliseconds (ms) when you enter the echo-cancel coverage voice-port configuration command.

Conditions: This symptom is observed when the following steps are taken to change to the default value (64) of the echo-cancel coverage voice-port configuration command:

1. Check the voice port on which the echo-cancel coverage command is currently set to 8.

2. Change the configuration of the echo-cancel coverage command to 64 by entering the echo-cancel coverage 64 command.

3. Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the voice port.

4. Enter the show voice port EXEC command. The configuration should appear fine in the output.

5. Enter the show running-config privileged EXEC command. The new configuration is no longer present.

6. Enter the show voice port EXEC command again. The output indicates that the value of the echo-cancel coverage command has not changed from 8 to 64.

Workaround: There is no workaround.

CSCin50463

Symptoms: A Cisco router may pause indefinitely when a VoiceXML (VXML) dialog is initiated.

Conditions: This symptom is observed on a Cisco AS5350 router when a VXML dialog is initiated and standard VXML events (for example, help, nomatch, noinput, and error) are sent.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(3a)

Cisco IOS Release 12.3(3a) is a rebuild release for Cisco IOS Release 12.3(3). The caveats in this section are resolved in Cisco IOS Release 12.3(3a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Interfaces and Bridging

CSCeb58351

Symptoms: IP does not function on a third-party access server in a Token Ring topology.

Conditions: This symptom is observed when IP routing is configured on an access server in a Token Ring topology.

Workaround: There is no workaround.

CSCin33887

Symptoms: The following error message appears on a Cisco router:

SYS-2-BADSHARE

Conditions: This symptom is observed on a Cisco 7200 series with an ATM port adapter (PA-A3) that is running Cisco IOS Release 12.2(15)B when the router is configured with 100 PPP over ATM (PPPoA) sessions and bidirectional traffic is sent across the ATM port adapter.

Workaround: There is no workaround.

IP Routing Protocols

CSCeb19676

Symptoms: A Cisco 7206VXR periodically reloads when Network Address Translation (NAT) is configured and L4 Internet Locator Service (ILS) Lightweight Directory Access Protocol (LDAP) entries are translated.

Conditions: This symptom is observed on a Cisco 7206VXR router with a Network Processing Engine (NPE-G1) that is running the c7200-is-mz image of Cisco IOS Release 12.2(16)B.

Workaround: There is no workaround.

Miscellaneous

CSCea22843

Symptoms: When configuring Routing Information Protocol (RIP) version 2 on a Cisco router, tracebacks may be displayed.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS software.

Workaround: There is no workaround.

CSCec32135

Symptoms: set commands that are used with a service policy can cause a router to reload in some circumstances. The set cos policy-map class configuration command can cause reloads in addition to other set commands.

Conditions: This symptom may be observed with configurations that have a service policy with the set command on the interface in combination with one or all of the following three configurations:

access-list filtering

unicast rpf

multicast routing

Under these circumstances, configuration changes of the set-based policy map can cause the router to reload.

Workaround: There is no workaround.

CSCea33942

Symptoms: A Cisco uBR905 or Cisco uBR925 router may lose the configuration of the crypto map map-name local-address interface-id global configuration command from its startup configuration.

Conditions: This symptom is observed when the router reloads and is related to the use of the Cable DHCP Proxy feature.

Possible Workaround: Set up a permanent lease for the loopback interface in the Dynamic Host Configuration Protocol (DHCP) server by using the 'ethernet0' MAC address and assigning a fixed IP address on the DHCP server.

CSCec54311

Symptoms: PPP authentication credentials may not be authenticated on a network access server (NAS) if the if-needed keyword is configured in the ppp authentication if-needed interface configuration command and the autoselect during-login line configuration command is configured while login authentication is set to RADIUS.

Conditions: This symptom is observed on a Cisco access server that runs Cisco IOS Release 12.3.

Workaround: Remove the if-needed keyword from the ppp authentication if-needed interface configuration command.

Alternate Workaround: Remove the autoselect during-login line configuration command. Doing so enables the PPP authentication to proceed normally.

CSCea61004

Symptoms: When interim accounting packets are sent by the Service Selection Gateway (SSG), the difference between the start time and the interim time may be as much as 60 seconds.

Conditions: This symptom is observed on all Cisco platforms and in all versions of Cisco IOS software when the ssg accounting interval seconds global configuration command is enabled.

Workaround: There is no workaround.

CSCea64492

Symptoms: A Cisco 6400 series Node Route Processor 2 (NRP2) may reload.

Conditions: This symptom is observed when the Cisco 6400 series NRP2 is running Cisco IOS Release 12.2(13)T1 and the Service Selection Gateway (SSG) is enabled.

Workaround: There is no workaround.

CSCeb30381

Symptoms: A Cisco router intermittently experiences a high CPU load because of a Service Selection Gateway (SSG) timeout.

Conditions: This symptom is observed after a Cisco router is upgraded to Cisco IOS Release 12.3(1).

Workaround: There is no workaround.

CSCeb35210

Symptoms: A Cisco router that has a quality of service (QoS) service policy attached to an interface may generate memory alignment errors or reload unexpectedly because of a bus error during normal operation.

Conditions: This symptom is observed when the policy map of the service policy has a set action configuration and when traffic is being processed.

Workaround: Remove the set action configuration from the policy map.

CSCeb43674

Symptoms: When the CSAdmin or CSAuth services fail on a primary Access Control Server (ACS), authentication does not fail over to the secondary server as it should.

Conditions: This symptom is observed on a Cisco ACS that acts as the primary server.

Workaround: Configure CSAuth.

CSCeb46554

Symptoms: In a non-RADIUS proxy mode, a Service Selection Gateway (SSG) does not include attribute 25 (class) in the host accounting packets. In RADIUS proxy mode, SSG functions correctly, and attribute 25 is included in the host and connection accounting packets.

Example of attribute 25:

RADIUS(00000000): Send Accounting-Request to 192.168.69.7:1813 id 21659/178, len 228
RADIUS: Class [25] 12
RADIUS: 31 34 30 34 39 36 32 37 31 30 [1404962710]
RADIUS: Service-Type [6] 6 Framed [2]

Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.2(16)B.

Workaround: There is no workaround when you are unable to use SSG in RADIUS proxy mode.
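
One way to check for the CSCeb46554 symptom from captured debug output, as an added example that is not part of the Cisco release notes: the Python below parses lines in the format of the excerpt above and lists the Accounting-Requests that carry no attribute 25. The second request in the sample (id 21659/179) and all function names are constructed for illustration, and the parser assumes only the line shapes shown in the excerpt.

```python
import re

# Constructed sample. The first request copies the excerpt above; the second
# (id 21659/179) is invented here to show a request that lacks Class [25].
SAMPLE_DEBUG = """\
RADIUS(00000000): Send Accounting-Request to 192.168.69.7:1813 id 21659/178, len 228
RADIUS: Class [25] 12
RADIUS: 31 34 30 34 39 36 32 37 31 30 [1404962710]
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS(00000000): Send Accounting-Request to 192.168.69.7:1813 id 21659/179, len 216
RADIUS: Service-Type [6] 6 Framed [2]
"""

CLASS_ATTR = 25  # RADIUS attribute 25 (Class)

# "RADIUS(<session>): Send <code> to <server>:<port> id <id>, len <n>"
HEADER = re.compile(
    r"^RADIUS\(\w+\):\s+Send\s+(\S+)\s+to\s+(\S+):(\d+)\s+id\s+([\d/]+),\s+len\s+(\d+)")
# Continuation line: hex bytes of the previous attribute, then "[ascii]"
HEXDUMP = re.compile(r"^RADIUS:\s+((?:[0-9A-Fa-f]{2}\s+)+)\[")
# "RADIUS: <name> [<type>] <length> ..."
ATTR = re.compile(r"^RADIUS:\s+([A-Za-z][\w-]*)\s+\[(\d+)\]\s+(\d+)")


def parse_debug_radius(text):
    """Group debug lines into packets, each with its list of attributes."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            packets.append({
                "code": m.group(1),
                "server": m.group(2),
                "port": int(m.group(3)),
                "id": m.group(4),
                "length": int(m.group(5)),
                "attrs": [],
            })
            continue
        if not packets:
            continue  # attribute lines before any packet header are ignored
        m = HEXDUMP.match(line)
        if m and packets[-1]["attrs"]:
            # Hex dump belongs to the attribute printed on the line before it.
            packets[-1]["attrs"][-1]["value"] += bytes.fromhex(m.group(1))
            continue
        m = ATTR.match(line)
        if m:
            packets[-1]["attrs"].append({
                "name": m.group(1),
                "type": int(m.group(2)),
                "length": int(m.group(3)),
                "value": b"",
            })
    return packets


def accounting_without_class(packets):
    """Return the ids of Accounting-Requests that carry no Class attribute."""
    return [
        p["id"] for p in packets
        if p["code"] == "Accounting-Request"
        and not any(a["type"] == CLASS_ATTR for a in p["attrs"])
    ]


def length_mismatches(packet):
    """Hex-dumped attributes whose byte count disagrees with the length field.

    The RADIUS length field counts the type and length octets, so a Class
    attribute of length 12 carries 10 value bytes.
    """
    return [
        a["name"] for a in packet["attrs"]
        if a["value"] and len(a["value"]) != a["length"] - 2
    ]


if __name__ == "__main__":
    pkts = parse_debug_radius(SAMPLE_DEBUG)
    for p in pkts:
        classes = [a["value"].decode("ascii", "replace")
                   for a in p["attrs"] if a["type"] == CLASS_ATTR]
        print(p["id"], p["code"], "Class:", classes or "MISSING")
    print("Requests without Class:", accounting_without_class(pkts))
```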

CSCeb59201

Symptoms: A start accounting request is not sent for a redundant dial peer when the primary dial peer fails.

Conditions: This symptom is observed on a Cisco AS5300.

Workaround: There is no workaround.

CSCeb73055

Symptoms: Network authorizations may fail for locally authenticated sessions.

Conditions: This symptom is observed for network authorizations for PPP sessions if the user is authenticated locally and the authorization method list contains the radius keyword.

Workaround: Use separate lists for local and RADIUS authorization.

CSCeb75982

Symptoms: In a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) environment, if you enter the ping vrf EXEC command toward the directly connected interfaces of a neighbor's provider edge (PE) router, the ping may fail.

Conditions: This symptom is observed when aggregate routes on Cisco routers are pinged.

Workaround: The ping will be successful if you select options when you enter the ping vrf EXEC command.

CSCeb84836

Symptoms: Data packets may be punted to the process path when user logon and logoff activity occurs.

Conditions: This symptom is observed in all of the Service Selection Gateway (SSG) images of Cisco IOS software under heavy load conditions.

Workaround: There is no workaround.

CSCec02642

Symptoms: A router may reload with a bus error if a quality of service (QoS) class map or policy map is renamed through modular QoS CLI (MQC) and a subsequent show memory EXEC command is issued.

Conditions: This symptom is observed in all Cisco IOS software releases on all Cisco platforms where the rename command is available under class map and policy map modes. It is observed in Cisco IOS Release 12.1(14)E, Release 12.2(12) and later releases. This symptom is not observed in Release 12.1. The symptom occurs after a global class map or policy map is renamed and a subsequent show memory EXEC command is issued.

Workaround: Avoid use of the rename command. Remove and recreate the class map or policy map instead.

CSCec03782

Symptoms: A memory allocation failure may occur on compiled access control list (ACL) tables. There may be continued attempts to recompile the ACLs that fail.

Conditions: This symptom is observed when compiled ACLs are enabled by entering the access-list compiled global configuration command, and the total number of ACL entries is relatively large (over 1500 lines). Random or constantly changing traffic patterns may cause the compiled ACL tables to grow to the point at which memory fragmentation causes the memory allocation failure.

Workaround: Disable and then reenable the compiled ACLs by entering the no access-list compiled global configuration command followed by the access-list compiled global configuration command.

Alternate Workaround: Completely disable the compiled ACLs.

Second Alternate Workaround: ACLs may sometimes be rearranged to make the list shorter or less complex. This will reduce the memory requirements. Large ACLs used for Border Gateway Protocol (BGP) route prefixes may be converted to use a prefix list configuration instead.

CSCec06547

Symptoms: When a Cisco router boots up, the following messages appear and the router is unusable:

Process= "MIPC Periodic Timer", ipl= 0, pid= 32
%PIF-3-READ_IMEM_ERROR: NULL response for READ_IMEM MIPC msg to, XPIF2
Process= "FDM Forwarding Stats Process", ipl= 0, pid= 35
%PIF-3-READ_PHY_ERROR: NULL response for PIF_PHY_REG_SEND_CMD MIPC msg to, XPIF2

Conditions: This symptom is observed on a Cisco AS5850 gateway that has a Route Switch Controller (RSC) card with revision 8.9 or later, and that is running Cisco IOS Release 12.2(11)T4, Release 12.2(11)T9, Release 12.3(1), Release 12.3(1a), or Release 12.3(3a).

Workaround: Load a working 5850 image of Cisco IOS software (images other than those listed in the Conditions section) and then reload the gateway with the newer image of the software without turning off power and turning on power to the router.

CSCec08418

Symptoms: A software-forced reload may occur on a Cisco router.

Conditions: This symptom is observed on a Cisco 2691, Cisco 3660, Cisco 3725, or Cisco 3745 router if a Gigabit Ethernet Network Module (NM-1GE) is present in the router and the show interfaces EXEC command is entered after the show tech EXEC command has been entered.

Workaround: There is no workaround.

CSCec12741

Symptoms: If an access control list (ACL) is recompiled under heavy load conditions, CPUHOG messages may be generated.

Conditions: This symptom is observed when compiled ACLs are enabled by entering the access-list compiled global configuration command, and the total number of ACL entries is relatively large (over 1500 lines). Random or constantly changing traffic patterns may cause the CPUHOG messages. A side effect of this symptom is that not enough time is provided for other processes, and areas such as keepalives or Cisco Express Forwarding (CEF) management may be impacted.

Workaround: Disable and then reenable the compiled ACLs by entering the no access-list compiled global configuration command followed by the access-list compiled global configuration command.

Alternate Workaround: Disable the compiled ACLs completely.

CSCec17018

Symptoms: Internet Key Exchange (IKE) fails when multiple trustpoints are configured with the crl optional router configuration command. A ping does not go through after authentication and enrollment have occurred successfully.

Conditions: This symptom is observed in Cisco IOS Release 12.3(3)fc2.

Workaround: Use the no crl optional router configuration command, or use only one trustpoint.

CSCec17205

Symptoms: A Cisco Node Route Processor 2 (NRP2) that acts as a Service Selection Gateway (SSG) either does not process or does not clear the interface input queue buffer of SSG packets that come in. SSG packets that get stuck are requests that are sent by the Subscriber Edge Services Manager (SESM) server during SSG and SESM interactions. This eventually causes a wedged interface.

Conditions: This symptom is observed on a Cisco NRP2 that is running a special version of Cisco IOS Release 12.3(3) with SESM version 3.1.7.

Workaround: There is no workaround.

CSCec18644

Symptoms: A large memory leak occurs when you enter the write memory command-line interface (CLI) command on a Cisco router.

Conditions: This symptom is observed on a Cisco router when the following global configuration commands are in the router configuration:

service compress-config
boot config c:auto_config_slot09 nvbypass

Workaround: Do not use the two commands together.

CSCec20085

Symptoms: A Cisco router may pause indefinitely when it attempts to play a nonexistent audio file.

Conditions: This symptom is observed on a Cisco 3660 when it attempts to get a nonexistent audio file from a Real-Time Streaming Protocol (RTSP) server.

Workaround: There is no workaround.

CSCec29189

Symptoms: When you enter the radius-server attribute nas-port format e global configuration command, the expected behavior is that the network access server (NAS) port attribute in the RADIUS access request equals the session ID and is different for each session. However, this behavior may not occur; the RADIUS access request may remain 0.

Conditions: This symptom is observed on a Cisco 7206 router that functions as a NAS, a Service Selection Gateway (SSG), and a digital subscriber line (DSL) aggregator.

Workaround: There is no workaround.

CSCec31053

Symptoms: A router may pause indefinitely if you enter the show crypto ca cert trustpoint-label EXEC command.

Conditions: This symptom is observed on a Cisco router if the trustpoint-label argument is not defined in the router's running configuration, or if multiple trustpoint-label arguments are defined in the running configuration.

Workaround: Use the show crypto ca cert EXEC command without a trustpoint.

CSCec36752

Symptoms: In an authentication, authorization, and accounting (AAA) configuration, an EXEC user is unable to start a PPP session when EXEC authorization is used.

Conditions: This symptom is observed on a Cisco router when double authentication occurs. PPP authentication is configured and AAA authentication is also configured.

If the aaa authorization global configuration command is included in the AAA configuration, the router has the ability to support server-provided autocommands (the autocommand push feature). An EXEC user who starts a PPP session fails because the router attempts to authenticate the PPP session even though the user has already been authenticated at login when the aaa authentication ppp default if-needed command is configured.

Workaround: Disable the aaa authorization EXEC command. This action disables the ability to support the autocommand push feature from the TACACS+ server.

Alternate Workaround: Use a RADIUS server instead of a TACACS+ server.

CSCin42946

Symptoms: A Cisco router may reload when processing a voice call.

Conditions: This symptom is observed on a Cisco 2600 series, a Cisco 3600 series, or a Cisco 3700 series and is caused by an illegal data pointer access.

Workaround: There is no workaround.

CSCin50865

Symptoms: A cable modem pauses indefinitely when an H.323 voice call is received.

Conditions: This symptom is observed on a cable modem that is running Cisco IOS Release 12.3.

Workaround: There is no workaround with Release 12.3.

Alternate Workaround: Use any 12.2 T release other than Release 12.2(15)T7, or use a release that is later than Release 12.3(3a).

CSCin53730

Symptoms: It is not possible to configure the Easy Virtual Private Network (VPN) remote feature on a Cisco router.

Conditions: This symptom is observed on a Cisco 2691 router that is running the c2691-adventerprisek9-mz image of Cisco IOS software.

Workaround: Use the classic 2691 k9 image of Cisco IOS software.

CSCuk45771

Symptoms: A Cisco gateway displays the following error message when a call agent sends a Modify Connection (MDCX) request:

%HPI-3-CODEC_NOT_LOADED: channel:3:0 (63) DSP ID:0x1342, command failed as codec not loaded

Conditions: This symptom is observed on all Cisco platforms.

Workaround: There is no workaround.

Wide-Area Networking

CSCec12519

Symptoms: A Cisco access server may reload under a high call volume.

Conditions: This symptom is observed on a Cisco access server that has a call volume of approximately 600 analog PPP calls and 300 digital Multilink PPP (MLP) calls.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(3)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(3). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(3). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Access Server

CSCdz80238

Symptoms: Cisco Modem ISDN channel aggregation (MICA) modems that are attached to a Cisco AS5300 may suddenly download MICA portware. The download fails and out-of-service (OOS) error messages occur.

Conditions: This symptom is observed on a Cisco AS5300 that is running Cisco IOS Release 12.2(2)XB10.

Workaround: There is no workaround.

Basic System Services

CSCdx55178

Symptoms: Difficulties may occur when you attempt to log in to a Cisco 6400. After you have established a Telnet connection to a Node Route Processor 2 (NRP-2) and press the Enter key, the following user access verification sequence may be displayed, and you cannot log in:

Password:
Password:
Password:
% Bad passwords

Conditions: This symptom is observed on a Cisco 6400 that is running Cisco IOS Release 12.2(4)B3 only after an interactive ATM ping has occurred. The occurrence of the symptom may depend on the Telnet client.

Workaround: Instead of using an interactive ATM ping, enter the ping atm interface atm interface vpi vci [seg-loopback | end-loopback] [repeat [timeout]] privileged EXEC command.

CSCea22886

Symptoms: When an entry in the ciscoPingTable MIB variable is set to be valid, high memory utilization may occur gradually because memory is not released by the "dead*" process of a Simple Network Management Protocol (SNMP) ping.

Conditions: This symptom is observed on a Cisco 12000 series after the router has been upgraded from an earlier Cisco IOS release to Cisco IOS Release 12.2(23)S.

Workaround: Exclude the ciscoPingTable MIB variable from the configuration by entering the snmp-server view view name ciscoPingTable excluded global configuration command.

CSCea26010

Symptoms: A Cisco router may reload when two port adapters are inserted in the router.

Conditions: This symptom is observed on a Cisco 7206 router when two port adapters are inserted in the router within several seconds of each other.

Workaround: Wait for the first inserted port adapter to come up and then insert the second port adapter.

CSCea30419

Symptoms: Open Shortest Path First (OSPF) database packets may be exchanged with an invalid length. Error messages may indicate an invalid packet length and bad checksum.

Conditions: This symptom is observed on a Cisco 7500 series that is running the rsp-js-mz image of Cisco IOS Release 12.2(13)T.

Workaround: There is no workaround.

CSCea33897

Symptoms: A Cisco 7200 series may generate a "%SYS-2-LINKED: Bad requeue" message. Following this message and after a time of operation, memory fragmentation occurs and the router reloads.

Conditions: This symptom is observed on a Cisco 7200 series that is running Cisco IOS Release 12.2(11)T.

Workaround: There is no workaround.

CSCea56667

Symptoms: The memory that is held by the "RTT Responder" process may increase, as is indicated by the amount of memory in the "Hold" column in the output of the show processes memory include {rtt | pid} EXEC command.

Conditions: This symptom is observed when many jitter probes are sent simultaneously to the same destination port.

Workaround: Do not use the same destination port for all the probes.

First Alternate Workaround: To free memory once in a while, enter the no rtr responder global configuration command followed by the rtr responder global configuration command.

Second Alternate Workaround: Lower the duration of the probes.

CSCea67430

Symptoms: Customers of a service provider may be able to display all routes of all Virtual Private Networks (VPNs) by walking a MIB from a network management station (NMS) on their own VPN.

Conditions: This symptom is observed when Simple Network Management Protocol (SNMP) MIB variables are available without restriction to VPN routing/forwarding (VRF) interfaces on a Cisco MGX 8000 series Route Processor Module (RPM) that is running Cisco IOS Release 12.2(8)T4.

Provider edge (PE) router access for control traffic that is associated with VRF interfaces should be limited to Internet Control Message Protocol (ICMP), Border Gateway Protocol (BGP), and Address Resolution Protocol (ARP).

Workaround: Create an access control list (ACL) that filters out all User Datagram Protocol (UDP) packets on the SNMP port using the access-list access-list-number deny udp any any eq snmp global configuration command, and apply this ACL to the interface on which the VRF is configured.

CSCea70334

Symptoms: The following message appears on a Cisco router when you run the Cisco Security Device Manager (SDM) version 1.0:

%SYS-3-CPUHOG: Task ran for 2484 msec (0/0), process = HTTP CP, PC = 606B39EC.
-Traceback= 606B39F4 604FD040 604FD024

Conditions: This symptom is observed on a Cisco 2600 series that is running Cisco IOS Release 12.3(1).

Workaround: There is no workaround.

CSCea87766

Symptoms: A Cisco platform may generate the following error message:

<interface name> is a static pool and cannot be tuned

Note that instead of "<interface name>," an actual interface name will be stated in the message.

Conditions: This symptom is observed when you display the running configuration.

Workaround: There is no workaround.

CSCea90276

Symptoms: You may not be able to load Channel Interface Processor (CIP) microcode from any Flash device type, and the following error messages may appear:

...

%CIP2-0-MSG: slot4 %LOADER-0-HEADER: Loading file slot0:cip218-120.CSCea27903_seg_eca:

%CIP2-3-MSG: slot4 %LOADER-3-FOPENER: Error: file (slot0:cip218-120.CSCea27903_seg_eca) open failure code -2

%CIP2-3-MSG: slot4 %LOADER-3-FOPEN: Error: Cannot open the input file "slot0:cip218-120.CSCea27903_seg_eca".

%CIP2-3-MSG: slot4 %LOADER-3-LOADRC: Error: Return code is 8(8)

%CIP2-0-MSG: slot1 %LOADER-0-HEADER: Loading file slot0:cip218-120.CSCea27903_seg_pca:

%CIP2-3-MSG: slot1 %LOADER-3-FOPENER: Error: file (slot0:cip218-120.CSCea27903_seg_pca) open failure code -2

%CIP2-3-MSG: slot1 %LOADER-3-FOPEN: Error: Cannot open the input file "slot0:cip218-120.CSCea27903_seg_pca".

%CIP2-3-MSG: slot1 %LOADER-3-LOADRC: Error: Return code is 8(8)

%CIP2-0-MSG: slot1 %LOADER-0-HEADER: Loading file slot0:cip218-120.CSCea27903_seg_eca:

%CIP2-3-MSG: slot1 %LOADER-3-FOPENER: Error: file (slot0:cip218-120.CSCea27903_seg_eca) open failure code -2

%CIP2-3-MSG: slot1 %LOADER-3-FOPEN: Error: Cannot open the input file "slot0:cip218-120.CSCea27903_seg_eca".

%CIP2-3-MSG: slot1 %LOADER-3-LOADRC: Error: Return code is 8(8)

%CIP2-0-MSG: slot4 %LOADER-0-HEADER: Loading file slot0:cip218-120.CSCea27903_seg_eca:

%CIP2-3-MSG: slot4 %LOADER-3-FOPENER: Error: file (slot0:cip218-120.CSCea27903_seg_eca) open failure code -2

%CIP2-3-MSG: slot4 %LOADER-3-FOPEN: Error: Cannot open the input file "slot0:cip218-120.CSCea27903_seg_eca".

%CIP2-3-MSG: slot4 %LOADER-3-LOADRC: Error: Return code is 8(8)

...

The number of errors and file names that fail will depend upon the configuration of the CIP.

Conditions: This symptom is observed on a Cisco Route Switch Processor (RSP).

Workaround: There is no workaround.

CSCeb11253

Symptoms: A Cisco router may reload because of a watchdog timeout condition when you poll the ciscoEnvMonTemperatureStatusValue MIB variable.

Conditions: This symptom is observed when the MIB variable has an index that is larger than 6. Indexes 0 to 6 are valid indexes; indexes that are larger than 6 are not valid indexes.

Workaround: There is no workaround.

CSCeb62313

Symptoms: A router may reload when the asynchronous queue (async-queue) is not empty and you enter the show line async-queue or clear line async-queue EXEC command. The following error message appears:

%Software-forced reload

Unexpected exception, CPU signal 23, PC = 0x6043BFC4

Conditions: This symptom is observed when the async-queue is not empty and you enter the show line async-queue or clear line async-queue EXEC command. If the async-queue is empty, the router does not reload, and the show line async-queue or clear line async-queue EXEC commands work correctly.

Workaround: If the async-queue is not empty, enter the show line async-queue rotary-group and clear line async-queue rotary-group EXEC commands.

EXEC and Configuration Parser

CSCea38774

Symptoms: When the show parser cache EXEC command is executed, a router may reload when bringing up a PPP over Ethernet (PPPoE) or PPP over ATM (PPPoA) session. The reload may occur when there is more than one session accessing the parser cache and one of the sessions executes the show parser cache EXEC command.

Conditions: This symptom is observed when more than one session executes the show parser cache EXEC command and the other session is creating the cache entry. During the creation of the cache entry when there is not enough space in the cache, old entries may be replaced with new entries and old entries may be freed. There is the possibility that freed and invalid entries may be accessed by the session that is issuing the show parser cache EXEC command.

Workaround: Disable the parser cache by using the no parser cache global configuration command.

IBM Connectivity

CSCdy82170

Symptoms: The router log indicates that the Bisync interface is going up and down and that the router may reload.

Conditions: This symptom is observed when Bisync is configured on the serial interface of a Cisco 2600 series router.

Workaround: There is no workaround.

CSCeb46621

Symptoms: After an MGX Route Processor Module (RPM-PR) is upgraded from Cisco IOS Release 12.3(1.7)T1 to Release 12.3(1.9)T1, the RPM-PR continually reboots and generates tracebacks and crashinfo files.

Conditions: This symptom is observed on an RPM-PR that is configured as a P router in a Multicast Virtual Private Network (MVPN) setup. Both the customer and the core use the Protocol Independent Multicast (PIM) Source Specific Multicast (SSM) protocol.

Workaround: Before the software upgrade, save the configuration on the RPM-PR. To clear the entire configuration on both the RAM and the disk of the RPM-PR, enter the clrsmcnf switch configuration command on the RPM-PR and then upgrade the PR image. After the RPM-PR comes up with the new image, reload the saved configuration.

Interfaces and Bridging

CSCea38882

Symptoms: A Cisco 7200 series router may reload because the packet cleanup is not performed completely in the interrupt path of an enhanced ATM port adapter (PA-A3).

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.2 and that is configured with a PA-A3 port adapter.

Workaround: There is no workaround.

CSCea76842

Symptoms: A router may reload when the access list is deleted on the transparent bridging interface.

Conditions: This symptom is observed on a Cisco 3640 router only.

Workaround: There is no workaround.

CSCea84534

Symptoms: The routing table may be incomplete on a Cisco router that is configured with InterSwitch Link (ISL) encapsulation.

Conditions: This symptom is observed on a Cisco router that is configured with a Network Service Engine 1 (NSE-1) and that runs Cisco IOS Release 12.3, Release 12.3 B, or Release 12.3 T.

Workaround: There is no workaround.

CSCea93100

Symptoms: Even though a bridge domain is configured, it may not function. A root bridge is placed over the domain that should have been configured. This tree topology problem in the bridge group does not affect any traffic transmission.

Conditions: This symptom is observed on a Cisco 2600 series router that is running Cisco IOS Release 12.2.

Workaround: There is no workaround.

CSCeb04154

Symptoms: You may see numerous spurious accesses when you configure source-route bridging (SRB) and source-route translational bridging (SRTLB) on the same LAN Emulation (LANE) client.

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.2(6f).

Workaround: There is no workaround.

CSCeb60620

Symptoms: A Cisco Route Switch Processor (RSP) that is configured as a bridge may not pass bridged traffic, regardless of the protocols that are configured on Ethernet interfaces. This situation can lead to a loss of connectivity.

Conditions: This symptom is observed on a Cisco RSP that is running an rsp-jsv-mz image of Cisco IOS Release 12.2(17.10)S, Release 12.2(19), or Release 12.3(2.2).

Workaround: There is no workaround.

CSCin40163

Symptoms: An ATM interface may remain administratively down.

Conditions: This symptom is observed when commands do not have any effect because the command-line interface (CLI) does not function. The symptoms are platform independent.

Workaround: There is no workaround.

CSCin41445

Symptoms: A Cisco 7200 series may report improper DS3 service-level agreement (SLA) counters.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with an enhanced ATM port adapter (PA-A3).

Workaround: There is no workaround.

CSCin42584

Symptoms: A router may not recognize an ATM WAN OC-3 port adapter.

Conditions: This symptom is observed when an ATM WAN OC-3 port adapter is installed in slot 1 of a Cisco 7200 series router that has a Network Processing Engine 150 (NPE-150).

Workaround: There is no workaround.

CSCin43613

Symptoms: The Fast Ethernet (FE) switching performance on a Cisco 7200 series may be considerably slower than you would expect.

Conditions: This symptom is observed on any normal FE switching path on a Cisco 7200 series.

Workaround: There is no workaround.

CSCin45640

Symptoms: The following message may be observed many times on a router console:

interface info was deleted by another session

Conditions: This symptom is observed when traffic is sent on a PA-A3 port adapter with an ATM interface on a Route Processor Module (RPM). If the ATM interface is reset, this message may be observed on the console, and the PA-A3 may lose the Rx buffers.

Workaround: There is no workaround.

CSCin46792

Symptoms: Back-to-back pings with a packet size greater than the configured maximum transmission unit (MTU) may fail.

Conditions: This symptom is observed on the PA-A2 port adapter of a Cisco 7200 series router that is running Cisco IOS Release 12.2(16a).

Workaround: There is no workaround.

IP Routing Protocols

CSCdw50797

Symptoms: A Cisco Internet router may reload with a bus error.

Conditions: This symptom is observed on a Cisco 12000 series Internet router after you enter the show ip bgp regexp regexp EXEC command.

Workaround: There is no workaround.

CSCdy29423

Symptoms: Border Gateway Protocol (BGP) may lose non-IP version 4 (non-IPv4) configurations after a Cisco router has reloaded.

Conditions: This symptom is observed under either one of the following two conditions:

- When you configure the no bgp default ipv4-unicast router configuration command, some peer group configurations may not be valid in the sequence that is saved by BGP. This situation prevents peer group members from being configured only under a non-IPv4 address family.

- When all neighbors that are part of an IPv4 address family are disabled via the no neighbor ip-address activate router configuration command, this command is not saved in the configuration. After the router has reloaded, the neighbors are no longer disabled.

Workaround for configurations that have the autonomous system configured in the peer group: Take the following three steps:

1. Enter the no bgp default ipv4-unicast router configuration command.

2. Do not configure any neighbor-specific session parameters in peer group members.

3. Enable peer group members under the appropriate address family (such as IPv4 multicast or Virtual Private Network version 4 [VPNv4]) using the neighbor ip-address peer-group peer-group-name address family configuration command.

Workaround for configurations that have the autonomous system configured in the neighbor: Take the following two steps:

1. Enter the no bgp default ipv4-unicast router configuration command.

2. Enable peer group members under the appropriate address family (such as IPv4 multicast or VPNv4) using the neighbor ip-address peer-group peer-group-name address family configuration command.

CSCdz78549

Symptoms: A Cisco 7401ASR router may pause indefinitely after you enter the more system: running-config EXEC command or the show running-config EXEC command.

Conditions: This symptom is observed on a Cisco 7401ASR router that is configured with Stateful Network Address Translation (SNAT).

Workaround: There is no workaround.

CSCea06754

Symptoms: Toggling between the bgp suppress-inactive command and the no bgp suppress-inactive command may prevent routes from being advertised.

Conditions: This symptom is observed on routes that have mismatched next hops.

Workaround: Enter the clear ip bgp * privileged EXEC command.

CSCea13075

Symptoms: The Multi Exit Discriminator (MED) that is received from a confederation external peer may be ignored in best path selection. The output of the show ip bgp longer-prefixes EXEC command does not indicate that any MED values were received.

Conditions: This symptom is observed when Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) configurations are present.

Workaround: There is no workaround.

CSCea14412

Symptoms: When you enter the distribute-list in router configuration command on a Cisco Route Switch Processor 4+ (RSP4+), the system returns to ROM by bus error at PC 0x605FBA3C, address 0xEF4321D9.

Conditions: The symptom is observed on a Cisco RSP4+ in the generic IP routing table code, and occurs across all routing protocols. It is a day one race condition situation and may occur when the CPU is under severe load.

Workaround: There is no workaround.

CSCea15407

Symptoms: The changes implemented by CSCdy29423 changed and eliminated some commands to reflect their correct usage. This caveat (CSCea15407) describes the modifications that have been made to the command-line interface (CLI) of these commands so that they appear in the same manner as before CSCdy29423 was implemented. The following are the affected commands:

- neighbor group-name activate address family configuration command

- neighbor ip-address peer-group peer-group-name address family configuration command

Conditions: In Cisco IOS software releases that contain the fixes for CSCdy29423:

- It is not necessary to manually activate the peer group, and the neighbor group-name activate address family configuration command will not show up in the configuration.

- The neighbor ip-address peer-group peer-group-name address family configuration command under an address family is replaced by the neighbor ip-address activate router configuration command.

In Cisco IOS software releases that contain the fixes for CSCea15407:

- The CLI of the neighbor group-name activate address family configuration command will be available under the address family so that older versions of Cisco IOS software will be able to read the configuration.

- The CLI of the neighbor ip-address peer-group peer-group-name address family configuration command will be displayed under the address families for members of a peer group in a configuration.

The changes implemented by CSCea15407 will allow the output of the show running-config EXEC command to be backward compatible with earlier versions of Cisco IOS software.

Workaround: There is no workaround.

CSCea26993

Symptoms: Multicast traffic may get dropped by a Cisco router that is running in dense mode. (Note that all routers have the multicast group in a pruned state even though interested receivers are present.)

Conditions: This symptom is observed when a T-flag is incorrectly set on an (S,G) entry.

A process that is used by dense mode and that is called an Assert process (referred to as Assert) is triggered, causing a designated forwarder (referred to as an Assert winner) to be elected. The Assert winner forwards multicast traffic onto a multiaccess segment when there is more than one router on the segment. If the router that becomes the Assert winner has the T-flag incorrectly set because traffic arrives on its outgoing interface (OIF) rather than on its incoming interface (IIF), multicast traffic is dropped as a result of Reverse Path Forwarding (RPF).

The Assert winner is based on the lowest administrative distance that is required to reach the source. When administrative distances are equal, the Interior Gateway Protocol (IGP) metric is used to determine how to reach the source. When both the administrative distance and the IGP metric are equal, the router with the highest IP address is used as a tiebreaker.

Possible Workaround: Disable Protocol Independent Multicast (PIM) on the interface of the Assert winner that has incorrectly set the T-flag on its (S,G) entry as a result of receiving traffic on its OIF rather than on its IIF.

First Possible Alternate Workaround: Enter the ip mroute source-address rpf-address distance global configuration command with a value of 255 for the distance argument on the Assert winner.

Second Possible Alternate Workaround: Configure the ip pim sparse-mode interface configuration command on the interface of the Assert winner to prevent the interface from operating in dense mode.

CSCea33138

Symptoms: Spoke-to-spoke data packets may be dropped in a Dynamic Multipoint Virtual Private Network (DMVPN).

Conditions: This symptom is observed while Next Hop Resolution Protocol (NHRP) and IP Security (IPSec) are resolving the remote spoke addresses and building the IPSec security associations (SAs). This process may take from 3 to 8 seconds to complete.

Workaround: Use process switching on the spoke routers.

CSCea40884

Symptoms: A Cisco router may reload when the show ip route vrf vrf-name EXEC command is entered.

Conditions: This symptom is observed on a Cisco 7500 series that is running Cisco IOS Release 12.2(15)T.

Workaround: There is no workaround.

CSCea55449

Symptoms: The Multilayer Switch Feature Card (MSFC) of a Cisco Catalyst 6000 may reload with the following error message:

System was restarted by bus error at PC 0x40DFEE54, address 0xB0D0B7D

Conditions: This symptom is observed on a Cisco Catalyst 6000 that is running Cisco IOS Release 12.1(13)E4 and that is configured for Network Address Translation (NAT).

Workaround: There is no workaround.

CSCea58105

Symptoms: The interface of a Cisco router that functions as a Protocol Independent Multicast (PIM) Rendezvous Point may stop receiving traffic. The output of the show interfaces privileged EXEC command may show input queue drops.

Conditions: This symptom is observed after the interface has received PIM register packets with the Router Alert option.

Workaround: Reload the port adapter or line card with the affected interface.

CSCea59359

Symptoms: A Cisco 7500 series that is functioning as a provider edge (PE) router in a Multicast Virtual Private Network (MVPN) environment may stop sending Protocol Independent Multicast (PIM) register messages for the default multicast distribution tree (MDT) to its Rendezvous Point (RP). This situation prevents PE routers from establishing PIM adjacencies with other PE routers in the MVPN.

Conditions: This symptom is observed on a Cisco 7500 series that is running Cisco IOS Release 12.0(24)S and that has the ip pim register-rate-limit global configuration command enabled. The symptom is not observed in Release 12.0(23)S or in earlier releases.

Workaround: Enter the clear ip mroute group-address EXEC command for the default MDT group address.

Alternate Workaround: Do not use the ip pim register-rate-limit global configuration command.

CSCea63176

Symptoms: A Session Initiation Protocol (SIP) call cannot be completed on a Cisco SIP gateway. The following error message appears when you enter the debug ccsip error SIP debug command:

CCSIP-SPI-CONTROL: sipSPICheckFromToResponse: Compare From/To failed - IGNORE IF HAIRPIN CALL

Conditions: This symptom is observed only when there is a Network Address Translation (NAT) device between two Cisco SIP gateways that are making calls to each other and NAT Overload is configured between the gateways. The NAT device fails to correctly translate certain fields used in the SIP messages.

Workaround: Disable NAT Overload.

CSCea64372

Symptoms: During a switchover from the role as primary router to secondary router and back again, a Cisco router may pause indefinitely with the following error message and traceback:

Unexpected exception to CPUvector 1200, PC = 80B4643C

-Traceback= 80B4643C 80B46A54 80B46D80 80B409CC 80B40C90 80B40D34 8038FC3

File flash:crashinfo_19930301-000125 open failed (-1)

*** System received a SegV exception ***

signal= 0xb, code= 0x1200, context= 0x8268cc98

PC = 0x80b4643c, Vector = 0x1200, SP = 0x82d28f90

*** Unexpected Console tx-ready interrupt ***

PC = 0xfff03fc4, Vector = 0x500, SP = 0x8268de3c

The router may pause indefinitely again when trying to recover the router or to capture information from the console.

Conditions: This symptom is observed on a Cisco 2621 router in a test environment when failover capabilities are being tested.

Workaround: There is no workaround.

CSCea66323

Symptoms: A Cisco router may reload when the tunnel bandwidth is changed at the ingress point of a Multiprotocol Label Switching (MPLS) traffic engineering (TE) tunnel.

Conditions: This symptom is observed in a multivendor environment. Another Cisco router serves as the ingress point of the MPLS TE tunnel.

Workaround: There is no workaround.

CSCea66336

Symptoms: A Cisco router may be unable to set up a Frame Relay or an ATM permanent virtual connection (PVC). When you enter the debug ip rsvp traffic-control EXEC command, the following message is displayed:

RSVP-TC: Unable to determine resource provider for tcsb

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(15)T.

Workaround: There is no workaround.

CSCea79433

Symptoms: A Resource Reservation Protocol (RSVP) reservation may be torn down when a routing change occurs.

Conditions: This symptom is observed on Cisco routers that are running Cisco IOS Release 12.2(11)T or later releases with Voice over IP (VoIP) configured.

Workaround: There is no workaround.

CSCea79487

Symptoms: A Cisco router that is configured with IP multicast may reload because of a bus error.

Conditions: This symptom is observed when a router sends (S,G) R join overrides to a neighbor, and the neighbor times out because of link flaps or because of another reason. The symptom is caused by a timing difficulty and is most likely to occur when you enter the ip pim spt-threshold infinity global configuration command on all routers in the network.

For a list of the affected releases, go to the following location: http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCds31596. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: Delete the ip pim spt-threshold infinity global configuration command from all routers in the network to minimize the occurrence of the symptom.

CSCea80941

Symptoms: An Enhanced Interior Gateway Routing Protocol (EIGRP) network fails to query some routes for the second and following topology changes. This results in routing problems.

Conditions: This symptom is observed in redundant EIGRP networks. The EIGRP neighbor fails to send a query for some routes in the second topology change. The first topology change functions correctly. When the neighbor does not get a reply, the neighbor removes the first route even if the redundant route exists in the network.

Workaround: Enter the clear ip eigrp neighbors EXEC command on all EIGRP routers.

CSCea90941

Symptoms: The EIGRP Stub Routing feature may be missing from the configuration.

Conditions: This symptom is observed when a Cisco router on which the EIGRP Stub Routing feature is enabled is reloaded, or when the Enhanced Interior Gateway Routing Protocol (EIGRP) process is restarted.

Workaround: There is no workaround; you must reenable the EIGRP Stub Routing feature.

CSCea92690

Symptoms: A Cisco router may not resend a registration request (RRQ) packet when the first one is lost during the initial IPSec tunnel setup. The tunnel is prevented from passing end-to-end traffic for the duration between initial tunnel setup and the next periodic RRQ.

Conditions: This symptom occurs when using Next Hop Resolution Protocol (NHRP) with tunnel protection.

Workaround: There is no workaround.

CSCeb04048

Symptoms: An Open Shortest Path First (OSPF) interface may be reported to be in the "down" state while the interface and the line protocol may be reported to be in the "up" state. This situation causes missing OSPF neighbor adjacencies on the OSPF interface that is in the "down" state.

Conditions: This symptom is observed when there are a large number of active interfaces and one of the following events has occurred:

- You have upgraded a Cisco IOS image on a Route Processor (RP).

- You have reloaded an RP.

- You have reloaded microcode onto a line card.

- You have reloaded microcode onto an RP.

- You have reloaded microcode onto both a line card and an RP.

Workaround: Use one of the following methods to recover the OSPF interface:

- Enter the clear ip ospf process privileged EXEC command.

- Enter the clear ip route network [mask] EXEC command, in which the network [mask] argument is the IP address of the OSPF interface that is in the "down" state.

- Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the OSPF interface that is in the "down" state.

CSCeb06271

Symptoms: A Cisco router may reload after 10 minutes when the number of translations reaches around 60,000.

Conditions: This symptom is observed on a Cisco 7206VXR router that is running Cisco IOS Release 12.2(15)T1 when Stateful NAT (SNAT) is configured with Hot Standby Router Protocol (HSRP).

Workaround: There is no workaround.

CSCeb06747

Symptoms: When a Network Address Translation (NAT) pool is created for subranges, the NAT pool may not show up in the configuration when you enter the show running-config privileged EXEC command, although the output of the show ip nat statistics EXEC command indicates that the pool is in use.

Conditions: This symptom is observed only for the NAT pools created with the "outside source list."

Workaround: There is no workaround.

CSCeb06813

Symptoms: A Border Gateway Protocol (BGP) peer may not come up after you have disabled message digest 5 (MD5) authentication for BGP neighbors.

Conditions: This symptom is observed when, on a router that is running BGP, you disable MD5 authentication for a BGP peer by using the no neighbor ip-address password router configuration command. The BGP session does not become established, even when you reset the BGP connection by entering the clear ip bgp neighbor-address privileged EXEC command or the clear ip bgp * privileged EXEC command.

Workaround: After you have entered the no neighbor ip-address password router configuration command, reconfigure the BGP session for the neighbor at both sides of the connection.

Alternate Workaround: Reload the router that is running BGP.

CSCeb09098

Symptoms: Hot Standby Router Protocol (HSRP) may cause a standby Stateful Network Address Translation (SNAT) router to become the primary router. The standby router then changes its timeout from 1 minute to 24 hours. Ultimately the router times out, but the abandoned NAT in a busy router can consume all the memory resources.

Following is an example of the symptom immediately after switchover:

Router# show ip nat trans verb

Pro Inside global Inside local Outside local Outside global

--- 0.0.0.18 0.0.6.64 --- ---

create 00:31:19, use 00:31:19,

flags:

static, use_count: 0

tcp 10.32.5.109:3058 10.32.5.101:3058 10.209.2.66:443 10.209.2.66:443

create 00:09:13, use 00:08:15, left 23:51:44, Map-Id(In): 1,

Conditions: This symptom may be observed any time a standby router switches over and becomes the primary router.

Workaround: There is no workaround.

CSCeb10154

Symptoms: For each data packet that is handled on a Cisco router, spurious memory accesses may occur at addresses 0x1D and 0x22. When the traffic rate is high, the console may become unresponsive, and the router may pause until the call is cleared. The output of the show alignment EXEC command displays the following information:

Total Spurious Accesses 3984, Recorded 8

Address Count Traceback

1D 775 0x610CFA2C 0x60420754 0x60432D98

24 775 0x610CFA38 0x60420754 0x60432D98

3 775 0x610CFCF4 0x60420754 0x60432D98

3 775 0x610B5D5C 0x610CFD20 0x60420754 0x60432D98

22 221 0x610CFA2C 0x60429D48 0x60432D98

24 221 0x610CFA38 0x60429D48 0x60432D98

8 221 0x610CFCF4 0x60429D48 0x60432D98

8 221 0x610B5D5C 0x610CFD20 0x60429D48 0x60432D98

Conditions: This symptom is observed on a Cisco router that has a single physical interface that is configured for Resource Reservation Protocol (RSVP) over ATM switched virtual circuits (SVCs) on one subinterface and RSVP over ATM permanent virtual connections (PVCs) on another subinterface. The symptom is related to a timing difficulty because the symptom occurs only when the PVC is set up after the SVC.

Workaround: There is no workaround.

CSCeb12331

Symptoms: A Cisco router may reload when you simultaneously enter the same command to terminate a router protocol through two different sessions. For example, one session may run via the console and the other session may run via a Virtual Terminal Protocol (VTP). Examples of commands that terminate a router protocol are the no router bgp global configuration command, the no router isis global configuration command, the no router ospf global configuration command, and so on.

Conditions: This symptom is platform independent.

Workaround: Do not simultaneously enter the same command to terminate a router protocol through two different sessions.

CSCeb14838

Symptoms: An interface cannot send Resource Reservation Protocol (RSVP) messages.

Conditions: This symptom is observed after you have reloaded a Cisco router and RSVP is enabled on an interface just after you have entered the no shutdown interface configuration command on the interface.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface. This workaround is not effective for an unattended router.

CSCeb19857

Symptoms: A Cisco router may pause indefinitely on reload with a traceback and bus error exception.

Conditions: This symptom may be observed with a Cisco Open Shortest Path First (OSPF) router that is doing redistribution.

Workaround: There is no workaround.

CSCeb37536

Symptoms: A router may reload when you enter the router ospf global configuration command, followed by the no network ip-address wildcard-mask area area-id router configuration command, and you enter 0.0.0.0 255.255.255.255 for the ip-address wildcard-mask arguments.

Conditions: This symptom is observed when you use sham links.

Workaround: There is no workaround.

CSCeb40561

Symptoms: A Cisco router may reload if it is low on processor memory and Simple Network Management Protocol (SNMP) get operations are performed on Open Shortest Path First (OSPF) MIBs.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(8)YW, Release 12.2(8)YY, Release 12.2 T, Release 12.3, or Release 12.3 T.

Workaround: There is no workaround.

CSCeb41573

Symptoms: A Cisco AS5850 may reload during a bootup with a "software forced" reload.

Conditions: This symptom is observed on a Cisco AS5850 that is running a 12.3 image of Cisco IOS software that is later than Release 12.3(1.9).

Workaround: There is no workaround.

CSCeb51147

Symptoms: A Reverse Path Forwarding (RPF) lookup may cause a Route Processor (RP) to reload because of a stack overflow.

Conditions: This symptom is observed on a Cisco 12000 series when there is a unicast routing loop and when a static multicast route (mroute) has been configured. The symptom may also occur on other platforms.

Workaround: There is no workaround.

CSCeb71671

Symptoms: A Cisco router may pause indefinitely when the tunnel interface is shut down or one of the following NHRP interface configuration commands under the tunnel interface is removed from the router's configuration:

no ip nhrp map ip-address nbma-address

no ip nhrp map multicast nbma-address

no ip nhrp network-id number

Conditions: This symptom is observed on a Cisco 1600 series router that has Next Hop Resolution Protocol (NHRP) configured on a multipoint generic routing encapsulation (GRE) tunnel interface.

Workaround: There is no workaround.

CSCin36693

Symptoms: The Rendezvous Point mapping may not be updated in an existing multicast route state.

Conditions: This symptom is observed when you change the hash mask length on a bootstrap router (BSR).

Workaround: There is no workaround. Note that the symptom does not cause any traffic interruption.

CSCin44334

Symptoms: A Cisco 3660 router may reload after an online insertion and removal (OIR) of an Analog Modem Network Module (NM-16AM).

Conditions: This symptom is observed on a Cisco 3660 router when either an OIR is tested using "test oir x 0" and "test oir x 1" or a manual removal and insertion of the NM-16AM occurs.

Workaround: The router does not reload if there are no static routes configured on the interface that undergoes the OIR before the OIR occurs.

ISO CLNS

CSCea64506

Symptoms: The following error message may be generated on a Cisco router:

%CLNS-3-BADPACKET: ISIS: L1 LSP, option 222 tlv length 2 is bad

Conditions: This symptom is observed in a multi-topology configuration when IP version 6 (IPv6) Intermediate System-to-Intermediate System (IS-IS) is enabled.

Workaround: There is no workaround.

CSCeb11523

This caveat consists of two symptoms, two conditions, and two workarounds:

Symptoms A: Intermediate System-to-Intermediate System (IS-IS) may generate an incorrect link-state packet (LSP) format for type length value (TLV) 2.

Conditions A: This symptom is observed when you use metric narrow for IS-IS.

Workaround A: There is no workaround.

Symptoms B: IS-IS may generate an incorrect LSP format for TLV 222 and 237.

Conditions B: This symptom is observed when you use a multitopology IS-IS for IP version 6 (IPv6).

Workaround B: There is no workaround.

CSCeb19730

Symptoms: A Cisco router may reload unexpectedly.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2, Release 12.2 S, Release 12.2 T, Release 12.3 or Release 12.3 T and that is configured with Multiprotocol Label Switching (MPLS) traffic engineering and Intermediate System-to-Intermediate System (IS-IS).

Workaround: Enter the following command on the router:

router isis mpls traffic-eng max-children 0

CSCeb25498

Symptoms: A Cisco 10720 may reload unexpectedly.

Conditions: This symptom is observed when IP version 6 (IPv6) Intermediate System-to-Intermediate System (IS-IS) is configured.

Workaround: There is no workaround.

CSCin42675

Symptoms: A router may reload with a bus error when you enter the no router bgp router configuration command.

Conditions: This symptom is observed on a Cisco router when you remove the Border Gateway Protocol (BGP) configuration.

Workaround: Do not issue the no router bgp router configuration command.

Miscellaneous

CSCds30121

Symptoms: A Cisco router may stop sending data randomly across any switched virtual circuits (SVCs); in addition, when you enter the debug atm errors EXEC command, the "encapsulation error2" failure messages appear.

Conditions: This symptom is observed on a Cisco router with approximately 100 SVCs.

Workaround: Remove the SVC from the map group, and add the SVC back again.

CSCdw06558

Symptoms: A Cisco router may reload if you enter the no mpls traffic-eng tunnels command.

Conditions: This symptom is observed on a Cisco router with about 500 or more tunnels that are configured.

Workaround: There is no workaround.

CSCdw85843

Symptoms: A Cisco router may reload when the firmware of an Integrated Services Adapter (ISA) generates an error message that indicates that the firmware is no longer synchronized with Cisco IOS software.

Conditions: This symptom is observed on a Cisco 7200 series that is running the IMIX (a mixed-packet definition) pattern with 1400-byte packets.

Workaround: There is no workaround.

CSCdw89158

Symptoms: Multiprotocol encapsulation over ATM adaptation layer 5 (AAL5) (RFC1483) routed point-to-point IP numbered subinterfaces may take an extended time to reload, to write a configuration to memory, or to display the command output when the show running-config EXEC command is entered.

Conditions: This symptom is observed when IP numbered and protocol IP are configured on a large number of multiprotocol encapsulation over AAL5 routed point-to-point ATM subinterfaces.

Workaround: There is no workaround.

CSCdx18578

Symptoms: On a router, the Systems Network Architecture switching services (SNASw) port may transition to an inactive state and all sessions may be lost.

The router may generate CLSInvalid messages, and SNASw may start to consume memory. If there are sufficient downstream devices, the router may run out of memory and possibly reload.

Conditions: These symptoms are observed when a SNASw router is using a Hot Standby Router Protocol (HSRP) MAC address for downstream connections, two standby MAC addresses are in use, and a downstream Physical Unit 2.1 (PU2.1) has two link stations, one each to the standby MAC addresses. The symptoms occur when both HSRP MAC addresses are active on the same interface and the downstream device has links active to both MAC addresses.

Workaround: Move one of the MAC addresses to an internal port, for example to a virtual Token Ring port.

Alternate Workaround: Configure a second Service Advertising Protocol (SAP) on a second port and configure one of the links of the downstream device to use the second SAP.

CSCdx50108

Symptoms: A router that is Simple Network Management Protocol (SNMP)-polled via an IP security (IPSec) tunnel that terminates on the same router may display the following error message, and the SNMP reply may never get through the tunnel:

%SYS-2-GETBUF: Bad getbuffer, bytes= -41

-Process= "IP SNMP", ipl= 0, pid= 92

-Traceback= 605FB078 611F4584 611F4918 611F49C4 611F4A40 611F134C 611F1A7C 61212450 607471D4 60746350 60746784 60715A80 60772EEC 607735D8 6063834C 60638338

Conditions: This symptom is observed on a Cisco 7200 series router that is configured with SNMP.

Workaround: Enter the following command to bound the maximum size of the SNMP replies so that no fragmentation is required:

snmp-server packetsize 1300

Alternate workaround: Disable prefragmentation by entering the crypto ipsec fragmentation after-encryption global configuration command. Make sure that the command is not overridden by an interface prefragmentation configuration.

CSCdx60661

Symptoms: In a sniffer trace, the IP header checksum is incorrect and displays an incorrect IP version of 10 instead of 4.

Conditions: This symptom is observed when IP traffic is destined out of the native (untagged) VLAN and when matching policies that rewrite the class of service (CoS) value to 5 corrupt the IP header.

Workaround: Do not use the native VLAN.

CSCdx76632

Symptoms: A Cisco AS5300 that is functioning as a voice gateway may reload because of an incoming bus error exception.

Conditions: This symptom is observed on a Cisco AS5300 that is running Cisco IOS Release 12.2(6d).

Workaround: There is no workaround.

CSCdx77253

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCdx80484

Symptoms: A Cisco router may reload when you remove a Label Distribution Protocol (LDP) configuration before an Ethernet over Multiprotocol Label Switching (EoMPLS) configuration.

Conditions: This symptom is observed in rare situations on a router that is configured for EoMPLS when you enter the no mpls l2transport route interface configuration command.

Workaround: There is no workaround.

CSCdy47789

Symptoms: Directly connected neighbors may be displayed in the "Targeted Hellos" field in the output of the show mpls ldp discovery privileged EXEC command, which is incorrect behavior. This situation does not impact routing functionality.

Conditions: This symptom is observed in an Any Transport over Multiprotocol Label Switching (AToM) environment and is platform independent.

Workaround: There is no workaround.

CSCdy72511

Symptoms: Configuring a bind statement multiple times under a serial interface causes the existing ISDN Q.921-User Adaptation (IUA) configurations to be removed.

Conditions: This symptom is observed on a Cisco AS5850 that is running the C5850-p9-mz.122-11.T image.

Workaround: There is no workaround.

CSCdy88118

This caveat consists of three symptoms, three conditions, and three workarounds, all of which are related to the configuration of Multicast Distributed Switching (MDS) on subinterfaces:

1. Symptom 1: When you configure MDS on a subinterface, the following incorrect error message may be generated:

Multicast distributed switching is not allowed on sub-interfaces

Condition 1: This symptom is observed when MDS is already configured on the main interface.

Workaround 1: There is no workaround.

2. Symptom 2: MDS may incorrectly be reported as being disabled on a subinterface while it is enabled and working fine.

Condition 2: This symptom is observed in the output of the show ip pim interface count EXEC command. The command output is incorrect.

Workaround 2: There is no workaround.

3. Symptom 3: When you attempt to configure MDS on a subinterface, no error message is generated when it should be generated.

Condition 3: This symptom is observed when the main interface is not configured for MDS and you attempt to configure MDS on a subinterface.

Workaround 3: There is no workaround.

CSCdz15807

Symptoms: A file that is copied from a remote server to the running configuration file using secure file transfer (SCP) may fail with an error 26 (internal error).

Conditions: This symptom is observed if the remote server is running the Linux operating system.

Workaround: Use another file transfer method (for example, FTP).

CSCdz39487

Symptoms: When a customer edge (CE) router link fails, a remote provider edge (PE) router may not be notified. This may cause the CE link to remain in an "up" state.

Conditions: This symptom is observed on a Cisco router that is configured with Any Transport over Multiprotocol Label Switching (MPLS) [AToM], and ATM cell relay over MPLS, and has the port mode feature enabled.

Workaround: There is no workaround.

CSCdz54555

Symptoms: An integrated service adaptor (ISA) card resets itself intermittently. The IP Security (IPSec) connections are affected because of the switchover between the hardware crypto engine and the software crypto engine.

Conditions: This symptom is observed on a Cisco 7200 series router that is configured with an ISA card.

Workaround: There is no workaround.

CSCdz55582

Symptoms: A redirecting dialed number (RDNIS) fax call is not completed. When a fax call is made, the terminating telephony equipment does not receive the fax.

Conditions: This symptom is observed when the fax call goes through the originating gateway but does not come through the terminating gateway.

Workaround: There is no workaround.

CSCdz60049

Symptoms: With Session Initiation Protocol (SIP), after a T.38 fax has been sent successfully, the call fails to switch back gracefully to audio, although audio calls worked fine before the fax was sent.

Conditions: This symptom is observed in Cisco IOS Release 12.2(13)T and later releases in a topology in which a fax endpoint sends a fax via two connected gateways to another fax endpoint. Both gateways are properly configured for SIP and for T.38 using the fax protocol t38 dial-peer configuration or voice service VoIP configuration command.

Workaround: If the call does not switch back to audio after the fax has gone through, reestablish the audio call in order to continue it.

CSCdz64323

Symptoms: A Cisco router may reload because of a software condition when it receives a certificate revocation list (CRL) from a Lightweight Directory Access Protocol (LDAP) server during the certificate validation process.

Conditions: This symptom is observed on a Cisco 7200 series but may also occur on other Cisco routers.

Workaround: There is no workaround.

CSCdz65971

Symptoms: The mplsVrfIfUp MIB notification from the PPVPN-MPLS-VPN-MIB MIB is not sent on certain interfaces.

Conditions: This symptom is observed on certain versions of T1, E1, or Packet over SONET (POS) interfaces.

Workaround: The linkUp notification from the interfaces MIB can be used to notify a user when an interface transitions to the "operationally up" state.

CSCdz73382

Symptoms: All static routes may get deleted, and digital subscriber line (DSL) routed bridge encapsulation (RBE) clients may lose their IP connectivity.

Conditions: This symptom is observed on a Cisco router when you edit the permanent virtual circuit (PVC) range on the subinterfaces for DSL RBE clients. The clients still have their Dynamic Host Configuration Protocol (DHCP) addresses and the router still has a DHCP binding to the clients, but the router does not have static routes or Address Resolution Protocol (ARP) entries to these clients, causing the clients to lose their connectivity.

Workaround: If a name handle has been associated with a PVC range, you can alter the size of the PVC range using the range range-name pvc start-vpi/start-vci end-vpi/end-vci subinterface configuration command. Typically, you would use this command to add more customers to a PVC range without disrupting the IP connectivity for customers that are already being serviced on the PVC range.

CSCdz73492

Symptoms: A fax resource on a Cisco AS5400 may not be deallocated after a call goes through, preventing further calls from being accepted on this resource.

Conditions: This symptom is observed during a fax test when the recEive and transMit (E&M) Feature Group-B (FGB) is configured on the trunk line of the Cisco AS5400.

Workaround: Use T1 PRI signaling on the trunk line.

CSCdz81613

Symptoms: Errors may occur on the far end of a connection of a Cisco 2691 or a Cisco 3700 series, and the line protocol may never come up, or the line protocol may come up but go down again.

Conditions: This symptom is observed on a Cisco 2691 and a Cisco 3700 series when one or more WAN interface card (WIC) slots on the mainboard (that is, the native slots) are configured with any of the following WICs:

1-port serial WIC (WIC-1T) that is configured for DTE.

2-port serial WIC (WIC-2T) that is configured for DTE.

2-port low-speed serial WIC (WIC-2A/S) that is configured for DTE.

T1 DSU/CSU WIC (WIC-1DSU-T1).

Workaround: For a configuration that includes a WIC-1T, WIC-2T, or WIC-2A/S, configure the WIC for DCE. There is no workaround for a configuration that includes a WIC-1DSU-T1.

CSCdz88312

Symptoms: A 2-port Foreign Exchange Office (FXO) voice and fax interface card that has battery reversal and caller ID (VIC-2FXO-M1) may not establish a call with an outside analog phone.

Conditions: This symptom is observed on a VIC-2FXO-M1 voice and fax interface card that is specified as a pulse dialer by entering the dial-type pulse voice-port configuration command.

Workaround: Configure the no battery-reversal voice-port configuration command.

CSCdz89567

Symptoms: After an interface is shut down, an untagged route may appear on a router that is functioning as a carrier supporting carrier provider edge (CSC-PE) router.

Conditions: This symptom is observed during a test with static routes. When the interface is shut down, the Tag Forwarding Information Base (TFIB) should be reconfigured to obtain the alternate route. However, because of difficulties with Tag Distribution Protocol (TDP), Border Gateway Protocol (BGP), and the tag for the alternate route, the alternate route becomes an untagged route.

Workaround: There is no workaround.

CSCea06056

Symptoms: Data transfer may stop when the traffic bandwidth on a Route Processor Module-PRemium (RPM-PR) card is increased to 45 Mbps. The data transfer is normal when the traffic bandwidth is at 30 Mbps.

Conditions: This symptom is observed when there are multiple active Virtual Private Network (VPN) routing/forwarding (VRF) instances that are configured on the RPM-PR card.

Workaround: There is no workaround.

CSCea06647

Symptoms: Use of the dir directory command at the router command prompt fails to list files stored on an Advanced Technology Attachment (ATA) Flash card. However, an equivalent command on a PC lists the stored files.

Conditions: This symptom is observed on an ATA Flash card that has been formatted as FAT16 in a PC that is running Windows 2000. The card can no longer be read or reformatted under Cisco IOS software.

Workaround: Reformat the ATA Flash card as FAT16 on a PC that is running Windows 95 or Windows 98.

CSCea07503

Symptoms: The TCP Redirect feature may not function.

Conditions: This symptom is observed if the route of the TCP Redirect server is changed. The Service Selection Gateway (SSG) does not update its database, and downstream packets may not be reverse-mapped correctly. To check if this has occurred, use the show ssg tcp-redirect group group-name command-line interface (CLI) command.

Workaround: There is no workaround.

CSCea07557

Symptoms: The selective packet discard (SPD) feature does not function correctly on the E0 interface of a Cisco AS5300 router.

Conditions: This symptom is observed on a Cisco AS5300 router.

Workaround: Increase the input hold queue.

CSCea19885

Symptoms: A Cisco router that has a voice feature such as H.323 enabled may reload because of a bus error at address 0xD0D0D0B.

Conditions: This symptom is observed on a Cisco 3700 series but may also occur on other routers.

Workaround: There is no workaround.

CSCea20514

Symptoms: Digital signal processor (DSP) tracebacks may be observed with fax calls:

%HPI-3-CODEC_NOT_LOADED: channel:0:D:20 DSP ID:0x1222, command failed as codec not loaded 1

-Traceback= 61489F38 6147F7D4 61708128 61708334 6186E688 6186F094 616F04B0 616F1274 61363424

Conditions: This symptom may be observed during fax calls at the time of the DSP download of codecs.

Workaround: There is no workaround.

CSCea21322

Symptoms: A Cisco 2600XM router may generate the following error message:

ASSERTION FAILED: file "../les/if_dslsar.c", line 1041

Conditions: This symptom is observed on a Cisco 2600XM router that is running Cisco IOS Release 12.2(13)T1.

Workaround: There is no workaround.

CSCea21665

Symptoms: Entries in the tag forwarding table may disappear from a provider edge (PE) router.

Conditions: This symptom is observed on a Cisco 7513 and a Cisco 7200 series that is functioning in a cell mode Multiprotocol Label Switching (MPLS) over ATM (MPLSoA) environment with the Multi-VC mode enabled. The label protocol is Label Distribution Protocol (LDP).

Workaround: Enter the clear ip route network EXEC command on the affected PE router and enter the loopback address of the PE router as the network argument.

CSCea22552

The GRE implementation in Cisco IOS is compliant with RFC 2784 and RFC 2890 and backward compatible with RFC 1701.

For RFC compliance, this DDTS adds a check for bits 4-5 (bit 0 being the most significant) of the GRE header.

This issue does not cause any problem for router operation.
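
The check described in CSCea22552, shown as an added Python example that is not Cisco's code: a receiver that validates the first 16 bits of a GRE header per RFC 2784 and RFC 2890 and discards packets that have bits 4-5 set. The function names, the constructed sample packets, and the choice to also reject the RFC 1701 routing bit are assumptions made for the illustration.

```python
"""GRE header validation per RFC 2784 / RFC 2890 (added example, constructed samples)."""
import struct
from dataclasses import dataclass
from typing import Optional


def bit(n: int) -> int:
    """Mask for bit n of the first 16-bit word, bit 0 being the most significant."""
    return 1 << (15 - n)


C_BIT, R_BIT, K_BIT, S_BIT = bit(0), bit(1), bit(2), bit(3)
BITS_4_5 = bit(4) | bit(5)   # the bits the caveat adds a check for
VERSION_MASK = 0x0007        # bits 13-15


class GREError(ValueError):
    """Raised when the receiver must discard the packet."""


@dataclass
class GREHeader:
    protocol: int
    key: Optional[int]
    sequence: Optional[int]
    payload: bytes


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by IP and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_gre(packet: bytes) -> GREHeader:
    if len(packet) < 4:
        raise GREError("truncated base header")
    flags, protocol = struct.unpack_from("!HH", packet, 0)
    if flags & VERSION_MASK:
        raise GREError("unsupported version")
    if flags & BITS_4_5:
        raise GREError("reserved bits 4-5 set")
    if flags & R_BIT:
        # Assumption: this receiver does not implement RFC 1701 routing.
        raise GREError("routing bit set")
    # Bits 6-12 are ignored on receipt, as RFC 2784 requires.
    # Optional fields follow in this order: checksum+reserved1, key, sequence.
    offset = 4
    fields = {}
    for name, mask in (("checksum", C_BIT), ("key", K_BIT), ("sequence", S_BIT)):
        if flags & mask:
            if len(packet) < offset + 4:
                raise GREError("truncated %s field" % name)
            (fields[name],) = struct.unpack_from("!I", packet, offset)
            offset += 4
    # A valid checksum makes the sum over header and payload come out as zero.
    if flags & C_BIT and internet_checksum(packet) != 0:
        raise GREError("bad checksum")
    return GREHeader(protocol, fields.get("key"), fields.get("sequence"), packet[offset:])


def build_gre(protocol, payload, key=None, sequence=None, checksum=False, extra_flags=0):
    """Build a constructed sample packet; extra_flags sets arbitrary flag bits."""
    flags = extra_flags
    body = b""
    if checksum:
        flags |= C_BIT
        body += b"\x00\x00\x00\x00"
    if key is not None:
        flags |= K_BIT
        body += struct.pack("!I", key)
    if sequence is not None:
        flags |= S_BIT
        body += struct.pack("!I", sequence)
    pkt = bytearray(struct.pack("!HH", flags, protocol) + body + payload)
    if checksum:
        struct.pack_into("!H", pkt, 4, internet_checksum(bytes(pkt)))
    return bytes(pkt)


def verdict(packet: bytes) -> str:
    """Return 'accept' or 'discard: <reason>' for one received packet."""
    try:
        parse_gre(packet)
        return "accept"
    except GREError as exc:
        return "discard: %s" % exc


if __name__ == "__main__":
    samples = {
        "plain": build_gre(0x0800, b"x"),
        "key+seq+checksum": build_gre(0x0800, b"payload", 42, 7, True),
        "bit 4 set": build_gre(0x0800, b"x", extra_flags=bit(4)),
        "bit 5 set": build_gre(0x0800, b"x", extra_flags=bit(5)),
        "bit 6 set": build_gre(0x0800, b"x", extra_flags=bit(6)),
    }
    for label, pkt in samples.items():
        print("%-18s %s" % (label, verdict(pkt)))
```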

CSCea23140

Symptoms: A digital signal processor (DSP) may time out on a Cisco IAD2420 series because of a Host Port Interface (HPI) error.

Conditions: This symptom is observed on a Cisco IAD2420 series that is running Cisco IOS Release 12.2(11)T4 every time a call is placed or received.

Workaround: Use the command-line interface (CLI) to issue the following command to the DSPs that have a timeout symptom:

[no] voice dsp waitstate ws dsp_id

where ws is in the range of 1 to 3, with 1 being the default, and dsp_id is a 1-based DSP number. The recommended ws value in this particular case is 2. Do not set the ws value higher than 2. The command does not take effect until the next DSP reset occurs, either through an automatic mechanism or through test commands.

CSCea25622

Symptoms: A Network Processing Engine G1 (NPE-G1) may reload unexpectedly and report the following message:

System was restarted by reload

Conditions: This symptom is observed on a Cisco 7200 series that is configured with an NPE-G1 and that is running Cisco IOS Release 12.1(14)E.

Workaround: There is no workaround.

CSCea26842

Symptoms: A Cisco 10720 may reload because of a software condition.

Conditions: This symptom is observed when you deconfigure the ipv6 access-list global configuration command.

Workaround: There is no workaround.

CSCea27536

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at

http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea28043

Symptoms: IP commands that are sent in the Cisco Networking Services (CNS) config-changed event output may contain an extra ip prefix.

Conditions: This symptom is observed on a Cisco router when you enter both ip global configuration commands and the cns config notify diff global configuration command to capture commands that change configuration for the config-changed event output.

Workaround: Enter the all keyword in the cns config notify global configuration command. This workaround is not valid when the only changes in the configuration occur in the config-changed event output.

CSCea29717

Symptoms: When integrated routing and bridging (IRB) is configured on a Cisco 805 router, a ping fails to the remote end because of the Address Resolution Protocol (ARP) entry not being properly added to the router.

The output from the debug arp command on the router shows that the ARP response received from the remote end is logged as coming in on the physical interface rather than on the Bridge-Group Virtual Interface (BVI). This is why a "wrong cable" error is logged and the ARP entry is left incomplete.

IP ARP: sent req src 192.168.168.200 0000.0c38.5bde, dst 192.168.168.1 0000.0000.0000 BVI1

IP: s=192.168.168.200 (local), d=192.168.168.1 (BVI1), len 100, encapsulation failed

IP ARP rep filtered src 192.168.168.1 0000.0c65.f687, dst 192.168.168.200 0000.0c38.5bde wrong cable, interface Serial0.1.

Conditions: This symptom is observed on a Cisco 805 router that is running Cisco IOS Release 12.1(3)XG4, Release 12.1(18), Release 12.2(13a), or Release 12.2(15)T and that has the following configuration:

!
bridge irb
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type cisco
!
interface Serial0.1 point-to-point
 no cdp enable
 frame-relay interface-dlci 100
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.168.200 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip
!

Workaround: Use other encapsulations such as PPP or High-Level Data Link Control (HDLC) instead of frame relay for Cisco 805 routers that are configured with IRB.

CSCea31186

Symptoms: The RADIUS "Acct-Session-Id" attribute may not be sent correctly.

Conditions: This symptom is observed in a Service Selection Gateway (SSG) configuration that is running Cisco IOS Release 12.2(15)T or a later release when you enter the ip route-cache flow interface configuration command on a virtual template. The symptom may also occur in other conditions.

Workaround: In the above-mentioned conditions, deconfigure the ip route-cache flow interface configuration command.

CSCea33240

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at

http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea33065

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at

http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea35306

Symptoms: Two Cisco routers that are running Cisco fax relay over a Voice over IP (VoIP) connection may reload after approximately 8 hours of operation.

Conditions: This symptom is observed in a test using a Cisco 3640 router and a Cisco 3660 router, although the symptom may be platform independent.

Workaround: There is no workaround.

CSCea36231

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at

http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea36618

Symptoms: Fax pass-through may fail on a Cisco 2600 series because the G.729br8 codec cannot switch to the G.711ulaw codec.

Conditions: This symptom is observed on a Cisco 2600 series that is running the c2600-is-mz image of Cisco IOS Release 12.2(15)T or a later release and that is configured with a digital T1 packet voice network module when you configure Voice over ATM (VoATM) encapsulation that uses the G.729br8 codec. The symptom is not observed in Cisco IOS Release 12.2(13)T.

Workaround: Instead of the G.729br8 codec, use any one of the following codecs:

G.711ulaw itut 1

G.711ulaw itut 2

G.711ulaw itut 7

G.711ulaw custom 100

G.711ulaw custom 110

CSCea39371

Symptoms: A Cisco 7500 series router may unexpectedly reload with a bus error.

Conditions: This symptom is observed on a Cisco 7500 series router if Border Gateway Protocol (BGP), IP version 6 (IPv6), and distributed Cisco Express Forwarding (dCEF) are enabled concurrently.

Workaround: Disable dCEF and enable central CEF instead.

CSCea40426

Symptoms: Encryption and decryption fail for maximum transmission unit (MTU) values between 1419 and 1420 (both inclusive), and the following error is generated:

%VPN_HW-1-PACKET_ERROR: slot: 2 Packet Encryption/Decryption error, Other error.

The output of the show pas vam interface privileged EXEC command displays the "Other Errors" counter; "Other Errors" occur when fragments are reassembled before decryption occurs.

Conditions: This symptom is observed when you use a Cisco router that is configured with a Virtual Private Network (VPN) acceleration module (VAM) to encrypt traffic through generic routing encapsulation (GRE) tunnel endpoints, which are also configured for tag switching.

Workaround: To enable the router to fragment packets differently, reduce the value of the tunnel MTU on the router to 1420 using the ip mtu 1420 interface configuration command.

Note that the MTU values between 1419 and 1420 for which the failure occurs are from the endpoints.

CSCea42252

Symptoms: The dsx1LineIndex variable for a channelized E1 interface may have an incorrect value for a 1-port multichannel E3 port adaptor (PA-MC-E3).

Conditions: This symptom is observed when you run the DS1-MIB MIB.

Workaround: There is no workaround.

CSCea42298

Symptoms: The E3 controller of a Multi-Channel E3 port adapter (PA-MC-E3) card is missing from IF-MIB and DS3-MIB.

Conditions: This symptom is observed on a PA-MC-E3 in all releases of Cisco IOS software.

Workaround: There is no workaround.

CSCea42620

Symptoms: A Tag Forwarding Information Base (TFIB) Virtual Private Network version 4 (VPNv4) entry on an Autonomous System Boundary Router (ASBR) for a prefix may not be reinstalled, causing traffic for this prefix to continue to flow to a provider edge (PE) router via the previous best path.

Conditions: This symptom is observed in a Multiprotocol Label Switching (MPLS) VPN interautonomous system environment in which ASBRs are performing VPNv4 exchanges and in which a Border Gateway Protocol (BGP) session is active.

The ASBR on which the TFIB VPNv4 entry is not installed should receive a prefix from a Route Reflector (RR) that selects the best of two available paths between the RR and two PE routers. Both PE routers should allocate the same label for the prefix. The PE router to which the best path leads should withdraw the prefix.

Workaround: Clear the BGP session on the ASBR that is connected to the RR.

Alternate Workaround: Withdraw the prefix from the ASBR and readvertise the prefix by clearing the prefix on the PE router that advertises the prefix.

CSCea43286

Symptoms: PPP sessions are not stable with traffic. There are 1700 sessions over 300 Layer 2 Tunneling Protocol (L2TP) tunnels with one shaper. About 10 minutes after traffic begins, the sessions start going up and down. This fluctuation occurs for a long time, and all of the sessions do not come back again.

Conditions: This symptom is observed on a Cisco router when traffic shaping is enabled.

Workaround: There is no workaround.

CSCea43900

Symptoms: A Cisco Integrated Access Device 2420 (IAD2420) series does not respond to the Request Notify (RQNT) message from the call agent. Because there is no answer, the call agent blocks the port of the Cisco IAD2420 series.

Conditions: This symptom is observed on a Cisco IAD2420 series that is running Cisco IOS Release 12.2(11)T.

Workaround: There is no workaround.

CSCea46342

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at

http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea47450

Symptoms: If Stack Group Bidding Protocol (SGBP) is used to bind Large-Scale Dial-Out (LSDO) calls into a single multilink bundle, the calls may fail due to the following error:

peer ip address X does not match LSDO map Y, where X == Y

Conditions: This symptom occurs when you are running Cisco IOS Release 12.2 T.

Workaround: There is no workaround.

CSCea47513

Symptoms: A Cisco AS5350 or a Cisco AS5400 may reload when you enter the dialer extsig interface configuration command on the dialer interface.

Conditions: This symptom is observed when integrated Signaling Link Terminal (SLT) is configured.

Workaround: There is no workaround.

CSCea47686

Symptoms: It is not possible to use authentication mechanisms that are based on Distinguished Name (DN) fields in a public key infrastructure (PKI) certificate.

Conditions: This symptom is observed on PKI DN access control lists (ACLs).

Workaround: There is no workaround.

CSCea47856

Symptoms: The Cisco gatekeeper load balancing feature may not function properly when there is an alternate gatekeeper within the cluster.

Conditions: This symptom is observed with the following configuration: a Cisco 3725 acts as the gatekeeper, a Cisco 3660 is used as the alternate gatekeeper, a Cisco AS5300 acts as the terminating gateway, and a third-party router acts as the originating gateway. The first call is handled correctly. When the second call is made, the primary gatekeeper rejects the admission request (ARQ) with an error message and sends along the alternate gatekeeper's IP address to contact.

Workaround: There is no workaround.

CSCea49026

Symptoms: After you apply a service-policy command that sets a CoS bit to an Ethernet interface, the policy is set in motion as long as there is a subinterface that is performing 802.1Q or InterSwitch Link (ISL) trunking. Upon reload, however, the service policy is removed from the configuration because of the following error message:

Process `set' action associated with class-map voip failed: Set cos supported only with IEEE 802.1Q/ISL interfaces

Conditions: This symptom is observed on a Cisco 2600 series router that is running Cisco IOS Release 12.2(13)T1.

Workaround: There is no workaround.

CSCea50419

Symptoms: The following error message occasionally appears on a Cisco Node Route Processor (NRP):

NRP2 - RX FIFO was stuck - forced to reset MAC.

Conditions: This symptom is observed periodically when heavy traffic is present. It is a cosmetic issue and does not affect performance.

Workaround: There is no workaround.

CSCea51030

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at

http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea51076

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at

http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea53049

Symptoms: A Cisco router that is about to relinquish its designated forwarding position may send "winner" messages instead of "pass" messages, preventing the router that is supposed to become the designated forwarder from actually becoming the designated forwarder. This situation prevents traffic from being forwarded.

Conditions: This symptom may be observed when bidirectional Protocol Independent Multicast (PIM) is enabled and you perform an online insertion and removal (OIR).

Workaround: To clear the affected multicast group, enter the clear ip mroute group-name EXEC command.

CSCea53451

Symptoms: A Cisco AS5850 may reload after 4 to 5 hours of operation.

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.2(15)T and that has a call load of 8 calls per second.

Workaround: There is no workaround.

CSCea53532

Symptoms: A Cisco AS5400 encounters memory leaks when the stress regression test is run. Memory leakage also occurs when fax-related applications are run.

Conditions: This symptom is observed with the c5400-is-mz image of Cisco IOS Release 12.3(14.6)PI0.

Workaround: There is no workaround. Use the show proc mem switch command in privileged EXEC mode for details of the memory leakage.

CSCea54170

Symptoms: A memory allocation failure (MALLOCFAIL) may be reported in the "ATM PVC Discovery" process.

Conditions: This symptom is observed on a Cisco 7200 series that is running the c7200-js-mz image of Cisco IOS Release 12.2(13)T1 and occurs because the Interim Local Management Interface (ILMI) input process does not free up the memory, which can be verified in the output of the show processes memory EXEC command.

Workaround: Reload the router.

CSCea54851

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at

http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea55028

Symptoms: If the call setup time for an E1 R2 hairpin call takes a long time, the call is disconnected, but some of the resources associated with the voice telephony service provider (VTSP) may still show active call legs.

Conditions: This symptom is observed on E1 R2 hairpin calls that have a long call setup time and that have set the alert-wait-time command value to 5 under the cas-custom controller configuration command.

Workaround: There is no workaround.

CSCea55600

Symptoms: A Frame Relay (FR) interface may go up and down continuously.

Conditions: This symptom is observed on an FR interface when the keepalive timeout is set to one second and fragmentation and traffic shaping are enabled on multiple permanent virtual circuits (PVCs).

Workaround: Increase the keepalive timeout to 5 seconds or more.

CSCea57593

Symptoms: A Cisco Route Processor Module (RPM-PR) may reload with a bus error at 0x600ED128.

Conditions: This symptom is observed on a Cisco RPM-PR that is running Cisco IOS Release 12.2(16.5)T and that is configured with IP Header Compression (IPHC) on a PPP over ATM (PPPoATM) interface. Any configuration command sequence that involves the support of ATM permanent virtual circuits (PVCs) may cause the system to reload.

Workaround: Enter the no ip rtp header-compression format interface configuration command to remove IPHC from the configuration.

CSCea57801

Symptoms: Modem-relay calls may fail to go through, and a gateway may not fall back to its modem pass-through configuration, preventing the call from going through as a modem pass-through call.

Conditions: This symptom is observed in an H.323 or Session Initiation Protocol (SIP) environment when modem relay is configured on both an originating and a terminating gateway and the modem call is originated on an endpoint that supports modem relay (for example, a T1 endpoint) to another endpoint that does not support modem relay (for example, an analog Foreign Exchange Station [FXS] endpoint).

The symptom occurs when the negotiation for modem relay is based only on the command-line interface (CLI) configuration. If modem relay is enabled via the CLI on both gateways, modem relay is selected; otherwise modem pass-through is selected. This selection occurs irrespective of whether or not the endpoints support modem relay. Next, the Cisco IOS software disables modem relay if one of the endpoints does not support modem relay. However, the terminating gateway is not notified that modem relay is disabled. This situation causes the originating and terminating gateway to lose their modem-relay synchronization.

Workaround: In an H.323 or SIP environment, do not use the CLI to configure modem relay; rather, configure modem pass-through.

Note that this caveat is not applicable to Media Gateway Control Protocol (MGCP) calls.

CSCea58553

Symptoms: A Cisco router drops packets in the input queue of the router's interfaces.

Router# show interface serial 1/2
Serial1/2 is up,line protocol is up
Hardware is CD2430 in sync mode
Internet address is 10.1.0.1/30
MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive not set
LCP Open
Open: IPCP, CCP, CDPCP
Last input 00:00:06, output 00:00:37, output hang 2d00h
Last clearing of "show interface" counters 1d20h
Input queue: 0/75/9847/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
891420 packets input, 62654151 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
890285 packets output, 1175436268 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

Conditions: This symptom is observed on a Cisco router that uses hardware compression. The packet drops occur sporadically when there are no errors reported on the interface and CPU utilization is below 10 percent. The pace at which the packets are dropped accelerates over time and affects more and more traffic.

Workaround: There is no workaround.

CSCea58883

Symptoms: Calls may pause on a Cisco AS5300 or a Cisco AS5400.

Conditions: This symptom is observed rarely on a Cisco AS5300 or a Cisco AS5400 and is associated with the Tool Command Language (TCL).

Workaround: There is no workaround.

CSCea60343

Symptoms: After connections from a Cisco MGX Route Processor Module (RPM-XF) to a Cisco RPM-PR/B are added, the connection goes into mismatch.

Conditions: This symptom is observed on a Cisco RPM because the peak cell rate (PCR) value (in cells per second [cps]) that is entered via the hidden command-line interface (CLI) pcr command under the switch connection does not correspond to the PCR value (in kilobits per second [kbps]) that is specified under the permanent virtual circuit (PVC) CLI.

Workaround: Modify the PCR value (in cps) under the switch connection CLI to correspond to the local PCR value (in kbps). Turn on auto_synch and initiate a resynchronization.

CSCea60768

Symptoms: A Cisco router may reload because of a bus error.

Conditions: This symptom may be observed on a Cisco router that has been configured with the aaa preauth global configuration command.

Workaround: There is no workaround except to not use the aaa preauth global configuration command.

CSCea61814

Symptoms: The bearer capability (bearer cap) is changed for outgoing hairpin calls.

Conditions: This symptom is observed when the call is a hairpin call and the following bearer cap values indicate a data call (unrestricted digital):

transfer capability (octet 3)

transfer rate (octet 4)

user information layer 1 protocol (octet 5)

user rate (octet 5a)

Workaround: There is no workaround.

CSCea61818

Symptoms: Calls may pause indefinitely because of an incorrect state change.

Conditions: This symptom is observed on a Cisco AS5400 that is running a Toolkit Command Language (TCL) interactive voice response (IVR) 2.0 script.

Workaround: There is no workaround.

CSCea61938

Symptoms: Two users may not be able to simultaneously display the output of the show policy-map user EXEC or privileged EXEC command.

Conditions: This symptom is observed when the first user displays the first screen of the command output while the second page is pending. However, the second user may successfully display the command output after the first user presses the Enter key and gets the user prompt back.

Workaround: There is no workaround.

CSCea62116

Symptoms: A Systems Network Architecture Switching Services (SNASw) router that is configured with the snasw ipstrace global configuration command may reload.

Conditions: This symptom is observed when the show snasw ips EXEC command is entered immediately after the show snasw link EXEC command is entered.

Workaround: Do not configure the snasw ipstrace global configuration command. Always use the snasw start ipstrace EXEC command and the snasw stop ipstrace EXEC command in conjunction with the snasw ipstrace global configuration command.

CSCea62155

Symptoms: Spurious memory access and traceback messages may be observed on an L2TP Access Concentrator (LAC) while PPP over X (PPPoX) Layer 2 Tunneling Protocol (L2TP) sessions are brought up.

Conditions: This symptom is observed in Cisco IOS Release 12.2(15)T1 and Release 12.2(15)T2 and may be observed on all Cisco platforms.

Workaround: There is no workaround.

CSCea62642

Symptoms: A call may be rejected on the plain old telephone service (POTS) leg with cause code "0x2F" that indicates that there is no resource for the call.

Conditions: This symptom is observed on a Cisco AS5300 that is functioning as a terminating gateway when the call reaches the "progress/alerting" stage and the Cisco AS5300 has no available time-division multiplexing (TDM) resource to connect the call to the digital signal processor (DSP), which can be verified in the output of the show tdm pool privileged EXEC command:

Dynamic Backplane Timeslot Pool:
                          Req
                    ------------------------
Grp  ST   Ttl/Free  Cur/Ttl/Fail      Deallocated
0    0-3  120  0    120  27726  3745  0
1    4-7  0    0    0    0      0     0

The output of the show isdn active user EXEC command displays how many active calls there are. There should be one TDM resource in use for every active call. If the total number of TDM resources minus the total number of active calls does not indicate the correct number of available TDM resources, a TDM resource leak has occurred.

Workaround: Reload the Cisco AS5300.

CSCea62662

Symptoms: A Cisco router that is configured for IP over ATM (RFC 1577) may display traceback messages and reload.

Conditions: This symptom is observed on a Cisco 7200 series that is running Cisco IOS Release 12.3(1) but may also occur on other platforms.

Workaround: There is no workaround.

CSCea63209

Symptoms: In a test of hot redundancy deployment on Label Switch Controllers (LSCs) with 1:N redundancy configured, a data disruption delay of 10 seconds or more is observed when the LSC fails and the redundant MGX Route Processor Module (RPM-PR) takes over the role of the failed LSC.

Conditions: This symptom is observed on a Cisco RPM-PR and Cisco LSC in a test environment.

Workaround: There is no workaround.

CSCea63717

Symptoms: A Cisco router that is functioning as an H.323 gatekeeper with authentication, authorization, and accounting (AAA) enabled may run out of memory and may reload unexpectedly.

Conditions: This symptom is observed on a Cisco 2620 that is functioning as a gatekeeper and that is running the c2600-is3x-mz image of Cisco IOS Release 12.2(13)T or Release 12.2(15)T when about 45 endpoints are registered on the gatekeeper.

Workaround: There is no workaround.

CSCea64421

Symptoms: A Cisco router that is functioning as a gateway may place incorrect characters in the header of an "invite" message, causing a proxy server to respond with a "400 syntax error" message.

Conditions: This symptom is observed when the Cisco router changes "%40" in the header of an incoming "refer" message to "f" or "U" in the header of an outgoing "invite" message.

Workaround: There is no workaround.

CSCea64554

Symptoms: Incoming calls via E1 R2 trunks may be disconnected inappropriately.

Conditions: This symptom is observed when the originating gateway receives a "connect" message without receiving a "progress" or "alert" message from the remote end.

Workaround: There is no workaround.

CSCea64571

Symptoms: PPP over Ethernet (PPPoE) or PPP over ATM (PPPoA) sessions that go down may cause a leak of full virtual-access interfaces. The symptom is not observed with configurations that use virtual-access subinterfaces.

Conditions: This symptom is observed with PPPoE or PPPoA sessions that clear because of the PPP protocol going down (because of a termination request [TERMREQ] from a peer router or a PPP keepalive failure). The leaked virtual-access interfaces are not reused for new sessions. This results in the creation of new virtual-access interfaces for new sessions.

Workaround: There is no workaround.

CSCea64751

Symptoms: A Cisco 2600 series may unexpectedly reload, or report "badshare" tracebacks, or do both. When the router reloads, the router generates messages similar to the following:

Unexpected exception to CPUvector 1200, PC = 818C8B80

-Traceback= 818C8B80 818C9454 818C9848 818CD814 818CA814 818C7A28 818BC7B4 801E64B8 801E5D30 801D9A44 804F8CBC 8047FD74 804EB824 804EB824 8047FE34 804EBCC0

When "badshare" tracebacks occur, the router generates messages similar to the following:

%SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=8316E0F8, count=0

-Traceback= 80406718 80407C38 818CC900 8026A9A0 80271EC4 8002258C 804FB374 804F8C84 8047FD74 804EB824 804EB824 8047FE34 80651388

%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=8316E0F8, count=0

-Traceback= 80403848 80407E68 818CC900 8026A9A0 80271EC4 8002258C 804FB374 804F8C84 8047FD74 804EB824 804EB824 8047FE34 80651388

%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=8316E0F8, count=0

Conditions: These symptoms are observed when the following two conditions occur:

The Cisco 2600 series is configured with an asymmetric digital subscriber line (ADSL) or symmetric high-bit rate digital subscriber line (SHDSL) WAN interface card (WIC) that is installed in an onboard slot such as slot 0/0 or slot 0/1.

The upstream traffic rate exceeds the line rate, and this traffic is routed through the ADSL or SHDSL WIC. (The line rate is the maximum speed allowed by the digital subscriber line access multiplexer [DSLAM]).

Workaround: Do not use onboard slots.

Alternate Workaround: Ensure that the router traffic rate is below the line rate.

CSCea64842

Symptoms: A Cisco router that is used to fast-switch fragmented Multilink PPP (MLP) packets may corrupt the packets. The output from the debug ip error EXEC command shows the following error:

IP: s=10.254.254.25 (Multilink1), d=10.254.34.2, len 100, dispose icmp.checksumerr

A packet dump indicates that part of the MLP header has been inserted in the packet payload:

IP: s=10.254.254.25 (Multilink1), d=10.254.34.2 (Multilink1), len 100, rcvd 3
03845B50: FF030021 45000064 004A0000 ...!E..d.J..
03845B60: FD018737 0AFEFE19 0AFE2202 00005804 }..7.~~..~"...X.
03845B70: 1EB81580 00000000 0159F8B4 ABCDABCD .8.......Yx4+M+M
03845B80: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
03845B90: ABCDABCD ABCDFF03 003D4000 1939ABCD +M+M+M...=@..9+M
03845BA0: ABCDABCD ABCDABCD ABCDABCD ABCDABCD +M+M+M+M+M+M+M+M
03845BB0: ABCDABCD ABCDABCD ABCDABCD 00 +M+M+M+M+M+M.

Conditions: This symptom is observed on a Cisco router that is configured with fast switching. The symptom is not observed if the process switching path is used or if the packet is too small to fragment.

Workaround: There is no workaround.

CSCea65253

Symptoms: When an IP phone generates a call and disconnects, a Cisco router does not send a complete release after the caller disconnects.

Conditions: This symptom is observed on a Cisco 1700 series.

Workaround: There is no workaround.

CSCea65439

Symptoms: T.37 on-ramp fax calls may terminate in the middle of the call.

Conditions: This symptom is observed on a T.37 fax call when an inband alerting event or an inband progress event is received by a Cisco gateway without the preceding call being received.

Workaround: There is no workaround.

CSCea65529

Symptoms: A 24E1 trunk card or STM-1 trunk card may reload during the bootup process of a Cisco AS5850, and the following error message is generated:

%FBINFO-3-CRASH: Feature board in slot <number>

After the trunk card has reloaded, it recovers and operates normally. The entire bootup process may take up to 10 minutes.

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.2(15)T or a later release and that is configured for handover split mode. The symptom does not occur when the router is configured for classic split mode.

Workaround: If the Route Switch Controller (RSC) is installed in slot 6, install the 24E1 trunk card or STM-1 trunk card in slot 8 through slot 13. If the RSC is installed in slot 7, install the 24E1 trunk card or STM-1 trunk card in slot 0 through slot 5. Note that the bootup process may still take up to 8 minutes.

CSCea66194

Symptoms: The following tracebacks may appear when CNS events are sent from a Cisco router:

%ALIGN-3-SPURIOUS: Spurious memory access made at 0x60B5D2A0 reading 0x0
00:29:02: %ALIGN-3-TRACE: -Traceback= 60B5D2A0 60B74F5C 60B75230 60B71C04 60B7386C 60B739D8 60B705F8 60B60F6C
00:29:02: %ALIGN-3-TRACE: -Traceback= 60B5D2AC 60B74F5C 60B75230 60B71C04 60B7386C 60B739D8 60B705F8 60B60F6C

Conditions: This symptom is observed on a Cisco AS5300.

Workaround: There is no workaround.

CSCea66476

Symptoms: A Cisco IAD2420 series may not generate a crashinfo file and store it in the Flash disk.

Conditions: This symptom is observed when the Cisco IAD2420 series reloads unexpectedly.

Workaround: There is no workaround.

CSCea66942

Symptoms: The input queue on a Bridge-Group Virtual Interface (BVI) is wedged when voice is configured.

Conditions: This symptom is observed on a Cisco AS5300.

Workaround: There is no workaround.

CSCea67015

Symptoms: When ATM adaptation layer 2 (AAL2) trunks are configured, the T1 and E1 controllers that are connected to a PBX go down. The AAL2 alarms do not function correctly, and the far-end device is unaware of the condition and behaves as though the trunks are still up.

Conditions: This symptom is observed on a Cisco 3745. When the T1 and E1 controllers shut down, AAL2 alarm packets are supposed to be sent to the far-end device so that it can put the trunks in the out-of-service (OOS) state.

Workaround: There is no workaround.

CSCea67382

Symptoms: A Cisco Session Initiation Protocol (SIP) gateway may not perform a "Call Hold" that is initiated by a SIP re-INVITE request when the Session Description Protocol (SDP) media port parameter is set to zero.

Conditions: This symptom is observed on a Cisco SIP gateway that is running Cisco IOS Release 12.2.

Workaround: Upgrade Cisco IOS software to Release 12.2(1.4).

CSCea68067

Symptoms: A Cisco router may reload when it receives both T.37 on-ramp and T.37 off-ramp calls.

Conditions: This symptom is observed on a Cisco 3660, a Cisco AS5350, a Cisco AS5400, and other Cisco platforms under load conditions and abnormal call terminations.

Workaround: There is no workaround.

CSCea68515

Symptoms: The G.Clear codec may not function in a Media Gateway Control Protocol (MGCP) voice environment, which can be verified in the output of the show call active voice brief privileged EXEC command.

Conditions: This symptom is observed on a Cisco AS5300, Cisco AS5400, and Cisco AS5850 when you make a voice call between two platforms that have configured the G.Clear codec.

Workaround: There is no workaround.

CSCea69232

Symptoms: A Cisco gateway may send a Real-Time Protocol (RTP) frame with an incorrect sequence number in the RTP header. The incorrect sequence number will be in the first frame of the stream. The gap between the sequence numbers in the first and second RTP frames may result in a jitter condition in the terminating gateway (TGW). The TGW will play no audio to the user during this time period.

Conditions: This symptom is observed on a Cisco gateway that is running Cisco IOS Release 12.2(15)T1.

Workaround: There is no workaround.

CSCea69601

Symptoms: A Flash Advanced Technology Attachment (ATA)-disk card may become corrupted because of simultaneous accesses to the card. The corruption may not be immediately obvious. Signs of corruption are:

You cannot use an image from the ATA-disk card to boot up the router.

Errors occur when data is stored on or read from the ATA-disk card.

Conditions: This symptom is observed when you enter the show file system EXEC command while a file is being written to the ATA-disk card or when you enter the dir filesystem: EXEC command while a file is being written to the same device as the target of the dir filesystem: EXEC command.

Workaround: Avoid using any commands that access the ATA-disk card while a file is being written to the ATA-disk card.

CSCea69678

Symptoms: A caller on a channel-associated signaling (CAS) gateway may hear the second dial tone CHOM noise from the far-end router.

Conditions: This symptom is observed only with CAS calls.

Workaround: There is no workaround.

CSCea69733

Symptoms: The selective packet discard (SPD) feature does not function correctly on the E0 interface of a Cisco AS5300 router.

Conditions: This symptom is observed on a Cisco AS5300 router.

Workaround: Increase the input hold queue.

CSCea70216

Symptoms: Two-way voice may be lost after a modify connection (MDCX) message is sent.

Conditions: This symptom is observed on a Cisco AS5850 that is configured for Real-Time Transport Protocol (RTP) hairpinning after a two-way voice call is established and an MDCX message with any parameter setting is sent.

Workaround: There is no workaround.

CSCea70392

Symptoms: A Cisco 7200 series router may reload because of a bus error.

Conditions: This symptom is observed on a Cisco 7200 series that is running Cisco IOS Release 12.2(13b).

Workaround: There is no workaround.

CSCea70448

Symptoms: A DistributedDirector may reload when you enter the clear ip dir servers EXEC command.

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.2(11).

Workaround: There is no workaround.

CSCea70473

Symptoms: A memory leak may occur in the PPP authorization process on a Cisco 7206VXR.

Conditions: This symptom is observed on a Cisco 7206VXR that is running Cisco IOS Release 12.2(16) and that is configured for PPP over Ethernet (PPPoE). The symptom may occur on any Cisco router that is running Cisco IOS Release 12.2(16).

Workaround: There is no workaround.

CSCea70594

Symptoms: When a Cisco AS5350 originates a call to another gateway and the call is released because the ringing timeout timer expires, and when the terminating gateway uses a nondefault "ringing time out" value, the originating Cisco AS5350 sends a telephony Call Data Record (CDR) leg to the RADIUS server with a cause code of 0x13; however, a Voice over IP (VoIP) CDR leg is not sent.

Conditions: This symptom is observed on a Cisco AS5350 that is running Cisco IOS Release 12.2(11)T06. The Cisco AS5350 terminating gateway (TGW) has a ringing time out set to 30 on the voice port. The Cisco AS5350 originating gateway (OGW) places a call to the TGW and lets the call ring. After 30 seconds, the TGW releases the call with the correct cause code (no user answer). The OGW sends only a telephone CDR leg to the RADIUS server. The TGW sends both the VoIP and the telephony leg CDRs.

Workaround: There is no workaround.

CSCea70885

Symptoms: A Cisco router may display many tracebacks and may stop authentication, authorization, and accounting (AAA) records reporting when you enter the no radius-server source-ports 1645-1646 command.

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.2(16.1)B1.

Workaround: There is no workaround.

CSCea71431

Symptoms: The output that is displayed for the conform-action argument from the show rate-limit conform-action conform-action EXEC command is incorrect.

Conditions: This symptom is observed on Cisco 3600 series, Cisco 7200 series, and Cisco 7500 series that are running Cisco IOS Release 12.3(0.5).

Workaround: There is no workaround.

CSCea71681

Symptoms: A downstream physical unit (PU) may pause indefinitely in the "Pend ACTPU" state.

Conditions: This symptom is observed on a Systems Network Architecture (SNA) switch after a host initial program load (IPL) occurs when the SNA switch is busy activating PUs. The SNA switch does not send a REQACTPU response to the dependent logical unit server (DLUS).

Workaround: Redirect the PU to a redundant SNA switch.

Alternate Workaround: Stop and restart the SNA switch.

CSCea72272

Symptoms: The startup configuration file may become corrupt.

Conditions: This symptom is observed when multiple Telnet sessions simultaneously execute the copy running-config startup-config EXEC command. Only one Telnet session at a time should execute the copy running-config startup-config EXEC command.

Workaround: To save the configuration properly, reenter the copy running-config startup-config EXEC command.

CSCea72431

Symptoms: A Cisco gatekeeper does not send "InterfaceSpecificBillingID" information to a Gatekeeper Transaction Message Protocol (GKTMP) server.

Conditions: This symptom is observed on all Cisco gatekeepers (for example, Cisco 2600 series, Cisco 3600 series, and Cisco 7200 series) when the gatekeeper receives the information in an admission request (ARQ) nonstandard field from a voice gateway.

Workaround: There is no workaround.

CSCea72447

Symptoms: Advanced voice busy-out (AVBO) may not function for ISDN-type switches that do not understand ISDN service messages.

Conditions: This symptom is observed when busyout conditions are met and AVBO shuts the ISDN channel. The ISDN protocol sends a service message to the remote PBX. Some of the PBXs (for example, primary-net5, primary-ntt, and primary-ts014a) do not understand service messages, and they do not realize that the gateway is in a busied-out state. The PBXs keep routing calls to the gateway, and the gateway ultimately rejects the calls.

Workaround: There is no workaround.

CSCea72654

Symptoms: A Cisco router that is running Multiprotocol Label Switching (MPLS) may reload after a message similar to the following is generated:

%SYS-3-OVERRUN: Block overrun at 5414B2C8 (red zone 00000000)

Conditions: This symptom is observed when more than 672 Label Distribution Protocol (LDP) sessions are established simultaneously and when LDP cannot perform some background tasks for an advertised Label Information Base (LIB) entry before the local label is changed or withdrawn.

Workaround: There is no workaround.

CSCea73023

Symptoms: When a remote Label Switch Controller (LSC) performs 1:N redundant switchovers, the local provider edge (PE) router may create some tailend label virtual circuits (LVCs) for the remote PEs after a 1:N failover occurs.

Conditions: This symptom is observed on an MGX Route Processor Module (RPM-PR) that has a 1:N redundant card with LSC hot redundancy configured, and when 1:N redundant switchovers have been performed a few times on a PE router.

Workaround: On the local PE router, use the clear ip route prefix EXEC command.

CSCea73050

Symptoms: A committed access rate (CAR) output rule may not function on a Spatial Reuse Protocol (SRP) interface.

Conditions: This symptom is observed on a Cisco 7500 series, regardless of whether legacy quality of service (QoS) or modular QoS CLI (MQC) is configured.

Workaround: There is no workaround.

CSCea73108

Symptoms: A Cisco AS5850 may pause indefinitely when the physical link between a Cisco Secure server and the Cisco AS5850 is down.

Conditions: This symptom is observed in Cisco IOS Release 12.3 when the tacacs-server host x.x.x.x single-connection command is configured.

Workaround: There is no workaround.

CSCea73441

Symptoms: A Cisco router may reload because of memory corruption on the MGX Route Processor Module (RPM-PR).

Conditions: This symptom is observed on a Cisco router that is configured with Multiprotocol Label Switching (MPLS). If the RPM-PR receives very high traffic (99%), the path check feature, which runs periodically, may cause a memory corruption.

Workaround: There is no workaround.

CSCea73696

Symptoms: Virtual Private Network (VPN) routing/forwarding (VRF) IP Security (IPSec) may fail when Rivest, Shamir, and Adleman (RSA) encryption is configured.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(1).

Workaround: There is no workaround.

CSCea74222

Symptoms: The Interior Gateway Protocol (IGP) label rewrite information for a remote provider edge (PE) router may be lost from a Cisco Express Forwarding (CEF) table on a local PE router.

Conditions: This symptom is observed when a failure or route flap occurs in the following configuration:

The multi-virtual circuit (Multi-VC) mode is enabled in an ATM cell-mode Multiprotocol Label Switching (MPLS) network.

Two or more local PE routers are each connected to two separate ATM switches that are configured with label switch controllers (LSCs), or the PE routers are connected to separately controlled partitions of a single ATM switch.

The following actions cause a failure or route flap:

You initiate a processor switch by entering the switchcc command.

LSC hot redundancy is reset.

You enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface in which MPLS is configured.

Workaround: To recover from the situation, enter the clear ip route network EXEC command. Enter the loopback address of the remote PE router for which the label rewrite information is lost on the local PE router as the network argument.

CSCea74283

Symptoms: A Cisco router may reload when an error occurs during the certificate enrollment.

Conditions: This symptom is observed on a Cisco 831 and occurs only when the router attempts to connect to the Certificate Authority (CA). The symptom may also occur on other platforms.

Workaround: There is no workaround. To minimize the chance that the symptom occurs, verify that the correct enrollment information is configured for the trustpoint that is used for the enrollment, and ensure that the CA is functioning properly before you initiate the certificate enrollment.

CSCea74551

Symptoms: A Cisco gateway may reject a "subscribe" request with a "400" response, indicating a "Bad Request, Malformed/Missing Request Line."

Conditions: This symptom is observed when the Session Initiation Protocol (SIP) address in the Uniform Resource Identifier (URI) of the "subscribe" request does not contain a user portion.

Workaround: There is no workaround.

CSCea75235

Symptoms: A Cisco 7200 series or Cisco 7500 series may drop Virtual Private Network (VPN) traffic for a period of time when one of the label switch controllers (LSCs) along a path is reset. The period of time is dictated by the time that a Label-Controlled ATM (LC-ATM) interface requires to reestablish the ATM label virtual circuit (LVC) by using the downstream-on-demand mode.

Conditions: This symptom is observed on a Cisco 7200 series or Cisco 7500 series that functions in a Multiprotocol Label Switching VPN environment with a LC-ATM core that is configured with multiple paths to an egress provider edge (PE) router.

Workaround: There is no workaround.

CSCea75286

Symptoms: A Cisco router may reload because of a bus error at address 0x3.

Conditions: This symptom is observed on a Cisco 3660 router that has an Advanced Integration Modules-Virtual Private Network (AIM-VPN), an IP Security (IPSec) configuration, and that is running Cisco IOS Release 12.1(5)T10 or Release 12.2(16).

Workaround: There is no workaround.

CSCea75520

Symptoms: A Layer 2 Tunneling Protocol (L2TP) session is not forwarded to an L2TP network server 2 (LNS2) that is one of the members in a stack group.

Conditions: This symptom is observed when a Cisco 7200 series router is configured as an L2TP access concentrator (LAC) and an L2TP network server 1 (LNS1), and when a Cisco 3640 router is configured as an LNS2.

Workaround: There is no workaround.

CSCea75663

Symptoms: A router that is configured with Network Address Translation (NAT) does not behave correctly if outside source static is configured but no inside source static is configured. The symptom is not observed if there is at least one inside source static configured in addition to the outside source static.

Conditions: This symptom is observed on a router that is configured with NAT and is observed with Internet Control Message Protocol (ICMP) messages type 3 code 4 (ICMP unreachables with the DF bit set). A possibly related caveat is CSCds82679.

Workaround: There is no workaround.

CSCea77220

Symptoms: An unexpected resource accounting stop record may be sent after the ISDN guard timer expires.

Conditions: This symptom is observed under the following very specific conditions:

The ISDN guard timer is configured with the isdn guard-timer milliseconds on-expiry accept interface configuration command.

The aaa accounting resource [name] stop-failure group global configuration command is configured.

Preauthentication is held up, for example, because of the unavailability of the authentication, authorization, and accounting (AAA) server.

Workaround: Use the aaa session-id unique global configuration command.

CSCea77302

Symptoms: An L2TP access concentrator (LAC) may reload under the following circumstances:

PPP over Ethernet (PPPoE) sessions are cleared simultaneously on a LAC from a client and L2TP network server (LNS) and there are a large number of PPPoE sessions.

A command like the show ip dhcp pool EXEC command is used on a unit under test (UUT) router when the scroll window is small.

This symptom occurs because of a race condition between two threads that are clearing sessions simultaneously, or it occurs when a semaphore is obtained by one thread and the other thread tries to obtain the same semaphore and a block occurs during the deletion.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2T, Release 12.2(15)BX, or Release 12.3.

Workaround: There is no workaround.

CSCea77328

Symptoms: A Cisco uBR905 incorrectly sources a Dynamic Host Configuration Protocol (DHCP) request packet from a cable modem interface.

Conditions: This symptom is observed during the DHCP proxy process.

Workaround: There is no workaround.

CSCea77697

Symptoms: Traffic may not be encrypted or decrypted on a Cisco Route Switch Processor (RSP).

Conditions: This symptom is observed on a Cisco RSP when fast switching, Cisco Express Forwarding (CEF), or flow switching is enabled.

Workaround: Use process switching. Do not use fast switching, CEF, or flow switching.

CSCea77810

Symptoms: Media Gateway Control Protocol (MGCP) primary interface backhaul calls may not come up on an E1 controller of an STM-1 trunk card.

Conditions: This symptom is observed when an STM-1 trunk card is installed in slot 0 of a Cisco AS5850 that is running Cisco IOS Release 12.2(15)T or a later release.

Workaround: There is no workaround.

CSCea78007

Symptoms: REQACTPU is rejected with an 08060000 sense code. SNA Switching Services (SNASw) may not stop the link station so that the end device can try another data-link switching (DLSw) peer. The SNASw link and the DLSw TCP/IP circuit stay intact, so the physical unit (PU) keeps retrying on an invalid host, which affects sites that peer to multiple hosts.

Conditions: This symptom is observed in Cisco IOS Release 12.1(15) or Release 12.2(12) and later releases. A design change was introduced via CSCdw93088 to cause the circuit not to break.

Workaround: Manually break the circuit so that DLSw can use the other DLSw peer.

CSCea78182

Symptoms: A Cisco Catalyst 4000 Access Gateway (C4GWY) may pause when bursty traffic is passed from a Gigabit Ethernet (GE) interface to a serial interface.

Conditions: This symptom is observed on a Cisco C4GWY because the main control card (MCC) driver does not handle the temporary loss of packets gracefully. The receive ring buffer descriptors are caught in an infinite loop and cause the C4GWY to pause.

Workaround: There is no workaround.

CSCea78932

Symptoms: A Cisco router that has keepalives turned on and that is configured with the cns event global configuration command may not correctly display the termination of the CNS. The output of the show cns event connection EXEC command still shows that the event agent is connected even though the connection has been terminated. Some outgoing events may be lost when this symptom occurs.

Conditions: This symptom is observed on a Cisco 3640 router that has CNS configured.

Workaround: Use the debug cns event privileged EXEC command to determine if the event agent is actually connected. When the connection is established, there will be regular activity associated with the keepalives.

CSCea79042

Symptoms: Server Load Balancing (SLB) may not function on a Cisco 3725 router.

Conditions: The SLB functionality is no longer supported on the Cisco 3725 router in Cisco IOS Release 12.2(12)T.

Workaround: Do not upgrade to Cisco IOS Release 12.2(12)T or beyond.

CSCea79085

Symptoms: Server Load Balancing (SLB) may not function on a Cisco 3725 router.

Conditions: The SLB functionality is no longer supported on the Cisco 3725 router in Cisco IOS Release 12.2(12)T.

Workaround: Do not upgrade to Cisco IOS Release 12.2(12)T or beyond.

CSCea79314

Symptoms: It may take a long time for an Internet Key Exchange (IKE) tunnel to be set up.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Virtual Private Network (VPN) acceleration module (VAM) or VAM2 for hardware encryption and that has the authentication rsa-sig ISAKMP policy configuration command configured.

Workaround: Use software encryption.

CSCea79610

Symptoms: When CNS commands fail authentication by an associated Cisco IE2100 series, two messages may be sent to the CNS event bus:

- The first message, which is the expected error message, misses a value for the identifier tag within the Extensible Markup Language (XML).

- The second message is an incorrect success message, and should be ignored by applications that are connected to the CNS event bus.

Conditions: This symptom is observed when the cns config initial ip-address global configuration command, cns config partial ip-address global configuration command, and cns config retrieve EXEC command fail authentication by the associated Cisco IE2100 series.

Workaround: There is no workaround.

CSCea80474

Symptoms: A Label Distribution Protocol (LDP) module may attempt to access freed memory, and this may cause a Cisco router to reload.

Conditions: This symptom has only been observed in rare situations on a Cisco router that is running IP over Multiprotocol Label Switching (MPLS) when an interface, with hundreds of associated IP addresses, is administratively disabled.

Workaround: There is no workaround.

CSCea81233

Symptoms: IP Security (IPSec) profiles disappear from the configuration of a Cisco router, even though they are configured.

Conditions: This symptom is observed in all versions of Cisco IOS software that have a fix for caveat CSCea27527.

Workaround: There is no workaround.

CSCea81569

Symptoms: When the crash dump feature is configured to dump the crash info into Flash memory, and a digital signal processor (DSP) pauses indefinitely, the router reports a "software forced reload" and goes into a loop or reloads.

Conditions: This symptom is observed in Cisco IOS Release 12.3(0.5)T, only when a file exists that bears the same name as the new crash dump file. The symptom occurs whether or not there are active calls.

Workaround: Delete the DSP crash dump files after the router reloads.

CSCea81777

Symptoms: Calls that originate from a public switched telephone network (PSTN) that is configured with E1 R2 protocol and go to channel-associated signaling (CAS) doing hairpin may not work.

Conditions: This symptom is observed with a PBX that is connected to a Cisco router with a CAS interface. The CAS interface works well with all remote sites. The router then connects to a PSTN by way of E1 R2. The calls work well from the PBX to the PSTN. Incoming calls from the PSTN ring the phone in the PBX once, and then the calls are dropped.

Workaround: There is no workaround.

CSCea82183

Symptoms: The following error message is displayed on an Automated Teller Machine (ATM) when it is powered down:

%BSC-3-BADLINESTATE

Conditions: This symptom is observed on a Cisco router that has the following configuration:

A Cisco 2600 router is configured with a 1-port serial WAN interface card (WIC-1T), and acts as a data terminal equipment (DTE) router and is running Cisco IOS Release 12.2(10a).

A router is connected to one ATM machine as a Binary Synchronous Communications (BSC) Block Serial Tunnel (BSTUN).

When the ATM is powered down, the "%BSC-3-BADLINESTATE" error message is displayed and then the ATM is powered back up. The BSC/BSTUN router does not start to send any frames, even sporadically.

The output from the show bsc EXEC command displays the message "Out of SYN-hunt mode." The output from the show interfaces serial EXEC command of the BSTUN encapsulations never displays increments of the output packet count.

Workaround: There is no workaround.

CSCea82506

Symptoms: The following message and traceback may be generated many times (40 to 50) during bootup of a Cisco 3600 series router or a Cisco 3700 series router:

%SYS-2-INTSCHED: `suspend' at level 3 -Process= "Init", ipl= 3, pid= 3

-Traceback= 607CF0D8 61DED850 621DEF70 621E36CC 621E4474 621D7C10 621D9EE4 600BB384 600BC034 61DF79BC 60DCAB88 60DCADB4 61DD1100 61DD10E4

Conditions: This symptom is observed on Cisco 3600 series routers or Cisco 3700 series routers that are running Cisco IOS Release 12.3(1) and that use either a Virtual Private Network (VPN) encryption and hardware advanced integration module AIM-VPN/EPII or an AIM-VPN/HPII.

Workaround: There is no workaround. The router eventually comes up without a loss of functionality.

CSCea82542

Symptoms: After a "%VTSP-3-DSP_TIMEOUT" error message is generated, the affected digital signal processor (DSP) may not automatically recover.

Conditions: This symptom is observed on a Cisco IAD2420 series, but may not be platform specific.

Workaround: There is no workaround. To recover the affected DSP, reload the router.

CSCea82910

Symptoms: After making changes to the zone prefix configuration, a Cisco gateway displays the wrong prefix in the prefix table.

Conditions: This symptom is observed on a Cisco gateway.

Workaround: There is no workaround.

CSCea83619

Symptoms: During a regression test, a Cisco router may reload and the following error message and traceback may appear:

Unexpected exception to CPUvector 1200, PC = 410640

-Traceback= 410640 ECE8D0 ECF190 ECF7E8 ECFCC8 EE42C4 F047BC F041BC EC9D9C EC9FBC ECA9E0 ECAE94 ECB118 ECB2E0 ECCC7C 430628 434708

Conditions: This symptom is observed on a Cisco IAD2420 series router and on a Cisco MC3810 access concentrator.

Workaround: There is no workaround.

CSCea83680

Symptoms: A Cisco 7200VXR series with a Network Service Engine 1 (NSE-1) card may reload because of a bus error.

Conditions: This symptom is observed on a Cisco 7200VXR series that is running Cisco IOS Release 12.2(13)T.

Workaround: There is no workaround.

CSCea84387

Symptoms: A user session may pause indefinitely, causing a Cisco router to become unresponsive.

Conditions: This symptom is observed when multiple simultaneous users enter modular QoS CLI (MQC) commands on the same router via separate vty sessions.

Workaround: Allow only one user at a time to enter MQC commands.

CSCea84736

Symptoms: After you enter the shutdown interface configuration command followed by the no shutdown interface configuration command on an interface, pings may fail on this interface.

Conditions: This symptom is observed on an interface that has both PPP and Intermediate System-to-Intermediate System (IS-IS) configured.

Workaround: There is no workaround.

CSCea84911

Symptoms: A slow-start call may fail because a Cisco universal gateway that is functioning as an H.323 gateway may not send an Open Logical Channel (OLC) message, causing the call to time out.

Conditions: This symptom is observed in approximately one out of every 200 calls when the originating endpoint is a slow-start endpoint, such as Cisco CallManager.

Workaround: If possible, configure fast start on the originating endpoint. (In a fast-start configuration, no OLC messages are sent.)

CSCea84931

Symptoms: Label Distribution Protocol (LDP) does not send a label release message in response to a label withdraw message.

Conditions: This symptom is observed in an Any Transport over Multiprotocol Label Switching (AToM) configuration.

Workaround: There is no workaround.

CSCea85202

Symptoms: A Cisco router may reload when you enter the dir EXEC command.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(1) when you enter the dir EXEC command for a directory with a long name.

Workaround: There is no workaround.

CSCea85326

Symptoms: A Cisco router may reload because of a segmentation violation (SegV) exception, and the following error messages and tracebacks may be generated:

AppPushLegORConnection: Object(0x0)(0) NOT a Valid Framework Object

-Traceback= 81124770 8112ED20 81134B04 811049E0 81105048 811062A0 81107D84 81108284 80430CD8

AppPushLegORConnection:Object(0x0) NOT HANDLER: Is APP_NONE

-Traceback= 811247A8 8112ED20 81134B04 811049E0 81105048 811062A0 81107D84 81108284 80430CD8A8 8112ED20 81134B04 811049E0 81105048 811062A0 81107D84 81108284 80430CD8

Conditions: This symptom is observed on a Cisco platform that is running an interactive voice response (IVR) application.

Workaround: There is no workaround.

CSCea86295

Symptoms: A customer administrator is incorrectly given access to the system administrator graphical user interface (GUI) in version 2.1 of Cisco IOS Telephony Services (ITS).

Cisco ITS V2.1 divides administrative users into two classes: system administrators and customer administrators. System administrators may configure all ITS features system wide. Customer administrators are limited to a configurable subset of GUI functionality that is defined in an XML file. When logged on as the customer administrator (using the sample XML file) to reset a phone, the phone resets but the entire system administrator menu option appears. All of the options that are available to the system administrator are shown on the customer administrator screen.

Conditions: This symptom is observed in version 2.1 of Cisco ITS on a router that is running Cisco IOS Release 12.2(15)T.

Workaround: There is no workaround.

CSCea86397

Symptoms: The cns mib-access encapsulation xml global configuration command does not function.

Conditions: This symptom is observed in Cisco IOS Release 12.3.

Workaround: There is no workaround.

CSCea86438

Symptoms: A Cisco universal access server or Cisco universal gateway may drop calls that have cause code "0x2C". This cause code is generated because difficulties occur with the allocation of a digital signal processor (DSP).

Conditions: This symptom is observed when a "%VTSP-3-DSP_TIMEOUT: DSP timeout on channel" message appears, the DSP for which the message appears is blocked, and this blocked DSP is then allocated.

Workaround: To recover the blocked DSP, enter the clear spe EXEC command.

CSCea86482

Symptoms: A Cisco router does not subscribe to the subject cisco.mgmt.cns.snmp.rqst when enabling CNS MIB access encapsulation Simple Network Management Protocol (SNMP).

Conditions: This symptom is observed in Cisco IOS Release 12.3 and disables the nongranular MIB access using CNS.

Workaround: There is no workaround.

CSCea86724

Symptoms: A Cisco router that is configured for IP over Multiprotocol Label Switching (MPLS) may reload. CPUHOG messages may be displayed on the console before the router reloads.

Conditions: This symptom is observed in configurations with many interfaces or IP addresses, or with a very large number of labelled prefixes.

Workaround: There is no workaround.

CSCea86753

Symptoms: When the cns config notify diff interval global configuration command is configured on a Cisco router in the following manner, the router may pause and then reload:

Enter the cns event hostname global configuration command where the hostname is the name of the server.

Enter the cns config partial hostname global configuration command.

Enter the cns config notify diff interval 1 global configuration command.

Configure the Secure Socket Layer (SSL) Certificate Authority on the router.

Exit the router configuration mode.

The configuration changed event is not sent out by the router.

Conditions: This symptom is observed on a Cisco 7200 series that is running Cisco IOS Release 12.3.

Workaround: There is no workaround. The symptom is fixed by caveat CSCea80355.

CSCea86857

Symptoms: A Cisco IOS Domain Name System (DNS) server may drop DNS queries from clients. The following error message may appear:

%DNSSERVER-3-UDPDNSOVERLOAD: Excessive DNS query overloading:
dropping <packet-id> from <client-address >

Conditions: This symptom occurs if the CPU load for the router is high when DNS queries come in.

Workaround: There is no workaround.

CSCea87478

Symptoms: A Cisco router may reload when sending a large Simple Network Management Protocol (SNMP) get request.

Conditions: This symptom is observed when a granular MIB access request that uses Simple Network Management Protocol (SNMP) over extensible markup language (XML) results in a large SNMP over XML response. This may cause a watchdog timeout, and the router may reload unexpectedly.

Workaround: Do not request a large subtree.

Alternate Workaround: Turn off the cns mib-access encapsulation xml global configuration command.

Second Alternate Workaround: Use a version of Cisco IOS software that has the fix for CSCea82641, which also fixes this symptom.

CSCea88409

Symptoms: A memory leak of approximately 20 bytes may occur on a Cisco platform that receives a CNS event.

Conditions: This symptom is observed when the length of CNS events is greater than 500 bytes.

Workaround: Limit the length of CNS events to less than or equal to 500 bytes.

CSCea88663

Symptoms: The Label Distribution Protocol (LDP) session between two adjacent routers may fail to establish when you configure the seconds argument of the mpls ldp discovery hello interval seconds global configuration command for one router to be significantly shorter in duration than the seconds argument of the same command for the other router.

Conditions: This symptom is observed in an IP over Multiprotocol Label Switching (MPLS) configuration when the router that is configured with the seconds argument of longer duration is also configured to actively establish the TCP connection (in conformance with Section 2.5.2 of RFC 3036).

The output of the show mpls ldp discovery detail privileged EXEC command indicates that the associated discovery interface of the router that is configured to actively establish the TCP connection is stuck in the "xmit (not ready)" state.

The router that passively establishes the TCP connection may indicate via "NBRCHG" log messages that the LDP session comes up and immediately goes down repeatedly.

Workaround: For both routers, configure the seconds argument to be of similar duration by using the mpls ldp discovery hello interval seconds global configuration command or the mpls ldp discovery hello holdtime seconds global configuration command.

CSCea88948

Symptoms: Calls from a Cisco AS5850 may be rejected by a Cisco Resource Policy Management System (RPMS) with the following error message:

Msg:Error: Inconsistent session detected. No Active Call with Call-Id:

Conditions: This symptom is observed when a Cisco AS5850 is configured for preauthentication and Virtual Private Dialup Network (VPDN) forwarding.

Debugging the failed call on the Cisco AS5850 indicates that no unique ID was used when the "access accept" for the preauthentication request was received.

Workaround: There is no workaround.

CSCea89854

Symptoms: Removing crypto maps while traffic is running may cause a router to pause indefinitely.

Conditions: This symptom is observed when you enter the no crypto map global configuration command on the interface of a Cisco router that is configured with crypto maps, traffic is running, and the tunnels are up.

Workaround: Stop the traffic before removing the crypto maps.

CSCea90394

Symptoms: A customer of a service provider (SP) may report poor performance across new long-distance (over 100 km) E3 lines with a file transfer rate of about 3 to 5 Mbps. Frame check sequence (FCS) errors may occur in G.751 frames, "Time to Live," "Transport Retransmission," and "TCP Connection Reset by Server" conditions, and other conditions may occur in the LAN. The symptoms are caused by difficulties with the clock signal.

Conditions: These symptoms are observed on a Cisco 7200 series, Cisco 7500 series, and Cisco 7600 series that are configured with a 1-port E3 serial port adapter (PA-E3), but these symptoms may also occur on a 2-port E3 serial port adapter (PA-2E3). The symptoms are not platform specific but port-adapter specific. The symptoms are not observed when short-distance E3 lines are used.

The clocking is not provided by the Plesiochronous Digital Hierarchy (PDH)/Synchronous Digital Hierarchy (SDH) network of the SP but by the internal clock source of one of the routers of the SP customer (that is, the clock source internal controller configuration command is configured), while another router of the SP customer is configured as the clock slave (that is, the clock source line controller configuration command is configured). However, the symptom may also occur when the clocking is provided by the SP.

When a line interruption occurs, the PA-E3 on which the clock source line controller configuration command is configured may not switch back its transmitter clock (which should be synchronized from the incoming clock signal of the line) from internal clocking to line clocking. When the line is down, the router in which this PA-E3 is installed temporarily uses its internal clock signal. When the line comes back up again, the router should switch back to the line clock signal.

Long-distance lines are affected because the router that receives traffic over long-distance lines requires a relatively long time to synchronize its clock via line clock signal. The symptoms are observed during the initial link up and during line interruptions.

Workaround: Use enhanced 1-port ATM E3 port adapters (PA-A3-E3) on which the clocking difficulties do not occur.

Temporary Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the serial interface of the affected PA-E3. Doing so provides a workaround until the next line interruption.

CSCea91135

Symptoms: If an error condition exists, all traffic throughput from a Cisco Route Processor Module (RPM-PR) may stop, the router stays in the error state, and is not reloaded by the Processor Switch Module (PXM).

Conditions: This symptom is observed on a Cisco RPM-PR if segmentation and reassembly (SAR) autorecovery is disabled. The heartbeat messages are processed in a priority fashion compared to regular data. Because of possible SAR or Cisco IOS software errors, if the data stops flowing through the RPM-PR, all protocols will go down. The RPM-PR will still respond to the heartbeat messages but will not be reloaded by the Processor Switch Module (PXM).

Workaround: Enable SAR autorecovery.

CSCea91464

Symptoms: An IP packet that is sent out from a Cisco AS5850 may not be switched by using Cisco Express Forwarding (CEF). This situation may cause performance difficulties and may impact the call success rate.

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.3(1).

Workaround: There is no workaround.

CSCea91695

Symptoms: When a CNS event agent uses the backup gateway, it is not possible to configure the backup gateway to use keepalives. The link should use the same keepalive settings that are used with the primary gateway.

Conditions: This symptom is observed on a Cisco gateway that has the CNS event agent connected to the backup gateway.

Workaround: There is no workaround.

CSCea91920

Symptoms: Some of the XML tags in the output generated by the CNS image agent are misspelled. Some of the XML tags accepted for input by the CNS image agent are misspelled.

Conditions: This symptom is observed on a Cisco router that is configured to run the CNS Image Agent.

Workaround: Send messages to the router with the misspelled tag names, and accept output from the image agent with the misspelled tag names.

CSCea92063

Symptoms: The interactive voice response (IVR) script aborts when the information tag infotag get evt_transfer_info transferDest command is executed after obtaining the evt_transfer_request event.

Conditions: This symptom is observed if the "transferDest" argument is used instead of the "transferTo" argument in the IVR script.

Workaround: Use the "transferTo" argument in the IVR script.

CSCea93735

Symptoms: Control traffic may not be dequeued from a Parallel Express Forwarding (PXF) processor towards a Route Processor (RP).

Conditions: This symptom is observed on a Cisco MGX 8800 series Route Processor Module XF (RPM-XF) in a Multiprotocol Label Switching (MPLS) environment. In a cell-based MPLS network, the symptom occurs when an MPLS packet with a Time To Live (TTL) setting below 2 reaches a provider edge (PE) router. In a frame-based MPLS network, the symptom occurs when an MPLS packet with explicit null labels and with a TTL setting below 2 reaches a provider (P) or PE router.

Workaround: Configure the no mpls ip propagate-ttl global configuration command on all the routers in the MPLS network to prevent MPLS packets with a TTL setting below 2 from being generated.

CSCea93878

Symptoms: The LED on a third-party vendor 911 operator simulator application may display that there are two key pulses (KPs) "KPKP911ST" for the dialed number identification service (DNIS) and two KPs "KPKP00<ani digits>ST" for the Automatic Number Identifier (ANI) digits (that is, for the number of the calling party). For correct operation, there should be only one KP at the beginning.

Conditions: This symptom is observed on a Cisco 5850 that is running Cisco IOS Release 12.3(1) when a 911 call is made through a channel-associated signaling (CAS) Feature Group-D (FGD) Multifrequency tones (MF) trunk to the 911 operator of the 911 operator simulator application.

Workaround: There is no workaround.

CSCea93882

Symptoms: If Cisco Express Forwarding (CEF) is disabled, a router may reload with the following error message upon the receipt of a malformed generic routing encapsulation (GRE) packet:

%ALIGN-1-FATAL: Illegal access to a low address addr=0xA30, pc=0x40992D3C, ra=0x405E64B8, sp=0x43562838

Conditions: This symptom is observed on a Cisco router that has CEF disabled. The symptom even occurs without a tunnel configuration on the router.

Workaround: Enable CEF on the router by entering the ip cef global configuration command.

CSCea94063

Symptoms: A Cisco voice gateway that is configured for H.323 and Fast Start may not correctly negotiate the codec payload size upon a call transfer when the codec of the initial call is different from the codec for the transferred call.

The following additional symptoms may be observed:

There is no audio from the H.323 gateway to the IP phones after the call transfer.

From the Call Statistics screen on the IP phone, IP phone B reports the RxSize to be 0 ms and RxDisc rapidly increments.

Conditions: These symptoms are observed on a Cisco voice gateway that is running Cisco IOS Release 12.2(8)T5 and that has Cisco CallManager configured to receive H.323 Fast Start calls. These symptoms may not be limited to this configuration and may be observed in other environments as well.

The public switched telephone network (PSTN) caller's initial call to IP phone A uses G.711 ulaw as the codec, but the transferred call to IP phone B is configured for G.729.

Workaround: Disable Fast Start on the Cisco CallManager.

Alternate Workaround: Configure all calls for the same codec.

CSCeb00104

Symptoms: When configuration changes are made, a Cisco 7500 series Versatile Interface Processor (VIP) may pause indefinitely, produce large numbers of spurious memory accesses, or reload. This situation may cause the router to detect that interfaces on the VIP are not sending packets and to report that the output of the interfaces is stuck.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for fragmentation and shaping on a Frame Relay interface using modular QoS CLI (MQC).

Workaround: Before you make quality of service (QoS) policy or Frame Relay fragmentation changes on an interface of the VIP, enter the shutdown interface configuration command on the interface.

CSCeb00391

Symptoms: The following error message may be displayed on a router:

%ALIGN-3-SPURIOUS: Spurious memory access made at 0x50164CDC reading 0x0

Conditions: This symptom is observed on a Cisco 12000 series.

Workaround: There is no workaround.

CSCeb00875

Symptoms: An ATM permanent virtual circuit (PVC) that is configured for autodetection of PPP over ATM (PPPoA) or PPP over Ethernet (PPPoE) protocols may drop the incoming PPPoA frames.

Conditions: This symptom may be triggered on a particular PVC, if the PPPoA session is brought up from the other end of the PVC, and if there is a change in the PVC state for any reason (for example, ATM Operation, Administration, and Maintenance [OAM] taking the VC down).

Workaround: Use one of the following workarounds:

Reconfigure the ATM PVC.

Do not use PPPoA or PPPoE autosensing.

Configure the PVC for either PPPoA or PPPoE.

Following is an example of the PVC configuration:

interface atm 4/0.1
no pvc 4/43
pvc 4/43
...

If the VC is part of a range, first configure the pvc-in-range and then configure the encapsulation:

configure terminal
range pvc 6/43 6/1000
pvc-in-range 6/43
encapsulation aal5mux ppp virtual-Template 1

CSCeb01274

Symptoms: A digital signal processor (DSP) resource and a time-division multiplexing (TDM) time slot may not be released after a fax call has disconnected, causing RADIUS accounting packets to continue to be sent for this call. This condition eventually triggers a long-duration alarm in a Cisco BTS 10200 Softswitch.

Conditions: This symptom is observed on a Cisco AS5400 but may also occur on other Cisco platforms.

Workaround: There is no workaround.

CSCeb01423

Symptoms: A memory leak may occur on a Cisco 6400 series Node Route Processor 1 (NRP-1) during the installation of per-user access control lists (ACLs) that are downloaded from a RADIUS server.

Conditions: This symptom is observed on a Cisco 6400 series NRP-1 that is running Cisco IOS Release 12.2(13)T and that is configured for PPP over Ethernet (PPPoE) when there is a high-call setup rate and the CPU utilization of the NRP-1 exceeds 70 percent. The symptom may be platform independent.

Workaround: Disable the per-user ACLs.

Alternate Workaround: Decrease the call setup rate.

CSCeb01641

Symptoms: T.38 fax calls may fail if the terminating gateway sends fast start elements in multiple H.225 messages (for example, call_proceeding, alert, connect).

Conditions: This symptom is observed only with T.38 fax calls that go through an IP in IP (IPIP) gateway and is specific to fast start calls when non-Cisco gateways are used for the terminating gateway. The symptom is not observed on a Cisco gateway.

Workaround: Initiate the T.38 fax calls using H.323 slow start.

CSCeb01888

Symptoms: A call may fail because attributes may not be applied.

Conditions: This symptom is observed when the "template:ip-vrf," "template:ip-unnumbered," and "template:ip-addr" attributes are downloaded from the template authorization (that is, the aaa authorization template global configuration command is configured) but may not be applied.

Workaround: Configure the "template:ip-vrf," "template:ip-unnumbered," and "template:ip-addr" attributes under the virtual template.

Alternate Workaround: Configure the "lcp:interface-config" attribute in the per-user profiles.

CSCeb02068

Symptoms: In a configuration with multiple name servers, when one server times out, the other servers may not be contacted during name resolution.

Conditions: This symptom is observed when the ip domain-list name global configuration command is enabled.

Workaround: Replace the ip domain-list name global configuration command with the ip domain-name name global configuration command.

Alternate Workaround: Explicitly specify a domain when resolving a name. For example, enter "anyname.cisco.com" instead of "anyname".

CSCeb02097

Symptoms: Segmentation and reassembly (SAR) autorecovery may begin when a configuration is being saved on a Cisco Route Processor Module (RPM-PR) card. When this occurs, access to C: may not be possible; the router may pause and display an error message.

Conditions: This symptom is observed on a Cisco RPM-PR card that is running Cisco IOS Release 12.2(15)T3. When trying to save the configuration on one of the RPM-PR cards, the card can take 60 to 90 minutes to save the configuration. SAR autorecovery starts during this time period.

Workaround: There is no workaround.

CSCeb02142

Symptoms: A Cisco IOS Telephone Services (ITS) router sends successive NOTIFYs (carrying dual tone multifrequency [DTMF] digits) with the same command sequence (CSeq) number, and this results in the loss of a DTMF digit.

Conditions: This symptom is observed on a Cisco ITS router when the SUBSCRIBE/NOTIFY functionality is used to send DTMF events. If two DTMF events occur in quick succession, their respective NOTIFYs have the same CSeq number.

Workaround: There is no workaround.

CSCeb02241

Symptoms: It may not be possible to telnet from a node switch processor to a Node Route Processor 2 (NRP-2).

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(1). The symptom is not observed in Cisco IOS Release 12.2(2) B7 or earlier releases.

Workaround: Clear the S0/0/0 interface on the NRP-2.

Alternate Workaround: Enable Cisco Discovery Protocol (CDP) if it is not enabled.

CSCeb02409

Symptoms: An STM-1 trunk card may not communicate properly with the Route Switch Controller (RSC) when path tracing for the 64/16-byte format (j1) is configured using the overhead j1 length {16 | 64} {receive-message | transmit-message} message SONET controller configuration command.

The following error message may be generated when the STM-1 trunk card boots up:

%FIB-3-FIBDISABLE: Fatal error, slot <number>: No window message, LC to RP IPC is non-operational

When you enter the execute-on slot slot-number privileged EXEC command, the command may fail to execute for the STM-1 trunk and the following error message may be generated:

%DSIP-6-NIP_SEND_BUF: DSIP send data failed, slot 2 nip client id 0

No response from remote host

Conditions: These symptoms are observed on a Cisco AS5850 that is running Cisco IOS Release 12.2(15)T or a later release.

Workaround: There is no workaround.

CSCeb02520

Symptoms: A Cisco Route Processor Module (RPM-PR) router that is configured as an Edge Label Switch Router (ELSR) may reset when you use the show queue sw1 EXEC command when there is a Multiprotocol Label Switching (MPLS) interface.

Conditions: This symptom is observed on a Cisco RPM-PR when multiple virtual circuits (VCs) are enabled under an MPLS interface.

Workaround: There is no workaround.

CSCeb02852

Symptoms: A fax call over Session Initiation Protocol (SIP) may fail when the originating gateway (OGW) is configured for T.38 fax protocol and the terminating gateway (TGW) is configured for fax pass-through protocol.

Conditions: This symptom is observed on a Cisco AS5400 that is functioning as an OGW when a fax call is made to a Cisco 3660 that is functioning as a TGW.

Workaround: Configure both gateways for either T.38 fax relay or T.38 fax pass-through.

CSCeb03824

Symptoms: A Cisco IAD2420 series may reload when it is processing calls.

Conditions: This symptom is observed when an analog port receives two incoming calls simultaneously.

Workaround: There is no workaround.

CSCeb03874

Symptoms: A Cisco Route Switch Controller (RSC) may pause indefinitely while making voice calls if the terminating side is not configured properly.

Conditions: This symptom is observed on a Cisco RSC when a voice call enters the gateway through E1 R2 signaling, goes out as a Signaling System 7 (SS7) call, reenters as an IP call, and goes out as an SS7 call. If the terminating side is not configured properly, the originating side may pause indefinitely.

Workaround: There is no workaround.

CSCeb04599

Symptoms: A Cisco 1700 series router with a 1-port T1 multi-flex voice/WAN interface card (MFT-T1 VWIC) sometimes fails to create the voice port.

Conditions: This symptom is observed on a Cisco 1700 series router when you enter the following configuration commands very rapidly:

no call-manager fallback

pri-group timeslots 1-24

Workaround: There is no workaround.

CSCeb04687

Symptoms: It may not be possible to send a fax to a mail server on a Cisco AS5350 or a Cisco AS5400. The mail server may fail to receive an e-mail when a fax is sent by using E1-R2 signaling.

Conditions: This symptom is observed on a Cisco AS5350 or a Cisco AS5400 when a fax is sent by using E1-R2 signaling.

Workaround: There is no workaround.

CSCeb05118

Symptoms: A Cisco MGX Route Processor Module (RPM-XF) router that is configured as an Edge Label Switch Router (ELSR) may reload when deleting Multiprotocol Label Switching (MPLS) type subinterfaces.

Conditions: This symptom is observed on a Cisco RPM-XF when you remove the routes and stray label virtual circuits (LVCs) are not removed; then when you delete the MPLS subinterfaces, the RPM-XF may be reset.

Workaround: There is no workaround.

CSCeb05519

Symptoms: The core router Multiprotocol Label Switching (MPLS) forwarding entry has the correct outgoing interface but has an incorrect label to use for sending traffic to the edge router. The incorrect label is identical to the label that is sent by another core router for the same prefix through another interface.

Conditions: This symptom is observed in a service provider network when the route to the prefix that has the incorrect MPLS forwarding entry is configured using a static recursive route and the specific IP address that is specified in the ip route prefix mask ip-address global configuration command is changed by topology changes to go through a different adjacent router. The incorrect outgoing Label Distribution Protocol (LDP) or Tag Distribution Protocol (TDP) label corresponds to the router that was adjacent prior to the routing change.

Workaround: To clear this condition, enter the clear ip route {network [mask] | *} EXEC command to cause MPLS to create a new forwarding entry that has the correct interface and label for the prefix.

To prevent this condition from occurring, advertise the route to the prefix in question using an Interior Gateway Protocol (IGP).

Alternate Workaround: Configure a static nonrecursive route to the prefix and IP address of the next-hop router by entering the ip route prefix mask ip-address interface-type interface-number global configuration command.

CSCeb05672

Symptoms: Cisco IOS Server Load Balancing (SLB) packets that are switched at the process level instead of at the Forwarding Information Base (FIB) level may be dropped by a Cisco router.

Conditions: This symptom is observed when the virtual IP destination address is a dynamic alias, which occurs when the virtual IP destination address is a member of a subnet on the interface of a router.

Workaround: Enable Cisco Express Forwarding (CEF) switching by entering the ip cef global configuration command, and enter the ip route-cache cef interface configuration command on the destination interface.

CSCeb06375

Symptoms: An access list may fail to work as configured.

Conditions: This symptom may be observed when virtual circuits (VCs) are torn down and recreated. The symptom occurs after the switch subinterface is shut down and then brought up.

Workaround: Remove the access list and add it again.

CSCeb06567

Symptoms: The NetFlow microcode may be flawed and cause the Parallel Express Forwarding (PXF) engine to reload with the following error message:

IHB Exception - watchdog timer expired

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Service Engine (NSE) and on a Cisco 7401.

Workaround: Disable PXF if this is an option. Otherwise, there is no workaround.

CSCeb06598

Symptoms: A call may pause indefinitely when an application makes a disconnect request before the "proceeding" message for the outgoing leg is received.

Conditions: This symptom is observed only when the trunk group rotary is enabled on a router.

Workaround: There is no workaround.

CSCeb06697

Symptoms: The following message may appear when the same Hot Standby Router Protocol (HSRP) IP address is used in different Virtual Private Network (VPN) routing/forwarding (VRF) instances:

% x.x.x.x is assigned to other application on GigabitEthernet1/0

Conditions: This symptom is observed when you attempt to configure the same HSRP IP address on different VRF instances.

Workaround: There is no workaround.

CSCeb06850

Symptoms: PPP over ATM (PPPoA) may not process configuration changes.

Conditions: This symptom is observed when you change the quality of service (QoS) for ATM.

Workaround: There is no workaround.

CSCeb06973

Symptoms: Cisco IOS Release 12.2 T does not send the nsp-ip address but instead uses the nrp-ip address for radius-server attribute 4, even when the configuration means nsp-ip should be used.

Conditions: This symptom is observed on a Cisco 6400 series with a node route processor 1 (NRP-1) that is running Cisco IOS Release 12.2(13)T through Release 12.2(15)T1. The nsp-ip address with radius-server attribute nas-port format d configured should be sent, but instead, the nrp-ip address that is configured with ip radius source interface interface-x is incorrectly sent.

The nrp-ip attribute should be sent only in these conditions: when radius-server attribute nas-port format d is not configured or when radius-server attribute 4 nrp and radius-server attribute nas-port format d are configured.

Workaround: There is no workaround for Release 12.2 T. The symptom is not observed in Release 12.2(4)B3 to Release 12.2(4)B7.

CSCeb07595

Symptoms: Reducing or increasing the virtual channel identifier (VCI) range several times on a Multiprotocol Label Switching (MPLS) partition under an ATM interface partition on a provider edge (PE) router can cause the router to reload.

Conditions: This symptom is observed on a Cisco 7200 series router or a Cisco Route Processor Module (RPM) that is configured as a provider edge (PE) router in a cell-based MPLS Virtual Private Network (VPN).

Workaround: The router will not reload if you shut down the ATM interface before you make any changes in the configuration (for example, changing the VCI range).

CSCeb09287

Symptoms: It may be difficult to make an Inverse Multiplexing over ATM (IMA) link between a Cisco router and other vendor equipment.

Conditions: This symptom is observed on Cisco 2600 series and Cisco 3600 series routers. When an IMA link is configured between the Cisco 2600 series and the Cisco 3600 series and other vendor equipment, the Cisco routers keep sending the test link command (set to 1) in the IMA Control Protocol (ICP) cell regardless of the ima test interface configuration command. Both the Cisco 2600 series and Cisco 3600 series platforms need the fix for the caveat CSCds55768 to eliminate this symptom.

Workaround: There is no workaround.

CSCeb09370

Symptoms: A Cisco router reloads when the CNS image agent and CNS image agent password are unconfigured using the no cns image and no cns image password password global configuration commands.

Conditions: This symptom is observed on a Cisco router when the cns image global configuration commands are unconfigured.

Workaround: Do not unconfigure the cns image password password global configuration command after the image agent is unconfigured using the no cns image global configuration command.

CSCeb10053

Symptoms: A Cisco Route Processor Module (RPM-PR) runs out of buffers and causes a segmentation and reassembly (SAR) rx_no_buffers error. This causes the control protocols to flap and data throughput is affected.

Conditions: This symptom is observed if the input data rate to the RPM-PR is much higher than what can be moved out of the system. Cisco IOS will eventually run out of data buffers, and this will cause SAR to run out of buffers also. This symptom may occur when there are high-speed ingress virtual circuits (VCs) going to low-speed egress VCs. This results in severe congestion on the router.

Workaround: There is no workaround.

CSCeb10365

Symptoms: IP sockets are not cleared properly by the router when a call to a terminating gateway (TGW) is not completed successfully. This may lead to a socket leak that could use all the resources of the originating gateway (OGW).

Conditions: This symptom is caused when alternate endpoints are configured in the gatekeeper. If the OGW does not successfully complete a call to the TGW provided in the Admission Confirm (ACF), the OGW will then try the alternate endpoint. However, the socket that is used to send the SETUP message to the first TGW is not cleared properly.

Workaround: Configure the gatekeeper without the use of alternate endpoints, and then reboot the router. There is no way to clear the sockets that are left behind.

CSCeb10423

Symptoms: A router may reload while recording to RAM.

Conditions: This symptom is observed on a Cisco router if the recording occurs after Automatic Speech Recognition (ASR) occurs.

Workaround: Enter the no voice-fastpath enable global configuration command.

CSCeb10465

Symptoms: A Cisco gateway does not send open logical channel (OLC) messages to the Cisco H.323 Signaling Interface (HSI) for tunneled H.245 calls.

Conditions: This symptom is observed in a test situation on a Cisco 3640 that is running Cisco IOS Release 12.2(11)T8 and that has H.245 enabled.

Workaround: There is no workaround.

CSCeb10788

Symptoms: A Cisco IOS Dynamic Host Configuration Protocol (DHCP) client may reuse the IP lease information for another new address request. It does not update the client context. This may cause the router to reload.

Conditions: This symptom is observed on a Cisco router that is configured with DHCP.

Workaround: There is no workaround.

CSCeb11203

Symptoms: A Route Reflector (RR) that receives a prefix for a customer edge (CE) router may advertise this prefix to one of its clients, causing an erroneous route to be established.

Conditions: This symptom is observed on a Cisco 7200 VXR series and a Cisco 7500 series that are running Cisco IOS Release 12.2(14)S1, that function as provider edge (PE) routers that are running IP version 6 (IPv6) in a Multiprotocol Label Switching (MPLS) environment (also referred to as 6PE routers), and that also function as RRs.

Workaround: There is no workaround.

CSCeb11960

Symptoms: On a Cisco AS5850 Enhanced Route Switch Controller (ERSC), the utilization of the processor is very low during a stress test with ISDN digital Multilink PPP (MLP) calls.

Conditions: This symptom is observed on a Cisco AS5850 that acts as an ERSC.

Workaround: There is no workaround.

CSCeb12158

Symptoms: An E1 controller does not come up when the hardware loopback cable is connected or is in loopback mode.

Conditions: This symptom is observed on a Cisco AS5850 universal gateway.

Workaround: There is no workaround.

CSCeb12463

Symptoms: A Cisco 7206VXR may encounter the following authentication, authorization, and accounting (AAA) message errors:

%SYS-2-CCA_INT_ERR: CCA Detected Logic Error, code = 16

-Traceback= 607E1108 607E2888 607E06D4 607E0734 607E0920 606DF050 606DF094 606D3E04 606D7DC4 606C9378 606DBC60 6

Conditions: This symptom is observed on a Cisco 7206VXR that is running Cisco IOS Release 12.2(16.4)T.

Workaround: There is no workaround.

CSCeb13026

Symptoms: The Cisco IOS TACACS+ is not able to communicate with a TACACS+ server.

Conditions: This symptom occurs when no authentication and encryption key has been configured.

Workaround: Define a key.

CSCeb13156

Symptoms: After a Cisco AS5850 router is reloaded, the first 911 call sends two KP tones to mark the beginning of the Automatic Number Identification (ANI) and the Digital Number Identification Service (DNIS) digits, instead of one KP tone.

Conditions: This symptom is observed after the Cisco AS5850 has been reloaded or after Media Gateway Control Protocol (MGCP) has been explicitly restarted by issuing the no mgcp router configuration command followed by the mgcp router configuration command. The symptom will not occur again until MGCP is restarted again.

Workaround: There is no workaround.

CSCeb13285

Symptoms: The output of the CNS exec command indicates that the reply subject is being mapped by the name space mapper within the event gateway.

Conditions: This symptom is observed on a Cisco router that has CNS configured and that is running any version of Cisco IOS Release 12.2 T or Release 12.3.

Workaround: There is no workaround. The name space mapper appends the device ID of the router to the subject provided by the event agent.

CSCeb13472

Symptoms: A basic ping fails on the port channel interface.

Conditions: This symptom is observed on a Cisco 7200 series that is running Cisco IOS Release 12.2(15)T3.

Workaround: There is no workaround.

CSCeb13548

Symptoms: The "Class-Based RTP and TCP Header Compression" feature introduced in Cisco IOS Release 12.2(13)T permits the configuration of Real-Time Protocol (RTP) and TCP header-compression within MQC. On the Cisco 2691 platform, this feature is configurable in Release 12.2(13)T but is not configurable from Release 12.2(13.4)T forward, or in the current mainline builds of Release 12.3 or Release 12.3T.

Conditions: This symptom is observed on a Cisco 2691 router. The feature is configurable in Cisco IOS Release 12.3(1) on the Cisco 1760, Cisco 2600, Cisco 3640, Cisco 3745, and Cisco 7200 series platforms, but not on the Cisco 2691 for the same Cisco IOS release. See the following information for the Cisco 2691:

c2691#

c2691#conf t

Enter configuration commands, one per line. End with CNTL/Z.

c2691(config)#!

c2691(config)# class-map match-any voice-rtp

c2691(config-cmap)# match ip rtp 16384 16383

c2691(config-cmap)# class-map match-any voice-tcp

c2691(config-cmap)# match access-group 100

c2691(config-cmap)#!

c2691(config-cmap)#!

c2691(config-cmap)# policy-map llq_voice

c2691(config-pmap)# class voice-rtp

c2691(config-pmap-c)# priority 512

c2691(config-pmap-c)# class voice-tcp

c2691(config-pmap-c)# bandwidth 16

c2691(config-pmap-c)# class class-default

c2691(config-pmap-c)# fair-queue

c2691(config-pmap-c)#!

c2691(config-pmap-c)#class voice-rtp

c2691(config-pmap-c)#?

QoS policy-map class configuration commands:

bandwidth Bandwidth

drop Drop all packets

exit Exit from QoS class action configuration mode

no Negate or set default values of a command

police Police

priority Strict Scheduling Priority for this Class

queue-limit Queue Max Threshold for Tail Drop

random-detect Enable Random Early Detection as drop policy

service-policy Configure QoS Service Policy

set Set QoS values

shape Traffic Shaping

<cr>

c2691(config-pmap-c)#compression ?

% Unrecognized command

c2691(config-pmap-c)#compression header ip rtp ^

% Invalid input detected at '^' marker.

c2691(config-pmap-c)#

c2691(config-pmap-c)#^Z

c2691#

%SYS-5-CONFIG_I: Configured from console by vty0 (64.102.50.34)

Workaround: Configure the RTP and TCP header-compression directly on the interface of interest.

Also, see the related caveat, CSCeb26383 "c3725: MQC IPHC compression header CLI commands are not accepted".

Alternate Workaround: Cisco IOS Release 12.2(13)T through Release 12.2(13)T3 are not affected by this software defect.

CSCeb13834

Symptoms: Calls between Voice over IP (VoIP) or a public switched telephone network (PSTN) and an IP telephone that is connected to a Cisco IOS Telephony Services (ITS) have only one-way audio when VLAN 802.1q or Inter-Switch Link (ISL) is used.

Conditions: This symptom is observed on a Cisco 2600 series that is running Cisco IOS Release 12.3(1.4). The symptom is caused by a malformed Layer 2 VLAN encapsulation header on all voice packets that are sent by the router to the IP telephone.

Workaround: Use Cisco IOS Release 12.2(11)YT2, Release 12.2(15)Tx, or Release 12.2(15)ZJ for Cisco ITS and Survivable Remote Site Telephony (SRST) products.

CSCeb14562

Symptoms: A Gigabit interface bounces when a bridge group is either added or removed from the Gigabit subinterface. Traffic stops on all other subinterfaces until the interface comes back up again.

See the following example:

interface GigabitEthernet0/1

no ip address

duplex full

speed 1000

media-type gbic

no negotiation auto

!

interface GigabitEthernet0/1.10

encapsulation dot1Q 10

!

interface GigabitEthernet0/1.11

encapsulation dot1Q 11

bridge-group 11

!

interface GigabitEthernet0/1.12

encapsulation dot1Q 12

bridge-group 12

NPE-G1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

NPE-G1(config)#interface GigabitEthernet0/1.10

NPE-G1(config-subif)#bri

NPE-G1(config-subif)#bridge-group 10

NPE-G1(config-subif)#

At this point, the corresponding switchport shows the following:

%ETHC-5-PORTFROMSTP:Port 1/1 left bridge port 1/1

%DTP-5-NONTRUNKPORTON:Port 1/1 has become non-trunk

%DTP-5-TRUNKPORTON:Port 1/1 has become dot1q trunk

%ETHC-5-PORTTOSTP:Port 1/1 joined bridge port 1/1

Conditions: This symptom is observed on a Cisco 7200 series Network Processing Engine NPE-G1 (NPE-G1).

Workaround: There is no workaround. Use the set spantree portfast mod_num/port_num enable command in privileged mode to configure "spanning tree PortFast" on a trunk on the switchport to reduce the duration of the outage.

CSCeb15428

Symptoms: ISDN, authentication, authorization, and accounting (AAA), and I/O memory leaks may occur when virtual profile synchronization calls are made. Gradually, the memory depletes.

Conditions: This symptom is observed on a Cisco AS5850 when virtual profile synchronization calls are made.

Workaround: There is no workaround.

CSCeb16873

Symptoms: A compatibility issue exists with Cisco IOS software, VPN3000 series concentrators, and a third-party vendor certificate authority (CA). The VPN3000 and Cisco IOS software interpret the certificates of the third-party vendor differently.

Both the VPN3000 and the Cisco IOS software use the "OU=...." field in the certificate to determine which group the connecting client belongs to. The group corresponds to the Cisco IOS crypto isakmp client configuration group group-name IKE security protocol command, in which the certificate must contain "OU=VPN-CUSTOMER-A" to match this group (in this example, VPN-CUSTOMER-A is the group-name).

Conditions: This symptom is observed only in mixed VPN3000 and Cisco IOS environments. A certificate of the third-party vendor has many OU fields that mean different things (for example, OU=xxx, OU=yyyy, OU=zzzz), but Cisco IOS software picks another OU field (the last) and the VPN3000 picks the first OU field. It is not possible to use the third-party vendor CA in a mixed environment that has both a VPN3000 and Cisco IOS software.

Workaround: There is no workaround.
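The first-OU versus last-OU mismatch described in CSCeb16873, shown as an added Python example (not Cisco code): it parses a subject DN string, lists the OU values in order, and reports when the two selection rules would map the same certificate to different groups. The subject strings are constructed samples, the function names are hypothetical, and the example assumes the string lists attributes in the same order as the certificate encodes them.

```python
"""Added example: find certificate subjects whose VPN group depends on OU order."""
import string


def split_unescaped(text, seps):
    """Split text on any character in seps, honouring backslash escapes and quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escape intact for unescape()
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(value):
    """Undo DN string escaping: surrounding quotes, \\<char> and \\<hex pair>."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", "replace")


def parse_subject(dn):
    """Return the (attribute, value) pairs of a subject DN in the order written."""
    pairs = []
    for rdn in split_unescaped(dn, ",;"):
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN
            if not ava.strip():
                continue
            attr, eq, value = ava.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute: {ava!r}")
            pairs.append((attr.strip().upper(), unescape(value)))
    return pairs


def group_selection(dn, configured_groups):
    """Compare the first-OU rule (VPN3000) with the last-OU rule (Cisco IOS)."""
    ous = [value for attr, value in parse_subject(dn) if attr == "OU"]
    first = ous[0] if ous else None
    last = ous[-1] if ous else None
    return {
        "ous": ous,
        "first_ou": first,
        "last_ou": last,
        "ambiguous": first != last,
        "first_matches_group": first in configured_groups,
        "last_matches_group": last in configured_groups,
    }


if __name__ == "__main__":
    groups = {"VPN-CUSTOMER-A"}            # group name taken from the caveat text
    samples = [                            # constructed subject strings
        "CN=client1,OU=VPN-CUSTOMER-A,O=Example",
        "CN=client2,OU=VPN-CUSTOMER-A,OU=Example\\, Inc.,OU=Terms,O=Example",
    ]
    for subject in samples:
        result = group_selection(subject, groups)
        verdict = "AMBIGUOUS" if result["ambiguous"] else "ok"
        print(f"{verdict:9} first={result['first_ou']!r} last={result['last_ou']!r}")
```

Run against the subjects a CA actually issues, a check like this shows before deployment which certificates would land in different groups on the two platforms.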

CSCeb18160

Symptoms: When you enter the show ip dhcp binding EXEC command, a router can reload if there is at least one Dynamic Host Configuration Protocol (DHCP) pool that is configured with the vrf command.

Conditions: This symptom is observed on a Cisco 7200 series.

Workaround: Remove the vrf command from the DHCP pool.

Alternate Workaround: Do not execute the show ip dhcp binding EXEC command while there is a VRF-associated DHCP pool.

CSCeb18293

Symptoms: The CNS exec agent configuration is lost after a Cisco router reloads.

Conditions: This symptom is observed on all Cisco routers that are running Cisco IOS Release 12.3.

Workaround: Always configure a host name or an IP address for the CNS exec agent, even if one is not needed. Use an IP address that is not known to have a device at that address or a string name that will fail upon DNS lookup.

CSCeb18311

Symptoms: IP security (IPSec) security associations (SAs) on a router are deleted exactly 30 seconds after the Internet Security Association and Key Management Protocol (ISAKMP) SA rekey. This results in a short loss of connectivity over the tunnel.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(15)T or Release 12.3(1), that has the crypto isakmp keepalive command in its configuration and that is connected to another router that is running Cisco IOS Release 12.2.

Workaround: There is no workaround. Most of the time, connectivity is restored within the several seconds needed to negotiate a new pair of IPSec SAs.

CSCeb18618

Symptoms: When a VPN Services Module (VPNSM) is used on the Cisco Catalyst 6000, Internet Key Exchange (IKE) traffic is not marked as precedence 6 (it is marked as precedence 0). IKE traffic may be lost under heavy congestion even when quality of service (QoS) is enabled.

Conditions: This symptom is observed on a Cisco Catalyst 6000 that is using a VPNSM and that has QoS enabled.

Workaround: There is no workaround to mark this traffic for egress interfaces that are LAN interfaces on a Supervisor Engine 2 (Sup2). Only ingress policies are supported on this platform. For WAN interfaces, IKE traffic may be marked on egress with precedence 6 via a service policy configuration as follows:

policy-map vpn-wan-qos

class IKE-Traffic

bandwidth percent 10

random-detect

set ip precedence 6

class HP-traffic

bandwidth percent 10

random-detect

class LL-traffic

priority percent 20

class-map match-all IKE-Traffic

match access-group 105

class-map match-any LL-traffic

match ip precedence 4 5

class-map match-all HP-traffic

match ip precedence 6 7

access-list 105 permit udp any eq isakmp any eq isakmp

interface POS7/0/0

mtu 4500

no ip address

service-policy output vpn-wan-qos

crypto connect vlan 53

end

CSCeb18921

Symptoms: A Cisco gatekeeper may output the following debug event if it sends a location request (LRQ) to a directory gatekeeper that in turn sends out multiple LRQs to destination gatekeepers, and if one of the destination gatekeepers responds with a location reject (LRJ):

ASSERT failed: line 7950 in file ../mm/gk/gk_rassrv.c.

Conditions: This symptom is observed if the directory gatekeeper is configured in blast mode. The directory gatekeeper sends out multiple LRQs with the same sequence number, and all the responses come back directly to the leaf gatekeeper. If the leaf gatekeeper receives an LRJ followed by a Routing Information Protocol (RIP) message for a given LRQ, the LRJ stops the LRQ timer. Once the RIP message is processed, the ASSERT response is reported because it is expecting the LRQ timer to be running.

Workaround: This debug event is more of an annoyance than an issue that impacts service. As a workaround, the directory gatekeeper may be configured for sequential mode, but this may not be an option for all situations.

CSCeb19726

Symptoms: The following error message may be displayed continuously on the console of a Cisco router, and the router will need to be rebooted:

00:35:58: IPSECcard: an error coming back 0x0006

Conditions: This symptom is observed on a Cisco router when a Virtual Private Network (VPN) encryption and hardware advanced integration module (AIM-VPNII) is used under heavy stress (over 90-percent CPU utilization) and is configured with a large number of generic routing encapsulation (GRE) tunnels.

Workaround: Use the following workarounds:

Decrease the number of GRE tunnels.

Lower the amount of traffic.

Turn off the AIM-VPNII.

CSCeb20877

Symptoms: A Cisco 3660 router that is used as a gatekeeper in Signaling System 7 (SS7) interconnect solutions fails to process calls. Memory held by the gatekeeper process increases considerably after 12 to 24 hours of a light load. The gatekeeper starts sending admission request reject (ARJ) and location reject (LRJ) messages for all admission request (ARQ) and location request (LRQ) messages with the cause code "Resource Unavailable, 47."

Conditions: This symptom is observed on a Cisco 3660 that is running the c3660-ix-mz.123-1.4 image of Cisco IOS Release 12.3(1.4).

Workaround: There is no workaround.

CSCeb20928

Symptoms: A Cisco Node Route Processor 1 (NRP-1), with 2000 PPP over Ethernet (PPPoE) over VLAN sessions, and the multi virtual terminal (VT) feature enabled, pauses indefinitely when sending traffic. CPU utilization reaches 100 percent, and the NRP-1 stops responding.

Conditions: This symptom is observed on a Cisco NRP-1 in heavy traffic.

Workaround: There is no workaround.

CSCeb21064

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCeb21145

Symptoms: An H.323 gateway may reload when the no gateway and gateway global configuration commands are entered. This symptom will occur if anything causes the unregistration and registration of the gateway with the Cisco gatekeeper.

Conditions: This symptom is observed only if a plain old telephone service (POTS) dial peer is configured with a "destination-pattern T" (terminator).

Workaround: Do not use the "destination-pattern T" configuration.

CSCeb21431

Symptoms: A Gigabit Ethernet IP (GEIP) controller on a Cisco 7500 series router does fast-switching of Multiprotocol Label Switching (MPLS) packets received on an Inter-Switch Link (ISL) subinterface instead of using distributed Cisco Express Forwarding (dCEF), even though dCEF is enabled.

Conditions: This symptom is observed on the GEIP controller of a Cisco 7500 series. The symptom is not observed on a GEIP+ controller.

Workaround: There is no workaround.

CSCeb21638

Symptoms: Network Address Translation Traversal (NAT-T) and prefragmentation do not function correctly on a Cisco router. Traffic goes through but all the packets are process switched, regardless of the type of switching that is configured.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(1.3)T.

Workaround: There is no workaround.

CSCeb23463

Symptoms: H.323 vendor-specific attributes (VSAs) are absent on a RADIUS server.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(1.7) when T.37 off-ramp calls occur.

Workaround: There is no workaround.

CSCeb23822

Symptoms: Under a heavy call load, a Foreign Exchange Station (FXS) port fails to return to the DORMANT state.

Conditions: This symptom is observed on a Cisco IAD2420 series, Cisco 2600 series, and a Cisco 3600 series when a call setup fails. The FXS port is left in an UP state after the call is cleared.

Workaround: Use the shutdown interface configuration command followed by the no shutdown interface configuration command to restore the function of the FXS port.

CSCeb25177

Symptoms: Even though distributed Cisco Express Forwarding (dCEF) is enabled, a spatial reuse protocol (SRP) controller may not use dCEF but may use fast switching instead.

Conditions: This symptom is observed on a Cisco 7500 series when a Multiprotocol Label Switching (MPLS) packet is received.

Workaround: There is no workaround.

CSCeb25416

Symptoms: A unit under test (UUT) router may reload after a fingerprint configuration is issued.

Conditions: This symptom is observed on a Cisco 805 router that is running Cisco IOS Release 12.3(1.7).

Workaround: There is no workaround.

CSCeb26162

Symptoms: A Cisco router may delay the transmission of the RADIUS Accounting-On message for too long.

Conditions: This symptom is observed on a Cisco router that is terminating PPP sessions. The delay in the transmission of the RADIUS Accounting-On message clears the accounting data related to the PPP sessions that are already up from the RADIUS server.

Workaround: Reset the PPP over X (PPPoX) clients that connected too early.

CSCeb26389

Symptoms: The same local label may be allocated to two different prefixes, which may be learned via two different routing protocols.

The Cisco Express Forwarding (CEF) entry for these two prefixes shows the same local label. Depending on how the route was learned, the local label in the Border Gateway Protocol (BGP) or Label Distribution Protocol (LDP) database may show the same label or two different labels for the two prefixes.

The Multiprotocol Label Switching (MPLS) forwarding table has only one entry that matches the last prefix that used the local label, and there is no entry for the other prefix. This situation may lead to a connectivity failure for the prefix that does not have an entry in the MPLS forwarding table.

Conditions: These symptoms are observed on a Cisco router that is configured with the MPLS VPN Carrier Supporting Carrier IPv4 BGP Label Distribution feature and that has both BGP IP version 4 (IPv4) label distribution entries and LDP entries in the Routing Information Base (RIB).

The symptoms occur when a route is learned via both BGP IPv4 label distribution and Interior Gateway Protocol (IGP) (for example via Open Shortest Path First [OSPF] or Intermediate System-to-Intermediate System [IS-IS]), and the route that is learned via BGP IPv4 label distribution replaces the route that is learned via IGP in the RIB.

A list of the affected releases can be found at http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdx74321. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: Ensure that the local label is reallocated for the first prefix that does not have an entry in the MPLS forwarding table:

If the first prefix is learned via BGP IPv4 label distribution, enter the clear ip bgp neighbor-address or clear ip bgp * privileged EXEC command.

If the first prefix is learned via IGP and allocated by LDP, enter the no mpls ip global configuration command followed by the mpls ip global configuration command in order to restart LDP. If the route can be removed from IGP and then relearned via BGP IPv4 label distribution, LDP reallocates a local label.

CSCeb26650

Symptoms: After a "submit" element with "post" method in a Voice XML (VXML) document, the "submit" element with the "get" method no longer works.

Conditions: This symptom is observed on all Cisco gateways that support VXML.

Workaround: There is no workaround.

CSCeb26797

Symptoms: A directed Label Distribution Protocol (LDP) session between two provider edge (PE) routers may not come up in an Any Transport over Multiprotocol Label Switching (AToM) configuration.

Conditions: This symptom is observed when the value of the seconds argument in the mpls ldp discovery targeted-hello holdtime seconds global configuration command differs on both PE routers.

Workaround: Ensure that the value of the seconds argument is equal on both PE routers.

CSCeb26845

Symptoms: A VoiceXML (VXML) application that is configured on the plain old telephone service (POTS) dial peer is not invoked when a call is made that matches the called parameters.

Conditions: This symptom is observed on a Cisco router that is using Cisco IOS Release 12.3(1.7) and that tries to use a VXML application with a matching Multimedia Mail over IP (MMoIP) dial peer for incoming calls.

Workaround: Shut down the MMoIP dial peer or use a nonmatching MMoIP dial peer.

CSCeb27323

Symptoms: When the cached access control list (ACL) filter feature is used on a Cisco router, the ACLs are not correctly installed.

Conditions: This symptom is observed on a Cisco router that uses the cached ACL filter feature. It does not affect other uses of ACL.

Workaround: There is no workaround.

CSCeb27443

Symptoms: An STM-1 feature board will not boot because of an initialization failure.

Conditions: This symptom is observed on a Cisco AS5850 with a Revision 3 STM-1 feature board that does not have the engineering fields of the serial EEPROM programmed.

Workaround: Program the engineering fields of the serial EEPROM on the STM-1 feature board.

CSCeb27812

Symptoms: A Cisco 3660 router may have a memory leak in the crypto Internet Key Management Protocol (IKMP) process after repeated attempts are made to connect to the Certificate Authority (CA) server that holds the certificate revocation list (CRL).

Conditions: This symptom is observed on a Cisco 3660 router that is running Cisco IOS Release 12.2(15)T2.

Workaround: There is no workaround.

CSCeb28065

Symptoms: A Cisco router that is configured for IP over Multiprotocol Label Switching (MPLS) may reload.

Conditions: This symptom is observed when Label Distribution Protocol (LDP) peers of the Cisco router advertise a large number of IP addresses because interfaces flap or are configured.

Workaround: There is no workaround.

CSCeb28993

Symptoms: On PRI and BRI interfaces, the translation rule that is applied on the voice port for the calling number does not function when the calling number information element (IE) is not present in the setup message from the private automatic branch exchange (PABX).

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(13)T or Release 12.2(15)T2 if the plain old telephone service (POTS) dial peer that corresponds to the voice port is set with a wildcard.

Workaround: There is no workaround.

CSCeb29015

Symptoms: When a voice interactive response (IVR) application that runs on a Cisco gateway turns on the connect event interception feature during call setup, the call setup fails because IVR applications cannot receive the "ev_setup_done" event that contains the results of the setup.

Conditions: This symptom is observed on a Cisco gateway when a call setup is placed with the connect event that is being intercepted.

Workaround: Turn off the connect event interception feature.

CSCeb29070

Symptoms: When you enter the copy running-config startup-config EXEC command or any other command that affects the configuration, the copy process may not be successful or the configuration may not be saved, and a "File table overflow" error message may be generated. After this situation has occurred, any other file-operation attempts will also fail with a "File table overflow" error message.

Conditions: This symptom is observed on a Cisco router that is configured with dual Route Processors (RPs) and that runs Cisco IOS Release 12.0(23)S2 when you enter any command that affects the configuration while the show running-config EXEC command is being executed, which takes a relatively long time when the running configuration is large.

To clear the symptom, reload the router.

Workaround: Do not enter any command that affects the configuration while the show running-config EXEC command is being executed.

CSCeb29114

Symptoms: Data calls may not be authenticated with authentication, authorization, and accounting (AAA) on a Cisco AS5850.

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.3(1.7).

Workaround: There is no workaround.

CSCeb29695

Symptoms: Calls on an E1 controller within an STM-1 trunk card using Media Gateway Control Protocol (MGCP) and PRI backhaul may not come up.

Conditions: This symptom is observed with a STM-1 trunk card on a Cisco AS5850 that is running Cisco IOS Release 12.3 or Release 12.3 T.

Workaround: Configure a PRI group under the E1 controller after the system and the STM-1 card are up. If the system reloads, unconfigure the PRI group and add the group again.

CSCeb30936

Symptoms: A Cisco router may pause when it makes a T.37 off-ramp fax call.

Conditions: This symptom is observed if there is no outgoing plain old telephone service (POTS) dial peer that is configured for a T.37 off-ramp fax call on the Cisco gateway. Instead, an outgoing Voice over IP (VoIP) dial peer is configured whose destination pattern matches the called number of the T.37 off-ramp fax call.

Workaround: Correct the misconfiguration on the router.

CSCeb31420

Symptoms: The no battery-reversal [answer] voice-port configuration command on Foreign Exchange Office (FXO) voice ports is recognized as an ambiguous command and is rejected with the following error messages:

>c3725a(config-voiceport)# no battery-reversal?

>battery-reversal battery-reversal-delay

>

>c3725a(config-voiceport)# no battery-reversal

>% Ambiguous command: "no battery-reversal"

>c3725a(config-voiceport)#

Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.3(1.6), Release 12.3(1.6)T, or later releases. The symptom has been observed since the battery-reversal-delay voice-port configuration command was introduced in caveat CSCdz88312.

Workaround: There is no workaround.

CSCeb31520

Symptoms: The use of the clear interface EXEC command on a PPP over ATM (PPPoA) virtual access interface may cause a performance routing engine 2 (PRE2) to reload.

Conditions: This symptom is observed on a PRE2 when the conditional debug feature is turned on.

Workaround: There is no workaround.

CSCeb31614

Symptoms: A Cisco 3600 series or Cisco 3700 series router that uses a Virtual Private Network card (AIM-VPN/EPII or AIM-VPN/HPII) and that is configured with Advanced Encryption Standard (AES) wide-keys (192- or 256-bit) may stop encrypting or decrypting traffic. The output from the show processes cpu sorted EXEC command indicates that the "Crypto Delete Manager" process is hogging the CPU.

Conditions: This symptom is observed on a Cisco 3600 series or a Cisco 3700 series router that is running Cisco IOS Release 12.3(1), that uses a Virtual Private Network card (AIM-VPN/EPII or AIM-VPN/HPII), and that is configured with AES transform with wide-keys (192- or 256-bit).

Workaround: Use 128-bit AES.

CSCeb32649

Symptoms: A router may pause indefinitely when making E1 R2 fax calls.

Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.3(1.7).

Workaround: There is no workaround.

CSCeb33403

Symptoms: When clients move from one subnet to another subnet on a Cisco 6500 series, the clients retain the old addresses rather than getting new addresses.

Conditions: This symptom is observed on a Cisco 6500 series with a Multilayer Switch Feature Card (MSFC) that acts as a Dynamic Host Configuration Protocol (DHCP) server. Sniffer traces reveal that when clients request the use of the old address in the new subnet with a DHCP request, the MSFC does not send a negative acknowledgement (NAK) and then the clients retain the old address. This symptom is observed on wireless and wired clients.

Workaround: Clear the binding of the DHCP client on the DHCP server.

CSCeb34647

Symptoms: Calls can no longer be made on a Cisco AS5400 router that is configured with Non-Facility Associated Signaling (NFAS) after the primary D channel is shut down and the router is forced to switch over to the backup D channel.

Conditions: This symptom is observed on a Cisco AS5400 router that is configured with NFAS.

Workaround: There is no workaround.

CSCeb34687

Symptoms: Use of the show version EXEC command still shows the L3 cache in use even though the configuration includes the cache L3 bypass diagnostic command-line interface (CLI) command and the MGX Router Processor Module (RPM-XF) has been reloaded.

Conditions: This symptom is observed on a Cisco RPM-XF when a no redundancy switchover is performed.

Workaround: Perform a 1:N redundancy switchover.

CSCeb35608

Symptoms: A memory leak may occur on a Versatile Interface Processor (VIP) because buffers are not returned, which can be verified through the output of the show memory summary EXEC command: the first lines in the output display the processor memory and indicate that free memory is decreasing and that the largest contiguous memory block is decreasing.

Conditions: This symptom is observed on a Cisco 7500 series when the VIP is configured with the ip mroute-cache distributed interface configuration command, when there are at least two outgoing interfaces, and when the bandwidth of the incoming traffic exceeds that of the outgoing interfaces.

Possible Workaround: Disable the ip mroute-cache distributed interface configuration on the VIP. To free up the held memory, reload the microcode onto the VIP.

CSCeb36379

Symptoms: If a session is preauthenticated by use of a preauthorization configuration, virtual private dial-up networks (VPDNs) fail to authorize a tunnel via RADIUS.

Conditions: This symptom is observed for tunnel users who are preauthenticated using Calling Line ID (CLID) dialed number identification service (DNIS). Once they are authenticated, subsequent tunnel authorization fails when a request is sent to RADIUS.

Workaround: Authorize the tunnels locally or avoid preauthorization, if possible.

CSCeb36599

Symptoms: A Cisco router reloads intermittently after one or two days of work.

Conditions: This symptom is observed on a Cisco 3745 router. There appear to be no special conditions necessary for the router to reload.

Workaround: There is no workaround.

CSCeb38286

Symptoms: A Node Route Processor 1 (NRP-1) on a Cisco 6400 series may reload.

Conditions: This symptom is observed on a Cisco 6400 series that is configured with a Fast Ethernet interface. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCin44735. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

CSCeb38896

Symptoms: When a Cisco router tries to produce a RADIUS packet, the following error message is produced:

%AAA-3-BUFFER_OVERFLOW: Radius I/O buffer has overflowed

The error message is followed by a traceback and is produced even if the packet contains only a small number of attributes that are not large enough to overflow the temporary buffer used to construct the packet.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2.

Workaround: There is no workaround.

CSCeb39331

Symptoms: A Cisco router drops calls intermittently or prevents some calls from connecting.

Conditions: This symptom is observed on a Cisco router when Cisco Express Forwarding (CEF) with Real-Time Protocol (RTP) header compression is enabled. This symptom occurs because the header compression packets get out of synchronization. If RTP header compression with process switching is used, CPU utilization goes too high.

Workaround: There is no workaround.

CSCeb39751

Symptoms: During an online insertion and removal (OIR) of feature boards (FBs) on a Cisco AS5850 router, the router may pause indefinitely.

Conditions: This symptom is observed on a Cisco AS5850 router that is running a c5850-p9-mz image of Cisco IOS Release 12.2(15)T5.

Workaround: There is no workaround.

CSCeb40895

Symptoms: A Cisco 3660 router may reload when an e-mail is sent from a mail server to the Cisco 3660, and the router attempts to convert the e-mail into a TIF fax.

Conditions: This symptom is observed on a Cisco 3660 router that uses T1 channel-associated signaling (CAS) to make T.37 off-ramp calls.

Workaround: There is no workaround.

CSCeb41735

Symptoms: The interfaceSpecificBillingId field in the admission request (ARQ) nonstandard message needs to be copied and included in the location request (LRQ) nonstandard message.

Conditions: This symptom is observed on all Cisco gatekeepers (for example, Cisco 2600 series, Cisco 3600 series, Cisco 7200 series) when they get ARQ nonstandard field information from a voice gateway.

Workaround: There is no workaround.

CSCeb42347

Symptoms: Digital signal processor (DSP) statistics are not passed in a Delete Connection (DLCX) message acknowledgement at the end of a call.

Conditions: This symptom is observed on a Cisco router that has Media Gateway Control Protocol (MGCP) configured.

Workaround: There is no workaround.

CSCeb42356

Symptoms: The cns config initial and cns config partial global configuration commands may not completely apply a configuration. An error message and traceback may appear on the router.

Conditions: This symptom is observed on a Cisco AS3550 router when the cns config initial or cns config partial global configuration commands are used to apply the configuration and the configuration contains a policy map command.

Workaround: There is no workaround.

CSCeb42418

Symptoms: The plain old telephone service (POTS) leg of a call gets stuck. The call remains active even though a disconnect message is sent toward the POTS leg.

Conditions: This symptom is observed when a script with a Tool Command Language (TCL) syntax error is used on the incoming POTS leg.

Workaround: There is no workaround.

CSCeb43224

Symptoms: An H.225 connect message with a Frame Station (FS) element from a third-party proxy is not forwarded to the originating gateway (OGW) and results in one-way voice calls.

Conditions: This symptom is observed on a Cisco IP to IP (IPIP) gateway that has tunneling enabled.

Workaround: Disable tunneling.

CSCeb43355

Symptoms: A Cisco router may pause indefinitely because of memory corruption.

Conditions: This symptom is observed on a Cisco router whenever the show atm svc [vpi/vci | name | interface atm interface-number] EXEC command or the show atm vc [vcd | interface interface-number] EXEC command is entered.

Workaround: There is no workaround.

CSCeb43548

Symptoms: When the tx-ring-limit interface configuration command is used and the value is set at 3, packets are dropped.

Conditions: This symptom is observed on a Cisco router that is configured with QoS and that uses digital subscriber line (DSL) interfaces.

Workaround: Remove the tx-ring-limit 3 command for non-QoS configurations. When a QoS configuration is required, use Cisco IOS Release 12.2(15)T or a later release, or use Release 12.3(1).

CSCeb43937

Symptoms: TACACS+ and Network Control Program (NCP) authorization do not work for EXEC authenticated users who then start PPP.

Conditions: This symptom is observed on a Cisco router for all users who perform EXEC authentication and then start PPP.

Workaround: Require all users to do PPP authentication.

CSCeb44128

Symptoms: When the debug tacacs packet EXEC command is enabled, a Cisco router may unexpectedly reload.

Conditions: This symptom is observed on a Cisco router when TACACS+ accounting is enabled.

Workaround: Do not use the debug tacacs packet EXEC command.

CSCeb44695

Symptoms: When generic routing encapsulation (GRE) is protected with IP security (IPSec) by use of the tunnel protection router configuration command and the peer loses its security associations (SAs), the peer that lost its phase 2 SAs does not act upon invalid service profile identifier (SPI) events as it should. This symptom also occurs if the crypto policy is dynamically constructed and the peer loses its phase 2 SAs. This behavior could be tunnel protection for multipoint GRE (mGRE), dynamic crypto maps, crypto profiles for Layer 2 Tunneling Protocol (L2TP) traffic, or Easy VPN connections.

Conditions: This symptom is observed when the original delete notification is not sent because at that time there is no active Internet Key Exchange (IKE) SA between the peers. However, when a new IKE SA is subsequently established and traffic continues to be sent on the old SAs, the peer that does not have the phase 2 SAs still does not generate the necessary delete notifications.

Dead-Peer Detection (DPD) cannot cure either symptom and the tunnel remains unusable until either the SAs are cleared on the peer that has the phase 2 SAs or the SAs time-out normally.

Workaround: There is no workaround.

CSCeb45208

Symptoms: An integrated service adaptor (ISA) card may cease to process commands and packets, which results in a crypto-processing deadlock. An error "1510" will typically result, and packet flow through the card will cease.

Conditions: This symptom is observed on a Cisco 7200 series router that is using Cisco Express Forwarding (CEF) or fast switching. The router is using an ISA card and is configured such that a single packet requires multiple passes through the ISA (such as a hub router terminating multiple tunnels and/or using generic routing encapsulation [GRE] with IP Security [IPSec]). Under these conditions a burst of traffic, or generally medium-to-high traffic levels (above 40 Mbps), may trigger the symptom.

Workarounds:

Use a VPN Acceleration Module (VAM) in place of an ISA as a viable alternative.

Use process switching.

CSCeb45929

Symptoms: An Enterprise Systems Connection (ESCON) Channel Port Adapter (ECPA), Parallel Channel Port Adapter (PCPA), or ECPA version 4 (ECPA4) fails to reactivate after a microcode reload or an online insertion and removal (OIR) and displays the following messages:

Router# microcode reload ecpa4 slot 4

Reload microcode? [confirm]

%PA-4-IMPROPER_REMOVAL: Improper removal for slot 2.

%PA-3-DEACTIVATED: port adapter in bay [2] powered off.

Conditions: This symptom is observed on a Cisco 7200 series that has an ECPA, PCPA, or ECPA4 configured.

Workaround: Reload the router.

CSCeb46191

Symptoms: When a Cisco router is configured for both internal Border Gateway Protocol (iBGP) load balancing and Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN), incorrect MPLS labels may be installed. When one of the load-balancing links flaps, connectivity may be lost between the VPN sites.

Conditions: This symptom is observed in the Cisco IOS releases that are listed in the "First Fixed-in Version" field at the following location:

http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdy76273.

Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: Disable iBGP load balancing.

CSCeb46918

Symptoms: A router may reload at "ipaccess_checksum_on."

Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.3(1a) or Release 12.3(1.8)PI2.

Workaround: There is no workaround.

CSCeb47086

Symptoms: When the integrated Signaling Link Terminal (SLT) functionality is running on a Cisco AS5350 or Cisco AS5400, the Signaling System 7 (SS7) links will not come into service. Using an SS7 analyzer indicates that Link Status Signal Units (LSSUs) are not being transmitted from the Cisco AS5350 or Cisco AS5400 to the SS7 network.

Conditions: This symptom is observed when an 8-port (8PRI) board that contains the D4 version of the MPC860 processor is used. The version of the MPC860 may be verified by using the show chassis slot detail EXEC command. If the board hardware version is 4.0 or greater, this symptom will occur.

Workaround: Use an 8PRI board with a board hardware version less than 4.0.

CSCeb47812

Symptoms: The following error message appears on a Cisco router:

Invalid memory action (malloc) at interrupt level

Conditions: This symptom is observed on a Cisco 7500 series or Cisco 7600 series when you enter the clear counter EXEC command.

Workaround: There is no workaround.

CSCeb48423

Symptoms: Service Selection Gateway (SSG) is unable to resolve a Domain Name System (DNS) query.

Conditions: This symptom is observed on a Cisco 6400 series router.

Workaround: There is no workaround.

CSCeb48517

Symptoms: A Cisco 7200 series that is configured for IP Security (IPSec) Virtual Private Networks (VPNs) and that has hardware acceleration enabled on a service adapter VPN Acceleration Module (SA-VAM) may reload because of a software condition.

Conditions: This symptom is observed on a Cisco 7200 series that has operated normally for a period of time.

Workaround: Enter the crl optional ca-trustpoint configuration command on the router.

CSCeb49222

Symptoms: When multiple trunk groups are used with ISDN Two B-Channel Transfer (TBCT), Cisco IOS software is unable to guarantee that the outgoing call for TBCT will be routed to the same trunk group as the incoming call.

Conditions: This symptom is observed when there are multiple trunk groups configured on the router and each trunk group can support TBCT for the two Digital Signaling Zeros (DS0s) going through it but not across the trunk group.

Workaround: Do not use multiple trunk groups.

CSCeb49708

Symptoms: A Cisco router may pause indefinitely when a PPP over Ethernet over Ethernet (PPPoEoE) session is initiated.

Conditions: This symptom is observed on a Cisco Node Route Processor 2 (NRP-2).

Workaround: There is no workaround.

CSCeb51277

Symptoms: A Cisco router may pause indefinitely when the no telephony-service and no call-manager-fallback global configuration commands are continuously entered on the router.

Conditions: This symptom is observed in a test environment when the router is stressed by continuously entering the no telephony-service and no call-manager-fallback global configuration commands.

Workaround: Do not continuously enter the no telephony-service and no call-manager-fallback global configuration commands.

CSCeb52119

Symptoms: A voice connectivity test may fail.

Conditions: This symptom is observed on a Cisco 1751 router that is running the c1700-sv3y-m image of Cisco IOS Release 12.3(2)T. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCeb52330

This caveat consists of two symptoms, two conditions, and two workarounds.

Symptoms A: The interface commands in the CNS configuration notify changed message contain unexpected data.

Conditions A: This symptom is observed when you configure the CNS cns config notify diff global configuration command and you configure interface global configuration commands on the Cisco IOS device.

Workaround A: There is no workaround if only the changes in the configuration are expected in the CNS configuration notify changed message.

Alternate Workaround A: Specify the all option for the cns config notify global configuration command.

Symptoms B: Once the cns config notify command is configured, the router may not detect a newly created interface.

Conditions B: This symptom is observed when the diff option in the cns config notify global configuration command is selected and a new dynamic interface is created.

Workaround B: There is no workaround.

CSCeb54098

Symptoms: A router that is configured with VPN routing and forwarding (VRF) aware IP security (IPSec) does not route packets in the given VRF; instead, the packets are routed using the default routing table.

Conditions: This symptom is observed on a Cisco router if Cisco Express Forwarding (CEF) is enabled, and if there is a subinterface configured with VRF aware IPSec and another subinterface configured with VRF.

Workaround: Turn off CEF switching on the IPSec aggregator.

CSCeb56480

Symptoms: A Label Distribution Protocol (LDP) session may not be established and may cause network connectivity problems (a ping may fail). The local LDP identifier is set to 0.0.0.0:0 instead of a valid identifier.

Conditions: This symptom is observed in Multiprotocol Label Switching (MPLS) configurations when LDP is enabled.

Workaround: Enter the no mpls ip router configuration command followed by the mpls ip router configuration command.

CSCeb56547

Symptoms: Packets that are received from the Multiprotocol Label Switching (MPLS) backbone by a provider edge (PE) router are not encrypted and are forwarded to the customer edge (CE) router. A traceback appears.

Conditions: This symptom has been observed on a Cisco 2650 router that is configured to terminate IP security (IPSec) tunnels with Virtual Private Network (VPN) routing and forwarding (VRF).

Workaround: There is no workaround.

CSCeb57474

Symptoms: A Cisco feature board may not come up after a system reload.

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.3(1.9)T3.

Workaround: There is no workaround.

CSCeb57571

Symptoms: Bulk updates on a Cisco router do not occur.

Conditions: This symptom is observed on a Cisco router if the configuration is downloaded from the auto configuration (auto_config) file on the Processor Switch Module (PXM).

Workaround: Switch over to a redundant Route Processor Module (RPM).

CSCeb59595

Symptoms: A Cisco router that uses RSA-SIG authentication for Internet Key Exchange (IKE) stops responding because of a watchdog timeout of the crypto certificate authority (CA) process.

Conditions: This symptom is observed if the watchdog timeout occurs when the router receives a sudden barrage of certificate revocation list (CRL) update requests from several peers simultaneously.

Workaround: Make sure that the CRL update requests from the peers are staggered.

CSCeb59738

Symptoms: The output from the show diag EXEC command indicates that a voice interface card (VIC-1J1) is an unknown card.

Conditions: This symptom is observed on a Cisco router that has a VIC-1J1.

Workaround: There is no workaround.

CSCeb60589

Symptoms: A Cisco router may reserve the incorrect amount of bandwidth in the flow reservation procedure. This can lead to incorrect Call Access Control (CAC) calculations and voice quality problems.

Conditions: This symptom is observed on a Cisco router that is configured with Resource Reservation Protocol (RSVP) in order to perform CAC and provide quality of service (QoS) to the Voice over IP (VoIP) traffic.

Workaround: Use another QoS feature instead of RSVP.

CSCeb64165

Symptoms: Internet Key Exchange (IKE) fails if the crl optional ca-identity configuration command is configured on a Cisco router.

Conditions: This symptom is observed on a Cisco router that has IKE configured. If the crl optional command is changed to the crl mandatory command on an nsca-r1 trustpoint, IKE does not fail.

Workaround: Do not configure the crl optional command.

CSCeb64535

Symptoms: The Calling Line ID (CLID) and dialed number identification service (DNIS) information reported in the authentication, authorization, and accounting (AAA) accounting records for RADIUS as Calling-Station-ID and Called-Station-ID may not be accurate.

Conditions: This symptom is observed in a mixed dial-in and dial-out environment in which Large-Scale Dial-Out (LSDO) is used. Some LSDO accounting records contain the number of a different dial-in call. Some dial-in calls report the Called-Station-ID from a previous dial-out call as their Calling-Station-ID.

These symptoms are caused by the network access server (NAS) allocating the same AAA ID to different calls. The output from the debug radius privileged EXEC command sometimes shows the same AAA ID for both calls.

Workaround: There is no workaround.

CSCeb65316

Symptoms: After a Cisco gateway reloads, only the first 24 channels initialize.

Conditions: This symptom is observed on a Cisco gateway that uses Media Gateway Control Protocol (MGCP).

Workaround: There is no workaround.

CSCeb66080

Symptoms: A Cisco AS5850 with a Synchronous Transport Module 1 (STM1) board cannot support a network access server (NAS) on more than 29 Engine 1 (E1) controllers.

Conditions: This symptom is observed on a Cisco AS5850 with an STM1 that is configured for use with the Media Gateway Control Protocol (MGCP). The STM1 has a total of 63 E1 controllers. The system correctly accepts the configuration up to 29 E1 controllers. Starting from the thirtieth E1, the system does not apply the extsig mgcp controller configuration command. The system accepts the command without giving an error message, but the command is not applied to the controller.

Workaround: There is no workaround.

CSCeb66174

Symptoms: The Media Gateway Control Protocol (MGCP) is too slow in acknowledging the delete connection (DLCX) parameter on a Cisco AS5400. The output of the show mgcp stat EXEC command indicates that the CreateConn rx counter is increasing.

Conditions: This symptom is observed when a DLCX is received on a Cisco AS5400 under a heavy call volume with calls on different slots but on the same port number and DS0 number.

Workaround: There is no workaround. The symptom will clear when the call volume decreases.

CSCeb70912

This caveat exhibits several symptoms, each of which has a distinct cause and workaround. All symptoms have the following precondition: The router is configured with the Per VRF AAA feature and is downloading information from a RADIUS server. The aaa authorization template global configuration command is used.

Symptoms 1: A Cisco router may return to ROM monitor (ROMmon) by bus error.

Conditions 1: This symptom occurs when a RADIUS server vendor-specific attribute (VSA) in a user profile is not fully parsed. This can happen if the RADIUS server VSA is malformed, or if the router is unable to allocate storage for one of many data structures associated with the method list, server group, or server.

Workaround 1: If VSA is malformed, correct the RADIUS user profile so that the RADIUS server VSA is correctly formatted. Permissible formats are:

Cisco:Cisco-Avpair = N: "aaa:rad-serv=A.B.C.D auth-port X acct-port Y key Z retransmit V timeout W"

Cisco:Cisco-Avpair = :N: "aaa:rad-serv=A.B.C.D auth-port X acct-port Y key Z retransmit V timeout W"

Cisco:Cisco-Avpair = "aaa:rad-serv#N=A.B.C.D auth-port X acct-port Y key Z retransmit V timeout W"

The following parameters must be present in order to ensure proper function:

The A.B.C.D must be a valid IP address.

The auth-port and acct-port must be valid UDP port values.

The following parameters are optional, provided that a global default is configured on the router:

The key must be a plain text string containing no spaces.

The retransmit value must be zero through 100, inclusive.

The timeout value must be one through 1000, inclusive.

The group number (represented by N in the above example) must be at least 1 and not more than 31.
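The format rules above can be checked before a profile is published on the RADIUS server. The following Python validator is an added example, not Cisco code; the function names and sample lines are constructed for illustration, and the 0 through 65535 port range is an assumption, because the text says only "valid UDP port values".

```python
import ipaddress
import re

# Layouts listed above: "N:" or ":N:" before the quoted value, or "#N"
# inside it. A trailing comma (profile line separator) is tolerated.
AVPAIR_RE = re.compile(
    r'^\s*Cisco:Cisco-Avpair\s*=\s*'
    r'(?::?(?P<prefix>\d{1,9}):\s*)?'
    r'"aaa:rad-serv(?:#(?P<inline>\d{1,9}))?=(?P<body>[^"]*)"\s*,?\s*$',
    re.ASCII,
)

# Inclusive ranges from the text; the port range is an assumption (taken
# here as the full 16-bit UDP port field).
INT_RANGES = {
    "auth-port": (0, 65535),
    "acct-port": (0, 65535),
    "retransmit": (0, 100),
    "timeout": (1, 1000),
}
REQUIRED = ("auth-port", "acct-port")
KEYWORDS = set(INT_RANGES) | {"key"}


def validate_rad_serv_avpair(line):
    """Return the problems found in one profile line ([] means well-formed)."""
    m = AVPAIR_RE.match(line)
    if m is None:
        return ["not one of the three permitted aaa:rad-serv layouts"]
    errors = []

    # Group number N: exactly one of the prefix or "#N" forms, 1..31.
    groups = [g for g in (m.group("prefix"), m.group("inline")) if g is not None]
    if len(groups) != 1:
        errors.append("group number must be given exactly once")
    elif not 1 <= int(groups[0]) <= 31:
        errors.append(f"group number {groups[0]} outside 1..31")

    tokens = m.group("body").split()
    if not tokens:
        return errors + ["server address missing"]
    try:
        ipaddress.IPv4Address(tokens[0])
    except ValueError:
        errors.append(f"{tokens[0]!r} is not a valid A.B.C.D address")

    # Remaining tokens must be keyword/value pairs. A key containing a space
    # shows up here as an unexpected token after the key's first word.
    seen = {}
    rest = tokens[1:]
    i = 0
    while i < len(rest):
        kw = rest[i]
        if kw not in KEYWORDS:
            errors.append(f"unexpected token {kw!r}")
            i += 1
            continue
        if i + 1 >= len(rest):
            errors.append(f"{kw} has no value")
            break
        if kw in seen:
            errors.append(f"{kw} given more than once")
        seen[kw] = rest[i + 1]
        i += 2

    for kw, (lo, hi) in INT_RANGES.items():
        if kw not in seen:
            if kw in REQUIRED:
                errors.append(f"{kw} is required")
            continue
        val = seen[kw]
        ok = val.isascii() and val.isdigit() and len(val) <= 5
        if not (ok and lo <= int(val) <= hi):
            errors.append(f"{kw} {val!r} outside {lo}..{hi}")
    return errors


# Constructed sample profile lines (192.0.2.0/24 is a documentation range).
SAMPLES = [
    'Cisco:Cisco-Avpair = "aaa:rad-serv#1=192.0.2.10 auth-port 1812 '
    'acct-port 1813 key s3cret retransmit 3 timeout 5",',
    'Cisco:Cisco-Avpair = :2: "aaa:rad-serv=192.0.2.11 auth-port 1812 acct-port 1813"',
    'Cisco:Cisco-Avpair = "aaa:rad-serv#32=192.0.2.12 auth-port 1812 acct-port 1813"',
    'Cisco:Cisco-Avpair = "aaa:rad-serv#1=192.0.2.300 auth-port 1812 '
    'key my secret timeout 0"',
    'Cisco:Cisco-Avpair = "aaa:rad-serv#1=192.0.2.13 auth-port 1812 acct-port 1813',
]


def audit(lines):
    """Map each malformed line to its problems; well-formed lines are omitted."""
    return {ln: errs for ln in lines if (errs := validate_rad_serv_avpair(ln))}


if __name__ == "__main__":
    for ln, errs in audit(SAMPLES).items():
        print(ln, "->", "; ".join(errs))
```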

Symptoms 2: The router uses the retransmit value from the RADIUS server VSA as the timeout, and the timeout from the RADIUS server VSA as the number of retransmits.

Conditions 2: This symptom occurs any time the router receives a RADIUS server VSA containing the retransmit or timeout parameters or both.

Workaround 2: Either omit the retransmit and timeout parameters from the VSA, using the global defaults on the router, or swap the two values.

Symptoms 3: The show memory | inc AAA Server handle command will show a steadily increasing number of server handles allocated. Roughly 800 bytes will be consumed for each RADIUS server attribute parsed as part of a downloaded template. An additional roughly 900 bytes will be consumed for each downloaded template in Cisco IOS images which have CSCea85517 integrated. Eventually, all memory on the router will be consumed.

Conditions 3: This symptom occurs any time the RADIUS server VSA is used in a downloaded template to tell the router which RADIUS server to use.

Workaround 3: If you are using a Cisco IOS image which does not have CSCea85517 integrated, and the configuration of local templates is practical, then you can configure local templates instead of downloading them from a RADIUS server.

For example, if you had a template defined on your RADIUS server as:

example.com Password = "EXAMPLE"

Service-Type = Outbound,

Cisco:Cisco-Avpair = "aaa:rad-serv#1=a.b.c.d auth-port XXXX acct-port YYYY key ZZZZZ"

Cisco:Cisco-Avpair = :1:"aaa:rad-serv-vrf=examplevrf",

Cisco:Cisco-Avpair = "template:ppp-authen-type=chap"

Cisco:Cisco-Avpair = "template:ppp-authen-list=group 1",

Cisco:Cisco-Avpair = "template:ppp-author-list=group 1",

Cisco:Cisco-Avpair = "template:ppp-acct-list=start-stop group 1",

Cisco:Cisco-Avpair = "template:ip-vrf=examplevrf"

Cisco:Cisco-Avpair = "template:ip-unnumbered=Loopback 1"

you would instead configure the following:

aaa authorization network default local

radius-server host a.b.c.d auth-port XXXX acct-port YYYY

aaa group server radius example_servers

server a.b.c.d

ip vrf forwarding examplevrf

aaa authentication ppp example_list group example_servers

aaa authorization network example_list group example_servers

aaa accounting network example_list group example_servers

template example.com

ppp authentication chap example_list

ppp authorization example_list

aaa accounting delay-start

aaa accounting send stop-record authentication failure

interface virtual-template 1

ip vrf forwarding examplevrf

ip unnumbered Loopback 1

ppp authentication chap

CSCeb73053

Symptoms: A device is unable to authenticate itself to the PPP peer using local authentication if the interface is not configured with authentication parameters (username and password).

Conditions: This symptom is observed if the peer requests that the device authenticate itself and the corresponding protocol configuration is not present on the interface (for example, ppp pap sent-username or ppp chap password). The session is not established.

Workaround: Enable ppp pap sent-username or ppp chap password on the interface.

Alternate Workaround: Use T+ for mutual bidirectional authentication.

CSCeb77933

Symptoms: A Cisco AS5850 router with a channelized T3 port adapter (CT3) controller shows the incorrect D channel interface name.

Conditions: This symptom is observed on a Cisco AS5850 router that is configured with a CT3 controller and that is running Cisco IOS Release 12.3(2)T or Release 12.3(3).

Workaround: There is no workaround.

CSCeb78836

Symptoms: A Cisco router has a software-forced reload when it receives a malformed H.225 setup message.

Conditions: This symptom is observed on a Cisco 1700 series that is running Cisco IOS Release 12.2(13c). The symptom occurs if you have the following debug privileged EXEC commands turned on:

debug h225 asn1

debug h225 events

debug h225 q931

Workaround: There is no workaround.

CSCeb79421

Symptoms: A standby Enhanced Route Switch Controller (ERSC) reloads when a multichannel STM-1 port adapter card is configured.

Conditions: This symptom is observed on a Cisco ERSC when the extsig mgcp controller configuration command is entered.

Workaround: Save the configuration and reload the router.

CSCeb83747

Symptoms: When a preexisting Data Encryption Standard (DES) key is changed, the block of memory that holds the old key is not cleared before the memory block is returned to the heap.

Conditions: This symptom is observed when the user changes a preexisting DES key. The key is changed by entering the following command in router configuration mode:

key config-key 1 [somestring] where [somestring] is 8 characters

Workaround: There is no workaround.

CSCeb84491

Symptoms: After authenticating and successfully enrolling with the Certificate Authority (CA), the Internet Key Exchange (IKE) fails to establish. The following error message appears:

%CRYPTO-3-QUERY_KEY: Querying key pair failed. process_rsa_sig: Querying key pair failed

Conditions: This symptom is observed between two Cisco routers (router1 and router2) when the following conditions are observed:

1. Set up each router as follows:

router1 gen cisco.com:

msca-root root mandatory cep 00 no-proxy

msca-sub1 identity mandatory cep 00 no-proxy

router2 gen2048 cisco.com:

msca-root root mandatory cep 00 no-proxy

msca-sub1 identity mandatory cep 00 no-proxy

2. Configure each router as follows:

Router1:

authenticate msca-root

authenticate msca-sub1

enroll msca-sub1

Router2:

authenticate msca-root

authenticate msca-sub1

enroll msca-sub1

3. Configure router1 and router2 to create a tunnel between them.

4. Try to create the tunnel by pinging from router1 to router2. The ping fails.

Workaround: There is no workaround.

CSCeb87159

Symptoms: The CNS event agent does not detect when the connection to the server breaks.

Conditions: This symptom is observed when the CNS event agent service is configured by the cns event keepalive configuration command.

Workaround: There is no workaround.

CSCec02454

Symptoms: Two routers that perform IP security (IPSec) with certificates fail to establish an Internet Security Association and Key Management Protocol (ISAKMP) tunnel, and the following error message may appear:

CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.0.1 is bad: CA request failed:

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(3).

Workaround: Use Cisco IOS Release 12.3(1.9).

CSCin16800

Symptoms: Traffic from one Service Selection Gateway (SSG) host to another is routed directly to the second host.

Conditions: This symptom is observed for traffic from one subscriber to another subscriber. It occurs when the second subscriber's address falls into the service network to which the first subscriber is connected. The traffic is forwarded directly to the second subscriber instead of going to the service network. If the connections are Network Address Translation (NAT) connections, then NAT is not applied to user traffic.

Workaround: There is no workaround.

CSCin31767

Symptoms: A Cisco router may reload when you enter the show atm map privileged EXEC command.

Conditions: This symptom is observed on all Cisco routers after you have first deleted a subinterface on which a static map bundle was configured.

Workaround: First remove the static map bundle; then, delete the subinterface.

CSCin32730

Symptoms: A cable modem interface may reset because of a Dynamic Host Configuration Protocol (DHCP) renewal failure during an FTP event. The "DHCP RENEW FAILED" and "DHCP REBIND FAILED" messages may appear when the cable modem interface resets.

Conditions: This symptom is observed under the following conditions:

The DHCP lease-time duration that is configured for the cable modem is very short, and the DHCP lease time has to be renewed several times on the cable modem.

There is an FTP event that involves the transfer of a large file.

Workaround: Configure the DHCP lease-time duration for a longer period than before.

Alternate Workaround: Configure a higher hold-queue value than the default value for the outgoing interface. For example, enter a value of 100 for the length argument instead of using the default value of 40 for the length argument in the hold-queue length out interface configuration command.

CSCin34706

Symptoms: The input queue of an interface that is connected to a default network may increase and eventually become full, causing the interface to be no longer usable.

Conditions: This symptom is observed during a service logon when the connection activation takes a long time, for example, because of an authentication, authorization, and accounting (AAA) failure or a delay in a tunnel activation.

Workaround: There is no workaround.

CSCin35854

Symptoms: The controller of a 1-port multichannel STM-1 multimode port adapter (PA-MC-STM-1) may remain in the shutdown state. Even after you enter the no shutdown controller configuration command, the interface does not come up.

Conditions: This symptom is observed on a PA-MC-STM-1 that is installed in a Cisco 7500 series when a large number of interfaces are configured on the PA-MC-STM-1.

Workaround: There is no workaround.

CSCin39123

Symptoms: A Cisco router that is configured for Any Transport over Multiprotocol Label Switching (AToM) may send AToM packets that are missing control words, even though control-word imposition is enabled. When another Cisco router receives such malformed packets, the router does not handle these packets properly during disposition.

Conditions: This symptom may occur on all Cisco routers that employ software switching with AToM enabled. This symptom has specifically been observed on a Cisco 7200 series, Cisco 7400 series, and Cisco 7500 series that are configured for AToM.

On a 7200 series router that is processing a heavy traffic load, the reception of malformed packets may cause the router to pause indefinitely.

Workaround: There is no workaround.

CSCin39148

Symptoms: A line card may reload when header compression is disabled.

Conditions: This symptom occurs when header compression is disabled while the show ip rtp header-compression command, executed from another window, is waiting at the "more" prompt.

Workaround: Do not disable header compression while the show ip rtp header-compression command is in progress.

CSCin39446

Symptoms: Traffic may stall on a few channels of certain port adapters.

Conditions: This symptom is observed on the following Cisco port adapters:

PA-MC-xT1

PA-MC-xE1

PA-MC-xT3

PA-MCX-xTE1

Workaround: Reprovision the affected channels on the port adapters.

CSCin39668

Symptoms: A Cisco 805 may not boot up.

Conditions: This symptom is observed on a Cisco 805 that is running the c805-y6-mw image of Cisco IOS Release 12.2(15)T and that is configured with the default 4 MB of Flash memory.

Workaround: Upgrade the Flash memory to 8 MB.

Alternate Workaround: Upgrade to Release 12.2(15)T2.

CSCin40015

Symptoms: When the user profile on an authentication, authorization, and accounting (AAA) server contains an access profile, telnet sessions from the client to a network access server (NAS) may fail.

Conditions: This symptom is observed on a Cisco router if the user profile is configured with an access profile feature.

Workaround: There is no workaround.

CSCin40246

Symptoms: When a call is made to a Cisco router loaded with a VoiceXML (VXML) document that is executing authentication using an authentication object, a traceback may appear at vapp_authenticate.

Conditions: This symptom is observed in a test environment on a Cisco router that is running Cisco IOS Release 12.2(15)T1.

Workaround: There is no workaround.

CSCin40371

Symptoms: Traffic loss may occur when you configure the no ip cef global configuration command.

Conditions: This symptom is observed on a Cisco router that has Cisco Express Forwarding (CEF) enabled by default, but that does not have the no ip cef global configuration command configured in the startup configuration.

Workaround: After CEF has been enabled by default, disable CEF.

CSCin40438

Symptoms: When a virtual circuit (VC) is removed, the following message may be displayed:

atm_remove_vc: Error removing vc from vc-list

Conditions: This symptom is observed when you delete a permanent virtual circuit (PVC) or release a tagged virtual circuit (TVC).

Workaround: There is no workaround.

CSCin40505

Symptoms: A VoiceXML (VXML) recording over HTTP may not work if the maxtime parameter is used to terminate the recording.

Conditions: This symptom is observed in Cisco IOS Release 12.3(0.3) and later releases.

Workaround: Do not use the maxtime parameter to terminate the recording.

CSCin40575

Symptoms: A Cisco Service Selection Gateway (SSG) may reload when it has a large number of prepaid connections.

Conditions: This symptom is observed on a SSG that has a large number of prepaid sessions in use (about 20,000). The SSG may run out of memory.

Workaround: There is no workaround.

CSCin40647

Symptoms: The following error messages may appear on a Cisco 7200 series with a Network Service Engine (NSE-1) and on a Cisco 7401 router when the serial interface is configured as a multilink group:

%SYS-2-LINKED: Bad requeue of 6381CBC0 in queue 637EFCC4 -Process= "<interrupt level>", ipl= 1, pid= 28

-Traceback= 6059325C 60593330 60A9B020 60593DCC 60506CAC 6050867C 6011F15C 601249A0

Conditions: This symptom is observed on a Cisco 7200 series and a Cisco 7401 router that are configured with Parallel Express Forwarding (PXF). The symptom occurs only in the first few minutes when traffic is being sent.

Workaround: Turn off PXF.

CSCin40652

Symptoms: After a Media Gateway Control Protocol (MGCP) channel-associated signaling (CAS) call is established, there may not be voice-path continuity; the call signaling is properly terminated, but there is only one-way voice traffic.

Conditions: This symptom is observed on a Cisco router that uses an MGCP CAS call flow.

Workaround: There is no workaround.

CSCin40713

Symptoms: The creation of an ATM permanent virtual circuit (PVC) fails, and a multiple user configuration error message appears:

Interface ATM4/0/0.15 is no longer valid. Possibly multiple users configuring IOS simultaneously or due to OIR

The pvc info under the atm interface was not accepted.

Conditions: This symptom is observed on any Cisco platform that supports configuration of hardware on the interface before the hardware is physically present.

Workaround: There is no workaround.

CSCin41032

Symptoms: A memory leak may occur in the Media Resource Control Protocol (MRCP) client process on a Cisco 5400.

Conditions: This symptom is observed during a stress test.

Workaround: There is no workaround.

CSCin41038

Symptoms: In a test environment, an initialization memory leak may occur at "AppSaveGtdMsg" in VoiceXML (VXML).

Conditions: This symptom is observed on a Cisco router that is running a VXML application.

Workaround: There is no workaround.

CSCin41414

Symptoms: A Cisco 7200 series may reload.

Conditions: This symptom is observed when you enter the verify EXEC command on a Flash card device.

Workaround: There is no workaround.

CSCin41496

Symptoms: It is not possible to configure variable bit rate nonreal time (VBR-nrt) service using the class-range router configuration command.

Conditions: This symptom is observed on a Cisco Node Route Processor (NRP).

Workaround: Use a simple permanent virtual circuit (PVC) for VBR-nrt.

CSCin41510

Symptoms: An output service policy with a police feature may be rejected, and the following error message may be generated:

Cannot attach flat policy to pvc/sub-interface. Hierarchical policy with shape in class-default is recommended

Conditions: This symptom is observed when the output service policy is attached to multiple subinterfaces.

Workaround: There is no workaround.

CSCin41525

Symptoms: When packets are intercepted and replicated with IP version 6 (IPv6) encapsulation, packets that are replicated to the Mediation Device (MD) may be process switched at the MD interface instead of being switched by using Cisco Express Forwarding (CEF). This situation may affect the performance of the router.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3 and occurs when the intercepted packets are replicated with IPv6 encapsulation.

Workaround: There is no workaround.

CSCin41527

Symptoms: A Cisco platform that functions as a gatekeeper may reload.

Conditions: This symptom is observed when you deconfigure the zone local gatekeeper configuration command.

Workaround: There is no workaround.

CSCin42250

Symptoms: An accounting stop record that is sent by a Cisco gateway for the second alternate endpoint does not contain all of the attribute-value (AV) pairs.

Conditions: This symptom is observed on a Cisco AS5400 universal gateway that is running Cisco IOS Release 12.2(15)T2. The symptom is not observed in Cisco IOS Release 12.2(15)T1 or Release 12.3(0.5).

Workaround: There is no workaround.

CSCin42549

Symptoms: If you configure the radius-server host x.x.x.x backoff exponential key SomeKey command and then enter the copy run start command, the configuration that is stored will be as follows:

radius-server host x.x.x.x key SomeKey backoff exponential

As a result, the router will use "SomeKey backoff exponential" as the key for communicating with the RADIUS server instead of "SomeKey."

This prevents the RADIUS server from communicating with the router and results in the following symptoms:

Users are unable to authenticate.

Accounting records are dropped.

Downloadable configurations are ignored.

If the service password-encryption global configuration command is configured, you will see an error message that resembles the following message:

%Invalid encrypted key: 02050D480809 backoff exponential max-delay 3 backoff-retry 8

Conditions: This symptom is observed any time you configure a RADIUS server with backoff exponential and a per-server key.

Workaround: Perform the following steps:

1. Configure the radius-server host x.x.x.x backoff exponential key SomeKey command.

2. Copy the running configuration to a TFTP or FTP server and edit the running configuration with a text editor to place the key SomeKey portion of the radius-server host configuration line at the end of the line.

3. Enter the copy tftp start or copy ftp start global configuration command to place the configuration in the router's startup configuration.

4. Do not enter the copy run start global configuration command.

Alternate Workaround: Do not configure a per-server key. Use a global key instead.
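The edit described in step 2 can be scripted against the copy of the configuration saved on the TFTP or FTP server. The following Python sketch is an added example, not Cisco code: the function names and sample configuration are constructed, the option keywords come from the error message shown above, and it assumes the real key is a single word with no spaces, optionally preceded by a key-type marker.

```python
# Option keywords taken from the caveat's own error message.
OPTION_WORDS = {"backoff", "exponential", "max-delay", "backoff-retry"}
KEY_TYPES = {"0", "7"}  # IOS key-type markers, as in "key 7 <encrypted>"


def repair_host_line(line):
    """Return the line with the key moved to the end, or None if unchanged.

    Assumption: the real key is one word (no spaces), optionally preceded
    by a key-type marker.
    """
    tokens = line.split()
    if tokens[:2] != ["radius-server", "host"] or "key" not in tokens[3:]:
        return None
    k = tokens.index("key", 3)
    after = tokens[k + 1:]
    if not after:
        return None
    # "key 7 <encrypted>" takes two words, unless the second word is itself
    # an option keyword (then "7" was the whole key).
    typed = (after[0] in KEY_TYPES and len(after) > 1
             and after[1] not in OPTION_WORDS)
    n = 2 if typed else 1
    key_part, trailing = after[:n], after[n:]
    if not trailing or trailing[0] not in OPTION_WORDS:
        return None  # key is already last, or trailing text is not an option
    return " ".join(tokens[:k] + trailing + ["key"] + key_part)


def repair_config(text):
    """Return (repaired_text, findings); findings are (lineno, before, after)."""
    findings = []
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fixed = repair_host_line(line)
        if fixed is None:
            out.append(line)
        else:
            findings.append((lineno, line.strip(), fixed))
            out.append(fixed)
    return "\n".join(out) + "\n", findings


# Constructed sample of a saved configuration (documentation addresses).
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 192.0.2.10 key SomeKey backoff exponential
radius-server host 192.0.2.11 key 7 02050D480809 backoff exponential max-delay 3 backoff-retry 8
radius-server host 192.0.2.12 auth-port 1812 acct-port 1813 key OtherKey
"""

if __name__ == "__main__":
    repaired, findings = repair_config(SAMPLE_CONFIG)
    for lineno, before, after in findings:
        print(f"line {lineno}:\n  - {before}\n  + {after}")
```

Run with no findings, the file is safe to load; any finding marks a line on which the router would otherwise treat the trailing options as part of the key.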

CSCin42824

Symptoms: When you configure a RADIUS server and generate some RADIUS traffic, then configure a second RADIUS server with the same IP address but different ports, and then reconfigure the first RADIUS server, the router stops sending RADIUS packets. When you then try to reconfigure the second RADIUS server, the router generates a traceback error message.

Conditions: This symptom is observed on an authentication, authorization, and accounting (AAA) server when the server method list is configured.

Workaround: Reconfigure the first RADIUS server and then configure the second RADIUS server.

CSCin43799

Symptoms: The "VFC: filesystem" option is missing as a selectable option from the context-sensitive help feature of the command-line interface (CLI).

Conditions: This symptom is observed when you enter "?" after the copy src filesystem privileged EXEC command.

Workaround: There is no workaround.

CSCin43828

Symptoms: A traceback and register display the following cause:

Cause 0000041C (Code 0x7): Data Bus Error exception

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.2(17), and is associated with a router that is operating outside its temperature parameters. Other physical or hardware associated issues could lead to this condition.

Workaround: There is no workaround.

CSCin43844

Symptoms: When the T1 channel-associated signaling (CAS) channels of the Cisco Access Gateway Module (AGM) are in the "EM_PARK" state, and the clear counters privileged switch command is entered, the AGM may pause indefinitely.

Conditions: This symptom is observed on a Cisco AGM that is running the c4gwy-isx3-mz image of Cisco IOS Release 12.3(1.4)T.

Workaround: Do not issue the clear counters privileged switch command on the AGM when T1 CAS channels are in the "EM_PARK" state.

CSCin43993

Symptoms: A router may pause indefinitely after you enter the modem privileged EXEC command.

Conditions: This symptom is observed after you enter the modem privileged EXEC command on a Cisco 2600 series or a Cisco 3600 series that has an analog network module installed in its network module slot.

Workaround: There is no workaround.

CSCin44341

Symptoms: The ATM interface on a Cisco Node Route Processor 2 (NRP-2) may go into the down state.

Conditions: This symptom is observed when 8000 PPP over ATM (PPPoA) sessions are loaded on a redundant NRP-2 and the NRP-2 is reloaded.

Workaround: Flap the interface for the sessions to go up.

CSCin44483

Symptoms: The per-user route does not get installed with TACACS+. When the TACACS+ server is configured to send an IP address with the value of 255.255.255.254 and a netmask of 255.255.255.240 to the network access server (NAS), the NAS does not update its routing table with a per-user route, as occurs when the same attributes are returned from a RADIUS server.

Conditions: This symptom is observed on a Cisco TACACS+ server.

Workaround: There is no workaround.

CSCin44571

Symptoms: Priority queueing does not deliver the expected bandwidth on a Cisco router.

Conditions: This symptom is observed on a Cisco router if Parallel Express Forwarding (PXF) is enabled.

Workaround: Turn off PXF.

CSCin44594

Symptoms: A Cisco router may experience a loss of packets.

Conditions: This symptom is observed on a Cisco AS5850 that is running the Virtual Profile feature in distributed Cisco Express Forwarding (dCEF) switching mode.

Workaround: Turn off dCEF switching.

CSCin44706

Symptoms: Per-user access control lists (ACLs) that are downloaded from an authentication, authorization, and accounting (AAA) server may not be applied. The following debug message appears when this symptom occurs and the debug aaa per-user privileged EXEC command is turned on:

Vi2 AAA/PER-USER/access-group: acl Virtual-Access2#21 for proto IP does not exist

Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.3(1.3).

Workaround: There is no workaround.

CSCin45879

Symptoms: A Cisco network access server (NAS) may enter an infinite loop, produce CPUHOG error messages similar to the following, and then reload:

%SYS-3-CPUHOG: Task is running for (112000)msecs, more than (2000)msecs (1/0),process = RADIUS

Conditions: This symptom is observed on a Cisco NAS that is running Cisco IOS Release 12.3(0.5)T. The NAS is configured with "radius-server retry method reorder" and nonzero deadtime, and the "radius-server transaction max-tries" is set to an exact multiple of the number of servers in the server group. The servers in the group are configured using "server-private" instead of "server".

If "radius-server retry method reorder" is not configured, the router may neglect to transmit RADIUS packets to servers after the "server-private" server if the "server-private" server does not respond. In addition, the reference count of a server, as shown by the output of the debug aaa server-ref-count EXEC command, may improperly drop to zero. This results in no packets being transmitted to the server unless it is unconfigured and reconfigured.

Workaround: There is no workaround.

CSCin46138

Symptoms: In a PPP over Ethernet (PPPoE) over permanent virtual circuit (PVC) configuration on a Cisco router, the PPPoE session on the server does not clear when the PPPoE session terminates on the client side.

Conditions: This symptom is observed when the PPPoE client unconfigures its dialer using the no pppoe-client dial-pool-number number interface configuration command.

Workaround: Clear the PPPoE session on the server.

CSCin46471

Symptoms: Time division multiplexing (TDM) hairpinned calls are using digital signal processor (DSP) resources. The TDM hairpinned call should not continue using DSP resources and will release the resources once the call gets hairpinned.

Conditions: This symptom is observed on a Cisco AS5350 universal gateway.

Workaround: There is no workaround.

CSCin46821

Symptoms: A Cisco router may pause indefinitely if it has the following configuration:

crypto isakmp profile p keyring default

If this profile is later removed by use of the no crypto isakmp profile p router configuration command, and the user attempts to save or view the configuration by use of the show running-config EXEC command, the router pauses indefinitely with the following error message and traceback:

Unexpected exception, CPU signal 10, PC = 0x620FF8D0

-Traceback= 620FF8D0 61FC8D24 606B7080 606B70F4 60648AC8 60627D68 60628250 60658D00 60658E18 6064AC18 6065BFA0 606D6C5C 606D6C40.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3.

Workaround: Do not configure the isakmp profile command with the default keyring argument. Use a specific keyring for Internet Security Association and Key Management Protocol (ISAKMP) profiles by use of the crypto keyring keyring-name router configuration command.

CSCin47655

Symptoms: A Create Connection (CRCX) to a terminating gateway fails with the following error message when Media Gateway Control Protocol (MGCP) calls are made:

Error code 400 - SetUp Failed

Conditions: This symptom is observed on a Cisco gateway that is running Cisco IOS Release 12.2(15)T5, Release 12.3(1.8)T, or Release 12.3(1.9).

Workaround: There is no workaround.

CSCin48819

Symptoms: Packets received from or going to unauthenticated users may get punted to the process path.

Conditions: This symptom is observed on all Service Selection Gateway (SSG) images of Cisco IOS software. If there is high unauthorized user traffic on the network, this symptom may cause a load on the process path (the IP input), but it does not break the functionality of the network.

Workaround: Configure the SSG TCP Redirect feature for unauthenticated users and unauthorized services. With this configuration, there are no unauthenticated packets punted to the process path, and all packets are handled in the Cisco Express Forwarding (CEF) path.

CSCin48820

Symptoms: Domain Name System (DNS) packets may take more time than normal to process.

Conditions: This symptom is observed on all Service Selection Gateway (SSG) images of Cisco IOS software.

Workaround: If the number of domains is large, provide Internet service to each user and let the domains be resolved through the Internet DNS service.

CSCin50136

Symptoms: A PPP over Ethernet (PPPoE) session may not come up when delivering the PPPoE configuration to the customer premises equipment (CPE). This symptom occurs even though the Internet service provider (ISP) router is configured for a PPPoE profile. The session comes up only when you enter the clear pppoe all EXEC command.

Conditions: This symptom is observed in Cisco IOS Release 12.3 and prevents PPP and IP connectivity.

Workaround: Upgrade to Cisco IOS Release 12.3(2)XA.

CSCin50873

Symptoms: Data packets get punted to the process path when the Service Selection Gateway (SSG) timeout process is scheduled.

Conditions: This symptom is observed in all SSG images of Cisco IOS software.

Workaround: There is no workaround.

CSCin50661

Symptoms: A Cisco AS5350 router pauses indefinitely when the Media Gateway Control Protocol (MGCP) regression feature is tested. Even the "send break" feature may not function, and the only solution is to turn the router off and on. This symptom occurs only one out of four or five times.

Conditions: This symptom is observed in a test environment on a Cisco AS5350 router that has MGCP enabled.

Workaround: There is no workaround.

CSCin51366

Symptoms: A server reference count may incorrectly reach zero when all servers are dead. After the reference count of the server reaches zero without the server being unconfigured, the following error message may appear:

AAA/SG/REF_COUNT attempt to decrement ref count of invalid server handle XXXXXXXX

where XXXXXXXX is a seemingly random hexadecimal number.

In some releases of Cisco IOS software, particularly those with the -g4js- feature set, the router may return to rommon or reload instead of displaying the error message.

Conditions: This symptom is observed when there are two or more servers in a server group, and all the servers in that group are dead, and transactions are being sent to those servers because the server group that they are in (including the special groups RADIUS and TACACS) is the last method in a method list. The reference count of one server in the group increases dramatically while the reference count of another server in the group is reduced to zero.

Further Problem Description: You can observe the changes in the server reference count when you enter the debug aaa server-ref-count privileged EXEC command.

Workaround: Pick one particular server from the group as your server of last resort. Configure a special server group that contains only that server, and configure that special server group as the last method in your method list.

For example, if you had:

aaa new-model

radius-server host x.x.x.x

radius-server host y.y.y.y

radius-server host z.z.z.z

radius-server key SECRET

aaa group server radius foo

server x.x.x.x

server y.y.y.y

server z.z.z.z

aaa authentication login default group foo

You would instead configure:

aaa new-model

radius-server host x.x.x.x

radius-server host y.y.y.y

radius-server host z.z.z.z

radius-server key SECRET

aaa group server radius foo

server x.x.x.x

server y.y.y.y

server z.z.z.z

aaa group server radius bar

server z.z.z.z

aaa authentication login default group foo group bar
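The condition in CSCin51366 can be checked offline against a saved configuration. The following is an added example, not Cisco code: it flags every AAA method list whose last method is a server group (including the special groups radius and tacacs+) that contains two or more servers. The function names, the sample addresses, and the simplified parser (it recognizes only the commands shown in this workaround) are assumptions.

```python
import re

# Constructed sample configurations (documentation addresses, not from the release note).
BEFORE = """\
aaa new-model
radius-server host 192.0.2.1
radius-server host 192.0.2.2
radius-server host 192.0.2.3
aaa group server radius foo
 server 192.0.2.1
 server 192.0.2.2
 server 192.0.2.3
aaa authentication login default group foo
"""

# Same configuration with the workaround applied: a one-server group "bar" is last.
AFTER = BEFORE.replace(
    "aaa authentication login default group foo\n",
    "aaa group server radius bar\n server 192.0.2.3\n"
    "aaa authentication login default group foo group bar\n",
)


def parse_config(text):
    """Return (named groups, globally defined hosts, AAA method-list lines)."""
    groups = {}                                  # group name -> [server, ...]
    global_hosts = {"radius": [], "tacacs+": []}  # members of the special groups
    method_lists = []
    current = None                               # group whose sub-mode we are in
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"aaa group server (radius|tacacs\+) (\S+)$", line)
        if m:
            current = m.group(2)
            groups[current] = []
            continue
        m = re.match(r"server (\S+)", line)
        if m and current is not None:
            groups[current].append(m.group(1))
            continue
        current = None                           # any other line leaves the sub-mode
        m = re.match(r"(radius|tacacs)-server host (\S+)", line)
        if m:
            key = "radius" if m.group(1) == "radius" else "tacacs+"
            global_hosts[key].append(m.group(2))
            continue
        if re.match(r"aaa (authentication|authorization|accounting) ", line):
            method_lists.append(line)
    return groups, global_hosts, method_lists


def last_method_group(line):
    """Name of the server group used as the last method, or None (e.g. 'local')."""
    tokens = line.split()
    if len(tokens) >= 2 and tokens[-2] == "group":
        return tokens[-1]
    return None


def audit(text):
    """Return [(method-list line, group name, server count)] for exposed lists."""
    groups, global_hosts, method_lists = parse_config(text)
    findings = []
    for line in method_lists:
        name = last_method_group(line)
        if name is None:
            continue
        if name in global_hosts:
            servers = global_hosts[name]
        else:
            servers = groups.get(name, [])
        if len(servers) >= 2:
            findings.append((line, name, len(servers)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        hits = audit(cfg)
        print(label, "->", hits if hits else "no exposed method list")
```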

CSCin51790

Symptoms: A cable modem does not respond to any Simple Network Management Protocol (SNMP) queries.

Conditions: This symptom is observed on a Cisco uBR900 cable modem.

Workaround: There is no workaround.

CSCin51828

Symptoms: A gateway may reload unexpectedly while unconditional call forwarding to a voice mail system is in progress.

Conditions: This symptom is observed on a Cisco gateway that functions as a transferee (XEE) and transfer target (XTO).

Workaround: There is no workaround.

CSCuk35062

Symptoms: A router that is configured with Hot Standby Router Protocol (HSRP) may respond with the incorrect MAC address to an Address Resolution Protocol (ARP) request for an HSRP virtual IP address.

Conditions: This symptom is observed on a Cisco router if local proxy ARP is enabled and the virtual IP address is not active, or the HSRP group is not configured locally. This caveat prevents the nonactive router from giving an incorrect response.

Workaround: To ensure that only the active router responds to ARP requests, every HSRP group on the network must be configured on every router that has local proxy ARP enabled.

CSCuk43684

Symptoms: A telephone subscriber has call waiting enabled and has one active call and an alert of a second incoming call. The subscriber hangs up the first call and the callback functionality is invoked for the second incoming call. There is no speech path when the subscriber answers the second call.

Conditions: This symptom is observed when a custom Tool Command Language (TCL) interactive voice response (IVR) application script is used to provide call waiting functionality on a Cisco IOS voice gateway. Whether this behavior is observed depends upon the specific implementation of the custom TCL IVR script.

Workaround: There is no workaround.

CSCuk44738

Symptoms: IP version 6 (IPv6) static routes that point to the Null0 interface are not installed in the Routing Information Base (RIB).

Conditions: This symptom is observed on a Cisco router for which the ipv6 route ipv6-prefix /prefix-length {ipv6-address | interface-type interface-number [ipv6-address]} global configuration command is accepted but the specified route does not get installed in the routing table and the show ipv6 route EXEC command does not show the route.

Workaround: There is no workaround.

CSCuk44928

Symptoms: When you save a configuration first to the standby Performance Routing Engine (PRE) and then to the active PRE, the configuration may not be saved and the following error message may be generated:

startup-config file open failed (Device or resource busy)

Conditions: This symptom is observed on a Cisco 10000 series that is configured with redundant PREs and that runs Cisco IOS Release 12.0(26)S.

Workaround: There is no workaround.

Novell IPX, XNS, and Apollo Domain

CSCea66127

Symptoms: IPX Enhanced Interior Gateway Routing Protocol (EIGRP) discovery packets may be stuck in the input queue and wedge the queue.

Conditions: This symptom is observed on a router that does not have IPX EIGRP configured and that receives such updates from a remote router that does have the protocol configured. IPX EIGRP updates may be identified by the socket number "85BE" in the output of the show buffers input-interface ethernet0/0 dump EXEC command.

Workaround: Turn on IPX EIGRP on the router that experiences the wedged input queue using the same autonomous system as the routers that send the updates.

Alternate Workaround: Use an access control list (ACL) to block this traffic.

Second Alternate Workaround: Disable IPX EIGRP on the routers that send the updates.

TCP/IP Host-Mode Services

CSCdx95455

Symptoms: A memory leak may occur on a router after TCP-to-X.25 translation is configured.

Conditions: This symptom is observed if a user attempts to use TCP-to-X.25 translation while a router is already performing translation for the maximum number of configured users. The additional user will not be able to use translation, and the router will leak memory.

Workaround: There is no workaround.

CSCea60379

Symptoms: A Cisco router that is running Label Distribution Protocol (LDP) may leak memory at a rate of up to 100 KB per day, resulting in the gradual reduction of the available memory. This situation may be caused by applications that use TCP as the transport protocol.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.0(23)S or a later release.

Workaround: There is no workaround.

CSCeb07106

Symptoms: The following error message appears in the log of a Cisco router:

%TCP-6-TOOBIG: Tty0, too many bytes of options (44).

Conditions: This symptom is observed when numerous TCP options are configured on the router.

Workaround: Reduce the number of TCP options used (for example, selective-ack, timestamps, or BGP md5-password).

CSCeb21552

Symptoms: The following error message appears when a router receives a connection request on command shell (TCP, 514) and Kerberos shell (kshell) (TCP, 544) ports:

%RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 192.168.2.2

This message appears when the remote shell (rsh) is disabled on the router.

Conditions: This symptom is observed on a Cisco router that has disabled rsh.

Workaround: Traffic that is destined for these ports can be filtered with the following router configuration:

Router# show ip interface brief

Interface     IP-Address    OK?  Method  Status                 Protocol
Ethernet0/0   172.16.1.1    YES  NVRAM   up                     up
Ethernet1/0   unassigned    YES  NVRAM   administratively down  down
Serial2/0     192.168.2.1   YES  NVRAM   up                     up
Serial3/0     192.168.3.1   YES  NVRAM   up                     up
Loopback0     1.1.1.1       YES  NVRAM   up                     up

Create an access control list (ACL) for the router that appears as follows:

access-list 177 deny tcp any host 172.16.1.1 eq 514

access-list 177 deny tcp any host 172.16.1.1 eq 544

access-list 177 deny tcp any host 192.168.2.1 eq 514

access-list 177 deny tcp any host 192.168.2.1 eq 544

access-list 177 deny tcp any host 192.168.3.1 eq 514

access-list 177 deny tcp any host 192.168.3.1 eq 544

access-list 177 deny tcp any host 1.1.1.1 eq 514

access-list 177 deny tcp any host 1.1.1.1 eq 544

access-list 177 permit ip any any

This ACL needs to be applied on all interfaces with the ip access-group 177 in router configuration command.
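The ACL above has to list every address the router owns, for both ports, ahead of the final permit. The following added example (not Cisco code) derives the entries from show ip interface brief output and reports any address and port pair that an existing ACL fails to cover. The function names are hypothetical, the sample output is reconstructed from the listing above, and the parser accepts only the deny form used in this workaround.

```python
import ipaddress
import re

RSH_PORTS = (514, 544)          # command shell and kshell ports named in the caveat
# IOS may display these ports by keyword in a saved configuration.
PORT_KEYWORDS = {"cmd": 514, "kshell": 544}

# Sample input reconstructed from the listing in the workaround.
SHOW_IP_INT_BRIEF = """\
Router# show ip interface brief
Interface     IP-Address    OK?  Method  Status                 Protocol
Ethernet0/0   172.16.1.1    YES  NVRAM   up                     up
Ethernet1/0   unassigned    YES  NVRAM   administratively down  down
Serial2/0     192.168.2.1   YES  NVRAM   up                     up
Serial3/0     192.168.3.1   YES  NVRAM   up                     up
Loopback0     1.1.1.1       YES  NVRAM   up                     up
"""

DENY_RE = re.compile(r"access-list (\d+) deny tcp any host (\S+) eq (\S+)$")


def parse_interface_brief(text):
    """Return [(interface, ip)] for interfaces that have an IPv4 address."""
    addresses = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.IPv4Address(fields[1])
        except ipaddress.AddressValueError:
            continue            # header, prompt line, or "unassigned"
        addresses.append((fields[0], str(ip)))
    return addresses


def build_acl(addresses, acl_id=177, ports=RSH_PORTS):
    """Generate deny entries for every address and port, then the final permit."""
    lines = []
    for _ifname, ip in addresses:
        for port in ports:
            lines.append(f"access-list {acl_id} deny tcp any host {ip} eq {port}")
    lines.append(f"access-list {acl_id} permit ip any any")
    return lines


def missing_entries(acl_lines, addresses, acl_id=177, ports=RSH_PORTS):
    """Return [(ip, port)] pairs not denied before 'permit ip any any'."""
    covered = set()
    for raw in acl_lines:
        line = raw.strip()
        if line == f"access-list {acl_id} permit ip any any":
            break               # entries after this line can never match
        m = DENY_RE.match(line)
        if not m or int(m.group(1)) != acl_id:
            continue
        token = m.group(3)
        port = PORT_KEYWORDS.get(token)
        if port is None and token.isdigit():
            port = int(token)
        if port is not None:
            covered.add((m.group(2), port))
    return [(ip, port) for _ifname, ip in addresses for port in ports
            if (ip, port) not in covered]


if __name__ == "__main__":
    addrs = parse_interface_brief(SHOW_IP_INT_BRIEF)
    acl = build_acl(addrs)
    print("\n".join(acl))
    # Simulate an ACL written before Loopback0 was added to the router.
    stale = [entry for entry in acl if "1.1.1.1" not in entry]
    print("uncovered:", missing_entries(stale, addrs))
```

An address added to the router after the ACL was written shows up in the missing_entries result, which is the case this workaround is most likely to miss over time.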

CSCeb55448

Symptoms: Cisco IOS Release 12.3 has a new command-line interface (CLI) extension for the ip helper-address address redundancy vrg-name interface configuration command. There is no space between the IP address and the keyword redundancy. The router ignores the command after reboot and Dynamic Host Configuration Protocol (DHCP) breaks in the network.

Conditions: This symptom is observed in Cisco IOS Release 12.3 when an attempt is made to enable the Virtual Router Group feature for User Datagram Protocol (UDP) forwarding.

Workaround: There is no workaround.

Wide-Area Networking

CSCdx65102

Symptoms: A router may reload unexpectedly. The following message may be displayed when the show version EXEC command is entered:

System returned to ROM by bus error at PC 0x604B9720, address 0xFFFFFFFF

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(8)T.

Workaround: There is no workaround.

CSCdy26008

Symptoms: The negotiated IP address is not cleared from an asynchronous interface when a call ends, even though the IP address is returned properly to the IP peer pool.

Conditions: This symptom is observed when the peer is configured to dial in to the network access server (NAS) and to obtain an IP address through IP Control Protocol (IPCP) negotiations with the NAS. The NAS is configured with pools of IP addresses to be allocated to the peer when the peers generate a PPP call to the NAS. The NAS is also configured to authenticate the peer through RADIUS.

Workaround: There is no workaround.

CSCdz21325

Symptoms: Incoming packets on a Cisco 3640 router are destined for a Cisco 2651 Modular Access Router via a Dial-on-Demand Routing (DDR) and BRI circuit. During failed BRI connection attempts (destination interface is shut), the memory in use increases steadily, incrementing with roughly every 3 to 6 packets sent.

Conditions: This symptom is observed on a Cisco router and the memory leak is seen only when isdn fast-rollover delay xy is configured at the interface and the call fails at the first dial attempt.

Workaround: Remove the isdn fast-rollover delay xy configuration.

CSCdz51769

Symptoms: Digital signal processor (DSP) calls are shown to be in "current state bad." This bad state appears to be due to an H.323 call sent to Cisco CallManager. The CCM generates a second new call from CCM to the router. The second call disconnects with a progress indicator indicating that inband information is available. Call 1 then gets sent to the CCM. CCM attempts to blind-transfer the call to a public switched telephone network (PSTN) destination. CCM sends an H.323 setup message to the router with an invalid PSTN number, but the PSTN switch goes to the ISDN call_proceeding state, which allows CCM to complete the transfer and connect the original calling party to the new outbound call. The second outbound call fails with the ISDN message sequence:

ISDN Se2/0:15 Q931: RX <- DISCONNECT pd = 8 callref = 0x826

Cause i = 0x8081 - Unallocated/unassigned number

Progress Ind i = 0x8088 - In-band info or appropriate now available

ISDN Se2/0:15 Q931: TX -> RELEASE pd = 8 callref = 0x0268

The progress indicator in the disconnect message attempts to cut through the audio so that the calling party hears the message: "We're sorry your call cannot be completed as dialed."

These messages are sent back to CCM and then from CCM back to the original inbound call through the same gateway. This action causes the DSP channel associated with the original inbound call to get stuck in the bad state.

An example of the show voice dsp output indicating the bad state follows:

3660# show voice dsp

DSP  DSP             DSPWARE CURR  BOOT                      PAK   TX/RX
TYPE NUM CH CODEC    VERSION STATE STATE RST AI VOICEPORT TS ABORT PACK COUNT
==== === == =====    ======= ===== ===== === == ========= == ===== ============
C549 006 01 {medium} 4.1.26  bad   idle  0   0  2/0:15    01 0     990946/18452

After the DSP goes into the bad state, all subsequent calls on the timeslot (TS) associated with that DSP channel will fail with the error message:

Cause i = 0x80AF - Resource unavailable, unspecified

Conditions: This symptom is observed on a Cisco 2610 router that is running Cisco IOS Release 12.2(11)T5 or Release 12.2(13)T.

Workaround: Configure "disc_pi_off" on the router. This will prevent callers from hearing the "We're sorry your call cannot be completed as dialed" message.

CSCdz74721

Symptoms: A router may pause indefinitely when the copy tftp run global configuration command is issued using the same file that was created with the copy run tftp command previously.

Conditions: This symptom is observed on a Cisco AS5300 router.

Workaround: There is no workaround.

CSCdz88409

Symptoms: A Cisco AS5800 may reload.

Conditions: This symptom is observed during a period of inconsistent RADIUS service that causes sessions to flap.

Workaround: There is no workaround.

CSCea19132

Symptoms: A router that is configured with PPP over Ethernet (PPPoE) and Layer 2 Tunneling Protocol (L2TP) may pause indefinitely. The following symptoms are also observed:

Some unpredictability in the cloning of full and subinterface vaccess occurs. Normally, Cisco IOS software does not create full vaccess interfaces, but occasionally it does.

A very slow leak in per-user Access Control List (ACL) subinterfaces occurs.

A rapid vtemplate and per-user ACL leak occurs with full interfaces.

Conditions: This symptom is observed on a Cisco 6400 series router that is running a c6400r-g4p5-mz image of Cisco IOS Release 12.2(13)T1 and has PPPoE configured, with IP per-user attributes being passed down through RADIUS.

Workaround: There is no workaround.

CSCea19800

Symptoms: When a user connects to an access control list (ACL) that is applied inbound on a virtual template, the ACL fails to deny traffic if the deny ip any any router configuration command has been configured and fails to register a match (hit counts) on the ACL.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(11)T3 or Release 12.2(13)T1. The symptom occurs with inbound ACLs, not with outbound ACLs.

Workaround: There is no workaround.

CSCea21643

Symptoms: The dialer watch may stall, and a Cisco router may pause indefinitely.

Conditions: This symptom is observed when an ISDN link flaps.

Workaround: There is no workaround.

CSCea40876

Symptoms: Incoming packets that are destined for the IP address of a dialer interface on a router may not be handled properly, and there may be no connectivity when you attempt to ping the other side of the dialer connection.

Conditions: This symptom is observed when a dialer interface is configured in a Virtual Private Network (VPN) routing and forwarding (VRF) instance on the router.

Workaround: Configure the ppp multilink interface configuration command on the dialer interface and on the physical interfaces on both sides of the dialer connection.

Alternate Workaround: If this is an option, downgrade to Cisco IOS Release 12.2(8)T5.

CSCea43177

Symptoms: A Cisco router may reload while you attempt to set up a Frame Relay switched virtual circuit (SVC).

Conditions: This symptom is observed when you attempt to set up a Frame Relay SVC by using a data-link connection identifier (DLCI) that is already in use; for example, when a permanent virtual circuit (PVC) is configured by using the same DLCI.

Workaround: When a PVC is configured by using the same DLCI, remove the PVC configuration before you attempt to set up the Frame Relay SVC.

CSCea48995

Symptoms: The information element (IE) of a calling party number in an outgoing call setup message may be corrupted. When you use the Q.931 Translator, the log files may display that the calling party number in the outgoing call setup message is "0x00," as in the following example:

ISDN Se0:23: TX -> SETUP pd = 8 callref = 0x0005

Bearer Capability i = 0x8890

Channel ID i = 0xA98397

Calling Party Number i = 0x00, (null),

Plan:Unknown, Type:Unknown

Calling Party SubAddr i = 0x80, '9876'

Called Party Number i = 0x80, '2222',

Plan:Unknown, Type:Unknown

Conditions: This symptom is observed after an IE for a calling party subaddress is received.

Workaround: There is no workaround.

CSCea51222

Symptoms: Rare X.25 reset events and an "X.25 Data packet, Bad P(S), Receive window violation" error message may occur on a router. The "P(S)" value, however, is in sequence and within the receive window.

Conditions: This symptom is observed under rare circumstances when there is a heavy X.25 transmit load on the router.

Workaround: There is no workaround.

CSCea51540

Symptoms: The IP Control Protocol (IPCP) times out on a link control protocol (LCP) negotiation.

Conditions: This symptom is observed when dial-up networking (DUN) is used to connect to a Cisco router. Subsequent calls will fail in LCP. The symptom is not observed if the user is using only PPP.

Workaround: There is no workaround if both dialing methods are requested.

CSCea53821

Symptoms: PPP Network Control Protocol negotiation may fail on a Cisco router.

Conditions: This symptom is observed for most PPP protocols on all platforms that are running an image of Cisco IOS Release 12.3 when PPP encapsulation is used via a serial interface.

Workaround: Complete the configuration of PPP protocols at both ends of a connection before you bring up the connection.

Alternate Workaround: After you have completed the configuration of PPP protocols, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the serial interface.

CSCea54932

Symptoms: Cisco dialer software needs to be modified to display "disconnect timer/timeout" instead of the current "disable timer/timeout".

Conditions: This symptom is observed in Cisco IOS software that has the fix for the caveat CSCdw94370.

Workaround: There is no workaround.

CSCea56987

Symptoms: On a Layer 2 Tunneling Protocol (L2TP) network server (LNS), load balancing and failover may not work properly when remote virtual private dialup network (VPDN) authorization via RADIUS is used on an L2TP access concentrator (LAC) with a combination of tagged ip-addresses attributes and an untagged tunnel-type attribute. In this situation, the tunnel-type setting is ignored and defaults to Layer 2 Forwarding (L2F). Load balancing and failover work correctly if they are configured locally.

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.2(15)T.

Workaround: Any of the following workarounds may be used:

Use an untagged ip-addresses attribute.

Use tagged tunnel-type attributes matching the tags of the ip-addresses attributes.

Use a locally configured vpdn-group.

CSCea57060

Symptoms: In a Multichassis Multilink PPP (MMLP) scenario, if the PPP callback option is configured and calls intended for the same multilink bundle are accepted by different members of a Stack Group Bidding Protocol (SGBP) group, callback negotiation for the second channel is bypassed.

Conditions: This symptom is observed on a Cisco router that is configured for MLP.

Workaround: There is no workaround.

CSCea58398

Symptoms: A Cisco 3810 router reloads whenever a callback is attempted.

Conditions: This symptom is observed on a Cisco 3810 router because only the line configuration is present for the auxiliary interface.

Workaround: Configure the auxiliary interface (even a simple "no IP address" on the interface will do) with the line configuration.

CSCea62119

Symptoms: A Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) may reload during the "dialer pending" process.

Conditions: This symptom is observed only when the virtual private dialup network (VPDN) tunnel is torn down prematurely.

Workaround: There is no workaround.

CSCea64624

Symptoms: An analog call to a digital service 0 (DS0) line may fail.

Conditions: This symptom is observed when an analog call is placed to a digital service 0 (DS0) line that has just serviced a digital call. The analog call may fail because of unavailable resources.

Workaround: There is no workaround.

CSCea66630

Symptoms: When calls are made from a softswitch to a Cisco gateway, some of the channels remain in a "maintenance pending" state.

Conditions: This symptom was observed on a Cisco AS5300 gateway when the Continuity Test (COT) failed. The COT_TP_IN test failed right after a reload and the router did not receive the COT_TP_OUT from the softswitch. The timer in the COT_TP_IN test should have brought the channel to idle even if it did not receive the COT_TP_OUT from the softswitch.

Workaround: There is no workaround.

CSCea67085

Symptoms: An asynchronous dialer interface may not come up as expected.

Conditions: This symptom is observed when a service policy is attached to an asynchronous dialer interface.

Workaround: Use a dialer rotary configuration instead of a dialer profile configuration for the service policy on the dialer interface.

CSCea70033

Symptoms: The configuration of the pri-group timeslots timeslot-range service mgcp controller configuration command that is defined under an E1 controller may be deleted when you boot up a Cisco platform.

Conditions: This symptom is observed on a Cisco AS5400 that is running Cisco IOS Release 12.3 but may occur on any Cisco platform that is capable of supporting a Media Gateway Control Protocol (MGCP) PRI E1 connection.

Workaround: There is no workaround.

CSCea70286

Symptoms: The ppp pap sent-username username password password interface configuration command is missing after a Cisco router reloads if the configured username is blank.

Conditions: This symptom is observed on a Cisco router.

Workaround: There is no workaround.

CSCea70357

Symptoms: Frame Relay traffic shaping may become inactive.

Conditions: This symptom is observed when the IP maximum transmission unit (MTU) is changed on a serial subinterface that is configured for Frame Relay and traffic shaping.

Workaround: There is no workaround.

CSCea73290

Symptoms: ISDN may fail to respond to an attempt to establish an association.

Conditions: This symptom is observed on a Cisco AS5300 series.

Workaround: Reload the Cisco AS5300.

CSCea76050

Symptoms: An IP phone does not display the calling party name for an inbound call through an H.323 gateway that uses a primary Digital Multiplex System (DMS-100).

Conditions: This symptom is observed when a call is sent to a router on an ISDN primary DMS-100 trunk where the "displayIE" does not start with the special leading character required by the DMS specification. The call flow is from Plain Old Telephone Service (POTS) to Voice over IP (VoIP).

Workaround: Use Cisco IOS Release 12.2(10a) or any Cisco IOS release without the fix for CSCdx12421. CSCdz86750 addresses this issue in the VoIP-to-POTS direction.

CSCea76566

Symptoms: A router may reload because incorrect information is sent in information elements (IEs).

Conditions: This symptom is observed if the generic transparency descriptor (GTD) message built by ISDN exceeds 255 bytes. The GTD message is sent in a Facility IE instead of an extended Facility IE. This results in incorrect parsing and may result in memory corruption.

Workaround: If the GTD message contents are not required, use the no isdn gtd interface configuration command on the ISDN D channel interface.

CSCea78058

Symptoms: A router that is configured with a channelized E1 or T1 controller may reload.

Conditions: This symptom is observed when you deconfigure the time slot on a channelized E1 or T1 controller that has an active interface (that is using X.25 encapsulation) before the active interface that is using X.25 encapsulation is removed.

Workaround: Administratively disable the active interface before you deconfigure the corresponding time slot on the E1 or T1 controller.

CSCea78505

Symptoms: A Cisco gateway does not acknowledge the group service message from a public switched telephone network (PSTN) gateway (PGW) if the gateway is configured with both an ISDN User Adaptation (IUA) Stream Control Transmission Protocol (SCTP) Non-Facility Associated Signaling group and a Redundant Link Manager (RLM) NFAS group.

Conditions: This symptom is observed on a Cisco gateway when the IUA SCTP NFAS group is configured first and then the RLM NFAS group is added.

Workaround: Configure the RLM NFAS group first and then add the IUA SCTP NFAS group.

CSCea83127

Symptoms: An ISDN Facility information element (IE) is duplicated on a Cisco terminating gateway (TGW). The TGW now has two Facility IEs; one contains the ISDN calling name data, and the other contains all ISDN generic transparency descriptor (GTD) data. Only one Facility IE with the calling name data should be present.

Conditions: This symptom is observed on a Cisco gateway if a GTD is enabled at the other end of the gateway.

Workaround: There is no workaround.

CSCea86300

Symptoms: A Cisco router may unexpectedly reload under rare circumstances.

Conditions: This symptom is observed on a Cisco router that acts as a Layer 2 Tunneling Protocol (L2TP) network server.

Workaround: There is no workaround.

CSCea87639

Symptoms: A Cisco 7200 series router may occasionally send START-CONTROL-REPLY control messages with the reserved field set to a value other than zero.

Conditions: This symptom is observed on a Cisco 7200 series router that is setting up Point-to-Point Tunneling Protocol (PPTP) tunnels.

Workaround: There is no workaround.

CSCea87831

Symptoms: A configured PPP session is permitted to come online without a successful Microsoft Point-to-Point Encryption (MPPE) negotiation.

Conditions: This symptom is observed when the ppp encrypt mppe 128 required interface configuration command is configured on the router, and the PPP client at the other end does not respond to MPPE negotiation.

Workaround: There is no workaround.

CSCea90880

Symptoms: When you enter the show frame-relay pvc privileged EXEC command, a Cisco router may reload because of a bus error.

Conditions: This symptom is observed when two users simultaneously edit the same data-link connection identifier (DLCI).

Workaround: Ensure that only one person at a time edits a DLCI.

CSCea92963

Symptoms: The information element (IE) for the called number is missing when there are no digits to be sent.

Conditions: This symptom is observed on a router when there are no digits to be sent.

Workaround: There is no workaround.

CSCeb01190

Symptoms: The primary Non-Facility Associated Signaling (NFAS) span goes down on a Cisco 7206VXR, and the backup span becomes the active span. Once this action occurs, many channel resets occur on the carrier.

Conditions: This symptom is observed on a Cisco 7206VXR that is configured for NFAS and that is running Cisco IOS Release 12.2(15)T1. The symptom was not observed in Cisco IOS Release 12.2(11)T6, Release 12.2(13)T3, or Release 12.2(16).

Workaround: There is no workaround.

CSCeb01583

Symptoms: A Cisco router or Cisco universal gateway may reload when you enter the show ppp multilink EXEC command.

Conditions: This symptom is observed when Multilink PPP (MLP) bundles transition between the "up" and "down" state.

Workaround: Do not enter the show ppp multilink EXEC command.

CSCeb03164

Symptoms: A memory leak may occur during the PPP events process.

Conditions: This symptom is observed when PPP is configured on a router.

Workaround: There is no workaround.

CSCeb04125

Symptoms: A Cisco router replies to the QSIG SETUP message that comes from the BRI interface with a CALL_PROC that has an invalid call reference value.

Conditions: This symptom is observed on a Cisco 3640 that is running Cisco IOS Release 12.2(5a).

Workaround: There is no workaround.

CSCeb08584

Symptoms: If Multilink PPP (MLP) is negotiated, an IP Control Protocol (IPCP) authorization request may be sent twice for each link.

Conditions: This symptom is observed in Cisco IOS Release 12.3(0.1).

Workaround: There is no workaround.

CSCeb12167

Symptoms: When a client tries to authenticate the called system by using Challenge Handshake Authentication Protocol (CHAP), the client may fail to achieve connectivity over a virtual private dialup network (VPDN).

Conditions: This symptom is observed in very rare situations. Most clients do not try to authenticate the called system.

Workaround: Reconfigure the client so as not to challenge the system that the client is calling.

CSCeb13282

Symptoms: The frame-relay map {protocol protocol-address dlci} ietf payload-compression frf9 stac interface configuration command may not function. When you use this command, the following message appears:

couldn't find map! Compression state not changed!

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(1.2) or Release 12.3(1.2)T.

Workaround: Use the frame-relay payload-compression command that is available under point-to-point subinterfaces instead.

CSCeb15455

Symptoms: A Cisco router may reload while attempting to create a Multilink PPP (MLP) bundle.

Conditions: This symptom is observed when there is constant Layer 2 Tunneling Protocol (L2TP) call churn on the order of 8 calls per second on the router.

Workaround: There is no workaround.

CSCeb16293

Symptoms: A public switched telephone network gateway (PGW) network access server (NAS) sigpath is in an out of service (OOS) status after a failover occurs.

Conditions: This symptom is observed after a PGW failover for ISDN User Adaptation (IUA) Non-Facility Associated Signaling (NFAS) groups.

Workaround: There is no workaround.

CSCeb18111

Symptoms: A Layer 2 Tunneling Protocol (L2TP) session may flap intermittently because of wedged interfaces.

Conditions: This symptom is observed on a Cisco 7500 series after a few days of proper operation. With the exception of the Cisco 3600 series, Cisco 7200 series, and Cisco 7400 series, the symptom may also occur on other platforms.

Workaround: Reload the router.

CSCeb19794

Symptoms: Virtual private dial-up network (VPDN) calls that are based on PPP Password Authentication Protocol (PAP) authentication may not be able to establish a VPDN tunnel.

Conditions: This symptom is observed when the autodetect encapsulation ppp v120 interface configuration command is enabled and occurs only for ISDN-based PPP calls.

Workaround: Enter the ppp authentication pap chap interface configuration command on the D channel of the serial lines.

First Alternate Workaround: Disable the autodetect encapsulation ppp v120 interface configuration command. Doing so may prevent the symptom from occurring, but will prevent V.120 calls from being accepted. This workaround may not always be valid.

CSCeb20959

Symptoms: Some Cisco ISDN switches do not support Redirecting Number (RDN) information element (IE) from user to network.

Conditions: This symptom is observed on Cisco NTT, DMS100, and NET5 switches.

Workaround: There is no workaround.

CSCeb23739

Symptoms: A Cisco router may reload with a bus error when the authentication, authorization, and accounting (AAA) server experiences severe delays (several seconds) in the response to IP Control Protocol (IPCP) authorization requests.

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.3(1.5) and that is configured as an L2TP Network Server (LNS). The symptom is observed only when there is a significant AAA delay.

Workaround: There is no workaround.

CSCeb30519

Symptoms: The authentication, authorization, and accounting (AAA) per user configuration may not be applied correctly for users who dial in and are EXEC authenticated, and start PPP.

Conditions: This symptom is observed when you use RADIUS to authorize dial-in PPP users.

Workaround: Disable the EXEC login; to configure the asynchronous interfaces, enter the async mode dedicated interface configuration command.

CSCeb53292

Symptoms: A Cisco AS5400 may reload immediately after bootup if the incoming cells per second (CPS) are more than 5. A similar reload is observed when calls are cleared from the network access server (NAS).

Conditions: This symptom is observed on a Cisco AS5400 with calls made with authentication, authorization, and accounting (AAA).

Workaround: There is no workaround.

CSCeb53751

Symptoms: ATM switched virtual circuit (SVC) calls that are routed to a Cisco 7200 series router from a third party switch may fail.

Conditions: This symptom is observed when calls originate from a third party switch that includes the ATM adaptation layer 5 (AAL5) parameter information element (IE) with specified forward and backward call processing control system (CPCS) service data unit (SDU) sizes. The Cisco router is currently not compliant with RFC 2225 paragraph 7.2. This behavior makes it fail with systems that comply with RFC 2225.

Workaround: There is no workaround.

CSCeb61573

Symptoms: The "change password" feature may not work when using Cisco Secure and Windows Client.

Conditions: This symptom occurs when the client times out and sends multiple change password requests before it gets a response for the first request.

Workaround: There is no workaround.

CSCeb70321

Symptoms: Callbacks may fail with Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) on a network access server (NAS) that is configured for compression because the callbacks may interrupt Microsoft Callback Control Protocol (MSCB) and Call-Back Control Protocol (CBCP) early.

Conditions: This symptom is observed on a Cisco AS5400 that is configured for MSCHAP V2 authentication.

Workaround: There is no workaround.

CSCeb72589

Symptoms: When a Cisco router is configured to do Microsoft Point-to-Point Compression (MPPC) and when a client connects and requests MPPC by using a null set of supported bits (which is the client's way of specifying that it does not want to do MPPC), then the network layer connectivity is not achieved.

Conditions: This symptom is observed on a Cisco router that is configured with MPPC.

Workaround: Disable MPPC on the router.

Alternate Workaround: Enable MPPC on the client.

CSCeb81177

Symptoms: PPP may cause unnecessary authentication, authorization, and accounting (AAA) IDs to be allocated.

Conditions: This symptom is observed on a Cisco router that has a lot of traffic with many sessions going up and down. Over time, this symptom can cause a memory leak that will deplete the system memory.

Workaround: Do not overload the router.

CSCeb86304

Symptoms: A Cisco router may pause indefinitely after issuing the ppp multilink router configuration command on virtual template 1, and issuing the ppp authentication pap or ppp authentication chap router configuration commands under dialer interface 0.

Conditions: This symptom is observed on a Cisco AS5400 router when heavy traffic is present.

Workaround: There is no workaround.

CSCeb87573

Symptoms: Data packets fail to flow if Multilink PPP (MLP) calls use compression with virtual profile based calls with compression.

Conditions: This symptom is observed on all Cisco platforms that are running Cisco IOS Release 12.2 or Release 12.3.

Workaround: Turn off hardware compression or remove the compression adaptor.

CSCin40054

Symptoms: The dialer-list dialer-group protocol protocol-name global configuration command displays duplicate options.

Conditions: This symptom is observed only for non-IP protocol options.

Workaround: There is no workaround.

CSCin42662

Symptoms: A Cisco 7200VXR with a PRI group configuration may reload with a bus error exception.

Conditions: This symptom is observed if the PRI group is removed when all B channels of the PRI group are up and bidirectional traffic is being passed.

Workaround: There is no workaround.

CSCin43573

Symptoms: The IP Control Protocol (IPCP) may fail when a multilink PPP (MLP) link attempts to reestablish itself after it is terminated.

Conditions: This symptom is observed when an MLP link attempts to reestablish itself after it is terminated on a Cisco 827.

Workaround: There is no workaround.

CSCin46811

Symptoms: A Cisco router reloads at the end of a call.

Conditions: This symptom is observed on a Cisco AS5350 router.

Workaround: There is no workaround.

CSCin48354

Symptoms: A link control protocol (LCP) negotiation may fail as a network access server (NAS) discards the packets and displays the following message:

Lower layer not up, discarding packet

Conditions: This symptom is observed when a ping from a client to an NAS fails with an authentication, authorization, and accounting (AAA) configuration.

Workaround: Do not configure anything that will cause a virtual-profile to be created (for example, an AAA per user configuration or a `virtual-profile virtual-template' configuration).

CSCin50541

Symptoms: A router may reload after you enter the ppp multilink interface configuration command.

Conditions: This symptom occurs when multilink is configured on an active serial interface and neither the ppp multilink group interface configuration command nor the multilink virtual-template global configuration command is entered. Under these conditions, multilink normally fails to create a bundle because of the lack of a configuration source for the bundle interface, but in this instance, it causes the router to reload.

Workaround: Use the shutdown interface configuration command to shut down the serial interface until it is configured with the ppp multilink group interface configuration command.

CSCin52071

Symptoms: Virtual private dialup network (VPDN) sessions cannot be established at the Layer 2 Tunneling Protocol (L2TP) network server (LNS).

Conditions: This symptom is observed on a Cisco LNS that is running Cisco IOS Release 12.3 because PPP does not allow packets to be processed. The following debug message appears:

195: ppp4 LCP: Lower layer not up, discarding packet

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(1a)

Cisco IOS Release 12.3(1a) is a rebuild release for Cisco IOS Release 12.3(1). The caveats in this section are resolved in Cisco IOS Release 12.3(1a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Miscellaneous

CSCdu53656

A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. BGP MD5 is a valid workaround for this problem.

Cisco has made free software available to address this problem. For more details, please refer to this advisory, available at http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml.

CSCdx76632

Symptoms: A Cisco AS5300 that is functioning as a voice gateway may reload because of an incoming bus error exception.

Conditions: This symptom is observed on a Cisco AS5300 that is running Cisco IOS Release 12.2(6d).

Workaround: There is no workaround.

CSCdx77253

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCdy61597

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCdy78836

Symptoms: Cisco IOS software may cause a Cisco router to reload unexpectedly when the router receives a malformed H.225 setup message.

Conditions: This symptom is observed on a Cisco 1700 series that runs Cisco IOS Release 12.2(13c). The symptom occurs when the following debug privileged EXEC commands are enabled:

debug h225 asn1

debug h225 events

debug h225 q931

Workaround: There is no workaround.

CSCea19885

Symptoms: A Cisco router that has a voice feature such as H.323 enabled may reload because of a bus error at address 0xD0D0D0B.

Conditions: This symptom is observed on a Cisco 3700 series but may also occur on other routers.

Workaround: There is no workaround.

CSCea27536

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea33240

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea33065

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea36231

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea46342

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea51030

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea51076

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea54851

Cisco products running IOS contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.

Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).

There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks.

This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.

CSCea55600

Symptoms: A Frame Relay (FR) interface may go up and down continuously.

Conditions: This symptom is observed on an FR interface when the keepalive timeout is set to one second and fragmentation and traffic shaping are enabled on multiple permanent virtual circuits (PVCs).

Workaround: Increase the keepalive timeout to 5 seconds or more.

CSCea65529

Symptoms: A 24E1 trunk card or STM-1 trunk card may reload during the bootup process of a Cisco AS5850, and the following error message is generated:

%FBINFO-3-CRASH: Feature board in slot <number>

After the trunk card has reloaded, it recovers and operates normally. The entire bootup process may take up to 10 minutes.

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.2(15)T or a later release and that is configured for handover split mode. The symptom does not occur when the router is configured for classic split mode.

Workaround: If the Route Switch Controller (RSC) is installed in slot 6, install the 24E1 trunk card or STM-1 trunk card in slot 8 through slot 13. If the RSC is installed in slot 7, install the 24E1 trunk card or STM-1 trunk card in slot 0 through slot 5. Note that the bootup process may still take up to 8 minutes.

CSCea67382

Symptoms: A Cisco Session Initiation Protocol (SIP) gateway may not perform a "Call Hold" that is initiated by a SIP re-INVITE request when the Session Description Protocol (SDP) media port parameter is set to zero.

Conditions: This symptom is observed on a Cisco SIP gateway that is running Cisco IOS Release 12.2.

Workaround: Upgrade Cisco IOS software to Release 12.2(1.4).

CSCea74551

Symptoms: A Cisco gateway may reject a "subscribe" request with a "400" response, indicating a "Bad Request, Malformed/Missing Request Line."

Conditions: This symptom is observed when the Session Initiation Protocol (SIP) address in the Uniform Resource Identifier (URI) of the "subscribe" request does not contain a user portion.

Workaround: There is no workaround.

CSCea77302

Symptoms: An L2TP access concentrator (LAC) may reload under the following circumstances:

PPP over Ethernet (PPPoE) sessions are cleared simultaneously on a LAC from a client and L2TP network server (LNS), and there are a large number of PPPoE sessions.

A command like the show ip dhcp pool EXEC command is used on a unit under test (UUT) router when the scroll window is small.

This symptom occurs because of a race condition between two threads that are clearing sessions simultaneously, or because one thread obtains a semaphore, the other thread tries to obtain the same semaphore, and a block occurs during the deletion.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2 T, Release 12.2(15)BX, or Release 12.3.

Workaround: There is no workaround.

CSCea78932

Symptoms: A Cisco router that has keepalives turned on and that is configured with the cns event global configuration command may not correctly display the termination of the Cisco Networking Services (CNS). The output of the show cns event connection EXEC command still shows that the event agent is connected even though the connection has been terminated. Some outgoing events may be lost when this symptom occurs.

Conditions: This symptom is observed on a Cisco 3640 router that has CNS configured.

Workaround: Use the debug cns event privileged EXEC command to determine if the event agent is actually connected. When the connection is established, there will be regular activity associated with the keepalives.

CSCea82506

Symptoms: The following message and traceback may be generated many times (40 to 50) during bootup of a Cisco 3600 series router or a Cisco 3700 series router:

%SYS-2-INTSCHED: 'suspend' at level 3 -Process= "Init", ipl= 3, pid= 3

-Traceback= 607CF0D8 61DED850 621DEF70 621E36CC 621E4474 621D7C10 621D9EE4 600BB384 600BC034 61DF79BC 60DCAB88 60DCADB4 61DD1100 61DD10E4

Conditions: This symptom is observed on Cisco 3600 series routers or Cisco 3700 series routers that are running Cisco IOS Release 12.3(1), and that use either a Virtual Private Network (VPN) encryption and hardware advanced integration module AIM-VPN/EPII or an AIM-VPN/HPII.

Workaround: There is no workaround. The router eventually comes up without a loss of functionality.

CSCea84387

Symptoms: Multiple simultaneous operators that use modular QoS CLI (MQC) related commands may cause the system to become unresponsive.

Conditions: This symptom is observed when multiple simultaneous operators use MQC commands.

Workaround: Allow only one operator at a time.

CSCea88409

Symptoms: A memory leak of approximately 20 bytes may occur on a Cisco platform that receives a Cisco Networking Services (CNS) event.

Conditions: This symptom is observed when the length of CNS events is greater than 500 bytes.

Workaround: Limit the length of CNS events to less than or equal to 500 bytes.

CSCea91695

Symptoms: When a Cisco Networking Services (CNS) event agent uses the backup gateway, it is not possible to configure the backup gateway to use keepalives. The link should use the same keepalive settings that are used with the primary gateway.

Conditions: This symptom is observed on a Cisco gateway that has the CNS event agent connected to the backup gateway.

Workaround: There is no workaround.

CSCea91920

Symptoms: Some of the XML tags in the output generated by the Cisco Networking Services (CNS) image agent are misspelled. Some of the XML tags accepted for input by the CNS image agent are misspelled.

Conditions: This symptom is observed on a Cisco router that is configured for CNS.

Workaround: Send messages to the router with the misspelled tag names, and accept output from the image agent with the misspelled tag names.

CSCea93878

Symptoms: The LED on a third-party vendor 911 operator simulator application may display that there are two key pulses (KPs) "KPKP911ST" for the dialed number identification service (DNIS) and two KPs "KPKP00<ani digits>ST" for the Automatic Number Identifier (ANI) digits (that is, for the number of the calling party). For correct operation, there should be only one KP at the beginning.

Conditions: This symptom is observed on a Cisco 5850 that is running Cisco IOS Release 12.3(1) when a 911 call is made through a channel-associated signaling (CAS) Feature Group-D (FGD) Multifrequency tones (MF) trunk to the 911 operator of the 911 operator simulator application.

Workaround: There is no workaround.

CSCeb00104

Symptoms: When configuration changes are made, a Cisco 7500 series Versatile Interface Processor (VIP) may pause indefinitely, produce large numbers of spurious memory accesses, or reload. This situation may cause the router to detect that interfaces on the VIP are not sending packets and to report that the output of the interfaces is stuck.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for fragmentation and shaping on a Frame Relay interface using modular QoS CLI (MQC).

Workaround: Before you make quality of service (QoS) policy or Frame Relay fragmentation changes on an interface of the VIP, enter the shutdown interface configuration command on the interface.

CSCeb01888

Symptoms: A call may fail because attributes may not be applied.

Conditions: This symptom is observed when the "template:ip-vrf," "template:ip-unnumbered," and "template:ip-addr" attributes are downloaded from the template authorization (that is, the aaa authorization template global configuration command is configured) but may not be applied.

Workaround: Configure the "template:ip-vrf," "template:ip-unnumbered," and "template:ip-addr" attributes under the virtual template.

Alternate Workaround: Configure the "lcp:interface-config" attribute in the per-user profiles.

CSCeb02241

Symptoms: It may not be possible to telnet from a node switch processor to a Node Route Processor 2 (NRP2).

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(1). The symptom is not observed in Cisco IOS Release 12.2(2)B7 or earlier releases.

Workaround: Clear the S0/0/0 interface on the NRP2.

Alternate Workaround: Enable Cisco Discovery Protocol (CDP) if it is not enabled.

CSCeb09370

Symptoms: A Cisco router reloads when the Cisco Networking Services (CNS) image agent and CNS image agent password are unconfigured using the no cns image and no cns image password password global configuration commands.

Conditions: This symptom is observed on a Cisco router when the cns image global configuration commands are unconfigured.

Workaround: Do not unconfigure the cns image password password global configuration command after the image agent is unconfigured using the no cns image global configuration command.

CSCeb12158

Symptoms: An E1 controller does not come up when the hardware loopback cable is connected or is in loopback mode.

Conditions: This symptom is observed on a Cisco AS5850 universal gateway.

Workaround: There is no workaround.

CSCeb18293

Symptoms: The Cisco Networking Services (CNS) exec agent configuration is lost after a Cisco router reloads.

Conditions: This symptom is observed on all Cisco routers that are running Cisco IOS Release 12.3.

Workaround: Always configure a host name or an IP address even if one is not needed. Use an IP address that is not known to have a device at that address or a string name that will fail upon DNS lookup.

CSCeb19726

Symptoms: The following error message may be displayed continuously on the console of a Cisco router and the router will need to be rebooted:

00:35:58: IPSECcard: an error coming back 0x0006

Conditions: This symptom is observed on a Cisco router when a Virtual Private Network (VPN) encryption and hardware advanced integration module (AIM-VPNII) is used under heavy stress (over 90-percent CPU utilization) and is configured with a large number of generic routing encapsulation (GRE) tunnels.

Workaround: Use the following workarounds:

Decrease the number of GRE tunnels.

Lower the amount of traffic.

Turn off the AIM-VPNII.

CSCeb27443

Symptoms: An STM-1 feature board will not boot due to an initialization failure.

Conditions: This symptom is observed on a Cisco AS5850 with a Revision 3 STM-1 feature board that does not have the engineering fields of the serial EEPROM programmed.

Workaround: Program the engineering fields of the serial EEPROM on the STM-1 feature board.

CSCeb28655

Symptoms: When older versions of TACACS+ servers are used to authenticate PPP users, authentication may stall and never complete. This behavior prevents users from connecting to the network.

Conditions: This symptom is observed in Cisco IOS Release 12.2(16.1)T and later releases. The symptom is not observed in Cisco IOS Release 12.2(15)T and earlier releases.

Workaround: Use a newer version of the TACACS+ server that implements version 193 of the TACACS+ protocol.

CSCin16800

Symptoms: Traffic from one Service Selection Gateway (SSG) host to another is routed directly to the second host.

Conditions: This symptom is observed for traffic from one subscriber to another subscriber. It occurs when the second subscriber's address falls into the service network to which the first subscriber is connected. The traffic is forwarded directly to the second subscriber instead of going to the service network. If the connections are Network Address Translation (NAT) connections, NAT is not applied to user traffic.

Workaround: There is no workaround.

Wide-Area Networking

CSCea21643

Symptoms: If an ISDN link flaps, a Cisco router may observe a dialer watch stall and permanently pause.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(13a) or Release 12.2(14.1).

Workaround: There is no workaround.

CSCea51540

Symptoms: An IP Control Protocol (IPCP) times out on a link control protocol (LCP) negotiation.

Conditions: This symptom is observed when dial-up networking (DUN) is used to connect to a Cisco router. Subsequent calls will fail in LCP. The symptom is not observed if the user is only using PPP.

Workaround: There is no workaround if both dialing methods are requested.

CSCeb01583

Symptoms: A Cisco router or Cisco universal gateway may reload when the show ppp multilink EXEC command is entered.

Conditions: This symptom is observed when Multilink PPP (MLP) bundles transition between the "up" and "down" state.

Workaround: Do not enter the show ppp multilink EXEC command.

CSCeb08584

Symptoms: If Multilink PPP (MLP) is negotiated, an IP Control Protocol (IPCP) authorization request may be sent twice for each link.

Conditions: This symptom is observed in Cisco IOS Release 12.3(0.1).

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(1)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(1). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(1). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCdx55178

Symptoms: Difficulties may occur when you attempt to log in to a Cisco 6400. After you have established a Telnet connection to a Node Route Processor 2 (NRP-2) and press the Enter key, the following user access verification sequence may be displayed, and you cannot log in:

Password:

Password:

Password:

% Bad passwords

Conditions: This symptom is observed on a Cisco 6400 that is running Cisco IOS Release 12.2(4)B3 only after an interactive ATM ping has occurred. The occurrence of the symptom may depend on the Telnet client.

Workaround: Instead of using an interactive ATM ping, enter the ping atm interface atm interface vpi vci [seg-loopback | end-loopback] [repeat [timeout]] privileged EXEC command.

CSCea21328

Symptoms: After a Versatile Interface Processor (VIP) has reloaded, there does not seem to be a crashinfo file because the crashinfo file is not closed; therefore, it is not visible or accessible. If the same VIP reloads again, both the first and second crashinfo files are accessible.

Conditions: This symptom is observed on a Cisco 7500 series that is running Cisco IOS Release 12.2(6f).

Workaround: There is no workaround.

CSCea56667

Symptoms: The memory that is held by the "RTT Responder" process may increase, as is indicated by the amount of memory in the "Hold" column in the output of the show processes memory include {rtt | pid} EXEC command.

Conditions: This symptom is observed when many jitter probes are sent simultaneously to the same destination port.

Workaround: Do not use the same destination port for all the probes.

First Alternate Workaround: To free memory once in a while, enter the no rtr responder global configuration command followed by the rtr responder global configuration command.

Second Alternate Workaround: Lower the duration of the probes.

CSCin29156

Symptoms: The following error message and tracebacks may be generated when you boot up a router:

%SYS-3-CPUHOG: Task ran for 3032 msec (0/0), process = CDP Protocol, PC = 4078429C. -Traceback= 407842A4 4043F458 4043F43C

Conditions: This symptom is observed on a Cisco 7500 series.

Workaround: There is no workaround.

CSCuk38757

Symptoms: The cardIfTable table is not correctly populated for channelized interfaces. All of the entries return a value of "-1".

Conditions: This symptom is observed on a Cisco 7500 series that is running Cisco IOS Release 12.0(22)S.

Workaround: There is no workaround.

IBM Connectivity

CSCdz16768

Symptoms: After the sdlc poll-pause-timer 10 interface configuration command is configured on a serial interface, a Cisco router that is the primary DTE sends a poll frame to a secondary DCE station at intervals of 150 to 180 ms.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.1(17).

Workaround: There is no workaround.

CSCdz40029

Symptoms: Data-link switching (DLSw) may cause a buffer leak in the small buffer pool of a Cisco router.

Conditions: This symptom is observed when DLSw Ethernet redundancy is configured and the end system starts the communication by sending an exchange identification (XID) frame to a destination service access point (DSAP) other than zero. (The symptom is not observed when the end system starts the communication by sending a test frame or an XID frame to DSAP zero.) The symptom is most likely to occur when the dlsw timer explorer-wait-time time global configuration command is configured. The larger the value of the time argument, the faster the buffers leak.

Note that the symptom does not occur when DLSw is configured with source-bridging, transparent bridge groups, Synchronous Data Link Control (SDLC), or Qualified Logical Link Control (QLLC); it occurs only when DLSw Ethernet redundancy is configured.

Workaround: To minimize the impact of the buffer leak, either reduce the time argument to 1 second or disable the dlsw timer explorer-wait-time time global configuration command. This workaround does not completely resolve the symptom but minimizes the rate at which the buffers leak.

CSCea03291

Symptoms: A Cisco router that is running data-link switching (DLSw) may reload because of a bus error.

Conditions: This symptom is observed only when a Cisco router functions as a peer to a non-Cisco router.

Workaround: Remove the third-party router from the DLSw network.

CSCea29740

Symptoms: Data-link switching (DLSw) Ethernet redundancy may not function; two routers may not be able to establish a master-slave relationship.

Conditions: This symptom is observed on a Cisco 7200 series that is running Cisco IOS Release 12.2(17) and that is configured with Fast Ethernet or Gigabit Ethernet interfaces on which Inter-Switch Link (ISL) or dot1q trunking encapsulation is enabled.

Workaround: There is no workaround.

Interfaces and Bridging

CSCea51200

Symptoms: Subinterface counters may increment more slowly than expected when the show interface atm EXEC command is entered on a subinterface.

Conditions: This symptom is observed when a user enters the show interface atm EXEC command on the subinterface of a Cisco router while traffic is going through the interface.

Workaround: There is no workaround.

CSCin34068

Symptoms: Interfaces may not be created when a channel group is configured on a Cisco 7500 series or a Cisco 7600 series.

Conditions: This symptom is observed only if channel groups are created on an 8-port multichannel T1 port adapter (PA-MC-8T1) and the PA-MC-8T1 is replaced with an enhanced 8-port multichannel T1/E1 PRI port adapter (PA-MC-8TE1+) by performing an online insertion and removal (OIR). After the port adapters are switched, the channel-group configuration on the PA-MC-8TE1+ does not work as expected.

Workaround: Remove the channel-group configuration on a port adapter before performing an OIR and replacing the port adapter with another port adapter.

CSCin37876

Symptoms: The Link Monitoring feature may not function.

Conditions: This symptom is observed for a Fast Serial Interface Processor (FSIP) that is installed in a Cisco 7500 series. The Link Monitoring feature may not be able to communicate with the FSIP, preventing debugging logs and traps from being generated.

Workaround: There is no workaround.

IP Routing Protocols

CSCdy26197

Symptoms: A significant memory leak may occur on a Cisco router.

Conditions: This symptom is observed when you configure and disable IP routing repetitively by using the ip routing global configuration command followed by the no ip routing global configuration command.

Workaround: There is no workaround.

CSCdz41087

Symptoms: An interface that is defined in an Enhanced Interior Gateway Routing Protocol (EIGRP) network statement may fail to come up in the EIGRP topology table.

Conditions: This symptom is observed after a Cisco router has reloaded. The occurrence of the symptom depends on the type of interface to which the router is connected and on the timing of the interface activation.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

CSCdz41310

Symptoms: Memory fragmentation may occur on a router.

Conditions: This symptom is observed when a large number of Open Shortest Path First (OSPF) routes are flapped on a Cisco router.

Workaround: There is no workaround.

CSCdz86780

Symptoms: A packet to which Network Address Translation (NAT) has been applied may not be properly processed by policy-based routing (PBR).

Conditions: This symptom is observed after NAT has been applied to a packet in the Cisco Express Forwarding (CEF) path and the packet is then sent by another feature to the process path. PBR in the process path may not handle the packet as expected because the source or destination of the packet, or both, have been changed by NAT.

Workaround: Disable CEF.

CSCea04272

Symptoms: Network Address Translation (NAT) and Virtual Private Network (VPN) routing/forwarding (VRF)-aware NAT may not function.

Conditions: This symptom is observed when the ip nat inside source global configuration command is configured on a subinterface that is enabled for Multiprotocol Label Switching (MPLS).

Workaround: Configure the ip nat inside source global configuration command on both the subinterface and the main interface.

CSCea06563

Symptoms: It may take up to 5 minutes for a traffic engineering (TE) label switched path (LSP) tunnel to come up.

Conditions: This symptom is observed when you change the encapsulation from High-Level Data Link Control (HDLC) to PPP or when you shut down an interface on which PPP encapsulation is configured.

Workaround: To enable the TE LSP tunnel to come up immediately, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface that functions as the TE LSP tunnel head.

CSCea10787

Symptoms: A Network Address Translation (NAT) static network configuration may not function for multicast packets.

Conditions: This symptom is observed when the ip nat inside source global configuration command is configured with the static keyword and multicast packets are being processed.

Workaround: There is no workaround.

CSCea11704

Symptoms: A Cisco router may reload when you enter the clear ip bgp * soft out privileged EXEC command.

Conditions: This symptom is observed when a Network Address Translation (NAT) static network is configured to process multicast packets.

Workaround: There is no workaround.

CSCea16719

Symptoms: One of two redundant route reflectors (RRs) that are part of the same cluster may reload and may cause a Virtual Private Network (VPN) routing/forwarding (VRF) table to contain incomplete routes. Routes that originated elsewhere in the network are in the Route Descriptor table but not in the VRF table, despite import statements and the fact that the routes were in the VRF table previously.

Conditions: This symptom is observed in a cell mode Multiprotocol Label Switching (MPLS) VPN network.

Workaround: To restore the missing routes, reset the Border Gateway Protocol (BGP) neighbor session to the RR that did not reload.

CSCea19236

Symptoms: A router may reload.

Conditions: This symptom is observed when a Border Gateway Protocol (BGP) policy list is used on a Cisco 7200 series.

Workaround: There is no workaround.

CSCea22310

Symptoms: A Cisco router may reload when you enter the ip nhrp authentication string interface configuration command, and the string argument exceeds eight characters.

Conditions: This symptom is observed on a Cisco 3662 that is running Cisco IOS Release 12.2(13)T1.

Workaround: Limit the string argument to eight characters or less.

CSCea26993

Symptoms: Multicast traffic may get dropped by a Cisco router that is running in dense mode. (Note that all routers have the multicast group in a pruned state even though interested receivers are present.)

Conditions: This symptom is observed when a T-flag is incorrectly set on an (S,G) entry.

A process that is used by dense mode and that is called an Assert process (referred to as Assert) is triggered, causing a designated forwarder (referred to as an Assert winner) to be elected. The Assert winner forwards multicast traffic onto a multiaccess segment when there is more than one router on the segment. If the router that becomes the Assert winner has the T-flag incorrectly set because traffic arrives on its outgoing interface (OIF) rather than on its incoming interface (IIF), multicast traffic is dropped as a result of Reverse Path Forwarding (RPF).

The Assert winner is based on the lowest administrative distance that is required to reach the source. When administrative distances are equal, the Interior Gateway Protocol (IGP) metric is used to determine how to reach the source. When both the administrative distance and the IGP metric are equal, the router with the highest IP address is used as a tiebreaker.

Possible Workaround: Disable Protocol Independent Multicast (PIM) on the interface of the Assert winner that has incorrectly set the T-flag on its (S,G) entry as a result of receiving traffic on its OIF rather than on its IIF.

First Possible Alternate Workaround: Enter the ip mroute source-address rpf-address distance global configuration command with a value of 255 for the distance argument on the Assert winner.

Second Possible Alternate Workaround: Configure the ip pim sparse-mode interface configuration command on the interface of the Assert winner to prevent the interface from operating in dense mode.

CSCea33955

Symptoms: A one-way voice path may occur on up to 30 percent of the calls that are made from IP telephones that connect to a Cisco CallManager that is located behind a customer edge (CE) router that performs Network Address Translation (NAT) for H.323 signaling. This symptom is specific to a multiservice Virtual Private Network (VPN) solution that involves a third-party vendor gatekeeper and to the calls that traverse the CE router.

Conditions: This symptom is observed on all Cisco CE routers that are running Cisco IOS Release 12.2(13)T when calls are made from enterprise IP telephones in the following topology:

IP telephones connect to a Cisco CallManager that connects to a Cisco 3660 customer edge (CE) router that is running NAT for the Cisco CallManager's private address and NAT-overload for the IP telephones. The CE router connects via an H.323 link to the third-party vendor gatekeeper.

The symptom occurs with no voice path in the direction from the PSTN to the IP telephone when the CE router handles messages at the call rate of two calls per second. When there is no load on the CE router, the symptom occurs in one out of every 25 calls.

Workaround: There is no workaround.

CSCea42500

Symptoms: If the default-information originate router configuration command is entered on the Virtual Private Network (VPN) routing/forwarding (VRF) instance of a Cisco 12000 series that has the address-family ipv4 vrf command configured using the Border Gateway Protocol (BGP), the default route is learned correctly but the default route is entered incorrectly in the BGP routing table. This behavior may result in unexpected behavior on the other router if the other router does not have a correct default route.

The default static route of the VRF is not advertised by BGP after the default static route is configured under the VRF, and BGP may advertise the incorrect default route that is in the BGP routing table.

Conditions: This symptom is observed on a Cisco 12000 series that is running BGP.

Workaround: Perform either of the following steps:

Enter a static default route under the VRF configuration.

Configure an access control list (ACL).

CSCea55449

Symptoms: The Multilayer Switch Feature Card (MSFC) of a Cisco Catalyst 6000 may reload with the following error message:

System was restarted by bus error at PC 0x40DFEE54, address 0xB0D0B7D

Conditions: This symptom is observed on a Cisco Catalyst 6000 that is configured for Network Address Translation (NAT).

Workaround: There is no workaround.

CSCea59268

Symptoms: A change in the length of Source Discovery Protocol (SDP) may not be correctly reflected. This situation may cause difficulties when non-Cisco proxies process SDP.

Conditions: This symptom is observed when the change in length of SDP occurs after Network Address Translation (NAT) has been processed.

Workaround: There is no workaround.

CSCea66336

Symptoms: A Cisco router may be unable to set up a Frame Relay or an ATM permanent virtual connection (PVC). When you enter the debug ip rsvp traffic-control EXEC command, the following message is displayed:

RSVP-TC: Unable to determine resource provider for tcsb

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(15)T.

Workaround: There is no workaround.

CSCea90941

Symptoms: The EIGRP Stub Routing feature may be missing from the configuration.

Conditions: This symptom is observed when a Cisco router on which the EIGRP Stub Routing feature is enabled is reloaded, or when the Enhanced Interior Gateway Routing Protocol (EIGRP) process is restarted.

Workaround: There is no workaround; you must reenable the EIGRP Stub Routing feature.

ISO CLNS

CSCea24421

Symptoms: Intermediate System-to-Intermediate System (IS-IS) load balancing may not function correctly.

Conditions: This symptom is observed in a topology in which three routers—router A, router B, and router C—reside on a broadcast media. Router A is the root node that performs Shortest Path First (SPF) and has a direct path to both router B and router C. There is also an additional path between router A and router B. When you configure IS-IS to enable router A to reach router C along two equal-cost paths, router A may not use the direct path (that is, one of the two equal-cost paths) to router C but may only use the additional path via router B to reach router C.

Workaround: There is no workaround.

CSCea64506

Symptoms: The following error message may be generated on a Cisco router:

%CLNS-3-BADPACKET: ISIS: L1 LSP, option 222 tlv length 2 is bad

Conditions: This symptom is observed in a multi-topology configuration when IP version 6 (IPv6) Intermediate System-to-Intermediate System (IS-IS) is enabled.

Workaround: There is no workaround.

Miscellaneous

CSCds76128

Symptoms: A Cisco router or switch may display the following error message periodically:

%SONET-4-ALARM: POS4/11: APS disabling channel

Conditions: This symptom is observed when an automatic protection switching (APS) protect interface is configured for PPP encapsulation. In these conditions, the error message is cosmetic.

Workaround: Change the encapsulation from PPP to High-Level Data Link Control (HDLC).

CSCdu56052

Symptoms: The automatic number identification (ANI)/dialed number identification service (DNIS) delimiter feature does not work correctly for outgoing calls. The configured template to process the ANI/DNIS delimiter selects the default template instead of the configured template.

Conditions: This symptom is observed for outgoing calls.

Workaround: There is no workaround.

CSCdw85843

Symptoms: A Cisco router may reload when the firmware of an Integrated Services Adapter (ISA) generates an error message that indicates that the firmware is no longer synchronized with Cisco IOS software.

Conditions: This symptom is observed on a Cisco 7200 series that is running the IMIX (a mixed-packet definition) pattern with 1400-byte packets.

Workaround: There is no workaround.

CSCdy18970

Symptoms: A Cisco AS5800 may reload because of a bus error when it attempts to access an invalid address.

Conditions: This symptom is observed on a Cisco AS5800 that is running Cisco IOS Release 12.1(15).

Workaround: There is no workaround.

CSCdy73051

Symptoms: You cannot use a show command to display a Virtual Private Network (VPN) routing/forwarding (VRF)-IP Security (IPSec) configuration, preventing troubleshooting in such a configuration.

Conditions: This symptom is observed when you attempt to troubleshoot a Cisco router that functions as the IPSec concentrator of several VPNs that are defined by their respective VRFs.

Workaround: There is no workaround.

CSCdy86668

Symptoms: During an ISDN Multilink PPP (MLP) call, the following error message may appear on the console or in the syslog of a Cisco 3660 router:

ALIGN-3-SPURIOUS: Spurious memory access made at 0x... reading 0x0

Conditions: This symptom is observed on a Cisco 3660 router that is configured with a Compression Advanced Interface Module (CAIM) module and that is running Cisco IOS Release 12.2(7c).

Workaround: There is no workaround. Information about alignment errors may be found at the following location: http://www.cisco.com/warp/public/63/spuraccess.html.

CSCdz19517

Symptoms: The Low Latency Queuing (LLQ) for IPSec Encryption Engines feature may not function. The output of the show crypto engine qos EXEC command may be incorrect and does not list all configured priority class entries.

Conditions: This symptom is observed on all Cisco routers that are running Cisco IOS Release 12.2(13)T and that use the Low Latency Queuing (LLQ) for IPSec Encryption Engines feature. LLQ may not initialize correctly for some policy map configurations.

Workaround: Define all priority class entries in the policy map before you define any nonpriority class entry.

CSCdz24172

Symptoms: Traceback messages are displayed when Secure Shell (SSH) generates a server key during SSH initialization. The server key generation fails, and an SSH server function failure occurs.

Conditions: This symptom is observed when a server key is generated during SSH initialization on a Cisco uBR7200 series.

Workaround: There is no workaround.

CSCdz33510

Symptoms: A Fast Ethernet (FE) interface resets after you enter the no ip igmp join-group group-address interface configuration command and the link state goes down temporarily.

Conditions: This symptom is observed on a Cisco 2691, Cisco 3725, or Cisco 3745 router when you enter the ip igmp join-group group-address interface configuration command followed by the no ip igmp join-group group-address interface configuration command several times in succession on the FE interface.

Workaround: There is no workaround.

CSCdz46029

Symptoms: A memory leak may occur on a Cisco gatekeeper when gatekeeper accounting is configured.

Conditions: This symptom is observed under heavy stress conditions and upon sending an admission rejection (ARJ) in response to an automatic repeat request (ARQ).

When you suspect a memory leak, enter the show gatekeeper performance stats EXEC command to determine if any ARJs have been recorded.

Workaround: There is no workaround. Note that the symptom does not occur in Cisco IOS Release 12.2(11)T.

CSCdz47522

Symptoms: Even though the resume and suspend capacity is configured by default, a 911 call may go off-hook before the operator ringback is detected. When the call agent (CA) sends a "resume" message, the signal is not properly propagated.

Conditions: This symptom is observed on a Cisco 3660 that is functioning as a Media Gateway Control Protocol (MGCP) and that is configured with T1 recEive and transMit (E&M) channel-associated signaling (CAS) and Feature Group-D Operator Services (FGD-OS) protocol.

When the caller places a 911 call, the caller dials outbound, goes on-hook, the CA sends a "suspend" message, and the signal is propagated to the Cisco Internet Operations Support System (OSS). Before the operator ringback is detected, the caller goes off-hook, the CA sends a "resume" message, but the signal is not propagated to the OSS.

Workaround: There is no workaround.

CSCdz49865

Symptoms: The sccp local interface-type interface-number global configuration command binds the IP address of the interface that is specified in the command to the Transcoder or Conference Bridge. However, if you enter loopback for the interface-type argument and 0 for the interface-number argument, a Digital Signal Processor (DSP) farm cannot function.

Conditions: This symptom is observed when you enter the sccp local loopback 0 global configuration command to generate the Skinny Client Control Protocol (SCCP) packets that use the IP address of the loopback interface for service provider deployment.

Workaround: Instead of the loopback interface, use the outgoing interface that is used by the packets of the DSP farm to reach the Cisco CallManager interface. For example, if this interface is a Fast Ethernet interface with interface number 0/0, enter the sccp local fastethernet 0/0 global configuration command.

CSCdz50199

Symptoms: When the service-policy interface configuration command has been configured on any of its interfaces, a Cisco router may reload during the bootup process, and the following error message is logged on the console of the router:

%ALIGN-1-FATAL: Corrupted program counter pc=0xABCD, ra=0xFJHK, sp=0xLMNOPQRS

Note: Pc represents the program counter; ra represents the return address; sp represents the stack pointer.

Conditions: This symptom is observed on a Cisco 7500 series that is running Cisco IOS Release 12.2(15) or Release 12.2(15)T.

Workaround: Disable the configuration of the service policy before you reload the router and reapply the configuration of the service policy after the router has been booted up.

CSCdz54555

Symptoms: An integrated service adaptor (ISA) card resets itself intermittently. The IP Security (IPSec) connections are affected because of the switchover between the hardware crypto engine and the software crypto engine.

Conditions: This symptom is observed on a Cisco 7200 series router that is configured with an ISA card.

Workaround: There is no workaround.

CSCdz58142

Symptoms: A block serial tunnel (BSTUN) Binary Synchronous Communications (Bisync) connection to several ATMs pauses sporadically.

Conditions: This symptom is observed on a Cisco 3662 router that is running Cisco IOS Release 12.2(12a) and that is configured with NM-2W and WIC-2T cards as the DTE. This symptom applies to all WAN interface cards (WICs) in NM-xFE-2W modules, and includes the NM-2W, NM-1FE-2W, NM-2FE-2W, and NM-1R-1FE-2W modules because all of these modules incorporate the DSCC4 serial communications controller.

The output of the show interfaces serial slot/port privileged EXEC command on the Bisync interface displays that input packets increase slowly, but output packets have stopped increasing.

The output of the show controllers serial slot/port privileged EXEC command on the Bisync interface displays that tx interrupts do not continue to increase, but indicates that the transmitter has paused on the serial interface.

When you enter the debug bsc packet EXEC command during the pause, the following information appears:

%BSC-3-BADLINESTATE: Line state Tx when receiving INVALID on line Serial3/1

%BSC-3-BADLINESTATE: Line state Tx when receiving INVALID on line Serial3/1

%BSC-3-BADLINESTATE: Line state Tx when receiving INVALID on line Serial3/1

%BSC-3-BADLINESTATE: Line state Tx when receiving INVALID on line Serial3/1

%BSC-3-BADLINESTATE: Line state Tx when receiving INVALID on line Serial3/1

or

%BSC-3-BADLINESTATE: Line state Tx when receiving EOT on line Serial3/0

%BSC-3-BADLINESTATE: Line state Tx when receiving PLSL on line Serial3/0

%BSC-3-BADLINESTATE: Line state Tx when receiving EOT on line Serial3/0

%BSC-3-BADLINESTATE: Line state Tx when receiving PLSL on line Serial3/0

%BSC-3-BADLINESTATE: Line state Tx when receiving EOT on line Serial3/0

Workaround: Use the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected serial interface.

CSCdz60807

Symptoms: When you enter the use-proxy gatekeeper configuration command, a Cisco router may reload because of a bus error.

Conditions: This symptom is observed only when calls are handled by the Multimedia Conference Manager (MCM) proxy. The symptom is related to the H.245 facility message; if the endpoints do not generate facility messages, the symptom does not occur.

Workaround: Disable the MCM proxy.

CSCdz61083

Symptoms: A 36-port 10/100 EtherSwitch High Density Service Module (NMD-36-ESW) EtherSwitch may report the following errors:

ERROR Interrupt: PCI Fatal Error ON DMA CH0
ERROR Interrupt: PCI Fatal Error ON DMA CH1

Conditions: This symptom is observed on the NMD-36-ESW EtherSwitch of a Cisco 3745 router.

Workaround: Power the router down, and then power the router back up again.

CSCdz63253

Symptoms: A terminating multiservice route processor (MRP) that is configured as a Media Gateway Control Protocol (MGCP) media gateway (MG) does not report the on-hook event for a certain period of time that can vary from about 5 seconds to minutes, even though the connection has been deleted. The analog port being used will stay off-hook, and the next call cannot be made during this entire period.

Conditions: This symptom may be observed during regular analog calls as well as during automated testing using a call generator (CallGen) for analog ports. When the remote end goes on-hook first, the local port will stay off-hook for a certain period of time that can vary from about 5 seconds to minutes, even though the telephone physically goes on-hook.

Workaround: There is no workaround.

CSCdz66770

Symptoms: Tag Distribution Protocol (TDP) may not convey the label change information for a prefix that is learned via an exterior Border Gateway Protocol plus (EBGP+) label to its TDP peers.

Conditions: This symptom is observed on a Cisco 7500 series when TDP is used. The symptom does not occur when Label Distribution Protocol (LDP) is used.

Workaround: There is no workaround.

CSCdz69000

Symptoms: A Versatile Interface Processor 4-80 (VIP4-80) may reload during normal operation.

Conditions: This symptom is observed on a Cisco 7500 series that is running Cisco IOS Release 12.2 or Release 12.2 T when Real-Time Transport Protocol (RTP) and distributed switching are enabled.

Workaround: Disable distributed switching using the no ip cef distributed global configuration command.

CSCdz69177

Symptoms: A spurious memory access may occur on the Versatile Interface Processor (VIP) of a Cisco 7500 series.

Conditions: This symptom is observed when Multiprotocol Label Switching (MPLS) forwarding is enabled.

Workaround: There is no workaround.

CSCdz72673

Symptoms: A Cisco router that is functioning as a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) provider edge (PE) router may reload with an "address error" message.

Conditions: This symptom is observed at bootup time when the PE and customer edge (CE) interfaces are coming up. The symptom occurs when a locally learned VPN routing/forwarding (VRF) route temporarily loses its local label. This condition leads to some data structures being cleaned up but still retaining references to the local label. It may also occur after bootup in the cases of interface flaps. The reload is not a common occurrence, however, and may need additional triggers. Cisco IOS releases without the fix for the caveat CSCdv49909 are unlikely to encounter this symptom.

Workaround: There is no workaround.

CSCdz73492

Symptoms: A fax resource on a Cisco AS5400 may not be deallocated after a call goes through, preventing further calls from being accepted on this resource.

Conditions: This symptom is observed during a fax test when the recEive and transMit (E&M) Feature Group-B (FGB) is configured on the trunk line of a Cisco AS5400.

Workaround: Use T1 PRI signaling on the trunk line.

CSCdz75086

Symptoms: I/O memory corruption may occur in the Cisco CallManager software during the bootup process of a Cisco IOS platform that is functioning as a gateway.

Conditions: This symptom is observed only rarely and occurs when a call-load generator is already generating calls to the gateway when the gateway is still booting up.

Workaround: There is no workaround.

CSCdz75630

Symptoms: An Address Resolution Protocol (ARP) difficulty may occur in a Virtual Private Network (VPN) routing and forwarding (VRF) instance, causing traffic to stop flowing.

Conditions: This symptom is observed on an IP Security (IPSec) concentrator in a Multiprotocol Label Switching (MPLS) environment when the remote IP addresses that are configured on the interface that is facing an MPLS provider edge (PE) router and the pool addresses belong to the same subnet.

Workaround: Add a static ARP entry for the IP address of the MPLS-PE on the IPSec concentrator.

CSCdz76138

Symptoms: A Cisco 7400 series router that is used as an L2TP network server (LNS) and that is configured with Parallel Express Forwarding (PXF) shows the virtual-interface output counter and the RADIUS Acct-Output-Octets at approximately 2.5 times less than reality. If PXF is disabled, the virtual-interface output counter functions correctly.

Conditions: This symptom is observed on a Cisco 7400 series router that is running Cisco IOS Release 12.2(4B5), Release 12.2(4B6), or Release 12.2(4B7).

Workaround: Disable PXF.

CSCdz78957

Symptoms: When you enter the debug cas EXEC command, no debug messages are generated.

Conditions: This symptom is observed on a Cisco AS5400 when you attempt to display debug messages for T1 channel-associated signaling (CAS) calls. The symptom may also occur on a Cisco AS5300.

Workaround: There is no workaround.

CSCdz81619

Symptoms: Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) traffic may be dropped as ignored traffic.

Conditions: This symptom is observed on a Cisco 7500 series that is running Cisco IOS Release 12.2 when all the following conditions are present:

The router is configured for distributed Cisco Express Forwarding (DCEF).

The MPLS VPN traffic enters via a Gigabit Ethernet (GE) subinterface that has dot1q encapsulation enabled.

The MPLS VPN traffic leaves via a VPN routing/forwarding (VRF) subinterface that has dot1q encapsulation enabled.

Both the GE ingress subinterface and the VRF egress subinterface belong to the same main interface.

The number of "ignored" in the output of the show interfaces privileged EXEC command should match the "ChkSum_Err" field in output of the show cef drop EXEC command or the checksum error information in the output of the show ip traffic EXEC command.

Workaround: Do not use DCEF; rather, use CEF.

CSCdz83091

Symptoms: Dropouts are heard during music on hold (MOH) playback from Flash memory.

Conditions: This symptom is observed if the Flash memory is formatted using the disk operating system file system (DOSFS).

Workaround: Use the low end file system (LEFS) Flash file system and format for this mode by entering the erase flash command.


Note: Be certain to save the relevant files that are in Flash memory to an alternate location before entering the erase flash command. The files can be copied back into Flash memory after the erase flash command is entered.


CSCdz84547

Symptoms: The crypto map global configuration command that is installed under the BRI interface of a Cisco 2600 series may cause segmentation violation (SegV) exceptions or unexpected exceptions to the CPU vector when the router is booting up.

Conditions: This symptom is observed on a Cisco 2600 series that has a network module and a WAN interface card. This symptom is observed only when the Cisco 2600 series is booting up. This symptom does not occur if the crypto map global configuration command is installed under a different interface and does not occur if the BRI interface is configured after the router has booted up.

Workaround: It is possible to configure the BRI interface without causing this symptom to occur. However, if the router reboots with the configuration in NVRAM, it may continue to experience SegV exceptions and fail to boot completely.

CSCdz84845

Symptoms: A universal access server may display memory allocation (MALLOC) failures, may consistently decrease its memory, and eventually reload because of a low memory condition.

Conditions: This symptom is observed on a Cisco AS5300, Cisco AS5350, or Cisco AS5400 that has channel-associated signaling (CAS) asynchronous or synchronous calls and occurs when authentication, authorization, and accounting (AAA) preauthentication is invoked.

Every time a call is placed to a dialed number identification service (DNIS) that is not on the DNIS bypass list or in the AAA database, memory is not released. This situation eventually causes the universal access server to reload.

Workaround: Create a resource pool with a wildcard DNIS. However, do not provide resources in this resource pool. This workaround effectively rejects calls on the basis of resources rather than on the basis of AAA preauthentication.

CSCdz88230

Symptoms: A first call into the standard prepaid Tool Command Language (TCL) application version 2.0.2.6 is successful, but all subsequent calls may encounter a busy signal.

Conditions: This symptom is observed when the application is configured on E1R2 trunks. The application works fine with PRI trunks.

Workaround: There is no workaround.

CSCdz89241

Symptoms: A Real-Time Transport Control Protocol (RTCP) packet may cause an input queue wedge on a universal access server.

Conditions: This symptom is observed on a Cisco AS5300 that is used as a voice gateway in a Signaling System 7 (SS7) solution. The Cisco AS5300 is used as an originating gateway in a gatekeeper environment.

Workaround: There is no workaround.

CSCdz89449

Symptoms: A loss of link adjacency that occurs on a provider edge (PE) interface may cause the improper cleanup of related data structures. When this behavior occurs, an error message that is similar to the following may be generated and the router may reload:

%SYS-2-NOTQ: unqueue didn't find 43D7B8E8 in queue 43B0C8CC - Process= "LDP", ipl= 0, pid= 174

Conditions: This symptom is observed on a router that is running the Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) Carrier Supporting Carrier (CsC) feature.

Workaround: There is no workaround.

CSCdz90152

Symptoms: A multilink PPP (MLP) interface does not CEF-switch incoming Multiprotocol Label Switching (MPLS) packets. Instead, it switches them in the process-switching path. Outgoing MPLS packets are correctly handled in the Cisco Express Forwarding (CEF) path.

Conditions: This symptom is observed on a Cisco 7200 VXR router that is running Cisco IOS Release 12.2(15)T.

Workaround: There is no workaround.

CSCea01079

Symptoms: A Cisco router that is configured with a content engine network module (NM-CE-BP) may pause indefinitely and not recover on its own.

Conditions: This symptom is observed when the router-side interface of the NM-CE-BP is subjected to some bursty incoming traffic.

Workaround: There is no workaround.

CSCea02611

Symptoms: A segmentation violation (SegV) reload may be observed on a cable access router.

Conditions: This symptom is observed on a Cisco uBR900 series.

Workaround: There is no workaround.

CSCea02744

Symptoms: The ignore-dcd interface configuration command does not allow an interface to come up when it is connected to a device that sends a data set ready (DSR) signal instead of a data carrier detect (DCD) signal. The interface will remain in the up/down state.

Conditions: This symptom is observed on a 1-port serial WAN interface card (WIC-1T) or a 2-port serial WAN interface card (WIC-2T) that is installed on a 1-port Fast Ethernet network module with two WAN card slots (NM-1FE2W) or a 2-port Fast Ethernet network module with two WAN card slots (NM-1FE2W or NM-2FE2W) on a Cisco 2600 series, Cisco 3600 series, or Cisco 3700 series that is running Cisco IOS Release 12.2(13)T.

Workaround: To enable the interface to come into the up/up state, shorten the DSR signal to a DCD signal using a breakout device.

CSCea07154

Symptoms: Two routers that are connected via serial interfaces may reload unexpectedly. The following message may be displayed when the show version EXEC command is entered:

System was restarted by bus error at PC 0x6103B948, address 0xFFFFFFFC

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(15)T.

Workaround: There is no workaround.

CSCea09001

Symptoms: Systems Network Architecture switching services (SNASw) logical units (LUs) may fail to establish a session with their virtual telecommunications access method (VTAM) application. The session fails with sense code 0855000F, which indicates the following information:

Route Setup procedure failure: An intermediate or destination node was unable to successfully complete the processing of a high-performance routing (HPR) Route Setup request or reply.

The route setup request completed unsuccessfully. The route setup reply was not received in the allotted time (as determined by the IOPURGE start option).

Conditions: This symptom is observed when the SNASw router is connected upstream via High-Performance Routing (HPR)/IP links to two network nodes (NNs) and occurs after repeated Logical Data Link Control (LDLC) timeouts and "RSETUP" HPR pipe timeouts occur upstream to an NN.

Further Details 1: SNASw receives the route-setup request via the RSETUP HPR pipe and sends its route-setup reply via Intermediate Session Routing (ISR) back to the VTAM NN. However, the VTAM does not receive the route-setup reply, and consequently the session fails with a sense code 0855000F.

The symptom occurs when both NNs activate the RSETUP Rapid Transport Protocol (RTP) connection at the same time. Note that this is a valid condition with two active RSETUP RTP connections, one in each direction. However, because these RTP connections are independent, one connection may time out and be deactivated while the other may continue to be active. When the RSETUP connection that is activated by SNASw times out first, the SNASw router continues to receive route-setup requests on the other RSETUP connection. SNASw then attempts to send the route-setup replies as non-RTP data, but these replies are discarded. Eventually the remaining RTP connection times out at the remote node.

Further Details 2: When SNASw (CPNAME SNASW001) receives a route-setup request general data stream (GDS) variable (x'12CE') on an RSETUP HPR pipe from "NETWORKA.MVSBBB" while the origin of the route-setup request was "NETWORKA.MVSAAA," the output of the snasw dlctrace global configuration command displays the following information:

34191 MVSLINKB In sz:203 HPR RtSetup

TCID(E A7000000) DL(A6) BSQ(1EF27) SR SM EM ARB(RQ)

0000 C60880FF 00000000 0EA70000 003C0400 *F........x......*

0010 08000000 A60001EF 27032281 50004EDD *....w......a&.+.*

0020 A0000000 0000A612 CE000200 00000000 *......w.........*

0030 00000000 00140EF3 D5C5E3E6 D6D9D2C1 *.......3NETWORKA*

0040 4BC4E3E5 F1F1F0F0 F9342B02 021A4618 *.DTV11009.......*

0050 80150FD5 C5E3E6D6 D9D2C14B D4E5E2C2 *...NETWORKA.MVSB*

0060 C2C22100 00002516 46118015 08E2D5C1 *BB...........SNA*

0070 E2E6F0F0 F1218000 00250388 800A2C02 *SW001......h....*

0080 067BC9D5 E3C5D91A 60FE63CD 2E72D562 *.#INTER.-.....N.*

0090 190FD5C5 E3E6D6D9 D2C14BD4 E5E2C1C1 *..NETWORKA.MVSAA*

00A0 C12A8040 00000005 A7000001 5000000F *A.. ....x...&...*

00B0 A0000000 0016670A 00807900 66000000 *..........`.....*

00C0 000A0080 6404A400 *......u. *

When SNASW001 sends back an HPR status segment acknowledging the receipt of the route-setup request, the output of the snasw dlctrace global configuration command displays the following information:

34192 MVSLINKB Out sz:64 HPR Stat Rpy ARB

TCID(2BF94FB8 8BC) DL(0) BSQ(0) ST(1EFCE) ARB(RP)

0000 C600D200 00000000 0000FF00 2BF94FB8 *F.K..........9..*

0010 000008BC 0004000D 00000000 00000000 *................*

0020 050E0000 00000234 0001EFCE 00000000 *................*

0030 00000000 03224105 00000000 00000000 *................*

When SNASW001 generates the route-setup reply GDS and sends it back to NETWORKA.MVSAAA via NETWORKA.MVSBBB and via ISR, the output of the snasw dlctrace global configuration command displays the following information:

(Note that NETWORKA.MVSBBB probably does not receive this route-setup reply because the reply should be sent via the HPR RSETUP pipe on which the route-setup request is received.)

34193 MVSLINKB Out sz:184 ISR Rq RtSetup

0000 2D000000 00002B00 001000AE 12CE9002 *................*

0010 A0000001 D4C00000 00000A2C 02067BC9 *....M{........#I*

0020 D5E3C5D9 1A60FE63 CD2E72D5 62190FD5 *NTER.-.....N...N*

0030 C5E3E6D6 D9D2C14B C9C4E2D7 C9C12A80 *ETWORKA.IDSPIA..*

0040 40000000 05A70000 01500000 0FA00000 * ....x...&......*

0050 00001667 0A008079 00660000 00000A00 *.......`........*

0060 806404A4 00000000 1A2B0100 16461480 *...u............*

0070 150FD5C5 E3E6D6D9 D2C14BD4 E5E2C2C2 *..NETWORKA.MVSBB*

0080 C221140E F4C9C4C3 D5C5E3E6 D24BE2D5 *B...4NETWORKA.SN*

0090 C1E2E6F0 F0F10326 800639C2 10ECC819 *ASW001.....B..H.*

00A0 80C00000 0005AA00 00004B00 003E6600 *.{..............*

00B0 00000005 67030091 *.......j *

Workaround: Terminate the SNASw link on which the route-setup request is received, and then restart the same link: enter the snasw stop link linkname privileged EXEC command followed by the snasw start link linkname privileged EXEC command.

The resolution for this caveat ensures that in case either one of the RSETUP RTP connections fails, processing continues as if there is only one RTP connection. The resolution for this caveat also resolves a minor memory leak, in which a buffer was lost every time an RSETUP or control point-to-control point (CP-CP) RTP connection was disconnected.
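
The first snasw dlctrace capture under Further Details 2 can be checked mechanically. The following Python sketch is an added example, not Cisco code: it rebuilds the frame from the hex rows quoted in that capture, locates the route-setup GDS variable (x'12CE'), and decodes the EBCDIC names. The function names and the choice of code page 037 for decoding are assumptions made for this example.

```python
import re

# Rows copied from the first "snasw dlctrace" capture in CSCea09001
# (Further Details 2), with the blank lines between rows removed.
TRACE = """\
34191 MVSLINKB In sz:203 HPR RtSetup
TCID(E A7000000) DL(A6) BSQ(1EF27) SR SM EM ARB(RQ)
0000 C60880FF 00000000 0EA70000 003C0400 *F........x......*
0010 08000000 A60001EF 27032281 50004EDD *....w......a&.+.*
0020 A0000000 0000A612 CE000200 00000000 *......w.........*
0030 00000000 00140EF3 D5C5E3E6 D6D9D2C1 *.......3NETWORKA*
0040 4BC4E3E5 F1F1F0F0 F9342B02 021A4618 *.DTV11009.......*
0050 80150FD5 C5E3E6D6 D9D2C14B D4E5E2C2 *...NETWORKA.MVSB*
0060 C2C22100 00002516 46118015 08E2D5C1 *BB...........SNA*
0070 E2E6F0F0 F1218000 00250388 800A2C02 *SW001......h....*
0080 067BC9D5 E3C5D91A 60FE63CD 2E72D562 *.#INTER.-.....N.*
0090 190FD5C5 E3E6D6D9 D2C14BD4 E5E2C1C1 *..NETWORKA.MVSAA*
00A0 C12A8040 00000005 A7000001 5000000F *A.. ....x...&...*
00B0 A0000000 0016670A 00807900 66000000 *..........`.....*
00C0 000A0080 6404A400 *......u. *
"""

# A dump row: 4-digit hex offset, one to four 8-digit hex words, then "*text*".
ROW = re.compile(r"^\s*([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{8}\s+){1,4})\*")
SIZE = re.compile(r"\bsz:(\d+)")
# Network-qualified name (NETID.NAME), each part at most 8 characters.
NAME = re.compile(r"[A-Z][A-Z0-9]{0,7}\.[A-Z][A-Z0-9]{0,7}")
ROUTE_SETUP_GDS = b"\x12\xCE"  # GDS ID quoted in the caveat text


def parse_dlctrace(text):
    """Return (declared_size, frame_bytes) for one dlctrace record."""
    declared, frame = None, bytearray()
    for line in text.splitlines():
        m = SIZE.search(line)
        if m and declared is None:
            declared = int(m.group(1))
            continue
        m = ROW.match(line)
        if not m:
            continue  # summary line (TCID ...), blank line, and so on
        offset = int(m.group(1), 16)
        if offset != len(frame):
            raise ValueError(f"gap in dump at offset {offset:04X}")
        frame += bytes.fromhex("".join(m.group(2).split()))
    return declared, bytes(frame)


def find_gds(frame, gds_id):
    """Locate a GDS variable and return (start_offset, length).

    A GDS variable starts with a 2-byte length (LL) that counts the whole
    variable, LL and ID included, followed by the 2-byte ID.
    """
    pos = frame.find(gds_id)
    while pos != -1:
        if pos >= 2:
            ll = int.from_bytes(frame[pos - 2:pos], "big")
            if ll >= 4:
                return pos - 2, ll
        pos = frame.find(gds_id, pos + 1)
    return None


def qualified_names(frame):
    """Decode the frame as EBCDIC (cp037, assumed) and list NETID.NAME strings."""
    return NAME.findall(frame.decode("cp037"))


def analyse(text):
    declared, frame = parse_dlctrace(text)
    hit = find_gds(frame, ROUTE_SETUP_GDS)
    if hit is None:
        raise ValueError("no route-setup GDS variable in this record")
    start, ll = hit
    return {
        "declared_size": declared,   # sz: value from the record header
        "captured": len(frame),      # bytes actually present in the dump
        "gds_offset": start,
        "gds_length": ll,
        "gds_end": start + ll,
        "names": qualified_names(frame),
    }


if __name__ == "__main__":
    for key, value in analyse(TRACE).items():
        print(f"{key}: {value}")
```

On this capture the GDS variable starts at offset x'25' with length x'A6', so it ends at byte 203, the size given in the record header, while the dump itself shows only the first 200 bytes.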

CSCea09302

Symptoms: A Cisco router or Cisco switch may reload when the group mode changes from the Protocol Independent Multicast (PIM) dense mode to the PIM bidirectional mode.

Conditions: This symptom is observed when the PIM Dense-Mode State Refresh feature is enabled.

Workaround: There is no workaround.

CSCea10024

Symptoms: A Cisco 7200 series router that is configured with Systems Network Architecture Switching Services (SNASw) and enterprise extender uplinks to a mainframe permanently pauses during the mainframe initial program load (IPL). The show process cpu EXEC command indicates that the router is at 99 percent CPU utilization during the IPL.

Conditions: This symptom is observed on a Cisco 7200 series router.

Workaround: There is no workaround.

CSCea10446

Symptoms: Memory corruption may cause a router to reload.

Conditions: This symptom is observed on a Cisco 3600 series that is handling Voice over IP (VoIP) T.38 fax calls under load conditions.

Workaround: There is no workaround.

CSCea11175

Symptoms: While updating PRI endpoints S1/DS1-0 with a new clock source setting and then resetting the gateway, extensible markup language (XML) reconfigures the endpoints but then shuts down the controller when the XML download is complete.

Conditions: This symptom is observed on Cisco routers that are configured with XML when auto-configuration is used.

Workaround: Do not use an XML configuration.

Alternate workaround: Enter the no shutdown controller configuration command on the affected controller.

CSCea11344

Symptoms: The atm abr rate-factor interface configuration command cannot be configured on an interface.

Conditions: This symptom is observed when an available bit rate (ABR) connection is added to a Route Processor Module-PRemium (RPM-PR) card on a Cisco MGX 8850 Processor Switch Module (PXM1) card that has Cisco WAN Manager (CWM) carrier module (CM) or when you configure the atm abr rate-factor interface configuration command under the interface.

Workaround: Use the command-line interface to add an ABR connection to the RPM-PR on the Cisco MGX 8850 PXM1 card.

CSCea11844

Symptoms: The "Non-Bargainable" prompt can be bargained with speech input. This symptom does not occur with dual tone multifrequency (DTMF) input.

Conditions: This symptom is observed when speech input is entered while the "Non-Bargainable" prompt is played with the attribute setting of "bargein=false."

Workaround: There is no workaround.

CSCea12136

Symptoms: A dialin user who is connected to a Cisco AS5850 may be unable to reach external destinations. The packets are sent, but the return packets that enter through the Gigabit Ethernet (GE) egress interfaces are silently dropped on the Cisco AS5850.

The dropped packets are not reported in the output of the show cef drop EXEC command, nor do any of the interface drop counters increase. The incoming packet counter on the GE ingress interface and the outgoing packet counter on the virtual access interface increase when the packets arrive, but the packets do not arrive at the user. All Cisco Express Forwarding (CEF) entries, Forwarding Information Base (FIB) entries, and adjacency entries look normal.

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.2(2)XB10 or Release 12.2(11)T. The symptom is not observed on other platforms.

Workaround: There is no workaround. The dialin user must disconnect and reconnect to restore proper connectivity.

CSCea12202

Symptoms: Modem calls may fail to connect when modem pass-through or modem relay is used. This behavior occurs because the gateway does not detect an answer tone on the called modem and therefore does not switch to the modem pass-through or modem relay mode.

Conditions: This symptom is observed in a connection trunk environment when Cisco fax relay is used on the connection trunks.

Workaround: Use T.38 fax relay instead of the default Cisco fax relay.

CSCea12837

Symptoms: The following local Resource Pool Management (RPM) command-line interface (CLI) commands may not be recognized:

The resource-pool aaa accounting ppp global configuration command

The resource-pool aaa protocol group global configuration command

Conditions: This symptom is observed during the bootup of any Cisco AS5xx0 platform.

Workaround: Enter the commands manually after the bootup.

CSCea13207

Symptoms: Difficulties with downloading may occur when you download digital signal processor (DSP) firmware to DSP 0 on a Cisco 1751-V voice gateway during bootup, and the following error messages may be generated:

%IPM_C54X-3-INIT_CONFIG_FAILED: DSP 0 Sending alarm indication

%IPM_DSPRM-3-ERROR_DSP_INIT: BAD init config response received from dsp 0 in dsp group 0

%IPM_DSPRM-3-SLIC_VIC_POWER: Vic card in slot 1 is unusable as DSP 0 in group 0 failed to come up

Conditions: This symptom is observed on a Cisco 1751-V voice gateway that is running the IP VOX/PLUS image of Cisco IOS Release 12.2(8)YN, Release 12.2(11)YV, or any release in between, and that is configured with a 4-channel packet voice/fax data DSP module (PVDM-256K-4) and a 4-port Foreign Exchange Station (FXS) or direct inward dial (DID) voice/fax interface card with caller ID support (VIC-4FXS/DID).

Workaround: There is no workaround.

CSCea13771

Symptoms: A Cisco uBR7100 series may reload and generate the following error message:

%SYS-2-INTSCHED: `suspend' at level 4

Conditions: This symptom is observed on a Cisco uBR7100 series that is running Cisco IOS Release 12.1(14)E or Release 12.1(14)E1. The symptom may also occur on other platforms.

Workaround: There is no workaround.

CSCea14198

Symptoms: A quality of service (QoS) policy may not function when a second B channel comes up in an ISDN configuration.

Conditions: This symptom is observed when a QoS policy is attached remotely through an authentication, authorization, and accounting (AAA) server.

Workaround: Apply the QoS policy locally on the router.

CSCea14557

Symptoms: After a terminating PBX sends a setup acknowledgement (SETUP_ACK) message with a Progress Indicator (PI) with the value 8, there is no dial tone.

Conditions: This symptom is observed on a terminating gateway that is connected to an ISDN PBX. The gateway may not process the SETUP_ACK message with the PI with the value 8. The ISDN PBX sends the SETUP_ACK message in response to a setup (SETUP) message that does not include a "called number." The PI with the value 8 is to provide the dial tone and collect the digits.

Workaround: There is no workaround.

CSCea15720

Symptoms: A Cisco router may reload during the bootup process because of insufficient stack memory. When this situation occurs, the router generates messages similar to the following:

current memory block, bp = 0x63903D80,

memory pool type is Processor

data check, ptr = 0x63903DA8

bp->next(0x605C57C0) not in any mempool

previous memory block, bp = 0x200039E1,

memory pool type is Processor

data check, ptr = 0x20003A09

%SYS-3-BADMAGIC: Corrupt block at 63903D80 (magic 61DEC941)

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.2 T when the network configuration contains ATM permanent virtual circuit (PVC) configurations, the router is configured to retrieve its configuration from a TFTP server, and the first attempt to retrieve its configuration fails.

Workaround: Move the no shutdown interface configuration command for the ATM interface to the end of the network configuration file on the TFTP server, as is shown in the following example:

interface ATM4/0

no ip proxy-arp

no atm ilmi-keepalive

ntp disable

interface ATM4/0.102 point-to-point <-- add the ATM subinterfaces here

pvc 0/102

interface ATM4/0 <--- repeat the ATM main interface for the no shutdown command

no shutdown

CSCea16138

Symptoms: A gateway does not stop generating a ringback tone on a connected voice call.

Conditions: This symptom is observed on a call that originates from a Cisco AS5350 and terminates on an H.323 endpoint that uses the H.225 information message with the signal information element (IE) value of "1" to start the ringback tone and the signal IE value of "63" to stop the ringback tones.

Workaround: There is no workaround.

CSCea17465

Symptoms: The "input queue size" in the output of the show interface display EXEC command may display a negative number when hardware encryption is used. This symptom may eventually lead to a permanent pause of Virtual Private Network (VPN) connections.

Conditions: This symptom is observed on a Cisco uBR905 and a Cisco uBR925 with static IP Security (IPSec) and Easy VPN (EZVPN) configurations when hardware encryption is used.

Workaround: Reload the router.

CSCea17588

Symptoms: It may not be possible to configure IP on serial subinterfaces.

Conditions: This symptom may be observed on serial subinterfaces for all platforms that are running Cisco IOS Release 12.2(15)T and where High-Level Data Link Control (HDLC) encapsulation is configured.

Workaround: There is no workaround.

CSCea19087

Symptoms: A Cisco AS5300 may not display some Calltracker information for a modem call.

Conditions: This symptom is observed on a Cisco AS5300 that is running Cisco IOS Release 12.2(2)XB10 or Release 12.2(13)T and that is configured for channel-associated signaling (CAS) with modem pooling, in particular when the call is routed to a configured modem pool instead of to the default modem pool. The Calltracker messages look like the following messages:

CALLTRKR-6-CALL_RECORD

and

CALLRECORD-3-MICA_TERSE_CALL_REC

However, when the symptom occurs, the first message is omitted.

Workaround: Configure the Cisco AS5300 for ISDN (PRI) instead of CAS.

First Alternate Workaround: Do not configure modem pooling.

Second Alternate Workaround: Ensure that the call is routed to the default modem pool.

CSCea19885

Symptoms: A Cisco router that has a voice feature such as H.323 enabled may reload because of a bus error at address 0xD0D0D0B.

Conditions: This symptom is observed on a Cisco 3700 series but may also occur on other routers.

Workaround: There is no workaround.

CSCea20242

Symptoms: An analog port may no longer be operational after the first fax call. After the first fax call, the analog port does not generate a dial tone for Foreign Exchange Station (FXS) or Foreign Exchange Office (FXO) calls and the output of the show voice call summary EXEC command indicates that the analog port is in the parked state for recEive and transMit (E&M) calls.

Conditions: This symptom is observed on a Cisco router that functions as an outgoing gateway when Cisco fax relay is used.

Workaround: Instead of Cisco fax relay, use fax pass-through.

CSCea20449

Symptoms: A Cisco gateway may reload if too many failures occur during a TFTP download.

Conditions: This symptom is observed when you use a TFTP server to download voice extensible markup language (VXML) scripts.

Workaround: Ensure that the TFTP server has a light load.

CSCea20515

Symptoms: A Cisco router that is configured with IP Security (IPSec) may reload.

Conditions: This symptom is observed on a Cisco router that is configured with IPSec if Cisco Express Forwarding (CEF) is enabled.

Workaround: Do not enable CEF.

CSCea21073

Symptoms: High-Performance Routing (HPR) disruptions may occur when you transfer large files.

Conditions: This symptom is observed in an HPR IP network when there is heavy data traffic and a significant loss of packets occurs.

Workaround: There is no workaround.

CSCea21186

Symptoms: A Cisco router may reload when you enter the tacacs-server host global configuration command.

Conditions: This symptom is observed when TACACS is already logging commands to a server.

Workaround: There is no workaround.

CSCea21429

Symptoms: A Cisco IAD2420 series that is processing calls may reload.

Conditions: This symptom is observed when the local bypass mode is configured.

Workaround: There is no workaround.

CSCea21760

Symptoms: After an hour of normal operation, an encryption module may go down and the following error messages are generated:

%C1700_EM-1-ERROR: packet-tx error:tx ring full. Head 93, Tail 92, Avail 1, buf 1

%C1700_EM-6-SHUTDOWN: C1700_EM shutting down

Conditions: This symptom is observed on a Cisco 1720 router that is configured with a hardware encryption module that is used to terminate Cisco Easy Virtual Private Network (EzVPN) tunnels that run from a Cisco PIX Firewall.

Workaround: Use software encryption by configuring IP Security (IPSec).

CSCea22805

Symptoms: A Gigabit Interface Converter (GBIC) that has not been certified by Cisco may unintentionally be recognized by a Cisco router and may operate when it is inserted into a 1-port Gigabit Ethernet network module (NM-1GE).

Conditions: This symptom is observed on a Cisco 3600 series that is configured with a NM-1GE but may also occur on other platforms that are configured with a NM-1GE.

Workaround: There is no workaround. Because of safety and reliability concerns, uncertified GBICs should not be recognized by a Cisco router.

CSCea24089

Symptoms: The serial communication controller in an asymmetric digital subscriber line (ADSL)-ATM interface that is installed in an NM-FE2W or NM-2W network module may lock up in the receiving path and does not recover.

Conditions: This symptom is observed when the ADSL-ATM interface is stressed to 10 Mbps downstream.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

CSCea24181

Symptoms: The execution of the cns config retrieve EXEC command may fail to complete and the console may lock up for several minutes.

Conditions: These symptoms are observed when you enter the cns config retrieve EXEC command while the event agent is active. The occurrence of the symptom depends on the network configuration.

Workaround: Stop the event agent before you enter the cns config retrieve EXEC command by entering the no cns event global configuration command. Then, enter the cns config retrieve EXEC command. You can restart the event agent by entering the cns event hostname global configuration command.

CSCea24689

Symptoms: An ISDN facility message may be missing on the outgoing leg of a hairpinned call.

Conditions: This symptom is observed on all platforms that support Cisco IOS Symphony architecture and on all ISDN connect messages that carry a facility information element (IE).

Workaround: There is no workaround.

CSCea25622

Symptoms: A Network Processing Engine G1 (NPE-G1) may reload unexpectedly and report the following message:

System was restarted by reload

Conditions: This symptom is observed on a Cisco 7200 series that is configured with an NPE-G1 and that is running Cisco IOS Release 12.1(14)E.

Workaround: There is no workaround.

CSCea25707

Symptoms: A Cisco router may reload because of a software condition when running the LDP-MIB MIB. The router reloads because of a process watchdog timeout in the "SNMP ENGINE" process and logs an entry similar to the following one and logs a traceback:

%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = SNMP ENGINE.

%Software-forced reload

Unexpected exception, CPU signal 23, PC = 0x606F1FC4 ... Cause 00000024 (Code 0x9): Breakpoint exception

Conditions: This symptom is observed after the router ID has been changed and when Label Distribution Protocol (LDP) sessions have been added or removed.

Workaround: Do not change the router ID. If the router ID has been changed, do not run the LDP-MIB MIB.

CSCea25789

Symptoms: A Cisco router may reload because of a bus error (Translational Lookaside Buffer [TLB] [load or instruction fetch] exception error), and an error message similar to the following is generated:

Unexpected exception, CPU signal 10, PC = 0x60695434

-Traceback= ...

Cause 80000008 (Code 0x2): TLB (load or instruction fetch) exception

Conditions: This symptom is observed when Simple Network Management Protocol (SNMP) runs the LDP-MIB MIB.

Workaround: Do not run the LDP-MIB MIB; rather, use one of the show mpls ldp commands to gather the required information.

CSCea26671

Symptoms: A Cisco router may reload after Virtual Private Network (VPN) clients disconnect.

Conditions: This symptom is observed intermittently on a Cisco router that is running Cisco IOS Release 12.2(13)T or a later release when the IP Security (IPSec) Network Address Translation Transversal (NAT-T) mode is configured.

Workaround: There is no workaround.

CSCea27020

Symptoms: On a network access server (NAS), you may not be able to initialize a new TCP connection to a TACACS+ server.

Conditions: This symptom is observed after the TACACS+ server has been rebooted.

Workaround: Deconfigure and then reconfigure the tacacs-server host hostname global configuration command on the NAS.

CSCea27138

Symptoms: Data Multicast Distribution Tree (MDT) mappings may be deleted too soon, causing a loss of data, or may not be deleted at all, causing unnecessary data to be transferred.

Conditions: These symptoms are observed on a receiving provider edge (PE) router.

Workaround: There is no workaround.

CSCea27342

Symptoms: Open Logical Channel (OLC)-based fax pass-through may fail to upspeed to the G.711 codec.

Conditions: This symptom is observed on a Cisco AS5350 voice gateway that is configured with the fax protocol pass-through {g711ulaw | g711alaw} dial-peer configuration command.

Workaround: If this is an option, use named service event (NSE)-based pass-through by configuring the modem passthrough nse codec {g711ulaw | g711alaw} dial-peer configuration command.

CSCea29717

Symptoms: When integrated routing and bridging (IRB) is configured on a Cisco 805 router, a ping fails to the remote end because of the Address Resolution Protocol (ARP) entry not being properly added to the router.

The output from the debug arp command on the router shows that the ARP response received from the remote end is logged as coming on the physical interface rather than on the Bridge-Group Virtual Interface (BVI). This is the reason why a "wrong cable" error is logged and the ARP entry is left incomplete.

IP ARP: sent req src 192.168.168.200 0000.0c38.5bde, dst 192.168.168.1 0000.0000.0000 BVI1
IP: s=192.168.168.200 (local), d=192.168.168.1 (BVI1), len 100, encapsulation failed

IP ARP rep filtered src 192.168.168.1 0000.0c65.f687, dst 192.168.168.200 0000.0c38.5bde wrong cable, interface Serial0.1.

Conditions: This symptom is observed on a Cisco 805 router that is running Cisco IOS Release 12.1(3)XG4, Release 12.1(18), Release 12.2(13a), or Release 12.2(15)T and that has the following configuration:

bridge irb

interface Serial0

no ip address

encapsulation frame-relay IETF

frame-relay lmi-type cisco

interface Serial0.1 point-to-point

no cdp enable

frame-relay interface-dlci 100

bridge-group 1

bridge-group 1 spanning-disabled

interface BVI1

ip address 192.168.168.200 255.255.255.0

bridge 1 protocol ieee

bridge 1 route ip

Workaround: Use other encapsulations such as PPP or High-Level Data Link Control (HDLC) instead of Frame Relay for Cisco 805 routers that are configured with IRB.
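
The CSCea29717 signature can be recognised by correlating the debug arp output with the IRB configuration: an ARP request leaves on the BVI, and the matching reply is filtered as "wrong cable" on a subinterface that belongs to the same bridge group. The Python sketch below is an added example, not Cisco code; the function names are assumptions made here, and the two inputs are the debug lines and configuration quoted in this caveat.

```python
import re

# Debug lines and configuration as quoted in CSCea29717 (blank lines removed).
DEBUG = """\
IP ARP: sent req src 192.168.168.200 0000.0c38.5bde, dst 192.168.168.1 0000.0000.0000 BVI1
IP: s=192.168.168.200 (local), d=192.168.168.1 (BVI1), len 100, encapsulation failed
IP ARP rep filtered src 192.168.168.1 0000.0c65.f687, dst 192.168.168.200 0000.0c38.5bde wrong cable, interface Serial0.1.
"""
CONFIG = """\
bridge irb
interface Serial0
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type cisco
interface Serial0.1 point-to-point
no cdp enable
frame-relay interface-dlci 100
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.168.200 255.255.255.0
bridge 1 protocol ieee
bridge 1 route ip
"""

REQ = re.compile(r"IP ARP: sent req src (\S+) (\S+), dst (\S+) \S+ (\S+)$")
FILTERED = re.compile(
    r"IP ARP rep filtered src (\S+) (\S+), dst (\S+) (\S+) "
    r"wrong cable, interface (\S+?)\.?$"
)


def bridge_members(config):
    """Map each interface that carries 'bridge-group N' to N."""
    members, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)(?:\s|$)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"bridge-group (\d+)$", line)
        if m and current:
            members[current] = int(m.group(1))
    return members


def wrong_cable_findings(debug, config):
    """Pair each filtered ARP reply with the request it answers.

    A finding is reported only when the request was sent on BVI<N> and the
    reply was filtered on an interface that is a member of bridge group N.
    """
    members = bridge_members(config)
    pending = {}  # (requester IP, target IP) -> interface the request left on
    findings = []
    for raw in debug.splitlines():
        line = raw.strip()
        m = REQ.search(line)
        if m:
            src_ip, _src_mac, dst_ip, ifname = m.groups()
            pending[(src_ip, dst_ip)] = ifname
            continue
        m = FILTERED.search(line)
        if not m:
            continue
        rep_src, rep_mac, rep_dst, _dst_mac, rx_if = m.groups()
        tx_if = pending.get((rep_dst, rep_src))
        group = members.get(rx_if)
        if tx_if and group is not None and tx_if == f"BVI{group}":
            findings.append({
                "target": rep_src,
                "target_mac": rep_mac,
                "sent_on": tx_if,
                "received_on": rx_if,
                "bridge_group": group,
            })
    return findings


if __name__ == "__main__":
    for finding in wrong_cable_findings(DEBUG, CONFIG):
        print(finding)
```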

CSCea28471

Symptoms: A Versatile Interface Processor (VIP) may reload.

Conditions: This symptom is observed on a VIP if Multiprotocol Label Switching (MPLS), Egress NetFlow, and distributed Cisco Express Forwarding (dCEF) are configured.

Workaround: Disable dCEF or Egress NetFlow.

CSCea30311

Symptoms: A Cisco 7200 series router may reload because of a bus error with PPP over ATM (PPPoA).

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.2(15)B and that is configured with PPPoA. The reload occurs when the PPPoA context is deleted when the "printf" is suspended inside the "pppoa_show_specific_vc_info" module.

Workaround: There is no workaround.

CSCea30656

Symptoms: Inbound channel-associated signaling (CAS) calls may fail to set up on a gateway that is controlled by Media Gateway Control Protocol (MGCP).

Conditions: This symptom is observed only on a Cisco AS5850 that is configured with CAS trunks.

Workaround: There is no workaround.

CSCea31186

Symptoms: The RADIUS "Acct-Session-Id" attribute may not be sent correctly.

Conditions: This symptom is observed in a Service Selection Gateway (SSG) configuration that is running Cisco IOS Release 12.2(15)T or a later release when you enter the ip route-cache flow interface configuration command on a virtual template. The symptom may also occur in other conditions.

Workaround: In the above-mentioned conditions, deconfigure the ip route-cache flow interface configuration command.

CSCea31378

Symptoms: When more than 24 subprotocols of a protocol are configured, the traffic for these subprotocols is misclassified.

Conditions: This symptom is observed on all Cisco IOS software releases that support Network Based Application Recognition (NBAR).

Workaround: Do not configure more than 24 subprotocols of a protocol. If you do, delete the excess subprotocols and reload the router.

CSCea31446

Symptoms: A Cisco IAD2420 series may reload when you change the configuration of a virtual circuit (VC).

Conditions: This symptom is observed when you enter the vc-class atm name global configuration command followed by the precedence 0-2 vc-class configuration command.

Workaround: There is no workaround.

CSCea32236

This caveat consists of two symptoms, two conditions, and two workarounds.

1. Symptoms 1: When you enter the cns config initial global configuration command, the Cisco Networking Services (CNS) configuration agent may fail to download the CNS configuration file from the configuration server.

Conditions 1: This symptom is observed when you have used the cns id type number ipaddress global configuration command to set the value for "config ID" and when you have entered a virtual interface number for the type number argument.

Workaround 1: There is no workaround.

2. Symptoms 2: The device to which you attempt to download the CNS configuration file may not be able to establish a connection to the TibGate.

Conditions 2: This symptom is observed when you have used the cns id type number ipaddress global configuration command to set the value for "event ID" and when you have entered a virtual interface number for the type number argument.

Workaround 2: There is no workaround.

CSCea32437

Symptoms: Quality of service (QoS) policing and QoS marking may not function on a Cisco 7200 series Network Service Engine-1 (NSE-1).

Conditions: This symptom is observed when QoS policing and QoS marking are configured on the main interface of the NSE-1, but traffic is switched on the subinterfaces of this main interface.

Workaround: If this is an option, switch traffic on the main interface instead of on the subinterfaces.

CSCea32775

Symptoms: A Cisco MGX 8000 series Route Processor Module-PRemium (RPM-PR) may reload.

Conditions: This symptom is observed when the RPM-PR is configured as an Edge Label Switch Router (ELSR) and you enter the show queue interface-name interface-number privileged EXEC command with "switch" for the interface-name argument and "1" for the interface-number argument on the RPM-PR subinterface that has Multiprotocol Label Switching (MPLS) enabled.

Workaround: There is no workaround.

CSCea33288

Symptoms: A Cisco router may reload when you remove a service policy by entering the no service-policy input policy-map-name interface configuration command.

Conditions: This symptom is observed during performance tests while traffic is flowing through the router and marking action is configured in the policy map. The symptom is platform independent.

Workaround: There is no workaround.

CSCea33654

Symptoms: A memory leak may occur on both an originating gateway (OGW) and a terminating gateway (TGW).

Conditions: This symptom is observed when the OGW and TGW connect to a RADIUS server.

Workaround: There is no workaround.

CSCea33789

Symptoms: A dialed number may be changed by a gatekeeper.

Conditions: This symptom is observed when the call is set up by a broadband telephony system (BTS) gateway.

Workaround: There is no workaround.

CSCea33982

Symptoms: A Cisco AS5300 may reload because of a TCP socket connection failure.

Conditions: This symptom is observed when you make asynchronous calls over an ISDN line to a network access server (NAS).

Workaround: There is no workaround.

CSCea34215

Symptoms: Although a Cisco AS5400 gateway has a light traffic load of 50 calls and has run for only a few minutes, it may reload after tracebacks are generated.

Conditions: This symptom is observed while a voice extensible markup language (VXML) application for Automatic Speech Recognition (ASR) and Text-to-Speech (TTS) is used with third-party vendor servers and occurs only if the same IP address is used to access both the ASR and TTS servers in the VXML application.

Workaround: Use different host names for the ASR and TTS servers, even if they are pointing to the same physical device or address.

CSCea34433

Symptoms: X.75 calls may fail authentication, authorization, and accounting (AAA) authentication because of an unexpected port data format.

Conditions: This symptom is observed when X.75 calls are placed on a Cisco AS5400 or Cisco AS5800 and a RADIUS server is used for AAA authentication. Note that the symptom is not observed on a Cisco AS5300.

Workaround: If possible, use local authentication.

CSCea35460

Symptoms: When an outgoing call is routed via an ISDN trunk group and does not go through, the call is reattempted but fails because the same channel that was selected during the first attempt is also selected during the second attempt. The call fails with cause code 41 (0x29).

Conditions: This symptom is observed in a Signaling System 7 (SS7) network when an incoming call from a terminating gateway to a Cisco PGW 2200 PSTN gateway is rejected because of glare conditions. Based on the maximum retry setup of a trunk group, the call may be resent from the same trunk group. However, based on a hunt scheme with sequential and least idle search method for a trunk group, the previously selected channel (if it is idle) may be selected again, causing the call to fail.

Workaround: If possible, define a hunt scheme with a round robin, random, and longest idle search method for a trunk group.

CSCea35922

Symptoms: The peak cell rate (PCR) may not be applied to unspecified bit rate (UBR) ATM permanent virtual circuits (PVCs).

Conditions: This symptom is observed when RADIUS is used to apply the PCR to the UBR ATM PVCs.

Workaround: There is no workaround.

CSCea36034

Symptoms: Features may not be applied correctly to packets that are switched by using Cisco Express Forwarding (CEF).

Conditions: This symptom is observed when the packets are switched out of Large-Scale Dial-Out (LSDO) Layer 2 Tunneling Protocol (L2TP) virtual-access interfaces.

Workaround: There is no workaround.

CSCea36682

Symptoms: A service policy may be removed from a multilink interface after the router reloads or after you enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the multilink interface.

Conditions: This symptom is observed only when the sum of the total bandwidth in the service policy is equal to 100 percent of the total available bandwidth.

Workaround: Remove bandwidth from the class default, as indicated in the following command output:

policy-map generic
 class Voice_MPLS
  priority percent 20
 class LowDelay_MPLS
  bandwidth remaining percent 30
 class BestEffort_MPLS
  bandwidth remaining percent 35
 class class-default
  bandwidth remaining percent 35 <---- Remove this bandwidth configuration. By default, class-default receives the remaining 35% anyway.

CSCea36904

Symptoms: The Internet Key Exchange (IKE) aggressive mode may not function.

Conditions: This symptom is observed when the initiating router is unable to find the correct authentication method.

Workaround: There is no workaround.

CSCea37524

Symptoms: You may not be able to copy or map the IP precedence or Differentiated Services Code Point (DSCP) from a class of service (CoS) configuration.

Conditions: This symptom is observed for IP version 6 (IPv6) traffic when dot1q encapsulation is enabled.

Workaround: There is no workaround.

CSCea37647

Symptoms: Duplex settings on a port channel may not be propagated onto member interfaces.

Conditions: This symptom is observed when you change the duplex settings by using the duplex half or duplex full interface configuration command. The symptom is not observed when you change the duplex setting by using the half-duplex or full-duplex interface configuration command.

Workaround: Use the half-duplex or full-duplex interface configuration command to change the duplex settings.

CSCea37783

Symptoms: Even though you can configure Distributed Link Fragmentation and Interleaving (DLFI) on a Multilink PPP (MLP) link on an 8-port serial port adapter (PA-8T), interleaving may not function, causing excessive latency on voice traffic.

Conditions: This symptom is observed on a Cisco 7500 series that is configured with a Versatile Interface Processor (VIP) and a PA-8T.

Temporary Workaround: Configure the tx-ring-limit 2 interface configuration command on the serial interface. Repeat the workaround after the router or the MLP bundle has been reset.

CSCea38416

Symptoms: A Route Processor Module (RPM) may take about 9 minutes to execute the write memory privileged EXEC command or the show running-config privileged EXEC command.

Conditions: This symptom is observed on a Cisco MGX 8000 series RPM that is running Cisco IOS Release 12.2(13)T when 8000 subinterfaces with 8000 permanent virtual circuits (PVCs) are configured.

Workaround: There is no workaround.

CSCea38942

Symptoms: An H.323 Voice over IP (VoIP) call to a PRI interface on a Cisco router may be disconnected if the transfer request is initiated from the VoIP side. This situation is especially true when the remote VoIP router is managing skinny telephones by Survivable Remote Site Telephony (SRST) or Cisco IOS Telephony Service (ITS) and initiates a transfer from one of those telephones.

Conditions: This symptom is observed on a Cisco 1700 series with a PRI interface.

Workaround: There is no workaround with a Cisco 1700 series. Replace the Cisco 1700 series with a Cisco 2600 series or a Cisco 3600 series and the symptom is not observed.

CSCea38945

Symptoms: A Cisco router that is configured with a 2-port Token Ring InterSwitch Link 100BASE-TX port adapter (PA-2FEISL-TX) and a Network Processing Engine G1 (NPE-G1) may reload upon bootup or when you enter the no shutdown interface configuration command.

Conditions: This symptom is observed in Cisco IOS Release 12.1 E, Release 12.2(4)BW, and Release 12.2 T because support for the PA-2FEISL-TX is missing from these releases.

Workaround: Instead of a PA-2FEISL-TX, use a 2-port Fast Ethernet 100BASE-TX port adapter (PA-2FE-TX).

CSCea38967

Symptoms: A Cisco 7200 series or Cisco 7500 series router may reload because packet cleanup is not performed completely in the interrupt path of the High-Speed Serial Interface (HSSI) port adapter (PA).

Conditions: This symptom is observed on a Cisco 7200 series or Cisco 7500 series.

Workaround: Turn off Parallel Express Forwarding (PXF) by entering the no ip pxf global configuration command.

CSCea39238

Symptoms: A Versatile Interface Processor (VIP) may reload when the distributed Link Fragmentation and Interleaving (DLFI) interface flaps.

Conditions: This symptom is observed on a Cisco 7500 series router that is running DLFI over ATM (DLFIoATM) when traffic is being processed.

Workaround: There is no workaround.

CSCea39354

Symptoms: A Cisco router may reload when you send a Server Load Balancing (SLB) ping through an ATM interface.

Conditions: This symptom is observed in Cisco IOS Release 12.2 T.

Workaround: There is no workaround.

CSCea39385

Symptoms: A calling party may hear a burst of noise at the beginning of a call.

Conditions: This symptom is observed on a Cisco router that is configured for the G.729 codec when the router sends a single G.711ulaw packet when it terminates an H.323 Voice over IP (VoIP) call.

Workaround: There is no workaround.

CSCea40426

Symptoms: Encryption and decryption fail for maximum transmission unit (MTU) values between 1419 and 1420 (both inclusive), and the following error is generated:

%VPN_HW-1-PACKET_ERROR: slot: 2 Packet Encryption/Decryption error, Other error.

The output of the show pas vam interface privileged EXEC command displays the "Other Errors" counter; "Other Errors" occur when fragments are reassembled before decryption occurs.

Conditions: This symptom is observed when you use a Cisco router that is configured with a Virtual Private Network (VPN) acceleration module (VAM) to encrypt traffic through generic routing encapsulation (GRE) tunnel endpoints, which are also configured for tag switching.

Workaround: To enable the router to fragment packets differently, reduce the value of the tunnel MTU on the router to 1420 using the ip mtu 1420 interface configuration command.

Note that the MTU values between 1419 and 1420 for which the failure occurs are from the endpoints.

CSCea40719

Symptoms: Tunnel Endpoint Discovery (TED) may not function.

Conditions: This symptom is observed when Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) is attempted with TED and occurs for all switching modes, both with and without the use of a crypto engine.

Workaround: There is no workaround.

CSCea40921

Symptoms: IP Control Protocol (IPCP) may be rejected in the PPP negotiation between a remote end client and a Layer 2 Tunneling Protocol (L2TP) network server (LNS). The output of the show running-config virtual-access number privileged EXEC command displays that the virtual access interface that is assigned to the incoming call during the PPP negotiation does not have an IP address configured.

Conditions: This symptom is observed on an LNS when precloning is configured.

Workaround: Reload the LNS.

First Alternate Workaround: Reset the tunnel that contains all the sessions.

Second Alternate Workaround: Do not configure precloning.

CSCea41835

Symptoms: The dial-peer trunk-group functionality may not work properly on E1R2 trunks.

Conditions: This symptom is observed on a Cisco AS5850.

Workaround: In the dial-peer configuration, use port groups instead of trunk groups.

CSCea41921

Symptoms: A Cisco router may generate CPUHOG errors when it loads the configuration from NVRAM.

Conditions: This symptom is observed when the router has a large access control list (ACL) (with 300 or more entries) that is used within a crypto-map statement.

Workaround: Break up the large ACL into smaller ACLs, and refer to the smaller ACLs with multiple crypto-map statements.

CSCea41989

Symptoms: A user-configured signaling class template may not be used during incoming and outgoing channel-associated signaling (CAS) calls. Instead, the default signaling template is used.

Conditions: This symptom is observed in Cisco IOS Release 12.2 and Release 12.2 T on a Cisco AS5350 and a Cisco AS5400.

Workaround: There is no workaround.

CSCea42531

Symptoms: While reserving bandwidth for fax and modem calls, a router may not take Compressed Real-Time Transport Protocol (CRTP) into account and reserves a default bandwidth of 96 kbps for nonredundant pass-through fax or modem calls, which is more bandwidth than is required. This situation does not affect voice calls.

Conditions: This symptom is observed when a call switches to fax pass-through or modem pass-through by using the G.711 codec.

Workaround: There is no workaround.

CSCea42661

Symptoms: Memory leaks may occur when a Voice Extensible Markup Language (VXML) Automatic Speech Recognition (ASR) or text-to-speech (TTS) application is executed on a Cisco AS5400.

Conditions: This symptom is observed during a stress test on a Cisco AS5400 that is running the c5400-is-mz image of Cisco IOS Release 12.3.

Workaround: There is no workaround.

CSCea43887

Symptoms: A Cisco router that is running the Home Agent (HA) feature may reload because of memory corruption.

Conditions: This symptom is observed when you disable the HA feature while mobile nodes (MNs) are configured.

Workaround: There is no workaround.

CSCea44104

Symptoms: Cisco 3640 routers that are connected via a Voice over Frame Relay (VoFR) link may reload when a channel-associated signaling (CAS) call is sent via the VoFR link.

Conditions: This symptom is observed when Cisco-switched VoFR mode is used in the following topology:

The public switched telephone network (PSTN) connects via an E1 R2 trunk to a Cisco 3640 that is running Cisco IOS Release 12.2(13)T and that connects via a VoFR link to another Cisco 3640 that is also running Release 12.2(13)T and that connects via another E1 R2 trunk to the PSTN.

Possible Workaround: Change to a non-Cisco-switched VoFR mode. If this is not an option, there is no workaround.

CSCea44554

Symptoms: A Cisco gateway general packet radio service (GPRS) support node (GGSN) reloads with a bus error while updating fast cache.

Conditions: This symptom is observed on a Cisco GGSN when fast switching is enabled and a request to delete the Protocol Data Packet (PDP) context is received.

Workaround: There is no workaround.

CSCea47282

Symptoms: On a conference call that uses the NM-HDV-FARM module, one party in the conference can no longer be heard after 10 minutes into the conference.

Conditions: This symptom is observed on a Cisco 2600 series that is running Cisco IOS Release 12.2(13)T and Cisco CallManager Version 3.1.4b. The symptom may occur on Cisco routers that have the ability to perform hardware conferencing by using the High Density Voice network module (NM-HDV). The symptom does not depend on the Cisco CallManager version; however, you must configure the Cisco CallManager to use the digital signal processor (DSP) resources on the Cisco router. You must configure a Hardware Conference Bridge on the Cisco CallManager.

The symptom occurs in part because the default timer for checking idle Real-Time Transport Protocol (RTP) streams is 10 minutes.

Temporary Workaround: Increase the default timer for checking idle RTP streams to prevent the party in the conference from becoming disconnected prematurely; enter the dspfarm rtp timeout 172800 global configuration command.

CSCea47284

Symptoms: CPUHOG messages and tracebacks may occur on a Cisco router when you attempt to register more than 10,000 gateways.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Processing Engine G1 (NPE-G1).

Workaround: There is no workaround.

CSCea47513

Symptoms: A Cisco AS5350 or a Cisco AS5400 may reload when you enter the dialer extsig interface configuration command on the dialer interface.

Conditions: This symptom is observed when integrated Signaling Link Terminal (SLT) is configured.

Workaround: There is no workaround.

CSCea48500

Symptoms: Attribute 46 (indicating the account session time) may show a value of zero under the network stop records for asynchronous calls.

Conditions: This symptom is observed on a Cisco universal access server. If you use network stop records for billing purposes, the symptom may affect the service.

Workaround: There is no workaround.

CSCea49025

Symptoms: If a codec filter is configured on the outbound dial peer of an IP in IP (IPIP) gateway, a fax call may fail.

Conditions: This symptom may be observed if the originating IPIP gateway proposes more than one codec in the FastStart list. The codec filter should be such that one or more codecs from the beginning of the proposed list are filtered.

Workaround: Do not use a codec filter configuration (for example, use a codec of transparent).

CSCea49108

Symptoms: Modem ISDN channel aggregation (MICA) boardware failures may not be detected by Cisco IOS software, causing all modem calls to fail.

Conditions: This symptom is observed on a Cisco AS5300 that is configured with MICA modem modules.

Workaround: Enter the copy flash modem system:/ucode/mica_board_firmware privileged EXEC command.

CSCea49948

This caveat consists of two symptoms, two conditions, and two workarounds:

1. Symptoms 1: Multiple crashinfo files may be saved on a Cisco Route Processor Module XF (RPM-XF).

Conditions 1: This symptom is observed when an interprocess communications (IPC) buffer is reused. A new buffer should be used each time an error message is sent. When multiple crashinfo files are generated, the available storage space in the bootflash memory may be used up.

Workaround 1: There is no workaround.

2. Symptoms 2: When most or all of the available storage space in the bootflash memory of an RPM-XF is used, the RPM-XF may not come up after a switchover in a redundant configuration has occurred.

Conditions 2: This symptom is observed when the RPM-XF functions as the primary module of a redundant pair of modules. After a switchover from the primary module to the secondary module occurs, and you then switch back from the secondary module to the primary module, the primary module does not become active because there is not enough storage space to load the configuration. After three switchover attempts, the Processor Switch Module (PXM) marks the first RPM-XF as "Failed."

Workaround 2: Before you attempt a switchover from the secondary module to the primary module, delete some crashinfo files to clear space in the bootflash memory.

CSCea50212

Symptoms: Foreign Exchange Station (FXS) ports on a Cisco Catalyst 4000 Access Gateway Module (AGM) may stop responding completely, and the following errors may appear on the console of the gateway:

%VTSP-3-DSP_TIMEOUT: DSP timeout on channel 4/2 (2557), event 0x74: DSP ID=0x3: DSP Disc (call mode=0)
ERROR::chopin_dsprm_cmd_enqueue: Queue full, DSP=0,write_ptr=255,read_ptr=0

Conditions: This symptom is observed on a Cisco Catalyst 4000 AGM that is running Cisco IOS Release 12.2(13)T2 and that is controlled by a Cisco CallManager that is using Media Gateway Control Protocol (MGCP).

Workaround: Reboot the AGM.

Alternate Workaround: To reboot the affected digital signal processor (DSP), enter the shutdown voice-port configuration command followed by the no shutdown voice-port configuration command on the voice port that contains the affected DSP.

CSCea50248

Symptoms: CPUHOG messages and tracebacks may occur on a Cisco router when you attempt to register more than 10,000 gateways.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Processing Engine G1 (NPE-G1).

Workaround: There is no workaround.

CSCea50276

Symptoms: When you enter the show processes memory sorted privileged EXEC command, a Cisco AS5400 may reload because of a software condition.

Conditions: This symptom is observed on a Cisco AS5400 that is running a typical workload on dial modems.

Workaround: Do not enter the show processes memory sorted privileged EXEC command.

CSCea50313

Symptoms: A low call success rate (CSR) and high CPU usage may occur for voice calls.

Conditions: This symptom is observed on a Cisco AS5850 during a stress test with a call hold time of 3 minutes for 16 T1 voice calls.

Workaround: There is no workaround.

CSCea50460

Symptoms: A Cisco 7206VXR router that is configured with a Network Processing Engine (NPE-400) may reload unexpectedly.

Conditions: This symptom is observed while you unconfigure an ATM interface on the Cisco 7206VXR router.

Workaround: There is no workaround.

CSCea50819

Symptoms: A race condition may occur when you enter the no cns event global configuration command, causing a Cisco router to reload.

Conditions: This symptom is observed when the Cisco Networking Services (CNS) event agent uses a Secure Socket Layer (SSL) connection.

Workaround: Do not enter the no cns event global configuration command, or only enter this command when there is no network traffic for the CNS event agent.

CSCea50942

Symptoms: The set qos-group QoS policy-map configuration command may not function on a Multiprotocol Label Switching (MPLS) provider (P) router, and the counter for marked packets may overflow.

Conditions: These symptoms are observed on a Cisco 7500 series that is functioning as an MPLS P router when the set qos-group QoS policy-map configuration command is configured for use in an incoming policy map that is applied to an ATM point-to-point virtual circuit (VC).

Workaround: There is no workaround.

CSCea51081

Symptoms: A user who enters only a portion of a valid group name may gain access to another Virtual Private Network (VPN) group, provided that the portion entered is part of a valid Extended Authentication (Xauth) username.

Conditions: This symptom is observed in Cisco IOS Release 12.2(13)T without the configuration of the Group Lock feature, and in Cisco IOS Release 12.2(15)T with the configuration of the Group Lock feature.

Workaround: There is no workaround.

CSCea51230

Symptoms: When you boot up a Cisco 1700 series, the following error message may be generated continuously, and the router prompt may be inaccessible:

%PQUICC-1-CTSLOST: PQUICC(0/2), Clear to Send Lost

Conditions: This symptom is observed on a Cisco 1700 series that is configured with an asymmetric digital subscriber line interface and that is running Cisco IOS Release 12.3(1).

Workaround: There is no workaround.

CSCea52874

Symptoms: A Cisco router that is functioning as a gatekeeper may corrupt the gateway technology prefix table.

Conditions: This symptom is observed when you first configure the zone prefix gatekeeper-name gw-priority gatekeeper configuration command, then delete the command, and finally add the command again.

Workaround: There is no workaround.

CSCea53203

Symptoms: The body of the log message may be missing from a Cisco Networking Services (CNS) event.

Conditions: This symptom is observed when the logging cns-events global configuration command is configured.

Workaround: There is no workaround.

CSCea53364

Symptoms: A Cisco router that is functioning as a gatekeeper may reject a registration request (RRQ) with the reason "securityDenial."

Conditions: This symptom is observed on a Cisco 3600 series that is functioning as a gatekeeper, that is running Cisco IOS Release 12.2(11)T5, and that has the security h323-id or security e164 gatekeeper configuration command configured. The gatekeeper expects the H.323 ID type alias or the E.164 type alias as the first field in the "terminalAlias" of the RRQ. When this does not occur, the gatekeeper rejects the RRQ.

Workaround: Depending on which security gatekeeper command is configured, ensure that the first field in the "terminalAlias" of the RRQ matches the H.323 ID type alias or the E.164 type alias.

CSCea53395

Symptoms: Telnet and console access may not be available on a Cisco Catalyst 4000 Access Gateway Module (AGM).

Conditions: This symptom is observed when a memory leak occurs and an error message similar to the following is displayed:

%SYS-2-MALLOCFAIL: Memory allocation of 259064 bytes failed from 0x802A3390

Temporary Workaround: Reload the Cisco Catalyst 4000 AGM every other day.

CSCea53451

Symptoms: A Cisco AS5850 may reload after 4 to 5 hours of operation.

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.2(15)T and that has a call load of 8 calls per second.

Workaround: There is no workaround.

CSCea53600

Symptoms: Authorization may fail for a terminal server login call.

Conditions: This symptom is observed on a Cisco AS5400 when authorization occurs through a RADIUS-assigned Domain Name System (DNS) server or Microsoft Windows Internet Naming Service (WINS) server.

Workaround: There is no workaround.

CSCea54931

Symptoms: A Cisco platform may reload when both the RADIUS Packet of Disconnect (POD) feature and Multilink PPP (MLP) are configured and used.

Conditions: This symptom is observed on a Cisco AS5300 and a Cisco AS5800 but may also occur on other platforms.

Workaround: Disable MLP.

CSCea54991

Symptoms: A Cisco router may reload when the configuration of the police QoS policy-map class configuration command is updated.

Conditions: This symptom is observed on a Cisco 800 series.

Workaround: There is no workaround.

CSCea55481

Symptoms: Spurious memory access tracebacks may occur on a Cisco router that connects to a platform that is running Cisco Unity client (formerly referred to as "VPN 3000" client).

Conditions: This symptom is observed when the user of Cisco Unity client enters no password or an incorrect password during the Extended Authentication (Xauth) phase of the Internet Key Exchange (IKE) negotiation. The tracebacks occur only when the Cisco router is configured for RADIUS authentication of the users of Cisco Unity client.

Workaround: There is no workaround.

CSCea55504

Symptoms: A Cisco 837 router may reload after you enter the crypto ca authenticate name global configuration command.

Conditions: This symptom is observed when the auto-enroll ca-trustpoint configuration command is configured.

Workaround: Remove the auto-enroll ca-trustpoint configuration command from the configuration.

CSCea56234

Symptoms: A Cisco 3745 that functions as a network access server (NAS) may reload during the login authentication process.

Conditions: This symptom is observed when the tacacs-server host hostname single-connection global configuration command is configured, but the IP address of the NAS is not included in the client list of the CiscoSecure server.

Workaround: There is no workaround.

CSCea56403

Symptoms: Transmit lockups, packet transmission delays, and unexplained packet losses may occur.

Conditions: These symptoms are observed on a Cisco 2691, Cisco 3725, Cisco 3745, and Cisco 3631 router that are configured with a 1-port serial WAN interface card (WIC-1T), 2-port serial WAN interface card (WIC-2T), 1-port T1 CSU/DSU WAN Interface Card (WIC-1DSU-T1), or T1/E1 voice/WAN interface card (VWIC-MFT) that is installed on a native WIC slot. The symptoms occur because the onboard serial controller handles underruns incorrectly. The output of the show controllers serial privileged EXEC command may show the following information:

.
.
.
Interface Serial0/0 <---Make sure it is on the "On-Board Slots"
Hardware is GT96K
DTE V.11 (X.21) TX and RX clocks detected.
idb at 0x637C0508, driver data structure at 0x637C82A4
wic_info 0x637C8800
Physical Port 5, SCC Num 5
.
.
.
0 input aborts on receiving flag sequence
0 throttles, 0 enables
0 overruns
0 transmitter underruns
0 transmitter CTS losts
3224973 rxintr, 5576097 txintr, 0 rxerr, 0 txerr
0 mpsc_rx, 11 mpsc_rxerr, 0 mpsc_rlsc, 0 mpsc_rhnt, 0 mpsc_rfsc
0 mpsc_rcsc, 11 mpsc_rovr, 0 mpsc_rcdl, 0 mpsc_rckg, 0 mpsc_bper
5 mpsc_txerr, 5 mpsc_teidl,*** 5 mpsc_tudr***, 0 mpsc_tctsl, 0 mpsc_tckg
0 sdma_rx_sf, 0 sdma_rx_mfl, 11 sdma_rx_or, 0 sdma_rx_abr, 0 sdma_rx_no
0 sdma_rx_de, 0 sdma_rx_cdl, 13 sdma_rx_ce, 0 sdma_tx_rl, ***1748 sdma_tx_ur***
0 sdma_rx_reserr, 0 sdma_tx_reserr

Workaround: There is no workaround.

CSCea56559

Symptoms: A Cisco router may reload during the boot-up process and generate the following error message and traceback:

Unexpected exception to CPUvector 1200, PC = 80CEB9A0

-Traceback= 80 <address>

Conditions: This symptom is observed on a Cisco 1720, Cisco 1750, Cisco 806, Cisco uBR925, Cisco 2420, and Cisco 2600.

Workaround: There is no workaround.

CSCea59656

Symptoms: All traffic may match the class default instead of a defined class map.

Conditions: This symptom is observed on a Cisco MGX 8000 series Route Processor Module XF (RPM-XF) when the set ip precedence QoS policy-map configuration command is configured.

Workaround: There is no workaround.

CSCea60161

Symptoms: When a crypto map is applied to a tunnel interface to perform pre-encapsulation (which is generic routing encapsulation [GRE] encapsulation after IP Security [IPSec] encapsulation of the packet), a redzone corruption may occur.

Conditions: This symptom is observed on a Cisco 7200 series when fast switching or Cisco Express Forwarding (CEF) is configured.

Workaround: Use hardware encryption.

Alternate Workaround: Use process switching with software encryption.

CSCea60815

Symptoms: Downstream Systems Network Architecture switching services (SNASw) physical units (PUs) may be stuck in the "PendActPu" state.

Conditions: This symptom is observed after an initial program load (IPL) has occurred on the host.

Workaround: Stop and restart SNASw.

CSCea61062

Symptoms: An ATM interface may be in the "down" state after you have entered the shutdown interface configuration command followed by the no shutdown interface configuration command on a Node Route Processor (NRP).

Conditions: This symptom is observed on a Cisco 6400 that has more than 3000 virtual circuit (VC) connections that are configured on the Node Switch Processor (NSP).

Workaround: If possible, use a virtual path (VP) switch.

Alternate Workaround: Do not exceed 3000 VC connections.

CSCea61366

Symptoms: Calls that are queued to be answered may be dropped after 5 minutes.

Conditions: This symptom is observed when the maximum configurable value of the Session Initiation Protocol (SIP) session timer expires.

Workaround: There is no workaround.

CSCea61818

Symptoms: Calls may pause indefinitely because of an incorrect state change.

Conditions: This symptom is observed on a Cisco AS5400 that is running a Toolkit Command Language (TCL) interactive voice response (IVR) 2.0 script.

Workaround: There is no workaround.

CSCea61938

Symptoms: Two users may not be able to simultaneously display the output of the show policy-map user EXEC or privileged EXEC command.

Conditions: This symptom is observed when the first user displays the first screen of the command output while the second page is pending. However, the second user may successfully display the command output after the first user presses the Enter key and gets the user prompt back.

Workaround: There is no workaround.

CSCea64751

Symptoms: A Cisco 2600 series may unexpectedly reload, or report "badshare" tracebacks, or do both. When the router reloads, the router generates messages similar to the following:

Unexpected exception to CPUvector 1200, PC = 818C8B80

-Traceback= 818C8B80 818C9454 818C9848 818CD814 818CA814 818C7A28 818BC7B4 801E64B8 801E5D30 801D9A44 804F8CBC 8047FD74 804EB824 804EB824 8047FE34 804EBCC0

When "badshare" tracebacks occur, the router generates messages similar to the following:

%SYS-2-BADSHARE: Bad refcount in pak_enqueue, ptr=8316E0F8, count=0

-Traceback= 80406718 80407C38 818CC900 8026A9A0 80271EC4 8002258C 804FB374 804F8C84 8047FD74 804EB824 804EB824 8047FE34 80651388

%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=8316E0F8, count=0

-Traceback= 80403848 80407E68 818CC900 8026A9A0 80271EC4 8002258C 804FB374 804F8C84 8047FD74 804EB824 804EB824 8047FE34 80651388

%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=8316E0F8, count=0

Conditions: These symptoms are observed when the following two conditions occur:

The Cisco 2600 series is configured with an asymmetric digital subscriber line (ADSL) or symmetric high-bit rate digital subscriber line (SHDSL) WAN interface card (WIC) that is installed in an onboard slot such as slot 0/0 or slot 0/1.

The upstream traffic rate exceeds the line rate, and this traffic is routed through the ADSL or SHDSL WIC. (The line rate is the maximum speed allowed by the digital subscriber line access multiplexer [DSLAM]).

Workaround: Do not use onboard slots.

Alternate workaround: Ensure that the router traffic rate is below the line rate.

CSCea65011

Symptoms: The following error message and tracebacks may be generated on a Cisco 3660 router that is configured with a Virtual Private Network/High Performance advanced interface module (AIM-VPN/HP):

%SYS-2-BADSHARE: Bad refcount in retparticle, ptr=6344EB40, count=0
-Traceback= 60449944 61A9DCB4 61A9E000 61A9E898 61AA2CCC 61A96100 61A82EB8

Conditions: This symptom is observed on a Cisco 3660 router that is running the c3660-ik9o3s-mz image of Cisco IOS Release 12.2(13)T but may also occur on other Cisco 3600 series routers that run other Cisco IOS images.

Workaround: Disable compression.

CSCea68515

Symptoms: The G.Clear codec may not function in a Media Gateway Control Protocol (MGCP) voice environment, which can be verified in the output of the show call active voice brief privileged EXEC command.

Conditions: This symptom is observed on a Cisco AS5300, Cisco AS5400, and Cisco AS5850 when you make a voice call between two platforms that have configured the G.Clear codec.

Workaround: There is no workaround.

CSCea69601

Symptoms: A Flash Advanced Technology Attachment (ATA)-disk card may become corrupted because of simultaneous accesses to the card. The corruption may not be immediately obvious. Signs of corruption are:

You cannot use an image from the ATA-disk card to boot up the router.

Errors occur when data is stored on or read from the ATA-disk card.

Conditions: This symptom is observed when you enter the show file system EXEC command while a file is being written to the ATA-disk card or when you enter the dir filesystem: EXEC command while a file is being written to the same device as the target of the dir filesystem: EXEC command.

Workaround: Avoid using any commands that access the ATA-disk card while a file is being written to the ATA-disk card.

CSCea70473

Symptoms: A memory leak may occur in the PPP authorization process on a Cisco 7206VXR.

Conditions: This symptom is observed on a Cisco 7206VXR that is running Cisco IOS Release 12.2(16) and that is configured for PPP over Ethernet (PPPoE). The symptom may occur on any Cisco router that is running Cisco IOS Release 12.2(16).

Workaround: There is no workaround.

CSCea73696

Symptoms: Virtual Private Network (VPN) routing/forwarding (VRF) IP Security (IPSec) may fail when Rivest, Shamir, and Adleman (RSA) encryption is configured.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(1).

Workaround: There is no workaround.

CSCea74283

Symptoms: A Cisco router may reload when an error occurs during the certificate enrollment.

Conditions: This symptom is observed on a Cisco 831 and occurs only when the router attempts to connect to the Certificate Authority (CA). The symptom may also occur on other platforms.

Workaround: There is no workaround. To minimize the chance that the symptom occurs, verify that the correct enrollment information is configured for the trustpoint that is used for the enrollment, and ensure that the CA is functioning properly before you initiate the certificate enrollment.

CSCea77328

Symptoms: A Cisco uBR905 incorrectly sources a Dynamic Host Configuration Protocol (DHCP) request packet from a cable modem interface.

Conditions: This symptom is observed during the DHCP proxy process.

Workaround: There is no workaround.

CSCea79610

Symptoms: When Cisco Networking Services (CNS) commands fail authentication by an associated Cisco IE2100 series, two messages may be sent to the CNS event bus:

The first message, which is the expected error message, misses a value for the identifier tag within the Extensible Markup Language (XML).

The second message is an incorrect success message, and should be ignored by applications that are connected to the CNS event bus.

Conditions: This symptom is observed when the cns config initial ip-address global configuration command, cns config partial ip-address global configuration command, and cns config retrieve EXEC command fail authentication by the associated Cisco IE2100 series.

Workaround: There is no workaround.

CSCea86724

Symptoms: A Cisco router that is configured for IP over Multiprotocol Label Switching (MPLS) may reload. CPUHOG messages may be displayed on the console before the router reloads.

Conditions: This symptom is observed in configurations with many interfaces or IP addresses, or with a very large number of labelled prefixes.

Workaround: There is no workaround.

CSCea91464

Symptoms: An IP packet that is sent out from a Cisco AS5850 may not be switched by using Cisco Express Forwarding (CEF). This situation may cause performance difficulties and may impact the call success rate.

Conditions: This symptom is observed on a Cisco AS5850 that is running Cisco IOS Release 12.3(1).

Workaround: There is no workaround.

CSCin04907

Symptoms: Process-switched Internet service packets may be dropped.

Conditions: This symptom is observed only after a Service Selection Gateway (SSG) processes the packets properly in the Cisco Express Forwarding (CEF) path; the packets are forwarded to the processor at a later time. The symptom typically occurs with Network Address Translation (NAT) connections.

Workaround: Add a network-specific route either in the service profile or in the global routing table by entering the ip route global configuration command.

CSCin26828

Symptoms: A Cisco router may reload when 24 voice calls are successfully established and you enter the show interfaces privileged EXEC command followed by the show interface multilink number privileged EXEC command.

Conditions: This symptom is observed on a Cisco 2691, Cisco 3725 and Cisco 3745 that are configured with the following:

Low-latency queueing (LLQ) or Resource-Reservation Protocol (RSVP) support for LLQ to prioritize the voice traffic.

The G.711ulaw codec.

A Voice + ATM Advanced Integration Module (AIM) (AIM-ATM-Voice-30) that is configured with a 2-port T1 Multi-Flex Trunk Voice/WAN interface card (VWIC-2MFT-T1) for voice traffic.

A 2-port serial WAN interface card (WIC-2T) that is used for WAN connectivity, that is configured with Multilink PPP (MLP) on its serial interfaces, and that has a WAN link speed of 2 Mbps.

Workaround: Disable LLQ or RSVP-support for LLQ.

CSCin31767

Symptoms: A Cisco router may reload when you enter the show atm map privileged EXEC command.

Conditions: This symptom is observed on all Cisco routers after you have first deleted a subinterface on which a static map bundle was configured.

Workaround: First remove the static map bundle; then, delete the subinterface.

CSCin31870

Symptoms: When you remove a Gigabit Ethernet port adapter (PA-GE) from a Cisco 7200 series and then reinsert it, the interface state is "up/up," even though there are no cables attached to the Gigabit Interface Converters (GBICs) of the PA-GE.

Conditions: This symptom is observed after you enter the no shutdown interface configuration command to bring up the interface.

Workaround: There is no workaround.

CSCin33425

Symptoms: A fax call that occurs on a router that is configured with a Voice Extensible Markup Language (VXML) application may result in the following actions:

The fax call may fail.

The fax call may remain active.

The router may reload.

Conditions: This symptom may occur on a router that is running Cisco IOS Release 12.2(15)T.

Workaround: There is no workaround.

CSCin33573

Symptoms: A router that has the Service Selection Gateway (SSG) enabled may sometimes reload when the no ssg enable force-cleanup global configuration command is issued.

Conditions: This symptom is observed on a Cisco Multiprocessor WAN Application Module (MWAM) that is acting as an SSG.

Workaround: Do not use the no ssg enable force-cleanup global configuration command if SSG is enabled. There is no other workaround.

CSCin34265

Symptoms: A router may reload when a bundle member with an overlapping precedence is added.

Conditions: This symptom is observed when the bundle member that has the overlapping precedence is added, removed, and subsequently readded with another precedence.

Workaround: There is no workaround.

CSCin34382

Symptoms: A Cisco 7200 series or Cisco 7401 may reload because of a bus error exception.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a Network Service Engine-1 (NSE-1) and on a Cisco 7401 when Parallel Express Forwarding (PXF) is enabled. This symptom occurs when the router forwards traffic through a 1-port Fast Ethernet port adapter (PA-FE) that incorporates the DEC21140 chip or through a Fast Ethernet I/O controller (C7200-IO-FE) that incorporates the DEC21140 chip, and when traffic is running at the Fast Ethernet line rate.

Workaround: There is no workaround.

CSCin34887

Symptoms: When you attempt to configure the ds0-group controller configuration command or the pri-group controller configuration command on the controller of an enhanced 2 port T1/E1 high capacity port adapter (PA-VXC-2TE1+), the following error message may be generated:

No DSP resource available

Conditions: This symptom is observed when you first enter the card type {t1 | e1} global configuration command before you enter the ds0-group controller configuration command or the pri-group controller configuration command.

Workaround: After you enter the card type command, reload the router before you enter the ds0-group controller configuration command or the pri-group controller configuration command.

CSCin35946

This caveat consists of two symptoms, two conditions, and two workarounds.

Symptoms 1: When the Rivest, Shamir, and Adleman (RSA) public key of the peer of a Cisco router that is running Cisco IOS Release 12.3 is manually configured on the router, the router may reload and generate the following error message:

%ALIGN-1-FATAL: Illegal access to a low address

Conditions 1: This symptom is observed when you enter the following sequence of commands:

crypto key pubkey-chain rsa global configuration command

addressed-key key-address public key chain configuration command

key-string key-string public key configuration command

Workaround 1: Do not configure the RSA public key of a peer statically on the router; rather, use certificates. This workaround may not be acceptable in situations in which a certification authority (CA) server is not available or deployed.

Symptoms 2: When a Cisco router has saved the RSA public key of any peer in its configuration and is booted up with Release 12.3, the router may reload and generate the following error message:

%ALIGN-1-FATAL: Illegal access to a low address

Conditions 2: This symptom is observed when you have configured the RSA public key of the peer by using the following sequence of commands:

crypto keyring keyring-name global configuration command

rsa-pubkey address address keyring configuration command

key-string key-string public key configuration command

Workaround 2: Do not configure the RSA public key of a peer statically on the router; rather, use certificates. This workaround may not be acceptable in situations in which a certification authority (CA) server is not available or deployed.

CSCin37176

Symptoms: A remote line fault indication (RFI) or remote defect indication (RDI) may bring down an E1 link that is in the local loopback mode.

Conditions: This symptom is observed on a multichannel STM-1 port adapter (PA-MC-STM1).

Workaround: There is no workaround.

CSCin37177

Symptoms: A router may reload after an online insertion and removal (OIR) is performed on a Versatile Interface Processor (VIP).

Conditions: This symptom is observed if an OIR is performed on the VIP of a Cisco 7500 series while an 8-port T1/E1 Inverse Multiplexing over ATM (IMA) port adapter (PA-A3-8T1/8E1) is installed on the VIP.

Workaround: There is no workaround.

CSCin37567

Symptoms: The line protocol of some channels of a 1-port multichannel STM-1 port adapter (PA-MC-STM) may go down.

Conditions: This symptom is observed on a PA-MC-STM that is installed in a Cisco router that is running Cisco IOS Release 12.0 S, Release 12.1 E, Release 12.2 S, or Release 12.2 T.

Workaround: There is no workaround.

CSCin37692

Symptoms: Traffic may be dropped when Cisco Express Forwarding (CEF) or fast switching is enabled with software encryption.

Conditions: This symptom is observed on a Cisco platform that is running Cisco IOS Release 12.3 and that supports software encryption.

Workaround: Use process switching.

Alternate Workaround: Do not use software encryption; rather, use hardware encryption.

CSCin37893

Symptoms: When you configure a large number of channels on a 1-port multichannel STM-1 port adapter (PA-MC-STM), some of the channels may remain down because of insufficient FIFO resources.

Conditions: This symptom is observed when you reload the Cisco router in which the PA-MC-STM is installed.

Workaround: There is no workaround.

CSCin37894

Symptoms: You may not be able to boot up a Cisco 3725 or a Cisco 3745.

Conditions: This symptom is observed when the Cisco 3725 is booted up with the c3725-g4js-mz image and the Cisco 3745 is booted up with the c3745-g4js-mz image of Cisco IOS Release 12.2(15)B or Release 12.2(15)T.

Workaround: There is no workaround.

CSCin38296

Symptoms: A Cisco router may reload when it receives a caller ID.

Conditions: This symptom is observed only on a Cisco router that is configured with a High-Density Analog Voice/Fax network module (NM-HDA).

Workaround: There is no workaround.

CSCin39040

Symptoms: A Cisco router may reload when you copy the running configuration to or from a network file system.

Conditions: This symptom is observed when the network file system is located on a TFTP server.

Workaround: There is no workaround.

CSCin39259

Symptoms: A Cisco universal access server may reload when you run the AAA-SESSION-MIB MIB.

Conditions: This symptom is observed on a Cisco AS5300 that is running Cisco IOS Release 12.3.

Workaround: There is no workaround.

CSCin39456

Symptoms: Collected digits are not handled properly by a Voice Extensible Markup Language (VXML) application, causing the interdigit timeout event trigger to disconnect the call.

Conditions: This symptom is observed on a Cisco AS5350.

Workaround: There is no workaround.

CSCin40371

Symptoms: Traffic loss may occur when you configure the no ip cef global configuration command.

Conditions: This symptom is observed on a Cisco router that has Cisco Express Forwarding (CEF) enabled by default, but that does not have the no ip cef global configuration command configured in the startup configuration.

Workaround: After CEF has been enabled by default, disable CEF.

CSCin40441

Symptoms: When the debug atm errors EXEC command is configured, the following error message may be generated:

atm_get_passive_svc_config: invalid svc_handle found from vc

Conditions: This symptom is observed during the creation of Tag Virtual Circuits (TVCs).

Workaround: There is no workaround.

CSCin40652

Symptoms: After a Media Gateway Control Protocol (MGCP) channel-associated signaling (CAS) call is established, there may not be voice-path continuity; the call signaling is properly terminated, but there is only one-way voice traffic.

Conditions: This symptom is observed on a Cisco router that uses an MGCP CAS call flow.

Workaround: There is no workaround.

CSCin41032

Symptoms: A memory leak may occur in the Media Resource Control Protocol (MRCP) client process on a Cisco 5400.

Conditions: This symptom is observed during a stress test.

Workaround: There is no workaround.

CSCin41414

Symptoms: A Cisco 7200 series may reload.

Conditions: This symptom is observed when you enter the verify EXEC command on a Flash card device.

Workaround: There is no workaround.

CSCin41510

Symptoms: An output service policy with a police feature may be rejected, and the following error message may be generated:

Cannot attach flat policy to pvc/sub-interface. Hierarchical policy with shape in class-default is recommended

Conditions: This symptom is observed when the output service policy is attached to multiple subinterfaces.

Workaround: There is no workaround.

CSCin41525

Symptoms: When packets are intercepted and replicated with IP version 6 (IPv6) encapsulation, packets that are replicated to the Mediation Device (MD) may be process switched at the MD interface instead of being switched by using Cisco Express Forwarding (CEF). This situation may affect the performance of the router.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3 and occurs when the intercepted packets are replicated with IPv6 encapsulation.

Workaround: There is no workaround.

CSCin41527

Symptoms: A Cisco platform that functions as a gatekeeper may reload.

Conditions: This symptom is observed when you deconfigure the zone local gatekeeper configuration command.

Workaround: There is no workaround.

CSCuk41281

Symptoms: Traffic forwarding through a traffic engineering (TE) tunnel may not function properly.

Conditions: This symptom is observed on a Cisco 7500 series router that is running Cisco IOS Release 12.2 T.

Workaround: There is no workaround.

CSCuk41908

Symptoms: Redirection may occur unexpectedly on a Cisco router when redirect is configured on more than one interface with more than one service configured.

Conditions: This symptom is observed on a Cisco router when Web Cache Communication Protocol (WCCP) input redirection is configured on several interfaces and not all services are configured on each interface. In this situation, packets are matched against all services when looking for redirect candidates. This behavior may lead to a spurious match and unexpected redirection of packets to a cache.

Workaround: Use output redirection.

Novell IPX, XNS, and Apollo Domain

CSCdz18119

Symptoms: A Cisco 3640 router may reload at "__doprnt."

Conditions: This symptom is observed on a Cisco 3640 router that is running Cisco IOS Release 12.2(13) while the router is being configured for Internetwork Packet Exchange (IPX) routing.

Workaround: There is no workaround.

CSCea22230

Symptoms: A Cisco 1710 router that is running Cisco IOS Release 12.2(13)T may reload because of a segmentation violation (SegV) exception error.

Conditions: This symptom is observed while the router is transporting Novell traffic over Point-to-Point Tunneling Protocol (PPTP).

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCdx95455

Symptoms: A memory leak may occur on a router after TCP-to-X.25 translation is configured.

Conditions: This symptom is observed if a user attempts to use TCP-to-X.25 translation while a router is already performing translation for the maximum number of configured users. The additional user will not be able to use translation, and the router will leak memory.

Workaround: There is no workaround.

CSCdz28034

Symptoms: A router may reload while you change the maximum transmission unit (MTU) size to 64 bytes on an OC-12 or OC-24 Packet-over-SONET (POS) interface.

Conditions: This symptom is observed on a Cisco 10000 series router or a Cisco 12000 series router when Multiprotocol Label Switching (MPLS) is enabled on the interface.

Workaround: There is no workaround.

Wide-Area Networking

CSCdy72086

Symptoms: You may not be able to make the 421st digital call, and existing calls may drop after the failed attempt to make the 421st call.

Conditions: This symptom is observed on a Cisco AS5xx0 platform that has a configuration to bring up 450 digital calls.

Workaround: Configure the dialer pool-member number interface configuration command on the serial interface from which the calls are made.

CSCdy77929

Symptoms: A call that originates from the public switched telephone network (PSTN) to a Cisco IP telephone that is configured for call forward all (CFA) back-out to a PSTN phone may fail to connect.

ISDN debug messages indicate that the call was disconnected by the PSTN side on the first (inbound) call leg; Cisco CallManager tore down the second (outbound) call leg.

Conditions: This symptom is observed on a Cisco platform that is functioning as an ISDN gateway, that is running Cisco IOS Release 12.2(11)T, that is configured for H.323, and that is connected to a Cisco CallManager. The gateways that connect to the PSTN are configured with the isdn switch-type primary-dms100 (PRI) global configuration or interface configuration command.

Workaround: There is no workaround.

CSCdz42788

Symptoms: When you make ISDN configuration changes on a Cisco 7204VXR router, bus errors may occur.

Conditions: This symptom is observed on a Cisco 7204VXR router that is running Cisco IOS Release 12.2(12a).

Workaround: There is no workaround.

CSCea03351

Symptoms: Spurious memory accesses may occasionally be seen on a router that is using Multilink PPP (MLP).

Conditions: This symptom is observed on a Cisco router if a datagram is forwarded to a multilink bundle at the same time that the bundle interface is in the process of going down.

Workaround: There is no workaround.

CSCea12794

Symptoms: Link Control Protocol (LCP) keepalive functionality may not work properly.

Conditions: This symptom is observed when an LCP keepalive period is configured to last longer than 255 seconds on an interface.

Workaround: Configure the LCP keepalive period to last shorter than 255 seconds.

CSCea18985

Symptoms: Payload packets may be transmitted out of order over a Multilink PPP (MLP) bundle.

Conditions: This symptom is observed during periods of heavy data traffic.

Workaround: There is no workaround.

CSCea22898

Symptoms: The value of the Logical Link Control (LLC) N2 error counter may not reset when no information frames (I-frames) are sent and acknowledged. When final Receive Ready frames are dropped, the error counter is increased, but when a proper final Receive Ready frame (in which the next received [nr] frame equals the next sent [ns] frame) is received, the error counter is not reset.

Conditions: This symptom is observed when a Systems Network Architecture (SNA) LLC connection is made. Each side sends a single I-frame or no I-frame; then, the connection remains idle for many hours. Final Receive Ready packets are dropped in the network, causing the T1 timer to expire. When this situation occurs often, the value of the retry-count argument of the llc2 n2 retry-count internal adapter configuration command may be exceeded, and the SNA connection may be terminated.

Workaround: When the SNA LLC connection is slow, increase the T1 timer by entering the llc2 t1-time milliseconds internal adapter configuration command.

Alternate Workaround: Increase the value of the retry-count argument of the llc2 n2 retry-count internal adapter configuration command.

Second Alternate Workaround: Ensure that I-frames continue to be sent in both directions.

CSCea24574

Symptoms: Authentication, authorization, and accounting (AAA) may not process vendor-specific attributes (VSAs) that are sent with tagged Layer 2 Tunnel Protocol (L2TP) tunnel attributes.

Conditions: This symptom is observed on a Cisco AS5400 and a Cisco AS5800.

Workaround: There is no workaround.

CSCea24708

Symptoms: A valid X.25 call received in the appropriate one-way channel range (incoming-only for X.25 DTEs, outgoing-only for X.25 DCEs) may be refused by a Cisco router.

Conditions: This symptom may occur when an X.25 interface is configured with one-way SVC ranges.

Workaround: Extend the two-way channel range to include the offending one-way channel range.

CSCea26427

Symptoms: When the pri-group timeslots timeslot-range service mgcp controller configuration command is configured on a router, ISDN layer 2 may come up, even when the isdn bind-l3 ccm-manager interface configuration command is not configured. An incoming call may cause the error message "Assertion Failed" to be generated, or may cause the router to reload, or may cause both to occur.

Conditions: This symptom is observed only on a router that has a PRI line that is improperly configured for a Media Gateway Control Protocol (MGCP) backhaul connection to a Cisco CallManager.

Workaround: Ensure that the PRI MGCP backhaul connection is correctly configured on the router before attempting calls. The isdn bind-l3 ccm-manager interface configuration command must be configured under the serial interface that corresponds to the E1 or T1 interface for which the pri-group timeslots timeslot-range service mgcp controller configuration command has been configured.

CSCea31617

Symptoms: A Cisco router may unexpectedly reload during the "traffic_shape_dequeue_shim" process.

Conditions: This symptom is observed on a Cisco 7200 series and a Cisco 3660.

Workaround: There is no workaround.

CSCea36292

Symptoms: A call control block (CCB) may not be released after an ISDN layer 2 goes down and active calls are disconnected.

Conditions: This symptom is observed for PRI calls.

Workaround: There is no workaround.

CSCea39282

Symptoms: A Cisco 3600 series router that is configured for LAN Emulation (LANE) and bridging allows LANE Address Resolution Protocol (LE ARP) to be answered on a blocked port.

Conditions: This symptom is observed on a Cisco 3600 series router that is running Cisco IOS Release 12.2 or Release 12.2 T.

Workaround: There is no workaround.

CSCea40042

Symptoms: A Cisco 3600 series may reload while Non-Facility Associated Signaling (NFAS) is deconfigured by using automated scripts.

Conditions: This symptom is observed under extreme stress conditions.

Workaround: There is no workaround.

CSCea43177

Symptoms: A Cisco router may reload while you attempt to set up a Frame Relay switched virtual circuit (SVC).

Conditions: This symptom is observed when you attempt to set up a Frame Relay SVC by using a data-link connection identifier (DLCI) that is already in use; for example, when a permanent virtual circuit (PVC) is configured by using the same DLCI.

Workaround: When a PVC is configured by using the same DLCI, remove the PVC configuration before you attempt to set up the Frame Relay SVC.

CSCea51304

Symptoms: The isdn service interface switch-type interface configuration or global configuration command may not function properly. This situation may affect service.

Conditions: This symptom is observed only for the NET5 switch type when you attempt to configure the isdn service interface primary-net5 interface configuration or global configuration command.

Workaround: Reload the router.

CSCea53821

Symptoms: PPP Network Control Protocol negotiation may fail on a Cisco router.

Conditions: This symptom is observed for most PPP protocols on all platforms that are running an image of Cisco IOS Release 12.3 when PPP encapsulation is used via a serial interface.

Workaround: Complete the configuration of PPP protocols at both ends of a connection before you bring up the connection.

Alternate Workaround: After you have completed the configuration of PPP protocols, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the serial interface.

CSCea62119

Symptoms: A Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) may reload during the "dialer pending" process.

Conditions: This symptom is observed only when the virtual private dialup network (VPDN) tunnel is torn down prematurely.

Workaround: There is no workaround.

CSCea70033

Symptoms: The configuration of the pri-group timeslots timeslot-range service mgcp controller configuration command that is defined under an E1 controller may be deleted when you boot up a Cisco platform.

Conditions: This symptom is observed on a Cisco AS5400 that is running Cisco IOS Release 12.3 but may occur on any Cisco platform that is capable of supporting a Media Gateway Control Protocol (MGCP) PRI E1 connection.

Workaround: There is no workaround.

CSCin40054

Symptoms: The dialer-list dialer-group protocol protocol-name global configuration command displays duplicate options.

Conditions: This symptom is observed only for non-IP protocol options.

Workaround: There is no workaround.
