Caveats for Cisco IOS Release 12.3
September 24, 2008
Cisco IOS Release 12.3(26)
OL-4353-20
This document lists severity 1 and 2 caveats and select severity 3 caveats for Cisco IOS Release 12.3, up to and including Cisco IOS Release 12.3(26). Caveats describe unexpected behavior or defects in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.
To improve this document, we would appreciate your comments. If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically at http://www.cisco.com/feedback/ or contact caveats-doc@cisco.com. For more information, see the "Obtaining Documentation and Submitting a Service Request" section on page 1026.
How to Use This Document
This document describes open and resolved severity 1 and 2 caveats and select severity 3 caveats:
• The "Open Caveats" section lists open caveats that apply to the current release and may apply to previous releases.
• The "Resolved Caveats" sections list caveats resolved in a particular release, but open in previous releases.
Within the sections the caveats are sorted by technology in alphabetical order. For example, AppleTalk caveats are listed separately from, and before, IP caveats. The caveats are also sorted alphanumerically by caveat number.
If You Need More Information
Cisco IOS software documentation can be found on the web through Cisco.com. For information on Cisco.com, see the "Obtaining Documentation and Submitting a Service Request" section on page 1026.
For more information on caveats and features in Cisco IOS Release 12.3, refer to the following sources:
• Dictionary of Internetworking Terms and Acronyms—The Dictionary of Internetworking Terms and Acronyms contains definitions of acronyms that are not defined in this caveats document.
• Bug Toolkit—If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Products and Services: Cisco IOS Software: Cisco IOS Software Releases 12.3: Troubleshooting: Bug Toolkit. Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl.
(If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)
• Release Notes for Cisco IOS Release 12.3—These release notes describe new features and significant software components for Cisco IOS software Release 12.3.
• Deferral Advisories and Software Advisories for Cisco IOS Software—Deferral Advisories and Software Advisories for Cisco IOS Software provides information about caveats that are related to deferred software images for Cisco IOS releases. If you have an account on Cisco.com, you can access Deferral Advisories and Software Advisories for Cisco IOS Software at http://www.cisco.com/public/sw-center/sw-ios-advisories.shtml.
• What's New for IOS—What's New for IOS lists recently posted Cisco IOS software releases and software releases that have been removed from Cisco.com. If you have an account on Cisco.com, you can access What's New for IOS at http://www.cisco.com/public/sw-center/sw-ios.shtml.
Note
Release notes are modified only on an as-needed basis. The maintenance release number and the revision date represent the last time the release notes were modified to include new or updated information. For example, release notes are modified whenever any of the following items change: software or hardware features, feature sets, memory requirements, software deferrals for the platform, microcode or modem code, or related documents.
The most recent release notes when this caveats document was published were Release Notes for Cisco IOS Release 12.3, for Cisco IOS Release 12.3(26) on March 18, 2008.
Contents
The caveats documentation for Cisco IOS Release 12.3 consists of the following subsections:
Cross-Platform Release Notes for Cisco IOS Release 12.3, Part 5: Caveats for 12.3(10) through 12.3(26)
• Open Caveats—Cisco IOS Release 12.3(26)
• Resolved Caveats—Cisco IOS Release 12.3(26)
• Resolved Caveats—Cisco IOS Release 12.3(25)
• Resolved Caveats—Cisco IOS Release 12.3(24a)
• Resolved Caveats—Cisco IOS Release 12.3(24)
• Resolved Caveats—Cisco IOS Release 12.3(23)
• Resolved Caveats—Cisco IOS Release 12.3(22a)
• Resolved Caveats—Cisco IOS Release 12.3(22)
• Resolved Caveats—Cisco IOS Release 12.3(21b)
• Resolved Caveats—Cisco IOS Release 12.3(21a)
• Resolved Caveats—Cisco IOS Release 12.3(21)
• Resolved Caveats—Cisco IOS Release 12.3(20a)
• Resolved Caveats—Cisco IOS Release 12.3(20)
• Resolved Caveats—Cisco IOS Release 12.3(19a)
• Resolved Caveats—Cisco IOS Release 12.3(19)
• Resolved Caveats—Cisco IOS Release 12.3(18a)
• Resolved Caveats—Cisco IOS Release 12.3(18)
• Resolved Caveats—Cisco IOS Release 12.3(17c)
• Resolved Caveats—Cisco IOS Release 12.3(17b)
• Resolved Caveats—Cisco IOS Release 12.3(17a)
• Resolved Caveats—Cisco IOS Release 12.3(17)
• Resolved Caveats—Cisco IOS Release 12.3(16a)
• Resolved Caveats—Cisco IOS Release 12.3(16)
• Resolved Caveats—Cisco IOS Release 12.3(15b)
• Resolved Caveats—Cisco IOS Release 12.3(15a)
• Resolved Caveats—Cisco IOS Release 12.3(15)
• Resolved Caveats—Cisco IOS Release 12.3(13b)
• Resolved Caveats—Cisco IOS Release 12.3(13a)
• Resolved Caveats—Cisco IOS Release 12.3(13)
• Resolved Caveats—Cisco IOS Release 12.3(12e)
• Resolved Caveats—Cisco IOS Release 12.3(12d)
• Resolved Caveats—Cisco IOS Release 12.3(12c)
• Resolved Caveats—Cisco IOS Release 12.3(12b)
• Resolved Caveats—Cisco IOS Release 12.3(12a)
• Resolved Caveats—Cisco IOS Release 12.3(12)
• Resolved Caveats—Cisco IOS Release 12.3(10f)
• Resolved Caveats—Cisco IOS Release 12.3(10e)
• Resolved Caveats—Cisco IOS Release 12.3(10d)
• Resolved Caveats—Cisco IOS Release 12.3(10c)
• Resolved Caveats—Cisco IOS Release 12.3(10b)
• Resolved Caveats—Cisco IOS Release 12.3(10a)
• Resolved Caveats—Cisco IOS Release 12.3(10)
Cross-Platform Release Notes for Cisco IOS Release 12.3, Part 6: Caveats for 12.3(6) through 12.3(9e)
• Resolved Caveats—Cisco IOS Release 12.3(9e), page 423
• Resolved Caveats—Cisco IOS Release 12.3(9d), page 424
• Resolved Caveats—Cisco IOS Release 12.3(9c), page 431
• Resolved Caveats—Cisco IOS Release 12.3(9b), page 438
• Resolved Caveats—Cisco IOS Release 12.3(9a), page 441
• Resolved Caveats—Cisco IOS Release 12.3(9), page 457
• Resolved Caveats—Cisco IOS Release 12.3(6f), page 541
• Resolved Caveats—Cisco IOS Release 12.3(6e), page 542
• Resolved Caveats—Cisco IOS Release 12.3(6c), page 549
• Resolved Caveats—Cisco IOS Release 12.3(6b), page 556
• Resolved Caveats—Cisco IOS Release 12.3(6a), page 561
• Resolved Caveats—Cisco IOS Release 12.3(6), page 573
Cross-Platform Release Notes for Cisco IOS Release 12.3, Part 7: Caveats for 12.3(1) through 12.3(5f)
• Resolved Caveats—Cisco IOS Release 12.3(5f), page 657
• Resolved Caveats—Cisco IOS Release 12.3(5e), page 658
• Resolved Caveats—Cisco IOS Release 12.3(5d), page 667
• Resolved Caveats—Cisco IOS Release 12.3(5c), page 682
• Resolved Caveats—Cisco IOS Release 12.3(5b), page 698
• Resolved Caveats—Cisco IOS Release 12.3(5a), page 700
• Resolved Caveats—Cisco IOS Release 12.3(5), page 704
• Resolved Caveats—Cisco IOS Release 12.3(3i), page 795
• Resolved Caveats—Cisco IOS Release 12.3(3h), page 796
• Resolved Caveats—Cisco IOS Release 12.3(3g), page 809
• Resolved Caveats—Cisco IOS Release 12.3(3f), page 816
• Resolved Caveats—Cisco IOS Release 12.3(3e), page 844
• Resolved Caveats—Cisco IOS Release 12.3(3c), page 846
• Resolved Caveats—Cisco IOS Release 12.3(3b), page 847
• Resolved Caveats—Cisco IOS Release 12.3(3a), page 851
• Resolved Caveats—Cisco IOS Release 12.3(3), page 858
• Resolved Caveats—Cisco IOS Release 12.3(1a), page 965
• Resolved Caveats—Cisco IOS Release 12.3(1), page 974
• Obtaining Documentation and Submitting a Service Request, page 1026
Open Caveats—Cisco IOS Release 12.3(26)
This section describes possibly unexpected behavior by Cisco IOS Release 12.3(26). All the caveats listed in this section are open in Cisco IOS Release 12.3(26). This section describes severity 1 and 2 caveats and select severity 3 caveats.
The following information is provided for each caveat:
• Symptoms—A description of what is observed when the caveat occurs.
• Conditions—The conditions under which the caveat has been known to occur.
• Workaround—Solutions, if available, to counteract the caveat.
Miscellaneous
• CSCin95455
Symptoms: The connect global configuration command presents duplicate options; that is, there appear to be two switching subsystems.
Conditions: This symptom is observed on a Cisco router when you attempt to configure the connect global configuration command for ATM.
Workaround: There is no workaround.
• CSCse44079
Symptoms: CPU utilization may reach 100 percent in the IGMP Input process when a UDL interface is down. When the downstream UDL interface (on the downstream router) goes down, any (downstream router) locally received IGMP report/leave will be sent 255 times to the router itself and will cause high CPU utilization.
Conditions: This symptom is observed on a Cisco router that has a UDL interface that is connected to a satellite link after you have upgraded the Cisco IOS software image from Release 12.4(5a) to Release 12.4(7a). However, the symptom is not release-specific.
Workaround: There is no workaround.
Further Problem Description: When the UDL link goes down, the downstream router starts to flood IGMP reports to itself, and in Releases 12.4(7a), 12.4(8), and 12.3(19), Cisco IOS software is really processing these packets, which has a big impact on CPU utilization.
• CSCsf96266
Symptoms: Unable to obtain low latency for priority traffic while LLQ is configured.
Conditions: This is happening while LLQ is configured with IPsec and IPsec-GRE tunnels.
Workaround: There is no workaround.
• CSCsi18669
Symptoms: QoS Group Marking may not function.
Conditions: This symptom is observed on a Cisco router after you have reloaded the router.
Workaround: Detach the policy map from the interface and then re-attach it to the interface.
• CSCsi83714
Symptoms: A Cisco 7206VXR (NPE-G1) that is running Cisco IOS Release 12.3(22) has a software-forced reload because of a memory corruption. The memory pool type is Processor rip_create_rdb.
Conditions: The Cisco 7206VXR (NPE-G1) with Cisco IOS Release 12.3(22) was running fine for one month before the crash occurred. The crash occurred during/after some configuration changes, which were done regularly. The crash occurred only once.
Workaround: There is no workaround.
• CSCsk51939
Symptoms: After multiple calls are established, and then calls are disconnected by the users, new calls cannot be established.
Conditions: This problem is seen when using a Cisco 3660 router with a digital modem network module, NM-30DM. This problem is seen in all Cisco IOS 12.2 and 12.3 releases.
Workaround: Reloading the router will allow new calls to be established.
• CSCsk80813
Symptoms: AP does not seem to handle PAC provisioning for the Windows OS Vista client.
Conditions: This symptom is observed with the AP running 12.3(8) JEB.
Workaround: There is no workaround.
• CSCsl42554
Symptoms: All CMs became offline with no alert or log message. When the clear cable modem all del command was executed, no CM was ranging. When checked, upconverter signal was okay and ucd counter was also normal.
As there was no log and no other specific information remained, it is hard to know the root cause.
Conditions: This symptom is observed only on the MC520H card.
Workaround: Enter the cable downstream rf-shutdown command followed by the no cable downstream rf-shutdown command.
Further Problem Description: This is similar to CSCsj03260 (an externally found moderate (Sev3) bug, resolved: modems stay offline after a modulation switch on the MC5x20H). However, that fix is integrated in Release 12.3(21a)BC4, and the DE said that this is a different problem. Also, the customer did not use dynamic modulation.
• CSCsm60103
Symptoms: After the AP (AIR-AP1231G-E-K9) is upgraded to 12.3(8).JEC, a periodic loss of interface "Dot11Radio0" is seen because of "failed - Driver transmit queue stuck." This results in only a brief service interruption; the AP and radio do recover and start servicing again within 1 to 2 seconds.
Conditions: This symptom is observed under normal operation.
Workaround: There is no workaround.
Further Problem Description: The following is the syslog record of the failure and recovery:
Dec 19 10:51:23: %DOT11-2-RADIO_FAILED: Interface Dot11Radio0,failed - Driver transmit queue stuck -Traceback= 19670 420248 427A64 428C20 42B31C 3D1BA4 3D457C 3D8DAC 4BB43C 4B6C30 24306C
Dec 19 10:51:23: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
Dec 19 10:51:23: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
Dec 19 10:51:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
Dec 19 10:51:24: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
Dec 19 10:51:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
• CSCsm62622
Symptoms: Applying an access group to physical interfaces modifies the ACL in the running configuration.
Conditions: When a physical interface is made a part of a bridge group and when the physical interface has an "ip access-group <list> [in/out]" assigned from a corresponding access list, and if this ACL has "logging" labeled, then the running configuration is modified at the first list match that hits any of the bridged interfaces in such a way that the logging is removed from the ACL.
Workaround: Instead of assigning the ACL to a physical interface, create a BVI interface for the bridge group and assign the ACL to the BVI.
Further Problem Description: The following is a sample interface configuration.
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid tsunami
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role non-root bridge
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
ssid tsunami
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role non-root bridge
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
hold-queue 160 in
!
interface BVI1
ip address 10.0.0.12 255.255.255.224
ip access-group 105 in
no ip route-cache
!
access-list 105 deny ip 127.0.0.0 0.255.255.255 any log
access-list 105 deny ip 5.5.5.0 0.0.0.255 any log
access-list 105 permit ip any any log
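Because the caveat above modifies the running configuration silently, the practical defence is a configuration-drift check: compare the ACL entries the operator intended (with their log keyword) against what the device currently holds and flag any entry whose log keyword has disappeared. The following Python script is an added example and is not part of the Cisco document; it parses numbered access-list lines with a regular expression constructed for this example, uses the access-list 105 entries shown above as the baseline, and compares them with a constructed running configuration in which two entries have lost logging.

```python
import re

# Matches one numbered IOS access-list line and captures the entry body.
# Constructed for this example; it deliberately ignores named ACLs.
ACL_LINE_RE = re.compile(r"^\s*access-list\s+(?P<num>\d+)\s+(?P<body>.+?)\s*$")


def parse_numbered_acls(config_text):
    """Return {acl_number: [tokens, ...]} for every numbered access-list line, in config order."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_LINE_RE.match(line)
        if m:
            acls.setdefault(m.group("num"), []).append(m.group("body").split())
    return acls


def lost_logging(baseline_cfg, running_cfg):
    """List (acl_number, entry) pairs whose 'log' keyword is present in the baseline
    but missing from the running configuration. Entries are compared positionally,
    since IOS keeps numbered ACL entries in configuration order."""
    baseline = parse_numbered_acls(baseline_cfg)
    running = parse_numbered_acls(running_cfg)
    lost = []
    for num, entries in baseline.items():
        current = running.get(num, [])
        for i, entry in enumerate(entries):
            if "log" not in entry:
                continue
            without_log = [tok for tok in entry if tok != "log"]
            if i < len(current) and current[i] == without_log:
                lost.append((num, " ".join(entry)))
    return lost


# Baseline: the access-list 105 entries from the sample configuration in the caveat,
# as the operator intended them.
BASELINE_CONFIG = """\
access-list 105 deny ip 127.0.0.0 0.255.255.255 any log
access-list 105 deny ip 5.5.5.0 0.0.0.255 any log
access-list 105 permit ip any any log
"""

# Constructed running configuration: two entries have silently lost their 'log' keyword.
RUNNING_CONFIG = """\
interface FastEthernet0
 bridge-group 1
!
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip 5.5.5.0 0.0.0.255 any log
access-list 105 permit ip any any
"""

if __name__ == "__main__":
    for num, entry in lost_logging(BASELINE_CONFIG, RUNNING_CONFIG):
        print(f"access-list {num}: logging dropped from entry '{entry}'")
```

Feed the script the output of show running-config collected on a schedule and alert on a non-empty result; a device that has hit this caveat stops producing the ACL log messages that an operations team may be relying on, so the absence is otherwise easy to miss.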
• CSCso03047
Symptoms: The multilink interfaces stop forwarding traffic, and the serial interfaces out of the multilink start to flap.
Conditions: This symptom is observed when the E3 controller is saturated.
Workaround: Enter the shutdown command followed by the no shutdown command on the controller.
• CSCso11620
Symptoms: A Cisco AS5400 router crashes with a bus error at sstrncpy. The error message will look like the following:
System returned to ROM by bus error at PC 0x6184FA30, address 0xD0D0D0D
Conditions: This symptom is observed on a Cisco AS5400 router.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(26)
This section describes possibly unexpected behavior by Cisco IOS Release 12.3(26). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(26). This section describes severity 1 and 2 caveats and select severity 3 caveats.
The following information is provided for each caveat:
• Symptoms—A description of what is observed when the caveat occurs.
• Conditions—The conditions under which the caveat has been known to occur.
• Workaround—Solutions, if available, to counteract the caveat.
Miscellaneous
• CSCec12299
Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.
Workarounds are available to help mitigate this vulnerability.
This issue is triggered by a logic error when processing extended communities on the PE device.
This issue cannot be deterministically exploited by an attacker.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.
• CSCse92050
Symptoms: A router may reload unexpectedly when a routing event causes multicast boundary to be configured on a Reverse Path Forwarding (RPF) interface.
Conditions: This symptom is observed on a Cisco platform that is configured for PIM.
Workaround: Remove multicast boundary from the configuration.
• CSCsg21398
Symptoms: The Cisco IOS software image may unexpectedly restart when a crafted "msg-auth-response-get-user" TACACS+ packet is received.
Conditions: This symptom is observed after the Cisco platform has sent an initial "recv-auth-start" TACACS+ packet.
Workaround: There is no workaround.
• CSCsg39295
Symptoms: Password information may be displayed in a syslog message as follows:
%SYS-5-CONFIG_I: Configured from scp://userid:password@10.1.1.1/config.txt by console
Conditions: This symptom is observed when using SNMP to modify a configuration by means of the CISCO-CONFIG-COPY-MIB; selection of ConfigCopyProtocol of SCP or FTP may result in the password being exposed in a syslog message.
Workaround: When using SNMP to modify a configuration by means of the CISCO-CONFIG-COPY-MIB, use the ConfigCopyProtocol of RCP to avoid exposure of the password.
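Until the fix is deployed, the exposure can at least be detected where the syslog is collected. The following Python script is an added example, not part of the Cisco document: it scans syslog lines for URLs that embed a user:password pair (the SCP and FTP forms the caveat describes), reports them, and produces a redacted copy suitable for forwarding. The regular expression and all sample lines other than the one quoted from the caveat are constructed for this example.

```python
import re

# Matches scheme://user:password@host inside free text. The password group ends at the
# '@' that introduces the host, so a URL with only a user name (rcp://user@host) does
# not match. Constructed for this example.
URL_CRED_RE = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:/@\s]+):(?P<password>[^@\s]+)@(?P<host>[^/\s]+)",
    re.IGNORECASE,
)


def find_credential_leaks(lines):
    """Return (line_index, scheme, user, host) for every line carrying a URL with an embedded password."""
    hits = []
    for i, line in enumerate(lines):
        for m in URL_CRED_RE.finditer(line):
            hits.append((i, m.group("scheme").lower(), m.group("user"), m.group("host")))
    return hits


def redact(line):
    """Replace the password part of any credentialed URL with a fixed marker, leaving the rest intact."""
    return URL_CRED_RE.sub(
        lambda m: f"{m.group('scheme')}://{m.group('user')}:<redacted>@{m.group('host')}", line
    )


SAMPLE_LOG = [
    # Line quoted from the caveat text above
    "%SYS-5-CONFIG_I: Configured from scp://userid:password@10.1.1.1/config.txt by console",
    # Constructed: the same flow over FTP, which the caveat also names
    "%SYS-5-CONFIG_I: Configured from ftp://backup:S3cret!@192.0.2.10/running.cfg by console",
    # Constructed: RCP (the suggested workaround) carries no password in the URL
    "%SYS-5-CONFIG_I: Configured from rcp://backup@192.0.2.10/running.cfg by console",
    # Constructed: ordinary configuration message with no URL at all
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.5)",
]

if __name__ == "__main__":
    for idx, scheme, user, host in find_credential_leaks(SAMPLE_LOG):
        print(f"line {idx}: {scheme} password for user {user!r} to {host} exposed in syslog")
        print("   redacted:", redact(SAMPLE_LOG[idx]))
```

Any hit should be treated as a credential that has been written to every syslog destination the device is configured with, so the response is to rotate that account's password as well as to redact the stored copies.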
• CSCsh04686
Symptoms: With X.25 over TCP (XOT) enabled on a router or Catalyst switch, malformed traffic that is sent to TCP port 1998 causes the device to reload. This symptom was first observed in Cisco IOS Release 12.2(31)SB2.
Conditions: This symptom is observed only when X.25 routing is enabled on the device.
Workaround: Use IPsec or other tunneling mechanisms to protect XOT traffic. Also, apply ACLs on affected devices so that traffic is accepted only from trusted tunnel endpoints.
• CSCsh74975
Symptoms: A router may reload or a memory leak may occur when UDP malformed packets are sent to port 2517.
Conditions: This symptom is observed on a Cisco router that functions as a VoIP dial peer and that is configured for H.323.
Workaround: There is no workaround.
• CSCsi03359
Symptoms: A PIM hello message may not reach the neighbor.
Conditions: This symptom is observed on a Cisco router when an interface comes up and a PIM hello message is triggered.
Workaround: Decrease the hello timer for PIM hello messages.
Further Problem Description: The symptom occurs because the PIM hello message is sent before the port can actually forward IP packets. IGP manages to get its neighborship up but PIM does not, causing RPF to change to the new neighbor and causing blackholing to occur for up to 30 seconds.
• CSCsi67763
The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:
http://www.kb.cert.org/vuls/id/739224
By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.
Cisco response is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
• CSCsj12867
Symptoms: The following message can be seen after executing the write memory command, even though the version has not been changed.
Router# write memory
Warning: Attempting to overwrite an NVRAM configuration previously written by a different version of the system image.
Overwrite the previous NVRAM configuration?[confirm]
The router then restarts with the following traceback:
-Traceback= 6067F3DC 6067FB38 605E3FE8 60686384 605E3FE8 605188BC 60518830 605444D4 60539164 6054719C 605AB65C 605AB648
Conditions: This symptom is observed on a Cisco 7206 VXR (NPE-400) with C7200-IO-FE-MII/RJ45= or C7200-I/O= running the Cisco IOS Release 12.2(24a) interim build.
Workaround: There is no workaround.
• CSCsk68320
Symptoms: A switch aborts or reloads after the no ip routing command is entered.
Conditions: This symptom is observed when a Supervisor Engine IV is configured with a minimal IP multicast and Multicast Source Discovery Protocol (MSDP) configuration.
Workaround: There is no workaround.
• CSCsk97261
Symptoms: Router crashes with an Unexpected exception to CPUvector traceback.
Conditions: Issuing the modemui command with a large input parameter in the [modem-commands], such as:
host> modemui ATZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
OK
OK
OK
Host:00:05:30 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC = 804829C4
-Traceback= 804829C4 8049E4B0 8049E798 80492924 803CAE9C 803CB7E0 803CB6D8 803CDE88 80574D04 805759 78 803A6CC8 80CA1B60 80CA2008 80CA21FC 80CA21FC 80CA21FC
More information about the Cisco Modem User Interface feature is available at:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bf9.html
Workaround:
AAA Authorization: AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.
For a complete description of authorization commands, refer to the following links:
Configuring Authorization
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/schathor.htm
ACS 4.1 Command Authorization Sets
ACS 4.1 Configuring a Shell Command Authorization Set for a User Group
Role-Based CLI Access: The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices. The following link provides more information about the Role-Based CLI Access feature:
Role-Based CLI Access
http://www.cisco.com/en/US/netsol/ns696/networking_solutions_white_paper09186a00801ee18d.shtml
Device Access: Due to the nature of this vulnerability, networking best practices such as access control lists (ACLs) and Control Plane Policing (CoPP) that restrict vulnerable device access to certain IP addresses or subnetworks may not be effective. Device access best practices provide some mitigation for these issues by allowing systemic control of authenticated and unauthenticated users. Device access best practices are documented in:
Infrastructure Protection on Cisco IOS Software-Based Platforms Appendix B-Controlling Device Access
Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html
• CSCsl47915
Symptoms: OSPF is redistributing in RIP using a route map, based on a prefix list. Every time the prefix list is changed, the RIP database is not updated.
Conditions: This symptom is observed when a new network is added to the prefix list. The show ip route network command shows that the network is not advertised by RIP. The clear ip route network command will fix the problem.
Workaround: There is no workaround.
• CSCsl70143
Symptoms: Under heavy traffic, ISDN calls may be rejected due to high CPU usage with the following messages seen in the log (with tracebacks):
%IVR-3-LOW_CPU_RESOURCE: IVR: System experiencing high cpu utilization (98/100). Call (callID=23524) is rejected.
%SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (32/18),process = ISDN.
Conditions: This problem occurs only under heavy traffic.
Workaround: There is no workaround.
• CSCsl70722
Symptoms: A router running Cisco IOS may crash due to watchdog timeout.
Conditions: Occurs when IP SLA probes are configured and active for a period of 72 weeks. After this much time has passed, polling the rttmon mib for the probe statistics will cause the router to reload. Then the problem will not be seen again for another 72 weeks.
Workaround: There is no workaround.
• CSCsl95431
Symptoms: A router may reload when malformed packets are sent to the TFTP UDP port.
Conditions: This symptom is observed when malformed traffic is sent to the router's TFTP UDP port 69.
Workaround: There is no workaround.
• CSCsm26130
Symptoms: When removing a subinterface from the configuration that contains an IP address that falls into the major net of the static route, the static route is no longer injected into the BGP table. Since the route is not in the BGP table, it is not advertised to any peers.
Conditions: This symptom is observed with auto-summary enabled in BGP. A static summary route is configured to null0 and is injected into the BGP table with a network statement.
Workaround: There are four possible workarounds:
1) Use an "aggregate-address" configuration instead of the static route to generate the summary.
2) Remove auto-summary from the BGP process.
3) Enter the clear ip bgp * command.
4) Remove and reconfigure the BGP network statement for the summary route.
• CSCsm34361
Symptoms: TCP ports may not show open as required during port scanning using NMAP.
Conditions: This symptom is observed on a Cisco 7200 router.
Workaround: There is no workaround.
• CSCsm43993
Symptoms: A Cisco SOHO 78 router freezes while booting. A power-cycle is required to restore it to operational condition.
Conditions: The router freezes after self-decompressing the image.
Workaround: There is no workaround.
• CSCso03047
Symptoms: The multilink interfaces stop forwarding traffic, and the serial interfaces out of the multilink start to flap.
Conditions: This symptom is observed when the E3 controller is saturated.
Workaround: Enter the shutdown command followed by the no shutdown command on the controller.
• CSCso15151
Symptoms: When Multicast Distributed Fast Switching is configured, a VIP crashes on a Cisco 7500 router that is running a Cisco IOS 12.3 release.
Conditions:
1) The router has around 1000 interfaces/subinterfaces.
2) Distributed multicast is configured.
3) The router is running any Cisco IOS 12.3 release.
Workaround: There is no workaround.
Further Problem Description: In summary, the line card is accessing the memory location that has been freed already. This results in the VIP crashing. There are sanity checks that are missing in Cisco IOS 12.3 releases. The problem is similar to what bug CSCdm29808 does on line cards of the Cisco 12000 Internet series router (this router does not support Cisco IOS Release 12.3). This basically checks if the interface index on MDFS messages is less than the MDFS Idb map size, which indicates the current size of the Idb map table.
Resolved Caveats—Cisco IOS Release 12.3(25)
This section describes possibly unexpected behavior by Cisco IOS Release 12.3(25). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(25). This section describes severity 1 and 2 caveats and select severity 3 caveats.
The following information is provided for each caveat:
• Symptoms—A description of what is observed when the caveat occurs.
• Conditions—The conditions under which the caveat has been known to occur.
• Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
• CSCsh48919
Symptoms: With an ATA flash card, the dir disk0: command will fail if any filename or directory name stored on disk0 contains embedded spaces. This applies to disk1 or disk2 as well. This situation can also occur with a compact flash (CF) card using the dir flash: command.
Conditions: This symptom has been observed when using a removable flash card, such as an ATA flash card or CF card, that is formatted to use DOSFS. The removable flash card is removed from the router and inserted into a laptop that is running a version of the Microsoft Windows operating system. A "New Folder" directory is created on the flash card and the flash card is removed from the laptop and re-inserted into the router. Entering the dir command on the router may fail to show all of the stored files or may crash the router.
Workaround: Remove or rename all files and directories having names with embedded spaces so that no file or directory name contains embedded spaces.
• CSCsh74975
Symptoms: A router may reload or a memory leak may occur when UDP malformed packets are sent to port 2517.
Conditions: This symptom is observed on a Cisco router that functions as a VoIP dial peer and that is configured for H.323.
Workaround: There is no workaround.
• CSCsk70446
Symptoms: A traceback is noticed when long URLs are used to configure a device using Cisco IOS HTTP web parser. The device does not crash.
Conditions: Trying to configure commands that have a single keyword or parameter greater than N characters in length using the web-based Cisco IOS command parser causes a traceback where N is:
– 50 for Cisco IOS Release 12.0 and later releases
– 128 for Cisco IOS Release 12.2 and later releases
– 256 for Cisco IOS Release 12.2(25) and later releases
Workaround: Avoid using the web-based command line parser for CLI commands with long keywords or arguments.
•
CSCsk93113
Symptoms: A router crashes with a TLB (load or instruction fetch) exception segmentation fault or a Breakpoint exception.
Conditions:
TLB (Load or Instruction Fetch) Exception Segmentation Fault Crash
From the (tcl) CLI prompt, issue the "ea_display_pitem" or "ea_display_msg" command with a large ID input parameter such as:
router(tcl)# ea_display_msg 999999999
or
router(tcl)# ea_display_pitem 999999999
14:02:10 UTC Sat Jul 28 2001: TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x61B3CCA8
-----------------------------------------------------------------------------------
Possible software fault. Upon recurrence, please collect crashinfo, "show tech" and contact Cisco Technical Support.
-----------------------------------------------------------------------------------
-Traceback= 61B3CCA8 61B1DCBC 61B2725C 61B1C518 60759B24 607D8914 607D88F8
$0 : 00000000, AT : 632D0000, v0 : EEC550B8, v1 : 316EBFFD
a0 : 00000000, a1 : 00000000, a2 : 63B2FD21, a3 : 00000039
t0 : 107A3FFF, t1 : 0000000C, t2 : 0000000D, t3 : 0000000B
t4 : 0000000A, t5 : 00000000, t6 : 63B2FDC4, t7 : 63B2FDC0
s0 : 2012F338, s1 : 63B32648, s2 : 634F3219, s3 : 634F50D0
s4 : 63B32648, s5 : 8B75FFE8, s6 : 00000002, s7 : 631E0000
t8 : 63B2FE10, t9 : 00000000, k0 : 3040D001, k1 : 00000800
gp : 632D5328, sp : 2012F2C0, s8 : 634F31FC, ra : 61B3CC98
EPC : 61B3CCA8, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00000003, MDHI : 280ED7D0, BadVaddr : EEC550C4
Cause 00000008 (Code 0x2): TLB (load or instruction fetch) exception
00:05:30 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC = 804829C4
-Traceback= 804829C4 8049E4B0 8049E798 80492924 803CAE9C 803CB7E0 803CB6D8 803CDE88 80574D04 80575978 803A6CC8 80CA1B60 80CA2008 80CA21FC 80CA21FC 80CA21FC
Breakpoint Exception Crash
From the (tcl) CLI prompt, download a very large file such as:
router(tcl)# source tftp://192.168.10.10/very-large-file
Opening file: tftp://192.168.10.10/very-large-file, buffer size=65536
Loading target from 192.168.10.10 (via GigabitEthernet0/2): !!!!!!!!!!!!!
========= Dump bp = 2036B72C ======================
2036B62C: FD0110DF AB1234CD 8A 502B7AF8 62A7FF74 616E96A8 2036B67C 2036B5F8
2036B64C: 80000012 1 0 63BF7AA0 0 400 0 8
2036B66C: 0 0 0 FD0110DF AB1234CD 1E 639C1A58 623BCD20
2036B68C: 60B26684 2036B6E0 2036B644 8000001E 1 0 2017A9DC 200302F4
2036B6AC: 623BCC3C 200302F4 1 3 1 3 0 0
=== output truncated ===
%Software-forced reload
14:47:00 UTC Sat Jul 28 2001: Breakpoint exception, CPU signal 23, PC = 0x6080A0C0
-----------------------------------------------------------------------------------
Possible software fault. Upon recurrence, please collect crashinfo, "show tech" and contact Cisco Technical Support.
-----------------------------------------------------------------------------------
-Traceback= 6080A0C0 60808014 607EDCE4 607EAF44 61B307D4 61B1DCBC 61B2725C 61B1C518 60759B24 607D8914 607D88F8
$0 : 00000000, AT : 632D0000, v0 : 636A0000, v1 : 636A0000
a0 : 6366A408, a1 : 0000FF00, a2 : 00000000, a3 : 62FF0000
t0 : 6080F7A0, t1 : 3400FF01, t2 : 6080F7A0, t3 : FFFF00FF
t4 : 6080F7A0, t5 : 36423734, t6 : 78312030, t7 : 32324431
s0 : 00000000, s1 : 00000000, s2 : 63010000, s3 : 634308E0
s4 : 2036B754, s5 : 202AEDB8, s6 : 63010000, s7 : 631E0000
t8 : 63B2FCF4, t9 : 00000002, k0 : 3040D001, k1 : 00000800
gp : 632D5328, sp : 202AEB68, s8 : 634F31FC, ra : 60808014
EPC : 6080A0C0, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00000000, MDHI : 00000006, BadVaddr : 0B6719BC
Cause 00000024 (Code 0x9): Breakpoint exception
Cisco IOS software introduced the ability to support Tool Command Language (Tcl) version 7.0 commands as part of the Cisco IOS Interactive Voice Response feature in Cisco IOS Release 12.0(6)T and later. For further information, see http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/tclivrpg.htm.
The Cisco IOS Scripting with Tcl feature provides the ability to run Tool Command Language (Tcl) version 8.3.4 commands and was introduced in Cisco IOS Release 12.3(2)T. For further information, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_tcl.htm.
Workaround: Both triggers are entered at the Tcl shell by a user who already holds a CLI session, so the mitigations below work by controlling which users can reach that shell.
AAA Authorization
AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.
For a complete description of authorization commands, see the following links:
Configuring Authorization
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/schathor.htm
ACS 4.1 Command Authorization Sets
ACS 4.1 Configuring a Shell Command Authorization Set for a User Group
Role-Based CLI Access
The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.
The following link provides more information about the Role-Based CLI Access feature:
Role-Based CLI Access
http://www.cisco.com/en/US/netsol/ns696/networking_solutions_white_paper09186a00801ee18d.shtml
Device Access
Due to the nature of this vulnerability, networking best practices such as access control lists (ACLs) and Control Plane Policing (CoPP) that restrict device access to certain IP addresses or subnetworks may not be effective, because the triggering commands are entered by an already-authenticated user rather than carried in a packet that a filter could drop. Device access best practices provide some mitigation by giving systemic control over authenticated and unauthenticated users. Device access best practices are documented in:
Infrastructure Protection on Cisco IOS Software-Based Platforms, Appendix B—Controlling Device Access http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps1838/prod_white_paper0900aecd804ac831.pdf
Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html
•
CSCsl02927
Symptoms: With no traffic on a PA-A6-OC3SMi port adapter, the maximum ICMP ping round-trip time is 352 ms to 384 ms when pinging an ATM diagnostic loopback; the minimum and average are 1 ms and 4 ms. This is seen with 1500-byte packets.
Conditions: This symptom is observed on a Cisco 7206VXR with backplane version 2.8 to 2.11 and the PA-A6-OC3SMi ATM port adapter.
Workaround: There is no workaround.
Further Problem Description: This symptom is not observed with backplane version 2.8 to 2.11 and the PA-A3-T3 port adapter.
Router# ping 10.1.1.1 repeat 200 size 1500
Sending 200, 1500-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (200/200), round-trip min/avg/max = 1/3/352 ms
•
CSCsl34303
Symptoms: A Cisco 7200 router crashes when unconfiguring service policy from a Multilink Frame Relay (MFR) interface.
Conditions: This symptom is observed if one of the MFR bundle link interfaces was previously being used for Multilink PPP over Frame Relay. Changing the encapsulation may not clean up queuing configuration properly—a dual FIFO queue may remain on the interface.
Workaround: Ensure that a dual FIFO queue is not present on the MFR bundle link interface. It should be plain FIFO queue. If it is a dual FIFO, change the interface to HDLC encapsulation, which should remove the dual FIFO queue, then back to MFR bundle link encapsulation.
•
CSCsl48149
Symptoms: This issue is observed only when the NVRAM file path length is greater than 355 characters, which is very much a corner case.
Conditions: This issue occurs when the NVRAM file name length is more than 355 characters. Trigger: it is not possible to create an NVRAM file name longer than 32 characters. A problem in the base code is the root cause. The impact is minimal to nil.
Workaround: No workaround is needed.
Resolved Caveats—Cisco IOS Release 12.3(24a)
Cisco IOS Release 12.3(24a) is a rebuild release for Cisco IOS Release 12.3(24). The caveats in this section are resolved in Cisco IOS Release 12.3(24a) but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCei16552
Symptoms: The default engine ID shows up in the running configuration.
Conditions: The engine ID shows up in the running configuration even if no engine ID is explicitly configured.
Workaround: There is no workaround.
•
CSCek77360
Symptoms: TACACS authentication fails.
Conditions: Open a Telnet session and disconnect it, open a second Telnet session, then enter the show tcp brief command on the unit under test (UUT). A Username prompt is expected, but authentication fails.
Workaround: There is no workaround.
•
CSCsk70446
Symptoms: A traceback is noticed when long URLs are used to configure a device through the Cisco IOS HTTP web parser. The device does not crash.
Conditions: Trying to configure commands that have a single keyword or parameter greater than N characters in length using the web-based Cisco IOS command parser causes a traceback where N is:
–
50 for Cisco IOS Release 12.0 and later releases
–
128 for Cisco IOS Release 12.2 and later releases
–
256 for Cisco IOS Release 12.2(25) and later releases
Workaround: Avoid using the web-based command-line parser for CLI commands with long keywords or arguments.
Miscellaneous
•
CSCsa67433
The relation between addresses in the data part of a buffer dump and addresses in the buffer header is broken. Addresses in the header are real memory addresses, while addresses in the data part are simply byte count from the beginning of the current memory block.
This behavior was introduced in CSCee24363.
Workaround: network_start should always be 84 bytes (ENCAPBYTES) from data_area.
•
CSCsb86537
Customer has the following topology:
ISDN--2811--MGCP-----CCM/IPCC AA---Phones
Incoming call hits the AA, and the caller enters an extension. The call gets transferred, and the PSTN caller hears the ringback. The ringback stops immediately when the PSTN user hits any key on the phone (in this case, a # was pressed). Then there is a small ringback just before the call goes to voicemail. Turned on the following traces:
–
deb isdn q931
–
deb mgcp pack
–
deb voip hpi comm
–
deb voip hpi det
Trace shows the DSP turns off the tone upon pressing the # key. The MGCP trace shows the GW receives G/rt just before it goes to the extension's voicemail. I am not sure why the gateway asks the DSP to turn off the ringback tone. I have included the sh ver and sh run output and the trace as an attachment. Customer claims that any DID call to an IP phone bypassing the AA experiences the same problem. I made a few test calls to the DID number and pressed the # key or any other keys. It did not stop the dialtone. For the customer, it happens every time from a landline or a mobile phone. But ringback stops immediately when I call through the AA.
•
CSCsh74975
Symptoms: A router may reload or a memory leak may occur when UDP malformed packets are sent to port 2517.
Conditions: This symptom is observed on a Cisco router that functions as a VoIP dial peer and that is configured for H.323.
Workaround: There is no workaround.
•
CSCsj94539
Symptoms: Spurious Alarm events on PA-MC-8TE1+ can cause a router crash on a Cisco 7200.
Conditions: This symptom is observed only on a Cisco 7200 with a PA-MC-8TE1+ port adapter, when the line is generating a very large number of errors.
Workaround: Check the line for errors and clear them.
•
CSCsk19661
Symptoms: In a Cisco 7500 HA router in RPR+ mode when configuring and unconfiguring channel groups under an E1 controller, the router reports the following:
*Aug 22 17:58:34.970: %HA-2-IPC_ERROR: Failed to open peer port. timeout
*Aug 22 17:58:34.974: %HA-3-SYNC_ERROR: CCB sync failed for slot: 1
*Aug 22 17:58:34.974: %HA-5-SYNC_RETRY: Reloading standby and retrying sync operation (retry 1).
The standby RSP is then reloaded.
Conditions: This symptom is observed when configuring and unconfiguring channel groups under an E1 controller.
Workaround: There is no workaround.
•
CSCsk63369
After either of the procedures below, a shut-down subinterface (sub-IF) comes up. The setup is:
T1 -- PA-MC-8T1 TE1 -- PA-MC-8TE1+
Case 1
1. shut controller and sub-IF
2. no-shut controller
3. sub-IF on the TE1 controller comes up (sub-IF on the T1 controller remains shut)
OR
Case 2
1. no-shut controller and sub-IF
2. shut controller
3. shut sub-IF
4. no-shut controller
5. sub-IF on both the TE1 and T1 controllers comes up
In Case 2, if the order is 1->3->2->4->5, the sub-IF on neither controller comes up.
•
CSCsk93113
Symptoms: A router crashes with a TLB (load or instruction fetch) exception segmentation fault or a Breakpoint exception.
Conditions:
TLB (Load or Instruction Fetch) Exception Segmentation Fault Crash
From the (tcl) CLI prompt, issue the "ea_display_pitem" or "ea_display_msg" command with a large ID input parameter such as:
router(tcl)# ea_display_msg 999999999
or
router(tcl)# ea_display_pitem 999999999
14:02:10 UTC Sat Jul 28 2001: TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x61B3CCA8
-----------------------------------------------------------------------------------
Possible software fault. Upon recurrence, please collect crashinfo, "show tech" and contact Cisco Technical Support.
-----------------------------------------------------------------------------------
-Traceback= 61B3CCA8 61B1DCBC 61B2725C 61B1C518 60759B24 607D8914 607D88F8
$0 : 00000000, AT : 632D0000, v0 : EEC550B8, v1 : 316EBFFD
a0 : 00000000, a1 : 00000000, a2 : 63B2FD21, a3 : 00000039
t0 : 107A3FFF, t1 : 0000000C, t2 : 0000000D, t3 : 0000000B
t4 : 0000000A, t5 : 00000000, t6 : 63B2FDC4, t7 : 63B2FDC0
s0 : 2012F338, s1 : 63B32648, s2 : 634F3219, s3 : 634F50D0
s4 : 63B32648, s5 : 8B75FFE8, s6 : 00000002, s7 : 631E0000
t8 : 63B2FE10, t9 : 00000000, k0 : 3040D001, k1 : 00000800
gp : 632D5328, sp : 2012F2C0, s8 : 634F31FC, ra : 61B3CC98
EPC : 61B3CCA8, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00000003, MDHI : 280ED7D0, BadVaddr : EEC550C4
Cause 00000008 (Code 0x2): TLB (load or instruction fetch) exception
00:05:30 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC = 804829C4
-Traceback= 804829C4 8049E4B0 8049E798 80492924 803CAE9C 803CB7E0 803CB6D8 803CDE88 80574D04 80575978 803A6CC8 80CA1B60 80CA2008 80CA21FC 80CA21FC 80CA21FC
Breakpoint Exception Crash
From the (tcl) CLI prompt, download a very large file such as:
router(tcl)# source tftp://192.168.10.10/very-large-file
Opening file: tftp://192.168.10.10/very-large-file, buffer size=65536
Loading target from 192.168.10.10 (via GigabitEthernet0/2): !!!!!!!!!!!!!
========= Dump bp = 2036B72C ======================
2036B62C: FD0110DF AB1234CD 8A 502B7AF8 62A7FF74 616E96A8 2036B67C 2036B5F8
2036B64C: 80000012 1 0 63BF7AA0 0 400 0 8
2036B66C: 0 0 0 FD0110DF AB1234CD 1E 639C1A58 623BCD20
2036B68C: 60B26684 2036B6E0 2036B644 8000001E 1 0 2017A9DC 200302F4
2036B6AC: 623BCC3C 200302F4 1 3 1 3 0 0
=== output truncated ===
%Software-forced reload
14:47:00 UTC Sat Jul 28 2001: Breakpoint exception, CPU signal 23, PC = 0x6080A0C0
-----------------------------------------------------------------------------------
Possible software fault. Upon recurrence, please collect crashinfo, "show tech" and contact Cisco Technical Support.
-----------------------------------------------------------------------------------
-Traceback= 6080A0C0 60808014 607EDCE4 607EAF44 61B307D4 61B1DCBC 61B2725C 61B1C518 60759B24 607D8914 607D88F8
$0 : 00000000, AT : 632D0000, v0 : 636A0000, v1 : 636A0000
a0 : 6366A408, a1 : 0000FF00, a2 : 00000000, a3 : 62FF0000
t0 : 6080F7A0, t1 : 3400FF01, t2 : 6080F7A0, t3 : FFFF00FF
t4 : 6080F7A0, t5 : 36423734, t6 : 78312030, t7 : 32324431
s0 : 00000000, s1 : 00000000, s2 : 63010000, s3 : 634308E0
s4 : 2036B754, s5 : 202AEDB8, s6 : 63010000, s7 : 631E0000
t8 : 63B2FCF4, t9 : 00000002, k0 : 3040D001, k1 : 00000800
gp : 632D5328, sp : 202AEB68, s8 : 634F31FC, ra : 60808014
EPC : 6080A0C0, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00000000, MDHI : 00000006, BadVaddr : 0B6719BC
Cause 00000024 (Code 0x9): Breakpoint exception
Cisco IOS software introduced the ability to support Tool Command Language (Tcl) version 7.0 commands as part of the Cisco IOS Interactive Voice Response feature in Cisco IOS Release 12.0(6)T and later. For further information, see http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/tclivrpg.htm.
The Cisco IOS Scripting with Tcl feature provides the ability to run Tool Command Language (Tcl) version 8.3.4 commands and was introduced in Cisco IOS Release 12.3(2)T. For further information, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_tcl.htm.
Workaround: Both triggers are entered at the Tcl shell by a user who already holds a CLI session, so the mitigations below work by controlling which users can reach that shell.
AAA Authorization
AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.
For a complete description of authorization commands, see the following links:
Configuring Authorization
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/schathor.htm
ACS 4.1 Command Authorization Sets
ACS 4.1 Configuring a Shell Command Authorization Set for a User Group
Role-Based CLI Access
The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.
The following link provides more information about the Role-Based CLI Access feature:
Role-Based CLI Access
http://www.cisco.com/en/US/netsol/ns696/networking_solutions_white_paper09186a00801ee18d.shtml
Device Access
Due to the nature of this vulnerability, networking best practices such as access control lists (ACLs) and Control Plane Policing (CoPP) that restrict device access to certain IP addresses or subnetworks may not be effective, because the triggering commands are entered by an already-authenticated user rather than carried in a packet that a filter could drop. Device access best practices provide some mitigation by giving systemic control over authenticated and unauthenticated users. Device access best practices are documented in:
Infrastructure Protection on Cisco IOS Software-Based Platforms, Appendix B—Controlling Device Access http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps1838/prod_white_paper0900aecd804ac831.pdf
Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html
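The three workaround areas for CSCsk93113 (AAA authorization, Role-Based CLI Access, and device access) combined into one router configuration, as an added example that is not part of the release notes or of Cisco's own documentation; it applies equally to the identical CSCsk93113 entry in the 12.3(25) section above. It assumes a release that supports parser views and TACACS+ command authorization, a TACACS+ server at 192.0.2.5, and an admin subnet 192.0.2.0/24; the view name, user names, secrets and addresses are placeholders. The crash is triggered only from the Tcl shell, so every control here answers one question: which users are allowed to enter tclsh at all.

```cisco
! Added example configuration, not from the release notes. All names,
! addresses and secrets are placeholders.
!
! --- 1. AAA: authenticate, then authorize the EXEC shell and every
!        command (including "tclsh") against TACACS+, with local fallback.
!        The router only asks; the TACACS+ shell command authorization
!        set on the server is what actually denies "tclsh" to a user.
aaa new-model
tacacs-server host 192.0.2.5
tacacs-server key 0 EXAMPLE-TACACS-KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+
!
! --- 2. Role-Based CLI Access: a view contains only the commands that
!        are explicitly included, so "tclsh" does not exist for its users.
!        Views are created from the root view: enter "enable view" at the
!        EXEC prompt first (requires "aaa new-model" and the enable secret).
enable secret 0 EXAMPLE-ENABLE-SECRET
parser view OPS-VIEW
 secret 0 EXAMPLE-VIEW-SECRET
 commands exec include show version
 commands exec include show interfaces
 commands exec include show ip route
 commands exec include show logging
 commands exec include ping
 commands exec include traceroute
!
! Local fallback operator account: if TACACS+ is unreachable the user
! lands in the restricted view, not in a full privilege-15 shell.
username netops view OPS-VIEW secret 0 EXAMPLE-OPS-PASSWORD
!
! --- 3. Device access: management sessions only from the admin subnet,
!        SSH only (assumes hostname, domain name and an RSA key already
!        exist), idle sessions closed. This limits who reaches a login
!        prompt; it does not replace 1 and 2, because the trigger needs an
!        authenticated session rather than a packet a filter could drop.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
```

Two checks worth doing after applying this: log in as the restricted user and confirm that tclsh is rejected with "% Invalid input" (the view simply does not contain it), and log in as a privilege-15 TACACS+ user and confirm that the server's command authorization set, not the router, is what refuses tclsh; if the server permits everything, the AAA part of this configuration protects nothing.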
Terminal Service
•
CSCsj86725
This DDTS addresses the issue in the Cisco Product Security Incident Response Team (PSIRT) response to an issue discovered and reported to Cisco by Andy Davis from IRM, Inc. regarding a stack overflow in the Cisco IOS Line Printer Daemon (LPD) Protocol feature.
This security response is posted at:
http://www.cisco.com/warp/public/707/cisco-sr-20071010-lpd.shtml
Resolved Caveats—Cisco IOS Release 12.3(24)
This section describes possibly unexpected behavior by Cisco IOS Release 12.3(24). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(24). This section describes severity 1 and 2 caveats and select severity 3 caveats.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCin75237
Symptoms: A line card gets wedged and needs a restart.
Conditions: This symptom is observed when a particular VIP is marked as wedged.
Workaround: There is no workaround.
•
CSCsi13312
Symptoms: Authentication with Security Device Manager (SDM) 2.3.3 fails, preventing you from logging into the router through HTTPS, HTTP, SSH, Telnet, console, or any management application.
Conditions: This symptom is observed on a Cisco router that is "fresh out of the box" and affects the following routers:
Cisco 800 series
Cisco 1700 series
Cisco 1800 series
Cisco 2700 series
Cisco 2800 series
Cisco 3700 series
Cisco 3800 series
Workaround: For extensive information and a workaround, see the following Field Notice:
http://www.cisco.com/en/US/products/ps5855/products_field_notice09186a0080809c8e.shtml.
•
CSCsj44081
Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.
Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.
The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
The error message is then followed by a traceback.
It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.
Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
IBM Connectivity
•
CSCsi57284
Symptoms: A router that is running Cisco IOS may reload because of a software-forced crash.
Conditions: This problem is specific to a DLSw configuration with SDLC-attached controllers. At the time of the crash, the SDLC encapsulation was being removed from one SDLC interface.
Workaround: There is no workaround.
IP Routing Protocols
•
CSCsi62559
Symptoms: OSPF packets with IP Precedence 0 are classified by SPD as priority packets. This is an error because only IP Precedence 6 packets should be classified as priority packets by SPD.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18) or a later release but may also affect other releases.
Workaround: Use ACLs to block invalid IP control packets from reaching the control plane.
•
CSCsj39538
Symptoms: Router tracebacks and then crashes during deconfiguration (removal) of VRF. The following message was seen prior to crash:
-Process= "IP RIB Update", ipl= 3, pid= 68
-Traceback= 609538D8 60D1B8B4 612B2838 612588C8 61258CD4 6125E61C 6125ED04
6125EF30 61261CDC 6125A14C 61265A08 6126BE10 6097CF00 609547D8 609548B8
Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x609538FC
Conditions: No specific conditions are known to cause this fault.
Workaround: There is no workaround.
Miscellaneous
•
CSCdz55178
Symptoms: A router that is configured for QoS may reload unexpectedly or other serious symptoms such as memory corruption may occur.
Conditions: This symptom is observed on a Cisco router that has a cable QoS profile with a name longer than 32 characters, as in the following example:
cable qos profile 12 name g711@10ms_for_any_softswitch_Traa^C
The name in this example is longer than the 32 characters that the variable storing it can hold, so the variable overflows.
Workaround: Change the name of the cable QoS profile to a length of less than 32 characters.
•
CSCek63384
Symptoms: A service policy is unexpectedly removed.
Conditions: This symptom is observed when you apply a service policy to a multilink interface and then the interface is reset.
Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, reconfigure the service policy after the multilink interface has been brought up.
•
CSCsa92748
Symptoms: A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:
Last reset from watchdog reset
Conditions: This symptom is observed only on Cisco 7200 and Cisco 7301 series routers that are configured with an NPE-G1 Network Processing Engine.
Workaround: There is no workaround.
•
CSCsc93516
Symptoms: A router may crash because of a bus error during ISAKMP negotiation.
Conditions: This symptom is observed on a Cisco 2611XM that runs Cisco IOS Release 12.3(17a) but is not platform-specific and may also affect Release 12.4.
Workaround: There is no workaround.
•
CSCsd37629
Symptoms: Alignment errors and a bus error may occur on a Cisco router that has the ip inspect command enabled.
Conditions: This symptom can be observed where the Cisco IOS Firewall feature is handling a lot of RTSP traffic.
Workaround: There is no workaround.
•
CSCse01124
Symptoms: The Hot Standby Router Protocol (HSRP) may not come up and may remain in the "Init" state, which can be verified in the output of the show standby brief command.
Conditions: This symptom is observed when dampening is configured on a native Gigabit Ethernet interface of a Cisco 7200 series or on a Fast Ethernet interface of a PA-FE-TX port adapter. Other types of interfaces are not affected.
Workaround: When the symptom has occurred, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the Gigabit Ethernet and Fast Ethernet interfaces of all routers of the standby group.
To prevent the symptom from occurring, remove dampening from the Gigabit Ethernet and Fast Ethernet interfaces.
•
CSCse40423
Symptoms: A tunnel interface cannot ping the other end of an IP tunnel.
Conditions: This symptom is observed when ATM is configured and when the tunnel interface is up.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the tunnel interface.
•
CSCse49985
Symptoms: A software-forced crash may occur on a Cisco 3745, and an error message similar to the following may be displayed:
rcojx67-vgw01-3745 uptime is 1 day, 16 hours, 19 minutes
System returned to ROM by error - a Software forced crash, PC 0x60A87D38
at 15:59:36 GMT Tue May 16 2006
System restarted at 16:00:35 GMT Tue May 16 2006
System image file is "flash:c3745-ipvoice-mz.123-14.T3.bin"
Conditions: This symptom is observed on a Cisco 3745 that runs Cisco IOS Release 12.3(14)T3 only when there are some memory allocation failures. The symptom may also affect Release 12.4.
Workaround: There is no workaround.
•
CSCse55425
Symptoms: When configuring a serial interface or issuing show commands related to that serial interface, a router may incorrectly configure a different serial interface or may show output from a different serial interface in the router.
Conditions: The conditions under which the problem manifests itself are unknown and appear to be random. The symptom exists only when using a channelized T3 card and configuring one of its T1s.
Workaround: A router reload clears the issue.
•
CSCsg40567
Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.
Workaround: Disable the ip http secure server command.
•
CSCsg70474
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section of the advisory contains fixes for all vulnerabilities mentioned in the advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
•
CSCsh04686
Symptoms: With X.25 over TCP (XOT) enabled on a router or Catalyst switch, malformed traffic sent to TCP port 1998 causes the device to reload. This was first observed in Cisco IOS Release 12.2(31)SB2.
Conditions: The x25 routing command must be enabled on the device.
Workarounds: Use IPsec or another tunneling mechanism to protect XOT traffic. Also apply ACLs on affected devices so that XOT traffic is accepted only from trusted tunnel endpoints.
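One interface ACL that applies both ACL workarounds in this section: the CSCsi62559 advice to "use ACLs to block invalid IP control packets from reaching the control plane" (here, OSPF that does not come from the connected neighbor subnet) and the CSCsh04686 advice to accept XOT only from trusted tunnel endpoints. This is an added example, not configuration from the release notes. It assumes a point-to-point WAN link Serial0/0 on 203.0.113.0/30, trusted XOT endpoints 198.51.100.10 and 198.51.100.11, and OSPF as the routing protocol on that link; all of these are placeholders.

```cisco
! Added example, not from the release notes. Interface name, subnets and
! the XOT peer addresses are placeholders.
!
! OSPF: the router should only ever see protocol 89 from its directly
! connected neighbor subnet, addressed to the OSPF multicast groups or to
! this subnet. Anything else is dropped at the interface, before SPD or
! the control plane gets to classify it (the CSCsi62559 misclassification
! only matters for packets that reach the control plane at all).
! XOT: the router listens on TCP 1998 whenever "x25 routing" is present;
! only the two trusted tunnel endpoints may reach that port.
ip access-list extended INFRA-IN
 remark --- OSPF only from the connected neighbor subnet
 permit ospf 203.0.113.0 0.0.0.3 host 224.0.0.5
 permit ospf 203.0.113.0 0.0.0.3 host 224.0.0.6
 permit ospf 203.0.113.0 0.0.0.3 203.0.113.0 0.0.0.3
 deny   ospf any any log
 remark --- XOT (TCP 1998) only from trusted endpoints
 permit tcp host 198.51.100.10 any eq 1998
 permit tcp host 198.51.100.11 any eq 1998
 deny   tcp any any eq 1998 log
 remark --- everything else: the site's normal transit policy goes here
 permit ip any any
!
interface Serial0/0
 description WAN link carrying OSPF and XOT
 ip access-group INFRA-IN in
!
! If this router does not need to originate or terminate XOT at all,
! remove the listener instead of filtering it (the caveat only applies
! when "x25 routing" is configured):
! no x25 routing
```

Two caveats a practitioner should keep in mind. First, the "log" keyword on the deny entries is useful while confirming that no legitimate peer is being dropped, but each logged packet is punted to the CPU, so under a flood the logging itself becomes a load on the router; remove it, or rate-limit logging, once the entries are verified. Second, if the XOT traffic is carried inside an IPsec tunnel as the workaround also suggests, the addresses to permit on TCP 1998 are the tunnel endpoints that decapsulate the traffic, not the original X.25 hosts.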
•
CSCsh06117
Symptoms: When the ATM Software Segmentation and Reassembly (SAR) feature is enabled, VBR-rt PVCs may be deactivated before VBR-nrt PVCs in an over-subscription scenario.
Conditions: This symptom is observed on a Cisco 2600 series and Cisco MC3810 that have oversubscribed ATM PVCs with a VBR-rt and VBR-nrt class of service.
Workaround: Configure all PVCs with an SCR of less than or equal to the line rate.
•
CSCsh33430
Symptoms: A traceback may occur in an HSRP function and the platform may reload unexpectedly.
Conditions: This symptom is observed on a Cisco platform that has the HSRP Support for ICMP Redirects feature enabled and occurs when a learned HSRP group is removed after a resign message has been received.
Workaround: Disable the Support for ICMP Redirects feature by entering the no standby redirects global configuration command.
•
CSCsh71993
Symptoms: SIP may not pass the correct calling number in the header when an E.164 address is used. SIP should block population of the calling party number when the user portion of the "From" header is not an E.164 address, which prevents the calling party number IE from being populated when ISDN sends the SETUP message. However, this does not occur, and SIP may pass an incorrect number.
Conditions: This symptom is observed on a Cisco gateway that sends Microsoft Communicator SIP calls to the PSTN.
Workaround: There is no workaround.
•
CSCsh85531
Symptoms: Some E1 channels may remain down after you have reloaded a router.
Conditions: This symptom is observed on a Cisco 7200 series that functions as a PE router and that connects to a CE router. Both routers are connected through 1-port multichannel STM-1 (PA-MC-STM-1) port adapters, and the framing no-crc4 command is enabled on all interfaces of both routers.
Workaround: Enter the shutdown command followed by the no shutdown command on the SONET controller of the PA-MC-STM-1 at the PE side to enable all interfaces to come up.
•
CSCsi67763
The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link: http://www.kb.cert.org/vuls/id/739224.
By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall. Cisco response is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml.
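As an added example (not code from Cisco or from the US-CERT advisory), the normalization step a detector needs so that an ASCII signature still matches its full-width spelling; the signature list and the request line below are constructed for this example, and the signature tokens are placeholders:

```python
import unicodedata

# Constructed sample signature set (placeholders, not from the advisory):
# plain ASCII tokens of the kind a content signature looks for.
SIGNATURES = ["passwd", "select"]

# Constructed sample input: the token "passwd" written with full-width
# Latin letters (U+FF50 U+FF41 U+FF53 U+FF53 U+FF57 U+FF44), which is the
# kind of encoding the advisory says slips past exact-match detection.
FULLWIDTH_SAMPLE = "GET /\uff50\uff41\uff53\uff53\uff57\uff44 HTTP/1.0"


def fold_width(text: str) -> str:
    """Fold full-width and half-width compatibility characters to their
    canonical forms.  NFKC maps U+FF01..U+FF5E to ASCII U+0021..U+007E and
    half-width katakana to their full-width counterparts, so an ASCII
    signature also matches its full-width spelling after folding."""
    return unicodedata.normalize("NFKC", text)


def naive_match(text: str, signatures=SIGNATURES):
    """Exact code-point matching with no width folding: the behaviour that
    the full-width encoding evades.  Case-folded so that only width matters."""
    lowered = text.lower()
    return [s for s in signatures if s.lower() in lowered]


def folded_match(text: str, signatures=SIGNATURES):
    """The same matching after width folding of both input and signatures."""
    folded = fold_width(text).lower()
    return [s for s in signatures if fold_width(s).lower() in folded]


def width_changed(text: str) -> bool:
    """True when folding altered the text, i.e. the input contained
    compatibility-width characters.  On protocols where such characters are
    not expected (HTTP request lines, SQL) this is a detection signal by
    itself, independent of any signature."""
    return fold_width(text) != text
```

Folding has to happen before signature matching on the decoded protocol field (after URL decoding, for example); folding the raw bytes first would miss percent-encoded full-width characters.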
•
CSCsi42490
Symptoms: A Cisco 3700 series with an IMA interface may crash.
Conditions: This symptom is observed when the ATM IMA PVC had an AutoQoS configuration.
Workaround: Remove the AutoQoS configuration.
•
CSCsi57927
Symptoms: A Cisco router running Cisco IOS Release 12.2, Release 12.3, or Release 12.4 will show TCP connections hung in CLOSEWAIT state. These connections will not time out, and if enough accumulate, the router will become unresponsive and need to be reloaded.
Conditions: This symptom occurs on a Cisco router running Cisco IOS Release 12.2, Release 12.3, or Release 12.4 when executing a copy source-url ftp: command and the FTP server fails to initiate the FTP layer (no banner) but does set up a TCP connection. This may occur when the FTP server is misconfigured or overloaded.
The CLI command will time out, but will not close the TCP connection or clean up the associated resources. The FTP server will eventually answer, time out itself, and close the TCP connection, but the router will not clean up the TCP resources at that time either.
Workaround: Manually clear TCP resources using the clear tcp CLI command, referencing the show tcp brief command output.
•
CSCsi60004
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.
•
CSCsi98120
Symptoms: A router may crash because of a bus error. Spurious accesses may be observed.
Conditions: This symptom is observed on a Cisco 7200 series router that has an NPE-G1 and that runs Cisco IOS Release 12.3(22). The router is configured as a PE router and uses MQC hierarchical policies for some subinterfaces and the legacy rate-limit command for other subinterfaces.
Workaround: There is no workaround.
•
CSCsj37071
Symptoms: All E1 interfaces on a PA-MC-E3 port adapter may flap continuously even after the traffic has been stopped.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that have a PA-MC-E3 port adapter when you configure 16 or 128 channel groups on each time slot (that is, time slots 1-31) and then generate traffic just above line rate through all the channel groups. Note that the symptom is not platform-specific.
Workaround: Stop the traffic and reset the E3 controller of the PA-MC-E3 port adapter.
•
CSCsj94561
Symptoms: A router may crash because of a bus error when you perform an OIR of a PA-MC-8TE1+ port adapter or when you enter the hw-module slot slot-number stop command for the slot in which the PA-MC-8TE1+ port adapter is installed.
Conditions: This symptom is observed on a Cisco 7200 series.
Workaround: There is no workaround.
TCP/IP Host-Mode Services
•
CSCsh36203
Symptoms: A Cisco router is crashing at p_dequeue.
Conditions: This symptom is observed when testing the Echo cancelling feature in the Cisco 1700 platform but is not platform dependent.
Workaround: There is no workaround.
•
CSCsh92986
Symptoms: The latency of RSH commands may increase when they flow through an FWSM module.
Conditions: The following issue was observed on an FWSM that is running 2.2 (1) software. The long delay was triggered by using either Cisco IOS Release 12.3(13a)BC1 or Release 12.3(17a)BC1 on routers toward which those RSH commands were sent.
Workaround: Either bypass the FWSM module or downgrade to Cisco IOS Release 12.3(9a)BC3 which is not affected by this extra delay issue.
Wide-Area Networking
•
CSCee56988
Symptoms: High CPU usage occurs on a Cisco 7301, and the following error message and traceback are generated:
%TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer:
0x0
-Process= "L2X SSS manager", ipl= 0, pid= 69
-Traceback= 0x606E43DC 0x60B9FAC8 0x60BA11C4 0x619F502C 0x619F4A2C
0x619F4D34 0x619F35C4 0x619F4FF4 0x619F6820 0x619F5ED8 0x619F6350 0x619CA1F4
0x619CA6C4 0x619D2524 0x619CABB4 0x619CAFA0
Conditions: This symptom is observed on a Cisco 7301 that runs Cisco IOS Release 12.4(5b) with PPTP/VPDN connections after, on a connected platform, rate limiting is changed to MQC policy-based limiting of the bandwidth. Note that the symptom may be release-independent.
Workaround: There is no workaround.
•
CSCek41543
Symptoms: A Cisco 2811 router running Cisco IOS Release 12.4(7a) may have a memory leak in the ISDN process, as seen in the output of the show process memory command. The leak rate appears to be about 1.20 MB/hour.
Conditions: This symptom has been observed with BRI-U interface that is UP/UP (spoofing).
Workaround: Administratively shut down the BRI interface.
•
CSCsg03793
Symptoms: A router may crash while parsing "x28 profile spaced." This occurs when x28 mode is configured.
The crashinfo file will show:
"%SYS-2-FREEFREE: Attempted to free unassigned memory at [...]"
Conditions: This symptom is observed on a Cisco AS5350 that is running Cisco IOS Release 12.3(20) and is occurring under heavy traffic.
Workaround: There is no workaround.
•
CSCsh82513
Symptoms: The output of the show isdn active command may show disconnected calls.
Conditions: This symptom is observed on a Cisco router when analog modem calls are made after a normal ISDN digital call has been made.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(23)
This section describes possibly unexpected behavior by Cisco IOS Release 12.3(23). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(23). This section describes severity 1 and 2 caveats and select severity 3 caveats.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCeb20967
Symptoms: A Route Switch Processor (RSP) may reload unexpectedly when a bus error with an invalid memory address occurs while packets are placed into a hold queue.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.0 S, 12.1(14)E4, or 12.2 S when the following sequence of events occurs:
1.
A packet is switched via Cisco Express Forwarding (CEF).
2.
The egress interface has queueing/shaping configured.
3.
The egress interface is congested, causing the packet to be placed into the hold queue.
Workaround: There is no workaround.
•
CSCin75237
Symptoms: A line card gets wedged and needs a restart.
Conditions: This symptom is observed when a particular VIP is marked as wedged.
Workaround: There is no workaround.
•
CSCsg69244
Symptoms: After you have performed a microcode reload on a router, pings may not be 100 percent successful.
Conditions: This symptom is observed on a Cisco router that has an RSP after you have entered the microcode reload command.
Workaround: There is no workaround.
•
CSCsi13312
Symptoms: Authentication with Security Device Manager (SDM) 2.3.3 fails, preventing you from logging into the router through HTTPS, HTTP, SSH, Telnet, console, or any management application.
Conditions: This symptom is observed on a Cisco router that is "fresh out of the box" and affects the following routers:
Cisco 800 series
Cisco 1700 series
Cisco 1800 series
Cisco 2700 series
Cisco 2800 series
Cisco 3700 series
Cisco 3800 series
Workaround: For extensive information and a workaround, see the following Field Notice: http://www.cisco.com/en/US/products/ps5855/products_field_notice09186a0080809c8e.shtml
•
CSCsj44081
Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.
Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.
The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp:
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
The error message is then followed by a traceback.
It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.
Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
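As an added example that is not part of the Cisco notice, a small parser for IOS syslog lines of the shape shown here and in the %TCP-2-INVALIDTCPENCAPS entry above (timestamp, %FACILITY-SEVERITY-MNEMONIC, then optional -Process= and -Traceback= continuation lines, including wrapped traceback lines) that picks out the messages worth escalating to support; the sample log is constructed, modelled on the messages quoted in this document:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log, modelled on the %DATACORRUPTION-1-DATAINCONSISTENCY
# and %TCP-2-INVALIDTCPENCAPS messages quoted in these release notes; the
# CONFIG_I line is filler so that the severity filter has something to drop.
SAMPLE_LOG = """\
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 0x606E43DC 0x60B9FAC8
May 17 10:02:03.101 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
May 17 10:05:44.009 UTC: %TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer:
0x0
-Process= "L2X SSS manager", ipl= 0, pid= 69
-Traceback= 0x606E43DC 0x60B9FAC8 0x60BA11C4 0x619F502C
0x619F4D34 0x619F35C4
"""

# Timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): ?(?P<text>.*)$"
)
# A line made only of hex words: a wrapped traceback (or wrapped message text)
HEX_RUN_RE = re.compile(r"^(?:0x[0-9A-Fa-f]+\s*)+$")


@dataclass
class IosMessage:
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    text: str
    process: Optional[str] = None
    traceback: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return f"%{self.facility}-{self.severity}-{self.mnemonic}"


def parse_ios_log(lines) -> List[IosMessage]:
    """Group each syslog message with the -Process=/-Traceback= lines and
    any wrapped continuation lines that follow it."""
    messages: List[IosMessage] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = MSG_RE.match(line)
        if m:
            messages.append(IosMessage(m["ts"], m["facility"], int(m["severity"]),
                                       m["mnemonic"], m["text"].strip()))
            continue
        if not messages:
            continue  # continuation line with no parent message: ignore
        cur = messages[-1]
        if line.startswith("-Process="):
            cur.process = line[len("-Process="):].strip()
        elif line.startswith("-Traceback="):
            cur.traceback.extend(line[len("-Traceback="):].split())
        elif HEX_RUN_RE.match(line):
            if cur.traceback:
                cur.traceback.extend(line.split())          # wrapped traceback
            else:
                cur.text = f"{cur.text} {line}".strip()     # wrapped message text
    return messages


def escalate(messages, max_severity: int = 2) -> List[IosMessage]:
    """Messages that warrant collecting show tech-support output and opening
    a case: severity 0-2 (emergencies, alerts, criticals), which covers the
    severity-1 DATAINCONSISTENCY and the severity-2 INVALIDTCPENCAPS messages."""
    return [m for m in messages if m.severity <= max_severity]


def summarize(m: IosMessage) -> str:
    """One-line summary for a ticket: name, text, process (if any), traceback depth."""
    proc = f" process={m.process}" if m.process else ""
    return f"{m.timestamp} {m.name}: {m.text}{proc} traceback_frames={len(m.traceback)}"
```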
IP Routing Protocols
•
CSCsh80678
Symptoms: New or flapping IGP routes may be injected into BGP even though no corresponding network statements exist.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(22) or a later release when the auto-summary command is enabled for BGP.
Workaround: Enter the no auto-summary command.
ISO CLNS
•
CSCsg28497
Symptoms: An IS-IS adjacency may flap when an RP switchover occurs.
Conditions: This symptom is observed on a Cisco router that is configured for IS-IS Multi-Topology, IS-IS NSF Awareness, and IPv4 and IPv6 unicast.
Workaround: There is no workaround.
Miscellaneous
•
CSCds25257
Symptoms: A gatekeeper rejects new registration requests from a Cisco Unified CallManager (CUCM) or other H.323 endpoints with Registration Rejection (RRJ) reason of duplicateAlias. Attempting to clear this stale registration fails and a "No such local endpoint is registered, clear failed." error message is generated.
Conditions: This symptom is observed in the following topology:
CUCM H.225 trunks register to a gatekeeper (GK) cluster. Gatekeeper 1 (GK1) and gatekeeper 2 (GK2) are members of the GK cluster. The CUCM registers first to GK1, then fails over to GK2. This registration at GK2 sends an alternate registration to GK1. However, because of network issues, the unregistered indication does not reach GK1.
When the H.225 trunk attempts to register with GK1, it is rejected because the alternate registration is still present, and there is no way to clear it.
10.9.20.3 34273 10.9.20.3 32853 SJC-LMPVA-GK-1 H323-GW A
ENDPOINT-ID: 450FC24400000000 VERSION: 5 AGE: 1618993 secs
SupportsAnnexE: FALSE
g_supp_prots: 0x00000050
H323-ID: SJC-LMPVA-Trunk_4
Workaround: Reset the gatekeeper by entering the shutdown command followed by the no shutdown command, or reboot the affected GK.
•
CSCeh15949
Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.
Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.
Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.
Further Problem Description: An example of this caveat is shown below.
When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.
Topology:
RPM-XF-(FE)-------(FE)--Router
ip: 10.10.10.2 .1
Router_RPM09_XF#show running-config
Building configuration...
Current configuration : 1190 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_RPM09_XF
!
boot-start-marker
boot system x:rpmxf-p12-mz.123-7.T3
boot system bootflash:rpmxf-p12-mz.123-7.T3
boot-end-marker
interface FastEthernet2/0
ip address 10.10.10.2 255.255.255.252
ip access-group 101 in
duplex auto
speed auto
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any
Router_RPM09_XF#show ip access-list 101
Extended IP access list 101 (Compiled)
10 deny tcp any host 10.10.10.2 eq telnet
20 permit ip any any (96 matches)
Router_RPM09_XF#
The information below shows that the access list does not function:
Router#telnet 10.10.10.2
Trying 10.10.10.2 ... Open
•
CSCek60527
Symptoms: An AAA server does not authenticate.
Conditions: This symptom is observed on a Cisco platform that functions as an AAA server and that runs Cisco IOS Release 12.3(13) when you dial up using Microsoft callback through an asynchronous line. Dialup through an ISDN modem works fine.
Workaround: There is no workaround.
•
CSCek66164
Symptoms: A router may hang briefly and then may crash when you enter any command of the following form:
show ... | redirect rcp:....
Conditions: This symptom is observed when Remote Copy Protocol (RCP) is used as the transfer protocol.
Workaround: Use a transfer protocol other than RCP such as TFTP or FTP.
Further Problem Description: RCP requires delivery of the total file size to the remote host before it delivers the file itself. The output of a show command is not an actual file on the file system nor is it completely accumulated before the transmission occurs, so the total file size is simply not available in a manner that is compatible with RCP requirements.
•
CSCsa92748
Symptoms: A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:
Last reset from watchdog reset
Conditions: This symptom is observed only on Cisco 7200 and Cisco 7301 series routers that are configured with an NPE-G1 Network Processing Engine.
Workaround: There is no workaround.
•
CSCsb12598
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsb89005
Symptoms: A Cisco 10000 router that is running Cisco IOS Release 12.3(7)XI6 may reload because of a software forced crash after a c10k_ttcm_write: Invalid Address error.
Conditions: This symptom may occur if a static route of the form:
ip route vrf name ip address 255.255.255.255 interface
(where interface is not a point-to-point interface)
is configured.
Workaround: There is no workaround.
•
CSCsd81407
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsd92405
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCse40423
Symptoms: A tunnel interface cannot ping the other end of an IP tunnel.
Conditions: This symptom is observed when ATM is configured and when the tunnel interface is up.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the tunnel interface.
•
CSCse56501
A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.
Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.
•
CSCsf08998
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsg10134
Symptoms: A router crashes when PPPoEoA sessions are torn down.
Conditions: This symptom is observed when the maximum number of class-map instances is configured on the router.
Workaround: There is no workaround.
•
CSCsg40482
Symptoms: ISDN L2 may remain in the "TEI_ASSIGNED" state.
Conditions: This symptom is observed on a Cisco router after you have performed a hard OIR of a PA-MC-4T1 port adapter.
Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred, reload the router.
•
CSCsg40567
Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.
Workaround: Disable the ip http secure server command.
•
CSCsg70474
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsg83834
Symptoms: A router may crash and generate an "%ALIGN-1-FATAL: Illegal access to a low address" error message.
Conditions: This symptom is observed on a Cisco router that is configured for IPv6, IPsec, and multicast.
Workaround: There is no workaround.
Further Problem Description: The fix for caveat CSCsg83834 also fixes caveat CSCsg94837. For more information about caveat CSCsg94837, see http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg94837.
•
CSCsh05979
Symptoms: A VIP may reset because of a bus error when you remove a service policy from an ATM subinterface.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(20) but may also affect Release 12.4 and Release 12.4T. The symptom appears to be platform-independent.
Workaround: There is no workaround.
•
CSCsh06117
Symptoms: When the ATM Software Segmentation and Reassembly (SAR) feature is enabled, VBR-rt PVCs may be deactivated before VBR-nrt PVCs in an over-subscription scenario.
Conditions: This symptom is observed on a Cisco 2600 series and Cisco MC3810 that have oversubscribed ATM PVCs with a VBR-rt and VBR-nrt class of service.
Workaround: Configure all PVCs with an SCR of less than or equal to the line rate.
•
CSCsh33430
Symptoms: A traceback may occur in an HSRP function and the platform may reload unexpectedly.
Conditions: This symptom is observed on a Cisco platform that has the HSRP Support for ICMP Redirects feature enabled and occurs when a learned HSRP group is removed after a resign message has been received.
Workaround: Disable the Support for ICMP Redirects feature by entering the no standby redirects global configuration command.
•
CSCsi01470
A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.
•
CSCsi60004
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
TCP/IP Host-Mode Services
•
CSCek40455
Symptoms: The Border Gateway Protocol (BGP) session is stuck in FINWAIT1 connection state.
Conditions: This symptom has been observed with a BGP session when changing the BGP password.
Workaround: Use the clear tcp tcb address command to delete the stuck Transmission Control Block (TCB).
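Both this caveat (BGP session stuck in FINWAIT1) and CSCsi57927 above (FTP connections hung in CLOSEWAIT) are worked around by clearing the stuck TCB by hand. As an added example that is not Cisco code, a parser for show tcp brief output that selects the connections in those states and builds the corresponding clear tcp tcb commands; the sample output, TCB handles and addresses are constructed for this example:

```python
import re
from typing import Dict, List, Optional

# Constructed sample "show tcp brief" output; the TCB handles, addresses and
# ports are made up for this example.  Two FTP-control connections (foreign
# port 21) are stuck in CLOSEWAIT and one BGP session (local port 179) in FINWAIT1.
SAMPLE_SHOW_TCP_BRIEF = """\
Router#show tcp brief
TCB       Local Address               Foreign Address             (state)
6523A4FC  10.1.25.3.11000             10.1.25.3.23                ESTAB
65B0C2D8  192.0.2.10.24681            192.0.2.50.21               CLOSEWAIT
65B0D1A0  192.0.2.10.24690            192.0.2.50.21               CLOSEWAIT
65C11E64  192.0.2.10.179              192.0.2.77.35021            FINWAIT1
65C2F000  192.0.2.10.179              192.0.2.78.179              ESTAB
Router#
"""

# One table row: hex TCB handle, local host.port, foreign host.port, state.
ROW_RE = re.compile(
    r"^(?P<tcb>[0-9A-Fa-f]{6,16})\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+(?P<state>[A-Z0-9]+)$"
)

# States that the two caveats describe as never timing out on their own.
STUCK_STATES = {"CLOSEWAIT", "FINWAIT1"}


def split_endpoint(endpoint: str):
    """'192.0.2.50.21' -> ('192.0.2.50', 21).  IOS joins host and port with a
    dot, so the port is the last dotted field; hostnames split the same way."""
    host, _, port = endpoint.rpartition(".")
    if not host or not port.isdigit():
        return endpoint, None
    return host, int(port)


def parse_show_tcp_brief(text: str) -> List[Dict]:
    """Turn the table rows into dicts; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        lhost, lport = split_endpoint(m["local"])
        fhost, fport = split_endpoint(m["foreign"])
        rows.append({"tcb": m["tcb"].upper(), "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport, "state": m["state"]})
    return rows


def stuck_connections(rows, states=STUCK_STATES, foreign_port: Optional[int] = None,
                      local_port: Optional[int] = None):
    """Select the TCBs in a stuck state, optionally narrowed to one service so
    that only the FTP clients (foreign port 21) or only the BGP sessions
    (local port 179) are targeted."""
    return [r for r in rows
            if r["state"] in states
            and (foreign_port is None or r["foreign_port"] == foreign_port)
            and (local_port is None or r["local_port"] == local_port)]


def clear_commands(rows) -> List[str]:
    """The 'clear tcp tcb <handle>' command for each selected row."""
    return [f"clear tcp tcb {r['tcb']}" for r in rows]
```

Filter by port before clearing: an ESTAB or a legitimately closing session with the same peer should be left alone, and a stuck FINWAIT1 BGP session will re-establish after the TCB is cleared.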
•
CSCse05736
Symptoms: A router that is running RCP can be reloaded by a specific packet.
Conditions: This symptom is seen under the following conditions:
–
The router must have RCP enabled.
–
The packet must come from the source address of the designated system configured to send RCP packets to the router.
–
The packet must have a specific data content.
Workaround: Put access lists at the edge of your network that block RCP packets, to prevent spoofed RSH packets. Use another protocol, such as SCP. Use VTY ACLs.
Wide-Area Networking
•
CSCee13617
Symptoms: A Cisco router that has an ISDN interface as a backup for an ADSL port may exhibit spurious memory accesses and a high CPU utilization during interrupts.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(13)ZH2, Release 12.3, or Release 12.3T when an L2TP tunnel is up, when the BRI-U interface is disconnected and reconnected, and when the router attempts to reenable the tunnel.
Workaround: There is no workaround.
•
CSCek60025
Symptoms: A ping may be dropped in a PPP callback scenario.
Conditions: This symptom is observed on a Cisco router when Multilink PPP (MLP) and the dialer load-threshold command are enabled.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(22a)
Cisco IOS Release 12.3(22a) is a rebuild release for Cisco IOS Release 12.3(22). The caveats in this section are resolved in Cisco IOS Release 12.3(22a) but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCsj44081
Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.
Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.
The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp:
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
The error message is then followed by a traceback.
It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.
Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
Miscellaneous
•
CSCeh15949
Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.
Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.
Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.
Further Problem Description: An example of this caveat is shown below.
When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.
Topology:
RPM-XF-(FE)-------(FE)--Router
ip: 10.10.10.2 .1
Router_RPM09_XF#show running-config
Building configuration...
Current configuration : 1190 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_RPM09_XF
!
boot-start-marker
boot system x:rpmxf-p12-mz.123-7.T3
boot system bootflash:rpmxf-p12-mz.123-7.T3
boot-end-marker
interface FastEthernet2/0
ip address 10.10.10.2 255.255.255.252
ip access-group 101 in
duplex auto
speed auto
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any
Router_RPM09_XF#show ip access-list 101
Extended IP access list 101 (Compiled)
10 deny tcp any host 10.10.10.2 eq telnet
20 permit ip any any (96 matches)
Router_RPM09_XF#
The information below shows that the access list does not function:
Router#telnet 10.10.10.2
Trying 10.10.10.2 ... Open
•
CSCej20505
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsd81407
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsf08998
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsg40567
Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.
Workaround: Disable the ip http secure server command.
•
CSCsg70474
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsi01470
A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.
•
CSCsi60004
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsi67763
The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:
http://www.kb.cert.org/vuls/id/739224
By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.
Cisco response is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
TCP/IP Host-Mode Services
•
CSCse05736
Symptoms: A router that is running RCP can be reloaded by a specific packet.
Conditions: This symptom is seen under the following conditions:
–
The router must have RCP enabled.
–
The packet must come from the source address of the designated system configured to send RCP packets to the router.
–
The packet must have a specific data content.
Workaround: Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.
Resolved Caveats—Cisco IOS Release 12.3(22)
This section describes possibly unexpected behavior by Cisco IOS Release 12.3(22). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(22). This section describes severity 1 and 2 caveats and select severity 3 caveats.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCeg62070
Symptoms: Tracebacks or a crash are seen during HTTP transactions with long URLs.
Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.
Workaround: Disable HTTP server using the no ip http server command.
•
CSCek52249
Symptoms: A Cisco router crashes when the default dest-ip command is entered in IPSLA jitter, UDP Echo and TCP Connect operations.
Conditions: The issue is seen when the default dest-ip command is entered.
Workaround: There is no workaround.
•
CSCsh02375
Symptoms: On a Cisco 7500 RSP console, the output of the show controller cbus command does not list details for interfaces other than serial interfaces.
Conditions: This symptom occurs when the show controller cbus command is entered on a Cisco 7500 RSP console.
Workaround: There is no workaround.
IBM Connectivity
•
CSCsg65485
Symptoms: A Cisco 7206VXR with an NPE-G1 that is running Cisco IOS Release 12.3(20.12) and that is configured for data-link switching (DLSw) reloads unexpectedly.
Workaround: There is no workaround.
Interfaces and Bridging
•
CSCek43732
Symptoms: All packets are dropped from a 1-port OC-3/STM-1 POS port adapter (PA-POS-1OC3) or 2-port OC-3/STM-1 POS port adapter (PA-POS-2OC3) that is configured for CBWFQ.
Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1. However, the symptom may be platform-independent.
Workaround: There is no workaround.
•
CSCsh16540
Symptoms: A router crashes when the encapsulation dot1Q vc-id command is enabled on an MPLS router.
Conditions: The crash is observed on a Cisco 7200 platform router that runs Cisco IOS Release 12.4(12.7).
Workaround: There is no workaround.
IP Routing Protocols
•
CSCei29944
Symptoms: A CE router that has L2TP tunnels in an MPLS VPN environment with about 1000 VRFs may crash and generate the following error message:
Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x50766038
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0(32)S and that functions as a CE router when BGP neighbors are unconfigured via the no neighbor ip-address command while the show ip bgp summary command is entered from the Aux console. The symptom is not release-specific and may also affect other releases.
Workaround: There is no workaround.
•
CSCsg29248
Symptoms: A stale LSA can be created after the summary-address not-advertise command is entered, in a very narrow corner case. The problem became visible after the fix for CSCsf27810.
Conditions: This symptom occurs when a self-originated external LSA with the same address and more specific mask exists in OSPF database.
Workaround: Clear the OSPF process.
•
CSCsg52336
Symptoms: A router crashes when an unused and unassigned VRF is removed.
Conditions: This symptom is observed on an ESR10K with a PRE-1 that runs c10k-k4p10-mz.120-25.SX6f and that functions as a PE router with multiple VRFs using OSPF, plus other VRFs that are created but not used or assigned. The crash occurs when an unused and unassigned VRF is removed via the no ip vrf vpn-name configuration command.
Workaround: There is no workaround.
•
CSCsh19852
Symptoms: When the OSPF interface goes down, some FSM events do not happen (for example, the old network LSA is not flushed).
Conditions: This symptom was introduced in CSCek63900.
Workaround: There is no workaround.
Miscellaneous
•
CSCdv43124
Symptoms: A Cisco VIP4-80 with a PA-MC-STM-1SMI crashes when QoS is deployed and traffic is generated. Replacing the Cisco VIP4-80 does not fix this issue.
Conditions: This symptom has been observed on a Cisco VIP4-80.
Workaround: A reload of the Cisco VIP4-80 is required to reconnect to the CE.
•
CSCek55511
Symptoms: A Cisco AS5400HPX that is running Cisco IOS Release 12.3(11)T7 may crash with IO Memory corruption.
Conditions: The crash may occur when polling for ccrpCPVGEntry, and resource pooling is enabled on the Gateway.
Workaround: Disable SNMP polling for ccrpCPVGEntry.
•
CSCek56991
Symptoms: A Cisco 7200 series may send a corrupted packet via a 2-port T3 serial, enhanced port adapter (PA-2T3+). The rate of corrupted packets is very low.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.2SB, Release 12.4T, or Release 12.4(4)XD3 and occurs when the router functions under high stress conditions such as a high CPU load and an oversubscribed interface of the PA-2T3+.
Workaround: Avoid a high CPU load and oversubscription of the interface of the PA-2T3+.
•
CSCek57655
Symptoms: A modem autoconfiguration fails.
Conditions: This symptom is observed in an asynchronous call.
Workaround: There is no workaround.
•
CSCsb12598
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsb40304
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsd85587
A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of this vulnerability may lead to a sustained Denial-of-Service (DoS); however, the vulnerability is not known to compromise either the confidentiality or integrity of the data or the device. This vulnerability is not believed to allow an attacker to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
–
Cisco IOS, documented as Cisco bug ID CSCsd85587
–
Cisco IOS XR, documented as Cisco bug ID CSCsg41084
–
Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999
–
Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348
–
Cisco Firewall Service Module (FWSM)
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
Note
Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
•
CSCsd92405
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsf27178
Symptoms: Percentage based traffic shaping is not working.
Conditions: This symptom is observed on a Cisco router that is configured with percentage-based traffic shaping in an output policy.
Workaround: There is no workaround.
•
CSCsg11718
Symptoms: A VRF may become stuck in the "Delete Pending" state.
Conditions: This symptom is observed on a Cisco router that is configured for MPLS VPN and Half-Duplex VRF (HDVRF) when you delete the VRF and then associate it with an interface before it is completely deleted.
Workaround: To ensure that the VRF is properly deleted, enter the shutdown interface configuration command on the interface with which the VRF is associated or remove the interface with which the VRF is associated.
•
CSCsg16908
This bug documents the deprecation and removal of the Cisco IOS FTP Server feature.
•
CSCsg21394
Symptoms: A router may reload unexpectedly when it receives malformed DNS response packets.
Conditions: This symptom is observed when a name server is configured and domain lookup is enabled.
Workaround: Configure the no ip domain lookup command to stop the router from using DNS to resolve hostnames.
•
CSCsg42246
Symptoms: A Cisco router may exhibit high CPU in the "IP Background" process and then spontaneously reload.
Conditions: RIP is configured. A RIP host route is advertised from another router. The same host route is assigned to an interface on this router. For example, on a ppp link with "ip address negotiated" configured.
Workaround: Use a route-map to block the advertised route.
•
CSCsg42519
Symptoms: A router may reload with a TLB exception (bus error) or an address error when channelized interfaces are configured.
Conditions: This behavior is observed on a Cisco router that is running Cisco IOS Release 12.3(20) when a channelized interface is configured as follows:
Router(config)# interface Serialx/y:z
Router(config-if)# frame-relay ip rtp header-compression passive
Router(config-if)# frame-relay ip rtp compression-connections number
Workaround: Shut down the interface and temporarily remove the passive attribute from the header compression command prior to reducing the number of compression connections, as follows:
Router(config)# interface Serialx/y:z
Router(config-if)# shutdown
Router(config-if)# frame-relay ip rtp header-compression
Router(config-if)# frame-relay ip rtp compression-connections number
Router(config-if)# frame-relay ip rtp header-compression passive
Router(config-if)# no shutdown
Further Problem Description: The issue was not reported when using Cisco IOS Release 12.3T or Release 12.4.
•
CSCsg70932
Symptoms: A Cisco 7200 series that is configured for QoS may crash when traffic is sent.
Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1 or NPE-G2 and a Port Adapter Jacket Card in which a 2-port OC-3/STM-1 POS port adapter (PA-POS-2OC3) is installed that has an interface with a service policy.
Workaround: There is no workaround.
•
CSCsg76519
Symptoms: An RSP may crash when the clear counters command is entered in Cisco IOS Release 12.4.
Conditions: The RSP may crash when the clear counters command is entered after voice calls on PA-VXC-2TE1 port adapters have terminated.
Workaround: There is no workaround.
•
CSCsh05979
Symptoms: A Cisco 7500 running Cisco IOS Release 12.3(20) may experience the reset of a VIP due to a bus error when removing a service policy from an ATM sub interface.
Conditions: The service policy is removed from the ATM sub interface.
Workaround: There is no workaround.
•
CSCsh22978
Symptoms: The primary RSP may crash when you perform a soft OIR on the standby RSP.
Conditions: This symptom is observed on a Cisco 7500 series that is configured for dMLP and RPR+.
Workaround: There is no workaround.
Wide-Area Networking
•
CSCek62099
Symptoms: When Multilink PPP (MLP) is enabled for a PPP over Ethernet (PPPoE) session, outbound packets are incorrectly sent without PPPoE headers. This situation causes packets to be dropped.
Conditions: This symptom is observed in Cisco IOS Release 12.4 on all software-forwarding routers and affects only packets that are not multilink-encapsulated (when the bundle has only a single link).
Workaround: Enter the ppp multilink fragment delay interface configuration command to force multilink headers to be applied to all outbound packets.
Alternate Workaround: Disable MLP.
•
CSCsf96318
Symptoms: QSIG (ISO) call back (ring back) fails between a Cisco 3745 router and a Cisco 1760 router.
Conditions: The call back fails.
Workaround: There is no workaround.
•
CSCsg32183
Symptoms: Non-Facility Associated Signaling (NFAS) on back-to-back routers fails. The primary D-channel state is OUT OF SERVICE.
Conditions: This symptom happens with Cisco IOS Release 12.3(20.14) when the Primary D-channel is brought Down using the isdn test l2 disconnect command.
Workaround: There is no workaround.
•
CSCsg38412
Symptoms: When a Multilink PPP (MLP) session is established over an ISDN link, IPCP fails to negotiate. When the debug ppp negotiation command is enabled, you can see that IPCP packets from the peer are not processed. The output of the show interface command for the ISDN D-channel interface shows that the input queue limit is 0.
Conditions: This symptom is observed when the ISDN BRI or PRI interface is not configured as part of a dialer rotary group or dialer pool and when RADIUS is used to assign the multilink bundle to a VRF.
Workaround: Enter the dialer rotary-group command to assign the ISDN interface to a dialer.
•
CSCsg40885
Symptoms: A router crashes during Online Insertion and Removal (OIR) on MLP-PPP on a Cisco 7200 platform.
Conditions: This symptom is observed on a Cisco 7200 router that is configured for MLP-PPP.
Workaround: Shut the multilink interface before doing an OIR.
•
CSCsg50202
Symptoms: When BRI interface flaps rapidly, ISDN Layer 1 detects link down, but Layers 2 and 3 keep active state during the transition. This may cause the BRI interface to get stuck, where subsequent incoming/outgoing call is rejected.
Conditions: The symptom may be observed when the cable is pulled out and plugged back in rapidly.
Workaround: Issue the clear interface command or the shutdown command followed by the no shutdown command on the affected BRI interface.
•
CSCsg56148
Symptoms: Inbound GSM V.110 calls fail to train at a speed of 14400 bps.
Conditions: This symptom is observed on a Cisco AS5400 when the Bearer Capability (BC) does not match the Lower Layer Compatibility (LLC) in the ISDN setup message. The BC should take precedence over the LLC.
Workaround: If this is an option, configure the ISDN switch to send the correct BC and LLC. If this is not an option, there is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(21b)
Cisco IOS Release 12.3(21b) is a rebuild release for Cisco IOS Release 12.3(21). The caveats in this section are resolved in Cisco IOS Release 12.3(21b) but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCeg62070
Symptoms: Tracebacks or a crash are seen during HTTP transactions with long URLs.
Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.
Workaround: Disable HTTP server using the no ip http server command.
•
CSCsj44081
Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.
Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.
The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp:
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
The error message is then followed by a traceback.
It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.
Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
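Because the message is an early indicator rather than a fault in itself, the practical response is to detect it in collected syslog, keep the traceback that follows it, and notice when the same traceback recurs (the same code path tripping the check repeatedly is what a support engineer will ask about). The following Python detector is an added example for this caveat (and the identical CSCsj44081 text earlier in these notes); it is not Cisco code. It assumes the "service timestamps log datetime msec" format shown in the example above and the "-Traceback=" continuation line that IOS prints after such messages; the log lines it scans are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# IOS syslog line as shown in the caveat text (assumed "datetime msec" timestamp format):
#   <Mon dd hh:mm:ss.mmm TZ>: %FACILITY-SEVERITY-MNEMONIC: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: [A-Z]{3,4})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Constructed sample log: two DATAINCONSISTENCY hits with the same traceback, plus noise.
SAMPLE_LOG = """\
May 17 10:01:25.002 UTC: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 0x60A1B2C4 0x60A1B3F0 0x6012AB08
May 17 10:02:01.120 UTC: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
May 17 10:03:44.900 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 0x60A1B2C4 0x60A1B3F0 0x6012AB08
"""


@dataclass
class DataInconsistencyEvent:
    timestamp: str
    text: str
    traceback: List[str] = field(default_factory=list)


def find_data_inconsistency_events(lines: Iterable[str]) -> List[DataInconsistencyEvent]:
    """Return every %DATACORRUPTION-1-DATAINCONSISTENCY message with its traceback lines."""
    events: List[DataInconsistencyEvent] = []
    current = None
    for raw in lines:
        line = raw.rstrip()
        m = SYSLOG_RE.match(line)
        if m:
            # A new syslog record starts; only the DATAINCONSISTENCY one is kept open
            # so that the traceback lines that follow it are attached to it.
            if m.group("facility") == "DATACORRUPTION" and m.group("mnemonic") == "DATAINCONSISTENCY":
                current = DataInconsistencyEvent(m.group("ts"), m.group("text"))
                events.append(current)
            else:
                current = None
            continue
        if current is not None and line.startswith("-Traceback="):
            current.traceback.append(line)
    return events


def group_by_traceback(events: List[DataInconsistencyEvent]) -> Dict[str, int]:
    """Count events per traceback; a repeated traceback points at one recurring code path."""
    counts: Dict[str, int] = {}
    for ev in events:
        key = " ".join(l[len("-Traceback="):].strip() for l in ev.traceback) or "<no traceback>"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_data_inconsistency_events(SAMPLE_LOG.splitlines())
    for ev in found:
        print(ev.timestamp, ev.text, ev.traceback)
    for tb, n in group_by_traceback(found).items():
        print(f"{n}x traceback {tb}")
```

Run against the constructed log, the detector reports two events sharing one traceback, which is exactly the information (message, accompanying symptoms, and recurrence) the recommended action asks you to hand to your support contact along with the show tech-support output.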
Miscellaneous
•
CSCeh15949
Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.
Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.
Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.
Further Problem Description: An example of this caveat is shown below.
When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.
Topology:
RPM-XF-(FE)-------(FE)--Router
ip: 10.10.10.2 .1
Router_RPM09_XF#show running-config
Building configuration...
Current configuration : 1190 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_RPM09_XF
!
boot-start-marker
boot system x:rpmxf-p12-mz.123-7.T3
boot system bootflash:rpmxf-p12-mz.123-7.T3
boot-end-marker
interface FastEthernet2/0
ip address 10.10.10.2 255.255.255.252
ip access-group 101 in
duplex auto
speed auto
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any
Router_RPM09_XF#show ip access-list 101
Extended IP access list 101 (Compiled)
10 deny tcp any host 10.10.10.2 eq telnet
20 permit ip any any (96 matches)
Router_RPM09_XF#
The information below shows that the access list does not function:
Router#telnet 10.10.10.2
Trying 10.10.10.2 ... Open
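The telnet session above opening at all is the defect: a correctly functioning access list 101 would reject a TCP connection to 10.10.10.2 port 23 at the first entry and fall through to permit ip any any for everything else. The following Python evaluator is an added example for this caveat (and for the identical CSCeh15949 entry under Release 12.3(22)); it is not Cisco code and not how IOS implements access lists. It parses the two access-list lines from the configuration shown above plus one constructed line (access list 102) to show the address-with-wildcard form as well, supports only the any, host, address/wildcard and eq forms of the IOS syntax, and applies the implicit deny at the end of every IOS access list. The packet addresses and ports it is evaluated with are constructed.

```python
import ipaddress
from typing import Callable, List, Tuple

# Well-known port names that IOS accepts in place of numbers (subset, assumed for the example).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21, "domain": 53}

# The two ACL lines from the RPM-XF configuration above, plus a constructed ACL 102 line
# that exercises the address/wildcard form.
ACL_CONFIG = """\
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any
access-list 102 permit tcp 192.0.2.0 0.0.0.255 any eq www
"""

AddrMatch = Callable[[ipaddress.IPv4Address], bool]
PortMatch = Callable[[int], bool]
Entry = Tuple[str, str, AddrMatch, PortMatch, AddrMatch, PortMatch]


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse an address spec at tokens[i]: any | host A.B.C.D | A.B.C.D WILDCARD."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        target = ipaddress.IPv4Address(tokens[i + 1])
        return (lambda ip, t=target: ip == t), i + 2
    # Wildcard mask: a set bit means "don't care", so compare only the cleared bits.
    base = int(ipaddress.IPv4Address(tok))
    care = ~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF
    return (lambda ip, b=base, c=care: (int(ip) & c) == (b & c)), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[PortMatch, int]:
    """Parse an optional 'eq <port>' operator; anything else means 'any port'."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return (lambda p, want=port: p == want), i + 2
    return (lambda p: True), i


def parse_extended_acl(config_text: str, acl_number: int) -> List[Entry]:
    """Collect the entries of one numbered extended ACL, in configuration order."""
    entries: List[Entry] = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[1] != str(acl_number):
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate_acl(entries: List[Entry], proto: str, src: str, dst: str,
                 sport: int = 0, dport: int = 0) -> str:
    """First matching entry wins; an 'ip' entry matches every protocol; implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, p, src_m, sport_m, dst_m, dport_m in entries:
        if p != "ip" and p != proto:
            continue
        if src_m(s) and sport_m(sport) and dst_m(d) and dport_m(dport):
            return action
    return "deny"


if __name__ == "__main__":
    acl101 = parse_extended_acl(ACL_CONFIG, 101)
    # The session from the caveat: telnet from the neighbouring router to the RPM-XF.
    print("telnet 10.10.10.1 -> 10.10.10.2:", evaluate_acl(acl101, "tcp", "10.10.10.1", "10.10.10.2", 40000, 23))
    print("ssh    10.10.10.1 -> 10.10.10.2:", evaluate_acl(acl101, "tcp", "10.10.10.1", "10.10.10.2", 40000, 22))
```

The evaluator returns deny for the telnet attempt that the RPM-XF accepted, which is the comparison you would make when verifying whether an access group is actually enforced on a platform: test the specific denied flow from the far side of the interface, not just the match counters on the device.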
•
CSCsd81407
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsd85587
A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of this vulnerability may lead to a sustained Denial-of-Service (DoS); however, the vulnerability is not known to compromise either the confidentiality or integrity of the data or the device. This vulnerability is not believed to allow an attacker to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
–
Cisco IOS, documented as Cisco bug ID CSCsd85587
–
Cisco IOS XR, documented as Cisco bug ID CSCsg41084
–
Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999
–
Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348
–
Cisco Firewall Service Module (FWSM), documented as Cisco bug ID CSCsi97695
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
Note: Another related advisory is posted together with this advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
•
CSCsf08998
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsg40567
Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions: This symptom is observed on a Cisco router on which the ip http secure-server command is enabled.
Workaround: Disable the secure HTTP server by entering the no ip http secure-server command.
•
CSCsg70474
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsi01470
A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.
•
CSCsi60004
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsi67763
The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width Unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:
http://www.kb.cert.org/vuls/id/739224
By encoding attacks using a full-width or half-width Unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.
Cisco response is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
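The evasion works because a signature engine compares the ASCII bytes of its signature against a request in which every ASCII character has been replaced by its full-width (U+FF01 to U+FF5E) twin. The following is an added example written for these notes (not Cisco code and not taken from the US-CERT note) that reproduces the encoding on a constructed request line and shows the fix on the inspection side: fold compatibility variants to their base form with Unicode NFKC normalization before matching. The signature list and the sample request are assumptions made for the example.

```python
import unicodedata

# Signatures a hypothetical inspection engine matches on (constructed list)
SIGNATURES = ("../", "/etc/passwd", "<script")


def to_fullwidth(text: str) -> str:
    """Replace printable ASCII (U+0021..U+007E) with its full-width twin
    (U+FF01..U+FF5E). This is the transformation the evasion relies on:
    a byte-oriented matcher sees none of its ASCII signatures."""
    return "".join(chr(ord(c) + 0xFEE0) if 0x21 <= ord(c) <= 0x7E else c for c in text)


def fold_width(text: str) -> str:
    """Collapse compatibility variants (full-width Latin, half-width
    Katakana and similar) to their base form with NFKC before matching."""
    return unicodedata.normalize("NFKC", text)


def naive_match(payload: str):
    """What a matcher without normalization reports."""
    return [s for s in SIGNATURES if s in payload]


def normalized_match(payload: str):
    """Same signatures, applied after width folding."""
    folded = fold_width(payload)
    return [s for s in SIGNATURES if s in folded]


def inspect_request(raw: bytes):
    """Decode a request leniently (UTF-8, replacement on error), as an
    inspection engine must, and return the normalized verdict."""
    return normalized_match(raw.decode("utf-8", errors="replace"))


# Constructed sample request line (not from the advisory)
PROBE = "GET /cgi-bin/../../etc/passwd HTTP/1.0"
EVASIVE_PROBE = to_fullwidth(PROBE)
```

The same NFKC fold also maps half-width forms (for example half-width Katakana) to their full forms, so one normalization step covers both directions of the technique the US-CERT note describes. Normalizing is only correct when the protected server itself accepts the full-width form; if it does not, the normalized match is a false positive, which is the usual trade-off when an IPS cannot know how the end system will decode a request.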
TCP/IP Host-Mode Services
•
CSCse05736
Symptoms: A router that is running RCP can be reloaded by a specific packet.
Conditions: This symptom is seen under the following conditions:
–
The router must have RCP enabled.
–
The packet must come from the source address of the designated system configured to send RCP packets to the router.
–
The packet must have specific data content.
Workaround: Apply access lists at the edge of your network that block RCP packets (RCP rides on the rsh service, TCP port 514) from untrusted sources, so that spoofed packets cannot reach the router. Use another protocol such as SCP instead of RCP. Use VTY ACLs.
Resolved Caveats—Cisco IOS Release 12.3(21a)
Cisco IOS Release 12.3(21a) is a rebuild release for Cisco IOS Release 12.3(21). The caveats in this section are resolved in Cisco IOS Release 12.3(21a) but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCsg70355
Symptoms: Starting in calendar year 2007, daylight savings summer-time rules may cause Cisco IOS to generate timestamps (such as in syslog messages) that are off by one hour.
Conditions: The Cisco IOS configuration command:
clock summer-time zone recurring
uses United States standards for daylight savings time rules by default. The Energy Policy Act of 2005 (H.R.6.ENR), Section 110 changes the start date from the first Sunday of April to the second Sunday of March. It changes the end date from the last Sunday of October to the first Sunday of November.
Workaround: Use the clock summer-time configuration command to manually configure the correct start date and end date for daylight saving time. After the summer-time period for calendar year 2006 is over, you can, for example, configure:
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
(This example is for the US/Pacific time zone.)
Not A Workaround: Using NTP is not a workaround to this problem. NTP does not carry any information about timezones or summertime.
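For anyone correlating syslog from an unpatched device during an investigation, the practical question is which dates carry a timestamp that is an hour off. The following is an added example written for these notes (not Cisco code) that computes the old and new United States rules from the definitions above and reports the skew for a given date. The helper names are assumptions made for the example.

```python
from datetime import date, timedelta

SUNDAY = 6  # date.weekday(): Monday is 0, Sunday is 6


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """The n-th occurrence of `weekday` in the month (n=1 first, n=2 second)."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))


def last_weekday(year: int, month: int, weekday: int) -> date:
    """The last occurrence of `weekday` in the month."""
    first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = first_of_next - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def dst_window_old_rule(year: int):
    """Rule applied by the default recurring summer-time configuration:
    first Sunday of April through last Sunday of October."""
    return nth_weekday(year, 4, SUNDAY, 1), last_weekday(year, 10, SUNDAY)


def dst_window_new_rule(year: int):
    """Energy Policy Act of 2005 rule: second Sunday of March through
    first Sunday of November."""
    return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)


def timestamp_skew_hours(year: int, month: int, day: int) -> int:
    """Hours by which a device still on the old rule mislabels local time
    on the given date (0 = correct, -1 = one hour behind). The new rule
    only applies from 2007, so earlier dates are never skewed."""
    if year < 2007:
        return 0
    d = date(year, month, day)
    old_start, old_end = dst_window_old_rule(year)
    new_start, new_end = dst_window_new_rule(year)
    in_old = old_start <= d < old_end
    in_new = new_start <= d < new_end
    return int(in_old) - int(in_new)


def skewed_days(year: int) -> int:
    """Number of days in the year on which an unpatched device's
    timestamps are one hour off."""
    d = date(year, 1, 1)
    count = 0
    while d.year == year:
        if timestamp_skew_hours(d.year, d.month, d.day):
            count += 1
        d += timedelta(days=1)
    return count
```

Because the new window is a superset of the old one, the skew is always negative: during the extra weeks in March and in late October and early November the device believes it is still on standard time and stamps events one hour earlier than the correct local time. When reconciling such logs against systems that applied the new rule, add one hour to timestamps from the affected device for those dates.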
Miscellaneous
•
CSCsb12598
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device, and they are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsb40304
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device, and they are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsd92405
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device, and they are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.
Note
Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
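The three SSL caveats above (CSCsb12598, CSCsb40304, CSCsd92405) are all cases of a server crashing on a malformed ClientHello, ChangeCipherSpec or Finished message sent before any credential is presented. The following is an added example written for these notes (not the Cisco IOS SSL implementation) of the record-layer and handshake validation that keeps such input from reaching a crash: every length field is checked against the bytes actually received, a ChangeCipherSpec body must be exactly one byte, and a ClientHello is walked field by field with bounds checks. It assumes one handshake message per record for simplicity, and the sample record is constructed by the example's own builder.

```python
import struct

CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION = 20, 21, 22, 23
HS_CLIENT_HELLO, HS_FINISHED = 1, 20
MAX_RECORD_BODY = 2 ** 14 + 2048  # TLS 1.0 ciphertext limit (RFC 2246, 6.2.3)


class TLSParseError(ValueError):
    """Raised for any malformed record; the caller closes the connection
    instead of letting a bad length drive memory access."""


def parse_record(buf: bytes):
    """Validate the 5-byte record header and return (type, version, body)."""
    if len(buf) < 5:
        raise TLSParseError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in (CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION):
        raise TLSParseError(f"unknown content type {ctype}")
    if major != 3:
        raise TLSParseError("not SSLv3/TLS")
    if length > MAX_RECORD_BODY:
        raise TLSParseError(f"record length {length} out of range")
    body = buf[5:5 + length]
    if len(body) != length:
        raise TLSParseError("record body truncated")
    if ctype == CT_CHANGE_CIPHER_SPEC and body != b"\x01":
        raise TLSParseError("ChangeCipherSpec must be exactly one byte 0x01")
    return ctype, (major, minor), body


def parse_handshake(body: bytes):
    """Validate the 4-byte handshake header (type, 24-bit length)."""
    if len(body) < 4:
        raise TLSParseError("short handshake header")
    msg_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len != len(body) - 4:  # one message per record assumed
        raise TLSParseError(f"handshake length {hs_len} disagrees with record")
    return msg_type, body[4:]


def parse_client_hello(payload: bytes) -> dict:
    """Walk the ClientHello; every variable-length field is bounds-checked."""
    off = 0

    def take(n: int, what: str) -> bytes:
        nonlocal off
        if off + n > len(payload):
            raise TLSParseError(f"ClientHello truncated in {what}")
        chunk = payload[off:off + n]
        off += n
        return chunk

    version = struct.unpack("!BB", take(2, "client_version"))
    take(32, "random")
    sid_len = take(1, "session_id length")[0]
    if sid_len > 32:
        raise TLSParseError("session_id longer than 32 bytes")
    session_id = take(sid_len, "session_id")
    cs_len = struct.unpack("!H", take(2, "cipher_suites length"))[0]
    if cs_len < 2 or cs_len % 2:
        raise TLSParseError("cipher_suites length must be a positive even number")
    cs = take(cs_len, "cipher_suites")
    suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
    comp_len = take(1, "compression_methods length")[0]
    if comp_len == 0:
        raise TLSParseError("at least one compression method is required")
    take(comp_len, "compression_methods")
    if off != len(payload):  # an extensions block must account for every remaining byte
        ext_len = struct.unpack("!H", take(2, "extensions length"))[0]
        if ext_len != len(payload) - off:
            raise TLSParseError("extensions length disagrees with remaining bytes")
    return {"version": version, "session_id": session_id, "cipher_suites": suites}


def build_client_hello(suites, session_id: bytes = b"", version=(3, 1)) -> bytes:
    """Constructed, well-formed ClientHello record used as sample input."""
    body = bytes(version) + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CT_HANDSHAKE, *version, len(hs)) + hs


def tls_record_is_well_formed(record: bytes) -> bool:
    """True when the record (and a contained ClientHello) validates."""
    try:
        ctype, _, body = parse_record(record)
        if ctype == CT_HANDSHAKE:
            msg_type, payload = parse_handshake(body)
            if msg_type == HS_CLIENT_HELLO:
                parse_client_hello(payload)
        return True
    except TLSParseError:
        return False
```

The pattern is the same for Finished: the message length must match what the cipher suite's verify_data size requires, and it must arrive only after a valid ChangeCipherSpec, so a state check belongs beside the length check. Any failure is a reason to drop the connection and log it, not to continue parsing.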
Resolved Caveats—Cisco IOS Release 12.3(21)
This section describes possibly unexpected behavior by Cisco IOS Release 12.3(21). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(21). This section describes severity 1 and 2 caveats and select severity 3 caveats.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCdy11174
Symptoms: Some ciscoFlashCopyTable & ciscoFlashMiscOpTable objects cannot be read after row creation.
Conditions: For any newly created rows in these tables, some objects will not be readable.
Workaround: Objects will become readable immediately after being set. Additionally, rows can still be activated in these tables even if all objects cannot be read. Any objects which cannot be read contain their MIB defined default value.
•
CSCek40101
Symptoms: If a Cisco 2800 series router is configured for asynchronous tunneling through a sync/async module at a very slow speed, such as 2400 bps or lower, the sync/async line may become stuck. Entering the show tcp command for the stuck line shows a CLOSED TCP connection with unread input bytes, for example:
Router#sh tcp
tty0/2/0, connection 1 to host 172.16.242.129
Connection state is CLOSED, I/O status: 7, unread input bytes: 97
Connection is ECN Disabled
Local host: 172.16.146.249, Local port: 20514
Foreign host: 172.16.242.129, Foreign port: 23
....
....
Conditions: This symptom occurs only when the Cisco 2800 series router is used for asynchronous data tunneling at a line speed of 2400 bps or lower with a WIC-2A/S card.
Workarounds: See the following:
1.
Issue the clear line x/y/z command to make the line usable again.
2.
Use Cisco IOS Release 12.3(14)T7, which does not show this issue as readily as Cisco IOS Release 12.4.
3.
Use a line speed higher than 2400 bps.
4.
Use the AUX port of the Cisco 2800 series router.
•
CSCek52249
Symptoms: A Cisco router crashes when the default dest-ip command is entered in IPSLA jitter, UDP Echo and TCP Connect operations.
Conditions: The issue is seen when the default dest-ip command is entered.
Workaround: There is no workaround.
•
CSCir00074
Symptoms: A router crashes when the casnDisconnect object is set to "true" for a PPPoE session.
Conditions: This symptom is observed on a Cisco 10000 series when you attempt to terminate the PPPoE session through SNMP by using the casnDisconnect object of the CISCO-AAA-SESSION-MIB.
Workaround: There is no workaround.
•
CSCse49728
Symptoms: SNMPv3 informs are not sent out after a device reload.
Conditions: This symptom is observed when SNMPv3 informs have been configured, and the device is reloaded.
Workaround: Re-enter any of the snmp-server host commands.
•
CSCse85200
Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.
Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.
Workaround: Disable CDP on interfaces where it is not necessary.
•
CSCsf19139
Symptoms: %RADIUS-3-NOSERVERS messages are logged after a reload in Cisco IOS Release 12.3(18). At this time, the RADIUS accounting tickets are not generated.
Conditions: This symptom has been observed on a Cisco AS5300 gateway.
Workaround: Enter into configuration mode and change the order of the servers under the server group.
•
CSCsf32390
Symptoms: When tuning particle clone, F/S, and header pools after these were made configurable via CSCuk47328, the commands may be lost on a reload.
Conditions: When the device reloads, these commands are not parsed, and the default buffer values become active. This may result in traffic loss if the increased buffers were needed to provide greater forwarding performance for the specific network design.
Workaround: Configure an applet to enter the buffer values again after a reload. A sample applet would be:
event manager applet add-buffer
event syslog occurs 1 pattern ".*%SYS-5-RESTART: System restarted --.*"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "buffers particle-clone 16384"
action 4.0 cli command "buffers header 4096"
action 5.0 cli command "buffers fastswitching 8192"
action 6.0 syslog msg "Reinstated buffers command"
IP Routing Protocols
•
CSCed84633
Symptoms: The interface-type and interface-number arguments in the distribute-list address family configuration command do not function.
Conditions: This symptom is observed on a Cisco platform that integrates the fix for caveat CSCea59206. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea59206. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: There is no workaround.
Further Problem Description: The fix for CSCed84633 re-enables the interface-type and interface-number arguments in the distribute-list address family configuration command for both VRF interfaces and non-VRF interfaces.
•
CSCek27981
Symptoms: The output of the ping is different than expected.
Conditions: After configuring the security options, the output of the ping is different than expected.
Workaround: There is no workaround.
•
CSCsd03021
Symptoms: When a router that runs Cisco IOS software loads a large link state database from a third-party vendor router, the CPU usage by OSPF may become very high, the router may generate CPUHOG messages, and it may take a long time to reach the FULL state, or the FULL state is never reached.
Conditions: These symptoms are observed in an environment in which packet drops occur. When the link state request that is sent from the Cisco IOS router is dropped, the routers may still continue to exchange DBD packets. However, the link state request list on the Cisco IOS router may become long, and maintaining it may consume a lot of CPU.
Workaround: There is no workaround.
Further Problem Description: See also caveat CSCsd38572.
•
CSCse56552
Symptoms: Connections fail through a router that uses CBAC. The pre-gen session is created, and the download or transfer begins. The pre-gen session times out and gets deleted from the router. Since the full session never gets established, the connection then times out on the host.
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.4(8) and using CBAC outbound on the outside interface when policy based routing is applied.
Workaround: There is no workaround.
Further Problem Description: This bug is first seen in Cisco IOS Interim Release 12.4(7.24).
ISO CLNS
•
CSCse40346
Symptoms: Tracebacks may be generated when you configure IS-IS and LDP features, for example, when you enter the no ip router isis area-tag command.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0(32)SY but may also occur in other releases.
Workaround: There is no workaround.
Miscellaneous
•
CSCeg00531
Symptoms: A router crashes when you remove an ATM subinterface.
Conditions: This symptom is observed when the subinterface is configured with a LANE client that is configured for Multiprotocol over ATM (MPOA).
Workaround: There is no workaround.
•
CSCeg20412
Symptoms: A router may not properly detect supervisory tones.
Conditions: This symptom is observed on a Cisco 3640 and Cisco 3660 only when a DSP is configured to detect custom cptones and when no cadence is specified for the tone. The symptom may also occur on other routers.
Workaround: Configure the cadence values.
•
CSCeg42877
Symptoms: PPPoA sessions are not coming up in autovcs after entering the shutdown interface configuration command followed by the no shutdown interface configuration command. Tracebacks are reported.
Conditions: This problem is found only if the QoS parameters are configured via the Radius server.
Workaround: Configure the QoS parameters through the command line interface (CLI).
•
CSCeg86867
Symptoms: An AAA server does not authenticate.
Conditions: This symptom is observed on a Cisco platform that functions as an AAA server and that runs Cisco IOS Release 12.3(13) when you dial up using Microsoft callback through an asynchronous line. Dialup through an ISDN modem works fine.
Workaround: There is no workaround.
•
CSCek43310
Symptoms: A build break is observed in c5850tb-p9-mz.
Conditions: This symptom occurs when Marvel supports two devices. When fixing CSCsc20917, the third device is also initialized. This break is seen in Cisco IOS Releases 12.4 and 12.4T.
Workaround: There is no workaround.
•
CSCek57655
Symptoms: A modem autoconfiguration fails.
Conditions: This symptom is observed in an asynchronous call.
Workaround: There is no workaround.
•
CSCsb74409
Symptoms: A router may keep the vty lines busy after finishing a Telnet/Secure Shell (SSH) session from a client. When all vty lines are busy, no more Telnet/SSH sessions to the router are possible.
Conditions: This symptom is observed on a Cisco router that is configured to allow SSH sessions to other devices.
Workaround: Clear the SSH sessions that were initiated from the router to other devices.
•
CSCsb93407
Symptoms: When H323 call service stops, the router still listens on TCP port 1720 and completes connection attempts.
Conditions: This symptom occurs after H.323 is disabled by using the following configuration commands:
voice service voip
h323
call service stop
Workaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.
For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document at http://www.cisco.com/warp/public/707/tacl.html.
For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document at http://www.cisco.com/warp/public/707/iacl.html.
For information about using control plane policing to block access to TCP port 1720, see the "Deploying Control Plane Policing White Paper" at http://www.cisco.com/en/US/partner/products/ps6642/products_white_paper0900aecd804fa16a.shtml.
•
CSCsd28214
Symptoms: A Cisco router that is running Cisco IOS Release 12.3(19) may crash due to a Watch Dog timeout while running the RIP routing protocol.
Conditions: The router may crash due to a Watch Dog timeout if an interface changes state at the exact same time a RIP route learned on that interface is being replaced with a better metric redistributed route. For example, RIP has learned the 192.168.1.0 network from Fast Ethernet 1/0. If RIP learns the 192.168.1.0 network from a redistributed protocol that has a better metric, then the RIP route will be removed. If, during this time the Fast Ethernet 1/0 interface goes down, then the router may potentially crash due to a Watch Dog timeout.
Workaround: There is no workaround.
•
CSCsd81861
Symptoms: A router may unexpectedly reload due to a bus error after being reloaded or power cycled. The last console output in the crashinfo will be the ima-group group number command before the crash.
Conditions: The router must have the ip telnet source-interface command or the ip tftp source-interface command configured to use an IMA subinterface as the source. There must also be at least one ATM interface in the IMA group.
Workaround: Remove the IMA interface from the source interface command in the configuration.
•
CSCsd85852
Symptoms: When a PVC is shut down on the remote side, the PVC subinterface on a router transitions from the down state to the up state within one second, but then remains in the down state after the down retry timers expire.
Conditions: This symptom is observed on a Cisco router that is configured for Operation, Administration, and Maintenance (OAM) and Dynamic Bandwidth Selection (DBS).
Workaround: There is no workaround.
•
CSCsd87358
Symptoms: A Cisco router may crash when configuring a hierarchical service policy.
Conditions: This symptom is observed in a Cisco 7200 series router that is running Cisco IOS Release 12.3(6a). At the time of the crash, configuration contained missing keywords causing some of the configuration lines to be rejected and some classes without match statements.
Workaround: There is no workaround.
•
CSCse05642
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCse39191
Symptoms: A Cisco router that is running DHCP service will run out of memory eventually and will require a reload to recover. You can confirm this by issuing the show proc mem | inc DHCP command and seeing that the process named "DHCPD Receive" consumes an increasing amount of memory until the available memory is exhausted.
In addition, the number of AAA sessions will constantly increase and will not decrease when DHCP bindings expire. You can see this by noticing how the output of the show aaa session and show aaa user all commands show a constantly increasing number of sessions, with those associated with DHCP bindings never vanishing.
Conditions: This problem is always seen on Cisco routers operating as a DHCP relay or server with one or more DHCP pools configured via the ip dhcp pool name command where accounting dhcp is configured in at least one pool, and the configured poolname is not the name of a valid AAA method list.
This problem may also be seen when there is very little free processor memory on the router, enabling the allocation of some but not all data structures necessary to perform accounting for a DHCP binding.
Workaround 1: If you do not want AAA accounting for DHCP leases, disable accounting method MethListName in the DHCP pool by configuring no accounting method MethListName while in the pool configuration mode.
Workaround 2: If you want AAA accounting for DHCP leases, configure a valid accounting method list by configuring aaa accounting network methodlistname start-stop method1 where the configured method list name for the accounting method list EXACTLY matches the name provided on the accounting methodlistname line in the DHCP pool configuration.
•
CSCse45425
Symptoms: A VAM2 may reset when it receives a malformed ESP packet, and a "Free Pool stuck" error message may be generated. This situation causes high CPU usage in the encryption process while the software is handling the encryption as opposed to the hardware. Even when the VAM2 recovers, the high CPU usage remains because the software-encrypted tunnels do not fall back to hardware encryption until the SA lifetime expires.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(19) or Release 12.4(7a).
Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred and after the VAM2 has recovered, disable software encryption by entering the no crypto engine software ipsec command to force the encryption back to the hardware.
•
CSCse68138
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCse93156
Symptoms: Static IP routes that are configured do not appear in the running and startup configurations. The CMTS accepts the IP route configuration, and the configured routes appear in the output of the show ip route command.
Conditions: The symptom occurs when a static route is configured. The configured route is not visible in the running and startup configurations.
Workaround: There is no workaround.
•
CSCsf04754
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
•
CSCsf12037
Symptoms: An SNA Switch router may reload and display the following error message:
System returned to ROM by bus error at PC 0x61504EB0, address 0x58
Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.3(18).
Workaround: There is no workaround.
•
CSCsf13740
Symptoms: A Cisco 7200 series router with a VAM2+ encryption/compression engine that is running Cisco IOS Release 12.4(10) may reload because of a bus error after a large service policy is applied to a Gigabit Ethernet interface.
The following error messages may flood the console:
*crypto qos: get_shape_class fail, class=<name>
*crypto qos: get_shape_class fail, class=<name>
*crypto qos: get_shape_class fail, class=<name>
*crypto qos: get_shape_class fail, class=<name>
Crash:
%ALIGN-1-FATAL: Corrupted program counter 06:30:27 MEST Fri Aug 18 2006
pc=0x7E000000 , ra=0x6633E958 , sp=0x64DE2E40
%ALIGN-1-FATAL: Corrupted program counter 06:30:27 MEST Fri Aug 18 2006
pc=0x7E000000 , ra=0x6633E958 , sp=0x64DE2E40
06:30:27 MEST Fri Aug 18 2006: TLB (load or instruction fetch) exception, CPU
signal 10, PC = 0x7E000000
-Traceback= 0x7E000000
$0 : 00000000, AT : 63F00000, v0 : 00000001, v1 : 64DE2F90
a0 : 00000000, a1 : 663004BC, a2 : 00000188, a3 : 6454B6D0
t0 : 66419DD8, t1 : 661BFC08, t2 : 00000018, t3 : 00000000
t4 : 6410AD00, t5 : 00000001, t6 : 00000000, t7 : 00000000
s0 : 661BFE50, s1 : 66300940, s2 : 00000A61, s3 : 66302AC4
s4 : 6454AA3C, s5 : 618D9FF0, s6 : 663003A4, s7 : 63CA0000
t8 : 00000061, t9 : 6410AD00, k0 : 6571911C, k1 : 6080F4E4
gp : 63F0AA08, sp : 64DE2E40, s8 : 00000001, ra : 6633E958
EPC : 7E000000, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00374C80, MDHI : 00000000, BadVaddr : 7E000000
Cause 00000008 (Code 0x2): TLB (load or instruction fetch) exception
Process watchdog registers:
$0 : 658FC0EC, AT : 00000000, v0 : 606CCE5C, v1 : 00000001
a0 : 658F9E6C, a1 : 00000000, a2 : 00000000, a3 : 658F6118
t0 : 00000000, t1 : 658FC0B8, t2 : 658FC0EC, t3 : 00000000
t4 : FFFFFFF7, t5 : 6080F4CC, t6 : 62B23BA8, t7 : 00000001
s0 : 00000000, s1 : 658F9E98, s2 : 6543A190, s3 : 00000018
s4 : 6543A190, s5 : 6643D788, s6 : 6497AA80, s7 : 6080F5A0
t8 : 662F5D6C, t9 : 00000001, k0 : 00000000, k1 : 658FC0B8
gp : 6497AA80, sp : 00000001, s8 : 658FC0EC, ra : 00000000
EPC : 658FC0B8, SP : 00000001, forkx : 00000000
Conditions: This symptom occurs when the router has a VAM+ encryption module.
Workaround: There is no workaround.
•
CSCsf28840
A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.
There are workarounds available for this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml
•
CSCsf98345
Symptoms: An MPLS LDP peer on a default VRF resets when a VRF interface goes down.
Conditions: This symptom is observed on a Cisco router when the VRF interface is configured with a subnetwork address that overlaps with the default router ID.
Workaround: Reconfigure the VRF interface address so it does not overlap with the default router ID.
•
CSCsg11718
Symptoms: A VRF may become stuck in the "Delete Pending" state.
Conditions: This symptom is observed on a Cisco router that is configured for MPLS VPN and Half-Duplex VRF (HDVRF) when you delete the VRF and then associate it with an interface before it is completely deleted.
Workaround: To ensure that the VRF is properly deleted, enter the shutdown interface configuration command on the interface with which the VRF is associated or remove the interface with which the VRF is associated.
•
CSCsg16908
This bug documents the deprecation and removal of the Cisco IOS FTP Server feature.
•
CSCsg42519
Symptoms: A router may reload with a TLB exception (bus error) or an address error when channelized interfaces are configured.
Conditions: This behavior is observed on a Cisco router that is running Cisco IOS Release 12.3(20) when a channelized interface is configured as follows:
Router(config)# interface Serial x/y:z
Router(config-if)# frame-relay ip rtp header-compression passive
Router(config-if)# frame-relay ip rtp compression-connections number
Workaround: Shut down the interface and temporarily remove the passive attribute from the header-compression command before reducing the number of compression connections, as follows:
Router(config)# interface Serial x/y:z
Router(config-if)# shutdown
Router(config-if)# frame-relay ip rtp header-compression
Router(config-if)# frame-relay ip rtp compression-connections number
Router(config-if)# frame-relay ip rtp header-compression passive
Router(config-if)# no shutdown
Further Problem Description: The issue was not reported when using Cisco IOS Release 12.3T or 12.4.
•
CSCuk57037
Symptoms: A router may crash when a serial interface of a neighboring router is brought up.
Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that is earlier than Release 12.4(8) and that is configured for IP Multicast when some interfaces on the router are configured for PIM. The symptom occurs when the serial interface that is brought up on the neighboring router is configured for PIM and the connecting interface on the Cisco router is not configured for PIM.
Workaround: Depending on the desired operation for the link, either enable PIM at both ends or disable PIM at both ends.
Wide-Area Networking
•
CSCek55209
Symptoms: When the ppp multilink endpoint mac lan-interface command or the ppp multilink endpoint ip ip-address command is configured, the router may unexpectedly reload if the multilink interface goes to the DOWN state, for example, when a PVC virtual circuit is unconfigured.
Conditions: This symptom is observed on a Cisco router that is configured for Multilink PPP.
Workaround: There is no workaround. Do not use these configuration commands in Cisco IOS Releases 12.3, 12.4 or 12.2SB without a fix for this DDTS.
•
CSCsd93740
Symptoms: A Cisco router that is acting as an X.25 switch, using both standard X.25 route statements and hunt groups, stops forwarding calls through hunt groups.
After a period of normal operation, the output of the show x25 hunt-group command shows the status "full" for all hunt groups whose destinations are reachable over XOT.
Hunt groups whose calls are forwarded over X.25 serial interfaces do not show this problem. When the problem is present, calls cannot be forwarded through the hunt groups, and the configured redundant routes are used instead.
Workaround: Removing and reconfiguring all X.25 routes recovers the router in some cases. In other cases a router reload is needed.
•
CSCse12198
Symptoms: Individual B-channels on the primary T1 in an NFAS group sometimes go out of service (OOS) for no apparent reason.
Conditions: This symptom is observed on a Cisco AS5400 that is connected to a Cisco PGW running Release 9.3(2), with RLM in the signaling/nailed mode.
Sometimes the ISDN service also goes OOS, and the channel state goes to 5, which is maintenance pending.
Workaround: When this happens, the ISDN service can be put back in service manually for an individual CIC, but the channel state cannot be restored manually unless the whole serial interface is bounced. This cannot be done while there is traffic on the other B-channels.
•
CSCse71875
Symptoms: A router may crash when you enter the frame-relay inverse-arp ip dlci command.
Conditions: This symptom is observed when you attempt to configure a hunt-group member.
Workaround: Do not enter the frame-relay inverse-arp ip dlci command. Rather, configure the hunt-group master dialer interface.
•
CSCse78652
Symptoms: The queuing mode on Multilink interfaces is erroneously defaulting to fair queuing instead of FIFO. This is causing distributed Cisco Express Forwarding (dCEF) to fail on Cisco 7500 routers.
Conditions: This symptom happens on all Multilink interfaces.
Workaround: There is no workaround.
•
CSCsf03251
Symptoms: Primary and backup NFAS interfaces may transition from WAIT to OOS even after receiving "in-service" message from the PSTN.
Conditions: This symptom is observed on a Cisco AS5400XM that is running several Cisco IOS 12.4 mainline and 12.4T releases.
Workaround: There is no workaround.
•
CSCsf26705
Symptoms: A Cisco router may experience an unexpected reload when using traffic shaping on a Tunnel interface together with frame relay fragmentation.
Conditions: This symptom is observed on any Cisco router which has a Tunnel interface, configured with a traffic shaping service policy containing a priority class, whose traffic goes out over a frame relay PVC, configured for frame relay traffic shaping with fragmentation and fair queuing.
Workaround: Configure a service policy on the frame relay PVC instead of using fair queuing.
•
CSCsf96318
Symptoms: QSIG (ISO) call back (ring back) fails between a Cisco 3745 router and a Cisco 1760 router.
Conditions: The call back fails.
Workaround: There is no workaround.
•
CSCsg15642
Symptoms: A PSTN gateway unexpectedly restarts because it runs out of memory. Over time, memory utilization increases, and the show processes memory sorted command indicates that the ISDN process is allocating an increasing amount of memory.
Conditions: This leak occurs when a SETUP message with Display IE is received.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(20a)
Cisco IOS Release 12.3(20a) is a rebuild release for Cisco IOS Release 12.3(20). The caveats in this section are resolved in Cisco IOS Release 12.3(20a) but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCeg62070
Symptoms: Tracebacks or a crash may be seen during HTTP transactions with long URLs.
Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.
Workaround: Disable HTTP server using the no ip http server command.
•
CSCsj44081
Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.
Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.
The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
The error message is then followed by a traceback.
It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.
Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
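The message above is meant to be triaged together with its traceback and whatever other errors appear alongside it. The following Python script is an added example, not part of this release note and not Cisco code: it scans syslog text for %DATACORRUPTION-1-DATAINCONSISTENCY, attaches the traceback line that follows, and collects any severity 0-2 messages within a few lines so they can be quoted in the service request. The sample log is constructed for the example; only the %DATACORRUPTION line copies the format shown above, and the other messages and addresses are made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample log (not a capture from a real device). The
# %DATACORRUPTION line follows the format quoted in the caveat; the
# surrounding messages are ordinary IOS syslog lines made up for the example.
SAMPLE_LOG = """\
May 17 10:01:20.101 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 0x60A1B2C4 0x60A1B5D8 0x605F1A00
May 17 10:01:27.990 UTC: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x605F1A00, pool Processor
May 17 10:05:00.000 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
"""

# "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text", as IOS emits it with
# "service timestamps log datetime msec" enabled.
MSG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+ \w+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
TRACEBACK_RE = re.compile(r"^-Traceback= (?P<frames>.*)$")


@dataclass
class Alert:
    timestamp: str
    text: str
    traceback: list[str] = field(default_factory=list)
    related: list[str] = field(default_factory=list)  # severity 0-2 messages that follow


def find_datacorruption_alerts(log: str, window: int = 3) -> list[Alert]:
    """Return one Alert per %DATACORRUPTION-1-DATAINCONSISTENCY message.

    The traceback that IOS prints right after the message is attached to
    the alert, and so is every severity 0-2 message within `window`
    lines of it, because the recommended action is to report the
    accompanying errors together with the message itself.
    """
    lines = log.splitlines()
    alerts: list[Alert] = []
    for i, line in enumerate(lines):
        m = MSG_RE.match(line)
        if not m or (m["facility"], m["mnemonic"]) != ("DATACORRUPTION", "DATAINCONSISTENCY"):
            continue
        alert = Alert(timestamp=m["ts"], text=m["text"])
        for follow in lines[i + 1 : i + 1 + window]:
            tb = TRACEBACK_RE.match(follow)
            if tb:
                alert.traceback = tb["frames"].split()
                continue
            fm = MSG_RE.match(follow)
            if fm and int(fm["sev"]) <= 2:
                alert.related.append(f"%{fm['facility']}-{fm['sev']}-{fm['mnemonic']}")
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_datacorruption_alerts(SAMPLE_LOG):
        print(a.timestamp, a.text, a.traceback, a.related)
```

The traceback addresses are what TAC decodes against the image, so keep them verbatim; the `related` list is the "other error messages" the recommended action asks you to note.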
IBM Connectivity
•
CSCsf28840
A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.
There are workarounds available for this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml
Miscellaneous
•
CSCeh15949
Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.
Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.
Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.
Further Problem Description: An example of this caveat is shown below.
When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.
Topology:
RPM-XF-(FE)-------(FE)--Router
ip: 10.10.10.2 .1
Router_RPM09_XF#show running-config
Building configuration...
Current configuration : 1190 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_RPM09_XF
!
boot-start-marker
boot system x:rpmxf-p12-mz.123-7.T3
boot system bootflash:rpmxf-p12-mz.123-7.T3
boot-end-marker
interface FastEthernet2/0
ip address 10.10.10.2 255.255.255.252
ip access-group 101 in
duplex auto
speed auto
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any
Router_RPM09_XF#show ip access-list 101
Extended IP access list 101 (Compiled)
10 deny tcp any host 10.10.10.2 eq telnet
20 permit ip any any (96 matches)
Router_RPM09_XF#
The information below shows that the access list does not function:
Router#telnet 10.10.10.2
Trying 10.10.10.2 ... Open
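The transcript shows the usual way to confirm this caveat: the deny entry never accumulates matches while the telnet it should block opens. As an added example that is not part of this release note, the following Python helper parses show ip access-list output taken before and after such a probe and reports whether the deny entry is actually being enforced. The two outputs are constructed to mirror the transcript above, and the probe result is passed in rather than performed by the script.

```python
from __future__ import annotations

import re

# Constructed "show ip access-list 101" output modelled on the transcript
# in this caveat: counters taken before and after a telnet probe to the
# filtered address. Not captured from a real RPM-XF.
BEFORE = """\
Extended IP access list 101 (Compiled)
    10 deny tcp any host 10.10.10.2 eq telnet
    20 permit ip any any (96 matches)
"""
AFTER = """\
Extended IP access list 101 (Compiled)
    10 deny tcp any host 10.10.10.2 eq telnet
    20 permit ip any any (99 matches)
"""

# One access-list entry: "<seq> <permit|deny> <rule> [(N matches)]"
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+) (?P<action>permit|deny) (?P<rule>.*?)(?: \((?P<n>\d+) match(?:es)?\))?$"
)


def parse_acl(show_output: str) -> dict[int, tuple[str, str, int]]:
    """Map sequence number -> (action, rule text, match counter)."""
    entries = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries[int(m["seq"])] = (m["action"], m["rule"], int(m["n"] or 0))
    return entries


def deny_enforced(before: str, after: str, seq: int, probe_accepted: bool) -> bool:
    """Decide whether the deny entry at `seq` actually filtered the probe.

    Two independent signals are required: the probe (here, a telnet to
    the filtered address) must have been refused, and the deny entry's
    counter must have advanced. An accepted probe or a counter that
    stays flat means traffic is bypassing the ACL, which is what this
    caveat describes.
    """
    b, a = parse_acl(before), parse_acl(after)
    if seq not in b or b[seq][0] != "deny":
        raise ValueError(f"sequence {seq} is not a deny entry")
    counter_moved = a[seq][2] > b[seq][2]
    return (not probe_accepted) and counter_moved


if __name__ == "__main__":
    # The transcript: telnet reported "Open", so the probe was accepted.
    print("deny enforced:", deny_enforced(BEFORE, AFTER, 10, probe_accepted=True))
```

Checking the counter as well as the probe matters: a refused connection with a flat deny counter usually means something other than the ACL refused it.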
•
CSCej20505
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323 and H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsb12598
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsd81407
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323 and H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsd85587
A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of this vulnerability may lead to a sustained Denial-of-Service (DoS); however, the vulnerability is not known to compromise either the confidentiality or integrity of the data or the device. It is not believed to allow an attacker to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
–
Cisco IOS, documented as Cisco bug ID CSCsd85587
–
Cisco IOS XR, documented as Cisco bug ID CSCsg41084
–
Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999
–
Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348
–
Cisco Firewall Services Module (FWSM), documented as Cisco bug ID CSCsi97695
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
•
CSCsd92405
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsd95616
Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.
•
CSCse05642
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323 and H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCse68138
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323 and H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsf04754
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
•
CSCsf08998
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323 and H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsg16908
Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.
The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.
These vulnerabilities do not apply to the IOS FTP Client feature.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.
•
CSCsg40567
Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.
Conditions: This symptom is observed on a Cisco router on which the ip http secure-server command is enabled.
Workaround: Disable the HTTPS server with the no ip http secure-server command.
•
CSCsg42519
Symptoms: A router may reload with a TLB exception (bus error) or an address error when channelized interfaces are configured.
Conditions: This behavior is observed on a Cisco router that is running Cisco IOS Release 12.3(20) when a channelized interface is configured as follows:
Router(config)# interface Serial x/y:z
Router(config-if)# frame-relay ip rtp header-compression passive
Router(config-if)# frame-relay ip rtp compression-connections number
Workaround: Shut down the interface and temporarily remove the passive attribute from the header-compression command before reducing the number of compression connections, as follows:
Router(config)# interface Serial x/y:z
Router(config-if)# shutdown
Router(config-if)# frame-relay ip rtp header-compression
Router(config-if)# frame-relay ip rtp compression-connections number
Router(config-if)# frame-relay ip rtp header-compression passive
Router(config-if)# no shutdown
Further Problem Description: The issue was not reported when using Cisco IOS Release 12.3T or 12.4.
•
CSCsg70474
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323 and H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsi01470
A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.
•
CSCsi60004
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323 and H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsi67763
The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:
http://www.kb.cert.org/vuls/id/739224
By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.
Cisco response is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
TCP/IP Host-Mode Services
•
CSCse05736
Symptoms: A router that is running RCP can be reloaded by a specific packet.
Conditions: This symptom is seen under the following conditions:
–
The router must have RCP enabled.
–
The packet must come from the source address of the designated system configured to send RCP packets to the router.
–
The packet must have a specific data content.
Workaround: Apply access lists at the edge of your network that block RCP packets, so that spoofed RSH/RCP packets cannot reach the router. Use another protocol, such as SCP, instead of RCP. Apply VTY access lists.
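The workarounds in this section come down to turning off optional management-plane services and restricting who can reach the VTYs: no ip http server (CSCeg62070), no ip http secure-server (CSCsg40567), leaving the IOS FTP server disabled (CSCsg16908), and replacing RCP/RSH with SCP behind VTY access lists (CSCse05736). The following Python script is an added example, not part of this release note and not Cisco code: it audits a saved running-config for those services and for VTY lines with no inbound access-class. The two configurations it checks are constructed for the example; the hardened one assumes SSH and AAA are already set up so that ip scp server enable and transport input ssh work, and 192.0.2.0/24 stands in for the management network.

```python
from __future__ import annotations

import re

# Constructed running-config excerpts (not from any device on this page).
# WEAK_CONFIG enables every optional management service the caveats in
# this section touch; HARDENED_CONFIG is the same box with them turned
# off, SCP in place of RCP, and the VTYs restricted to the management net.
WEAK_CONFIG = """\
hostname edge1
ip http server
ip http secure-server
ftp-server enable
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host admin 192.0.2.10 admin enable
line vty 0 4
 login local
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname edge1
no ip http server
no ip http secure-server
ip scp server enable
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

# (command that enables the service, finding text, caveat it relates to)
SERVICE_CHECKS = [
    ("ip http server", "HTTP server enabled", "CSCeg62070"),
    ("ip http secure-server", "HTTPS server enabled", "CSCsg40567"),
    ("ftp-server enable", "IOS FTP server enabled", "CSCsg16908"),
    ("ip rcmd rcp-enable", "RCP enabled", "CSCse05736"),
    ("ip rcmd rsh-enable", "RSH enabled", "CSCse05736"),
    ("ip rcmd remote-host", "rcmd trust relationship configured", "CSCse05736"),
]

ACCESS_CLASS_IN_RE = re.compile(r"^\s+access-class \S+ in\b")


def audit_services(config: str) -> list[str]:
    """Return one finding per exposed service or unrestricted VTY block."""
    findings: list[str] = []
    lines = [l.rstrip() for l in config.splitlines()]

    # Global commands: an exact line or the command followed by arguments.
    # "no ip http server" does not match because it starts with "no ".
    for l in lines:
        for cmd, what, bug in SERVICE_CHECKS:
            if l == cmd or l.startswith(cmd + " "):
                findings.append(f"{what} ({cmd}) - see {bug}")

    # Line blocks: every "line vty ..." block needs an inbound access-class.
    in_vty = has_access_class = False
    for l in lines + [""]:  # sentinel flushes a block that ends the config
        if in_vty and not l.startswith(" "):  # block ended
            if not has_access_class:
                findings.append("VTY lines without an inbound access-class")
            in_vty = False
        if l.startswith("line vty"):
            in_vty, has_access_class = True, False
        elif in_vty and ACCESS_CLASS_IN_RE.match(l):
            has_access_class = True
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_services(cfg) or ["no findings"])
```

The edge ACL that the workaround asks for is outside this check, since it lives on a different device; the VTY access-class is the router-side half of the same control.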
Resolved Caveats—Cisco IOS Release 12.3(20)
This section describes possibly unexpected behavior by Cisco IOS Release 12.3(20). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(20). This section describes severity 1 and 2 caveats and select severity 3 caveats.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCed21186
Symptoms: Incorrect "output IFMIB" counters are observed on the main interface.
Conditions: This symptom has been observed on a Cisco 7500 series router running Cisco IOS Release 12.0(25)S1 when an 802.1q VLAN is configured with Committed Access Rate (CAR). The "output CLI" and "input SNMP/CLI" counters are correct.
Workaround: There is no workaround.
•
CSCin99788
Symptoms: An %AAA-3-ACCT_LOW_MEM_TRASH error message is generated when a low-memory condition occurs. When this situation occurs, a memory leak may occur in AAA data.
Conditions: This symptom is observed when an interface flaps and causes a very large number of sessions to go down simultaneously, in turn generating a very large number of accounting stop records. In this situation, I/O memory may be held for a long time while accounting records are sent, when the AAA server is slow or unreachable.
Workaround: There is no workaround.
•
CSCsc91735
Symptoms: CyBus errors may occur during an HA switchover, causing most VIPs to be disabled on a Cisco 7500 series.
Conditions: This symptom is observed when MLP Multilink interfaces are configured on channelized T3 (CT3) port adapters.
Workaround: Reload microcode onto all affected VIPs.
•
CSCsc97727
Symptoms: An access point may crash when you add or remove TACACS servers via the CLI.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(7)JA1 or Release 12.3(7)JA2 and that has the aaa accounting commands level default list-name group groupname command enabled. The symptom may also occur in other releases.
Workaround: Disable the aaa accounting commands level default list-name group groupname command.
Alternate Workaround: Use RADIUS instead of TACACS.
•
CSCsd55847
Symptoms: A ping does not go through completely.
Conditions: This symptom is observed after you have entered the microcode reload command.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
•
CSCse10074
Symptoms: A router may crash when SNMP traps are sent. The crash happens only when an SNMPv3 user is configured with the noauth or auth security model and the snmp-server host command then names the same SNMPv3 user with the priv security model. This is an invalid configuration.
Conditions: The problem always occurs when traps are triggered after the following configuration is applied:
snmp-server user TESTUSER TESTUSER v3
snmp-server group TESTUSER v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
snmp-server host 10.1.1.10 version 3 priv TESTUSER
snmp-server enable traps
Workaround: Do not apply the mismatched configuration. Configure the SNMPv3 user at the security level that the snmp-server host command requests.
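As an added example that is not part of this release note, the following Python check models the mismatch in this caveat: it reads the snmp-server commands as applied and reports every v3 trap or inform host whose requested security level (noauth, auth or priv) is higher than the level the named user was created with. The configurations are constructed; the user names and passwords are placeholders. Note that IOS does not echo snmp-server user lines in show running-config, so feed the check the commands you applied and use show snmp user to confirm what is actually in place.

```python
from __future__ import annotations

import re

# Constructed configurations. BAD_CONFIG reproduces the shape of the
# caveat's misconfiguration: the v3 user has neither auth nor priv keys,
# yet the trap host names it at the priv level. GOOD_CONFIG gives the
# user and the host matching security levels (placeholder passwords).
BAD_CONFIG = """\
snmp-server user TESTUSER TESTUSER v3
snmp-server group TESTUSER v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
snmp-server host 10.1.1.10 version 3 priv TESTUSER
snmp-server enable traps
"""

GOOD_CONFIG = """\
snmp-server group TESTUSER v3 priv
snmp-server user TESTUSER TESTUSER v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
snmp-server host 10.1.1.10 version 3 priv TESTUSER
snmp-server enable traps
"""

LEVELS = {"noauth": 0, "auth": 1, "priv": 2}

# snmp-server user <name> <group> v3 [auth <proto> <pw> [priv <proto> [bits] <pw>]]
USER_RE = re.compile(r"^snmp-server user (?P<name>\S+) (?P<group>\S+) v3(?P<rest>.*)$")
# snmp-server host <addr> [traps|informs ...] version 3 <level> <user> ...
HOST_RE = re.compile(
    r"^snmp-server host (?P<addr>\S+)(?: \S+)*? version 3 (?P<level>noauth|auth|priv) (?P<user>\S+)"
)


def user_levels(config: str) -> dict[str, str]:
    """Highest security level each SNMPv3 user can actually satisfy."""
    users: dict[str, str] = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue
        words = m["rest"].split()
        if "priv" in words:
            users[m["name"]] = "priv"
        elif "auth" in words:
            users[m["name"]] = "auth"
        else:
            users[m["name"]] = "noauth"
    return users


def snmpv3_host_mismatches(config: str) -> list[str]:
    """Hosts that demand a security level the named v3 user cannot provide."""
    users = user_levels(config)
    problems: list[str] = []
    for line in config.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        have = users.get(m["user"])
        if have is None:
            problems.append(f"host {m['addr']}: v3 user {m['user']} is not defined")
        elif LEVELS[m["level"]] > LEVELS[have]:
            problems.append(f"host {m['addr']}: wants {m['level']} but user {m['user']} is {have}")
    return problems


if __name__ == "__main__":
    print("bad: ", snmpv3_host_mismatches(BAD_CONFIG) or ["no mismatches"])
    print("good:", snmpv3_host_mismatches(GOOD_CONFIG) or ["no mismatches"])
```

The group's level is deliberately not used as a substitute for the user's: in the caveat the group already says priv, and it is the user's missing keys that matter when the trap is built.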
•
CSCse49728
Symptoms: SNMPv3 informs are not sent out after a device reload.
Conditions: This symptom is observed when SNMPv3 informs have been configured, and the device is reloaded.
Workaround: Re-enter any of the snmp-server host commands.
•
CSCse52503
Symptoms: An RSP may generate tracebacks.
Conditions: This symptom is observed on a Cisco router that is configured for dCEF when you reload microcode onto the RSP. Note that the symptom is platform-independent.
Workaround: There is no workaround.
IBM Connectivity
•
CSCse17611
Symptoms: When DLSw Ethernet Redundancy is configured, circuits may be established through the wrong switch.
Conditions: This symptom is observed in the following configuration:
–
Clients are connecting to MAC A.
–
Mapping statements are configured so that Switch 1 has a mapping of MAC A = MAC A and Switch 2 has a mapping of MAC B = MAC A.
The output of the show dlsw transparent map command shows that Switch 1 has the active mapping and that Switch 2 has the passive mapping. All circuits should be established on Switch 1, but instead they are established on Switch 2.
The outputs of the show dlsw trans neighbor and show dlsw trans map commands show correct information, but the output of the show dlsw cir cache command shows state "negative" on Switch 1 and state "positive" on Switch 2.
Workaround: There is no workaround. Note that all circuits are up and running, but they just go through the wrong router.
Interfaces and Bridging
•
CSCin97786
Symptoms: An online insertion and removal (OIR) of a Versatile Interface Processor (VIP) that is installed in a Cisco 7500 series may cause the Route Switch Processor (RSP) to stop responding.
Conditions: This symptom is observed when two FDDI port adapters are installed in the VIP.
Workaround: There is no workaround.
•
CSCsc66187
Symptoms: Error messages such as the following one may be generated on a Cisco 7500 series or Cisco 7600 series:
%CWPA-3-IPCALLOCFAIL: Failed to allocate IPC buffer for loveletter data
Conditions: This symptom is observed on a Cisco 7500 series and Cisco 7600 series that are configured with a 1-port Packet-over-SONET OC-3c/STM-1 multimode port adapter (PA-POS-OC3MM) when you enter the no shutdown interface configuration command on the interface.
Workaround: There is no workaround.
•
CSCsd40136
Symptoms: POS interfaces may remain in the up/down state after the router is upgraded to Cisco IOS interim 121-26.E6 image.
Conditions: This symptom has been observed on Cisco Catalyst 6500 series and Cisco 7600 series routers.
Workaround: Reload the FlexWAN or VIP in which the POS port adapter is installed.
•
CSCse61893
Symptoms: A ping from a channelized T3 (CT3) port adapter may fail.
Conditions: This symptom is observed on a Cisco platform that is configured with a CT3 port adapter that functions in unchannelized mode.
Workaround: There is no workaround.
IP Routing Protocols
•
CSCed84633
Symptoms: The interface-type and interface-number arguments in the distribute-list address family configuration command do not function.
Conditions: This symptom is observed on a Cisco platform that integrates the fix for caveat CSCea59206. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea59206. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: There is no workaround.
Further Problem Description: The fix for CSCed84633 re-enables the interface-type and interface-number arguments in the distribute-list address family configuration command for both VRF interfaces and non-VRF interfaces.
•
CSCek31478
Symptoms: When you modify an access control list (ACL) by entering the ip multicast boundary command, the command may not fully take effect.
Conditions: This symptom is observed on a Cisco 12000 series that runs Cisco IOS Release 12.0(28)S4 or Release 12.0(32)S but appears to be platform- and release-independent.
Workaround: Disable and re-enter the ip multicast boundary command.
Alternate Workaround: Enter the clear ip mroute * command.
•
CSCsc10494
Symptoms: When an inter-area, external, or Not-So-Stubby Area (NSSA) route is learned via a link state update that follows the initial database synchronization, the route may not be added to the routing table by a partial shortest path first (SPF) computation even though the LSA is installed in the link state database. A subsequent full SPF computation causes the route to be added.
Conditions: This symptom is observed on a Cisco router and is most likely to occur when a large number of type 3, type 5, or type 7 LSAs are advertised and withdrawn.
Workaround: Trigger an action that causes a full SPF computation.
•
CSCsd64173
Symptoms: A router may reload unexpectedly because of a bus error crash after you have removed a summary-prefix IPv6 OSPF command.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18)SXF but may also occur in other releases. The symptom occurs only when the summary-prefix IPv6 OSPF command is configured without any redistribute commands.
Workaround: Configure a redistribute command under the IPv6 OSPF configuration.
•
CSCse51804
This caveat consists of two symptoms, two conditions, and two workarounds:
Symptom 1: A DMVPN tunnel may flap at regular intervals. The NHRP cache entry at the hub expires a long time before its expiration time.
Condition 1: These symptoms are observed on a Cisco router that runs Cisco IOS Release 12.4 when the DMVPN tunnel is up and when you enter the show ip nhrp brief and clear ip nhrp commands. When the tunnel comes up again (because of the NHRP registration by the spoke), the NHRP cache entry expires a long time before its expiration time.
Workaround 1: Do not enter the show ip nhrp brief command.
Symptom 2: A DMVPN tunnel may flap at regular intervals. The NHRP cache entry at the hub expires a long time before its expiration time.
Condition 2: These symptoms are observed on a Cisco router that runs Cisco IOS Release 12.4(6)T or a later release and occur without any specific action.
Workaround 2: There is no workaround.
ISO CLNS
•
CSCsd87651
Symptoms: A Cisco router that is configured for RPR or RPR+ may reload its standby RP when a configuration change is made to IS-IS.
The reload of the standby RP is preceded by the following error messages:
%HA-3-SYNC_ERROR: Parser no match.
%HA-5-SYNC_RETRY: Reloading standby and retrying sync operation (retry 1).
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4. Note, however, that the symptom is platform-independent for Release 12.4 and its derivatives. Any of the IS-IS global configuration commands may trigger the symptom. Following are a few examples of these IS-IS global configuration commands:
–
is-type level-2-only
–
lsp-gen-interval level-2 5 50 100
–
redistribute eigrp
Workaround: There is no workaround.
Miscellaneous
•
CSCec15400
Symptoms: A Versatile Interface Processor 4 (VIP4) with an E1 controller may reload unexpectedly and display the following error message:
%ALIGN-1-FATAL: Illegal access to a low address
addr=0x28, pc=0x604716A8, ra=0x604711FC, sp=0x60D66628
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.2(15)T2, Release 12.2(15)T5, or Release 12.3.
Workaround: There is no workaround.
•
CSCeh18855
Symptoms: A router may crash when you attempt to unconfigure a service policy.
Conditions: This symptom is observed on a Cisco router that is configured for Network Based Application Recognition (NBAR).
Workaround: There is no workaround.
•
CSCek26492
Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
Conditions: This caveat resolves a symptom of CSCec71950. Cisco IOS releases that include the fix for CSCec71950 are not at risk of this crash.
Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
•
CSCek37177
The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.
This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers.
This issue is documented as Cisco bug ID CSCek37177.
There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
•
CSCek37686
Symptoms: A Cisco AS5350 may reload because of a bus error (SIG=10).
Conditions: This symptom is observed when SNMP is configured and when SNMP queries are made into the Cisco AS5350.
Workaround: Disable SNMP or stop polling the router.
•
CSCek38939
Symptoms: The input error counter may not be incremented for packet errors such as runts, CRC errors, and overrun errors.
Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1.
Workaround: There is no workaround.
•
CSCek47283
Symptoms: A router cannot be reloaded by entering the reload command, and the following message is displayed when you attempt to reload the router:
The startup configuration is currently being updated. Try again.
Conditions: This symptom is observed under rare conditions and may be triggered after an "Invalid pointer value in private configuration structure" error message is displayed (as seen in caveat CSCin98933). This symptom is observed in Cisco IOS interim Release 12.3(19.7), interim Release 12.4(6.5), and interim Release 12.4(6.5)T, and in later releases.
Workaround: There is no workaround.
•
CSCsb53884
Symptoms: A Cisco 7200 series may hang, stop forwarding traffic, and stop responding to the console.
Conditions: This symptom is observed on a Cisco 7200 series that has the ip audit command enabled.
Workaround: There is no workaround.
•
CSCsb93407
Symptoms: With H323 call service stopped, the router still listens on tcp port 1720 and completes connection attempts.
Conditions: After H323 is disabled using the configuration commands:
voice service voip
h323
call service stop
Workaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.
For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document: http://www.cisco.com/warp/public/707/tacl.html
For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document: http://www.cisco.com/warp/public/707/iacl.html
For information about using control plane policing to block access to TCP port 1720, see the "Deploying Control Plane Policing White Paper:" http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html
•
CSCsc11636
Symptoms: A router requires a very long time to boot (more than 5 minutes, potentially hours). Also, changes to the QoS configuration may require long times.
Conditions: This symptom is observed when the QoS configuration has a complex arrangement of many policies that reference many access control entries (ACEs) through a number of class maps. The time required is, roughly, proportional to the number of combinations of interfaces, policies, classes, and ACEs. For example, if each of 200 interfaces has a QoS policy, each policy uses five class maps, each class map references two ACLs, and each ACL has 30 entries, there are 60,000 combinations.
Workaround: Either reduce the number of combinations of interfaces, policies, class maps, and ACEs, or load the configuration in two stages. The first stage (from NVRAM) should contain the interface and ACL definitions, and the second stage (from another file) should contain the classes and policies.
•
CSCsc72722
Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.
Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.
Workaround: There is no workaround.
•
CSCsc79700
Symptoms: URL filtering takes an excessively long time to revert to the allow mode if a URL Filtering Server is unavailable.
Conditions: This symptom is observed when a communication loss occurs between the router and the URL Filtering Server because of a failure or an excessive load on the URL Filtering Server, or because of a network connectivity failure between the router and the URL Filtering Server.
Workaround: There is no workaround.
•
CSCsd04075
Symptoms: The voice ports of a Cisco IOS Voice over IP (VoIP) gateway that terminates fax calls may lock up and not accept any new calls. The following error messages may be generated on the console or syslog (if enabled):
%HPI-3-CODEC_NOT_LOADED: channel:2/0/0 (171) DSP ID:0x1, command failed as codec not loaded 0
- Traceback= 615D2FA8 615C8528 617D5044 617D5258 61BBCD44 61BBD764 617BAE88 617BBD38 6138720C
Conditions: This symptom is observed on a Cisco 3600 series router but is not platform-dependent.
Workaround: Disable T.38 and use fax passthrough.
•
CSCsd13920
Symptoms: CEF switching is broken for voice traffic on some interfaces, which breaks the transcoding feature. The caller then experiences no voice path.
Conditions: This symptom has been observed on some network modules and interfaces.
Workaround: Disable the ip cef command.
•
CSCsd28214
Symptoms: A Cisco router that is running Cisco IOS Release 12.3(19) may crash because of a watchdog timeout while running the RIP routing protocol.
Conditions: The router may crash because of a watchdog timeout if an interface changes state at the exact moment a RIP route learned on that interface is being replaced by a redistributed route with a better metric. For example, RIP has learned the 192.168.1.0 network from Fast Ethernet 1/0. If RIP then learns the 192.168.1.0 network from a redistributed protocol that has a better metric, the RIP route is removed. If, during this time, the Fast Ethernet 1/0 interface goes down, the router may crash because of a watchdog timeout.
Workaround: There is no workaround.
•
CSCsd46323
Symptoms: The standby RP reboots when you perform an OIR of an active VIP that is installed in any slot of the router.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS interim Release 12.4(7.10) and that is configured for RPR, RPR+, or SSO. The symptom may also affect other releases.
Workaround: There is no workaround.
•
CSCsd61780
Symptoms: A router crashes because of errors from checkheaps.
Conditions: This symptom is observed when hundreds of CLI commands are entered in virtual-template mode.
Workaround: There is no workaround.
•
CSCsd65289
Symptoms: When applying a service-policy to a subinterface, the router crashes.
Conditions: This problem happens on an ATM subinterface with a large amount of subinterfaces with service-policies applied.
Workaround: There is no workaround.
•
CSCsd69480
Symptoms: The following error message is displayed when links flap on a FlexWAN2 with an STM-1 port adapter, and the interface statistics show line errors for the flapping line:
%HYPERION-4-HYP_RESET: Hyperion Error Interrupt Resetting ASIC
Conditions: This symptom is observed on a Cisco 7600 series router with a PA-MC-STM1 port adapter that runs Cisco IOS Release 12.2(17d)SXB9.
Workaround: There is no workaround.
•
CSCsd74000
Symptoms: A slot controller such as a slot controller of a VIP4-80 may reset because of a TLB (load or instruction fetch) exception.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(17b) or Release 12.4, that has T1 or E1 port adapters installed in the slot that is controlled by the slot controller that resets, and that has NBAR configured.
Workaround: Remove the NBAR configuration.
•
CSCsd76528
This caveat consists of two symptoms, two conditions, and two workarounds:
Symptom 1: None of the policy classes after the first child policy of a hierarchical QoS policy take effect when you reload the router.
Condition 1: This symptom is observed on a Cisco 7304 that has hierarchical QoS policies with multiple child policies but may also occur on other platforms.
Workaround 1: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the service-policy output interface configuration command to enable the child policies to take effect. Note that the symptom does not occur for a hierarchical QoS policy with only one child policy in the very last class of the parent policy.
Symptom 2: On a Cisco 10000 series that is configured with hierarchical queueing policies, when you remove the match vlan command for a VLAN that matches a dot1q subinterface, the queues that are allocated to the subinterface are not cleared, allowing traffic to continue to flow through these queues.
Condition 2: This symptom is observed on a Cisco 10000 series that has hierarchical QoS policies with multiple child policies but may also occur on other platforms.
Workaround 2: There is no workaround. Note that the symptom does not occur for a hierarchical QoS policy with only one child policy in the very last class of the parent policy.
•
CSCsd80754
Symptoms: The active router in an HSRP configuration may not respond to an ARP request for the virtual IP address. When the symptom occurs, both routers in the HSRP configuration have correct HSRP and ARP entries. Entering the clear arp command on the standby router in the HSRP configuration does not resolve the problem.
Conditions: This symptom is observed when the same HSRP virtual IP address exists in different HSRP groups on different routers.
Workaround: Enter the no standby redirects command to prevent the symptom from occurring.
•
CSCsd85852
Symptoms: When a PVC is being shut down on the remote side, the PVC subinterface on the Cisco 10000 router transitions from down to up within one second, and then stays down after the down retry timers expire. This is seen when using OAM and DBS.
Conditions: This symptom is observed on a Cisco 10008 that is using Cisco IOS Release 12.3(7)XI7a.
Workaround: There is no workaround.
•
CSCsd93522
Symptoms: An NPE-G2 crashes when you first enter the no ima-group command, then you enter the atm vc command for the IMA group, and finally you enter the show vc command.
Conditions: This symptom is observed on a Cisco 7200 series that is configured with an IMA port adapter.
Workaround: First configure an IMA group. Then, configure a VC for this IMA group.
•
CSCsd95616
Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.
•
CSCse17175
Symptoms: The line protocol may go down on some of the serial interfaces of a 1-port multichannel STM-1 single mode port adapter.
Conditions: This symptom is observed on a Cisco router when the maximum number of channel groups (256) is configured on the port adapter.
Workaround: There is no workaround.
•
CSCse25166
Symptoms: A traceback may be generated when you enter the show funi pvc interface serial x/y command.
Conditions: This symptom is observed on a Cisco router when a null data structure is accessed.
Workaround: There is no workaround.
•
CSCse25331
Symptoms: After upgrading the Cisco IOS software on a Cisco 7200 series router that is using a PA-A3-IMA, shaping accuracy problems can be observed. The PVC is shaped at a rate higher than the configured value.
Conditions: This problem is observed on a Cisco 7200 series router.
Workaround: There is no workaround.
•
CSCse42991
Symptoms: A memory leak may occur in the CEF Scanner process of a Cisco 7200 VXR router that has an NPE-G1 processor when a virtual-template interface is configured to perform CEF load balancing on a per-packet basis instead of a per-destination basis.
Conditions: This symptom is observed on a 7204VXR that functions as an LNS and that runs the c7200-js-mz image of Cisco IOS Release 12.3(15) or the 7200-js-mz image of Cisco IOS Release 12.3(19). The symptom may also occur in other releases.
Workaround: Use the default CEF load balancing on a per-destination basis. If you need to configure load balancing on a per-packet basis, disable IP CEF accounting by entering the no ip cef accounting per-prefix non-recursive command.
•
CSCse45425
Symptoms: A VAM2 may reset when it receives a malformed ESP packet, and a "Free Pool stuck" error message may be generated. This situation causes high CPU usage in the encryption process while the software is handling the encryption as opposed to the hardware. Even when the VAM2 recovers, the high CPU usage remains because the software-encrypted tunnels do not fall back to hardware encryption until the SA lifetime expires.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(19) or Release 12.4(7a).
Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred and after the VAM2 has recovered, disable software encryption by entering the no crypto engine software ipsec command to force the encryption back to the hardware.
•
CSCse52987
Symptoms: The line protocol on a newly configured SRP interface may remain down and does not come up after you have entered the no shutdown command.
Conditions: This symptom is observed on a Cisco router that has an SRP/DPT port adapter.
Workaround: There is no workaround.
•
CSCse55522
Symptoms: A Versatile Interface Processor (VIP) with CT3 PA crashes continuously.
Conditions: This symptom is observed on a Cisco router that is running Cisco IOS interim Release 12.4(9.9).
Workaround: There is no workaround.
Terminal Service
•
CSCej00344
Symptoms: A Cisco router that is configured for X.25 routing may reload unexpectedly.
Conditions: The problem is experienced in Cisco IOS Release 12.3(14)T2 with X.25-over-TCP (XOT) configuration.
Workaround: There is no workaround.
Wide-Area Networking
•
CSCek40618
Symptoms: A router may crash by address error (load or instruction fetch) exception during normal operation.
Conditions: This symptom has been observed when the router is configured with VPDN and Multilink PPP, using Virtual-Template interfaces.
Workaround: There is no workaround.
•
CSCsd38761
Symptoms: A router may crash when the AAA per-user attribute idletime is specified in the user profile.
Conditions: This symptom is observed on a Cisco router that is configured for PPP and AAA.
Workaround: Do not specify the AAA per-user attribute idletime in the user profile.
•
CSCsd74130
Symptoms: When an HSSIRSET, SERRSET, or FDDIRSET error message is generated or when the output becomes stuck, a VIP does not come up during its first recovery attempt.
Conditions: This symptom is observed on a Cisco platform that is configured with a VIP when a CCB timeout occurs during an IDB reset or when the output becomes stuck.
Workaround: There is no workaround.
•
CSCse05777
Symptoms: A router may reload unexpectedly when you configure more multilink interfaces than the maximum number that the router can support. The router should not reload but should generate an error message.
Conditions: This symptom is observed on any Cisco router that imposes a limit on the number of multilink interfaces.
Workaround: Do not exceed the maximum number of multilink interfaces.
•
CSCse38823
Symptoms: A multihop router fails to establish a session from a LAC. A CDN is sent with one of the following reasons:
L2TP: disconnect (AAA) IETF: 15/service-unavailable Ascend: 67/VPDN Softshut/Session Limit
L2TP: disconnect (L2X) IETF: 9/nas-error Ascend: 62/VPDN No Resources
Conditions: This problem can occur on either a multihop LAC or a simple LAC that accepts dial-in, if the LAC has multiple destination LNSs configured in a vpdn-group and the LNSs have a per-vpdn-group session limit configured in the vpdn-groups that accept the sessions from the LAC.
Workaround 1: Configure the minimal L2TP tunnel busy timeout value (5 seconds) in the vpdn-group on the LAC that experiences the problem. The CLI is as follows:
l2tp tunnel busy timeout 5
Workaround 2: Do not configure load balancing.
Workaround 3: Create loopback interfaces on the LNSs so that different vpdn-groups on the LACs use distinct loopback addresses on the LNSs. When a LAC receives a "busy" CDN from an LNS, the LAC then places only the LNS address for the corresponding vpdn-group on its busy list, without affecting the capacity of the other vpdn-groups to accept new sessions.
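The following Cisco IOS configuration is an added example and is not part of the original caveat text. It shows Workaround 1 and Workaround 3 applied together: on the LNS, each accepting vpdn-group is bound to its own loopback address with its own session limit, and on the LAC each request-dialin vpdn-group targets exactly one of those addresses and identifies itself with its own local name, so a busy CDN from one LNS address only affects the group that uses it. The host names, domain names, loopback addresses, group names, and session limits are placeholders, and the LNS side assumes that a Virtual-Template1 interface already exists.

```cisco
! ---- LNS ----
! One loopback per accepting vpdn-group. Each group is selected by the
! local name the LAC presents and carries its own session limit.
interface Loopback1
 ip address 10.255.0.1 255.255.255.255
!
interface Loopback2
 ip address 10.255.0.2 255.255.255.255
!
vpdn enable
!
vpdn-group ACCEPT-A
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC1-A
 source-ip 10.255.0.1
 session-limit 500
!
vpdn-group ACCEPT-B
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname LAC1-B
 source-ip 10.255.0.2
 session-limit 500
!
! ---- LAC ----
! Each group initiates to a single, distinct LNS address (no load
! balancing across several initiate-to addresses, per Workaround 2) and
! keeps busy-list entries for the minimum 5 seconds (Workaround 1).
vpdn enable
!
vpdn-group TO-LNS-A
 request-dialin
  protocol l2tp
  domain example-a.net
 initiate-to ip 10.255.0.1
 local name LAC1-A
 l2tp tunnel busy timeout 5
!
vpdn-group TO-LNS-B
 request-dialin
  protocol l2tp
  domain example-b.net
 initiate-to ip 10.255.0.2
 local name LAC1-B
 l2tp tunnel busy timeout 5
!
! Verification: "show vpdn tunnel" on both devices. When ACCEPT-A reaches
! its session limit and returns a busy CDN, new sessions for
! example-b.net must still be accepted through 10.255.0.2.
```

The point of the separate loopbacks is that the LAC keys its busy list on the LNS address: with a single shared LNS address, one group hitting its session limit would mark that address busy for every group on the LAC.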
•
CSCse78652
Symptoms: The queuing mode on Multilink interfaces is erroneously defaulting to fair queuing instead of FIFO. This is causing distributed Cisco Express Forwarding (dCEF) to fail on Cisco 7500 routers.
Conditions: This symptom happens on all Multilink interfaces.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(19a)
Cisco IOS Release 12.3(19a) is a rebuild release for Cisco IOS Release 12.3(19). The caveats in this section are resolved in Cisco IOS Release 12.3(19a) but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCeg62070
Symptoms: Tracebacks or a crash may be seen during HTTP transactions with long URLs.
Conditions: The crash is seen when any token in the URL of the request is excessively long.
Workaround: Disable HTTP server using the no ip http server command.
•
CSCse85200
Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.
Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.
Workaround: Disable CDP on interfaces where it is not necessary.
•
CSCsj44081
Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.
Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.
The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
The error message is then followed by a traceback.
It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.
Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
IBM Connectivity
•
CSCsf28840
A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.
There are workarounds available for this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml.
Miscellaneous
•
CSCeh15949
Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.
Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.
Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.
Further Problem Description: An example of this caveat is shown below.
When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.
Topology:
RPM-XF (FE, 10.10.10.2) -------- (FE, 10.10.10.1) Router
Router_RPM09_XF#show running-config
Building configuration...
Current configuration : 1190 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_RPM09_XF
!
boot-start-marker
boot system x:rpmxf-p12-mz.123-7.T3
boot system bootflash:rpmxf-p12-mz.123-7.T3
boot-end-marker
interface FastEthernet2/0
ip address 10.10.10.2 255.255.255.252
ip access-group 101 in
duplex auto
speed auto
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any
Router_RPM09_XF#show ip access-list 101
Extended IP access list 101 (Compiled)
10 deny tcp any host 10.10.10.2 eq telnet
20 permit ip any any (96 matches)
Router_RPM09_XF#
The information below shows that the access list does not function:
Router#telnet 10.10.10.2
Trying 10.10.10.2 ... Open
•
CSCsb12598
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
•
CSCsb93407
Symptoms: When H323 call service stops, the router still listens on TCP port 1720 and completes connection attempts.
Conditions: This symptom occurs after H323 is disabled using the following configuration commands:
voice service voip
 h323
  call service stop
Workaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.
For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document at http://www.cisco.com/warp/public/707/tacl.html
For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document at http://www.cisco.com/warp/public/707/iacl.html.
For information about using control plane policing to block access to TCP port 1720, see the "Deploying Control Plane Policing White Paper" at http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml.
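The following configuration is an added example, not part of the release note or of the documents linked above. It shows both mitigations the workaround describes: an interface access list that drops TCP port 1720 traffic addressed to the router itself, and a control plane policing (CoPP) policy that drops the same traffic on every interface at once. The addresses are assumed values: 192.0.2.0/24 is taken to contain every interface address of the router, and Serial0/0 is taken to be the interface facing the untrusted network.

```cisco
! Added example (not from the release note). Blocks H.323 call signaling
! (TCP/1720) aimed at the router so the lingering listener cannot be reached.
! 192.0.2.0/24 is assumed to hold all of the router's interface addresses.
!
! (a) Interface access list, applied inbound on each untrusted interface.
!     Transit traffic to other hosts on port 1720 is still permitted.
ip access-list extended PROTECT-H323
 deny   tcp any 192.0.2.0 0.0.0.255 eq 1720
 permit ip any any
!
interface Serial0/0
 ip access-group PROTECT-H323 in
!
! (b) Control plane policing, where the image supports it. Only traffic punted
!     to the route processor reaches this policy. "permit" entries in the ACL
!     select what the class matches; the policer then drops everything matched.
ip access-list extended COPP-H323
 permit tcp any any eq 1720
!
class-map match-all COPP-H323-CLASS
 match access-group name COPP-H323
!
policy-map COPP
 class COPP-H323-CLASS
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
```

To verify, repeat the connection attempt that exposes the caveat (a telnet to port 1720 of one of the router's addresses): it should now fail rather than report "Open". The match counters in show ip access-lists PROTECT-H323 and show policy-map control-plane confirm that the attempts are being dropped. With the interface ACL alone, any interface that does not carry the access list, and any router address that is not covered by the deny entry (loopbacks included), remains reachable, which is why the CoPP form is preferable where it is available.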
•
CSCsc72722
Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.
Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.
Workaround: There is no workaround.
•
CSCsd81407
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsd85587
A vulnerability has been discovered in a third-party cryptographic library that is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).
Successful repeated exploitation of this vulnerability may lead to a sustained denial of service (DoS); however, the vulnerability is not known to compromise either the confidentiality or integrity of the data or the device. It is not believed to allow an attacker to decrypt any previously encrypted information.
The vulnerable cryptographic library is used in the following Cisco products:
–
Cisco IOS, documented as Cisco bug ID CSCsd85587
–
Cisco IOS XR, documented as Cisco bug ID CSCsg41084
–
Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999
–
Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348
–
Cisco Firewall Services Module (FWSM), documented as Cisco bug ID CSCsi97695
This vulnerability is also being tracked by CERT/CC as VU#754281.
Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.
Note: Another related advisory is posted together with this advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release that fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
•
CSCsd92405
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.
Successful repeated exploitation of any of these vulnerabilities may lead to a sustained denial of service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.
Cisco IOS is affected by the following vulnerabilities:
–
Processing ClientHello messages, documented as Cisco bug ID CSCsb12598
–
Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304
–
Processing Finished messages, documented as Cisco bug ID CSCsd92405
Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml
Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
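The SSL caveats CSCsb12598 and CSCsd92405 above say that workarounds exist but do not reproduce them. The configuration below is an added example, not part of the release note or the advisory, showing how to reduce the exposure of the HTTPS server, which is assumed here to be the SSL service the router offers, until fixed software is installed. The management network 192.0.2.0/24 is an assumed value.

```cisco
! Added example (not from the release note). Two ways to limit who can start
! an SSL handshake with the router's HTTPS server. 192.0.2.0/24 is assumed to
! be the management network.
!
! (a) If HTTPS management is not needed, turn the listener off. The plaintext
!     HTTP server is disabled as well since it is not needed when SSH or the
!     console is used for management.
no ip http secure-server
no ip http server
!
! (b) If HTTPS is needed, accept it only from management hosts. The standard
!     ACL matches source addresses and applies to both HTTP and HTTPS.
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny   any log
ip http access-class 20
ip http secure-server
```

Confirm the result with show ip http server status and show ip http server secure status, which report whether each listener is enabled and which access class is applied. Restricting the source addresses narrows who can send the malformed handshake messages; it does not change the parsing code, so any host that remains permitted can still trigger the crash, and the fixed software is the only complete remedy.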
•
CSCsd95616
Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.
•
CSCse45425
Symptoms: A VAM2 may reset when it receives a malformed ESP packet, and a "Free Pool stuck" error message may be generated. This situation causes high CPU usage in the encryption process while the software is handling the encryption as opposed to the hardware. Even when the VAM2 recovers, the high CPU usage remains because the software-encrypted tunnels do not fall back to hardware encryption until the SA lifetime expires.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(19) or Release 12.4(7a).
Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred and after the VAM2 has recovered, disable software encryption by entering the no crypto engine software ipsec command to force the encryption back to the hardware.
•
CSCse56501
A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.
Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.
•
CSCse68138
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.245
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
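For both voice caveats above (CSCsd81407 and CSCse68138) the only workaround is to disable the protocol or feature itself. The configuration below is an added example, not part of the release note or the advisory, showing how the SIP, H.323 and MGCP services can be stopped on a router that does not need them. Availability of the call service stop command varies by image, so treat it as an assumption that the running image accepts it.

```cisco
! Added example (not from the release note). Stops the voice signaling
! services named in the advisory on a router that has no voice role.
! Whether "call service stop" is accepted depends on the image.
voice service voip
 sip
  call service stop
 h323
  call service stop
!
! MGCP is a separate application; removing it stops the MGCP listener.
no mgcp
```

Check the outcome with show sip-ua status, show mgcp, and show tcp brief all, which lists listening TCP sockets. Note caveat CSCsb93407 earlier in this list: after h323 call service stop the router may still accept connections on TCP port 1720, so on an image affected by that caveat the H.323 listener should additionally be filtered with an access list or control plane policing rather than assumed to be closed.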
•
CSCsf04754
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.
This advisory will be posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml
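The caveat above notes that workarounds exist but does not reproduce them. The configuration below is an added example, not part of the release note or the advisory: it limits which hosts can reach the SNMP engine and requires authentication and privacy for the SNMPv3 user, which narrows who can deliver a malformed SNMPv3 message. The management station address 192.0.2.10, the group and user names, and the password placeholders are assumed values.

```cisco
! Added example (not from the release note). Restricts SNMPv3 access to a
! single management station and requires authPriv for the user.
! 192.0.2.10, NETMGMT, netops and the passwords are assumed values.
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
!
! The group is bound to the ACL; "priv" means every user in it must use
! authentication and privacy.
snmp-server group NETMGMT v3 priv access 10
!
! SHA authentication with AES-128 privacy. Older images only offer "priv des";
! use AES where the image supports it.
snmp-server user netops NETMGMT v3 auth sha <auth-password> priv aes 128 <priv-password> access 10
```

Verify with show snmp group and show snmp user. SNMP is disabled by default, so on a router that does not need it, show running-config | include snmp-server should return nothing and nothing further is required. Because SNMP runs over UDP, the source-address ACL can be evaded with a spoofed source, so it reduces exposure rather than removing it; the fixed software is the complete remedy.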
•
CSCsg16908
Multiple vulnerabilities exist in th

