Cisco IOS Software Releases 12.3 Mainline

Cross-Platform Release Notes for Cisco IOS Release 12.3, Part 5: Caveats for 12.3(10) through 12.3(26)

Table Of Contents

Caveats for Cisco IOS Release 12.3

How to Use This Document

If You Need More Information

Contents

Open Caveats—Cisco IOS Release 12.3(26)

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.3(26)

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.3(25)

Basic System Services

Resolved Caveats—Cisco IOS Release 12.3(24a)

Basic System Services

Miscellaneous

Terminal Service

Resolved Caveats—Cisco IOS Release 12.3(24)

Basic System Services

IBM Connectivity

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(23)

Basic System Services

IP Routing Protocols

ISO CLNS

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(22a)

Basic System Services

Miscellaneous

TCP/IP Host-Mode Services

Resolved Caveats—Cisco IOS Release 12.3(22)

Basic System Services

IBM Connectivity

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(21b)

Basic System Services

Miscellaneous

TCP/IP Host-Mode Services

Resolved Caveats—Cisco IOS Release 12.3(21a)

Basic System Services

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.3(21)

Basic System Services

IP Routing Protocols

ISO CLNS

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(20a)

Basic System Services

IBM Connectivity

Miscellaneous

TCP/IP Host-Mode Services

Resolved Caveats—Cisco IOS Release 12.3(20)

Basic System Services

IBM Connectivity

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

Terminal Service

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(19a)

Basic System Services

IBM Connectivity

Miscellaneous

TCP/IP Host-Mode Services

Resolved Caveats—Cisco IOS Release 12.3(19)

Basic System Services

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(18a)

Basic System Services

IBM Connectivity

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(18)

Basic System Services

IP Routing Protocols

ISO CLNS

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(17c)

Basic System Services

IBM Connectivity

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(17b)

Basic System Services

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(17a)

Interfaces and Bridging

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.3(17)

Basic System Services

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(16a)

Basic System Services

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.3(16)

Basic System Services

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(15b)

Basic System Services

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(15a)

Basic System Services

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(15)

Access Server

Basic System Services

IBM Connectivity

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(13b)

Access Server

Basic System Services

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(13a)

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(13)

Basic System Services

IBM Connectivity

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(12e)

Access Server

Basic System Services

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(12d)

Basic System Services

Resolved Caveats—Cisco IOS Release 12.3(12c)

IP Routing Protocols

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.3(12b)

Basic System Services

IBM Connectivity

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(12a)

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(12)

Basic System Services

IBM Connectivity

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(10f)

Basic System Services

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(10e)

Access Server

Basic System Services

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(10d)

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(10c)

Basic System Services

IBM Connectivity

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(10b)

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(10a)

Basic System Services

Interfaces and Bridging

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.3(10)

Basic System Services

EXEC and Configuration Parser

IBM Connectivity

Interfaces and Bridging

IP Routing Protocols

ISO CLNS

Miscellaneous

Novell IPX, XNS, and Apollo Domain

Wide-Area Networking


Caveats for Cisco IOS Release 12.3


September 24, 2008

Cisco IOS Release 12.3(26)

OL-4353-20

This document lists severity 1 and 2 caveats and select severity 3 caveats for Cisco IOS Release 12.3, up to and including Cisco IOS Release 12.3(26). Caveats describe unexpected behavior or defects in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.

To improve this document, we would appreciate your comments. If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically at http://www.cisco.com/feedback/ or contact caveats-doc@cisco.com. For more information, see the "Obtaining Documentation and Submitting a Service Request" section on page 1024.

How to Use This Document

This document describes open and resolved severity 1 and 2 caveats and select severity 3 caveats:

The "Open Caveats" section lists open caveats that apply to the current release and may apply to previous releases.

The "Resolved Caveats" sections list caveats resolved in a particular release, but open in previous releases.

Within the sections the caveats are sorted by technology in alphabetical order. For example, AppleTalk caveats are listed separately from, and before, IP caveats. The caveats are also sorted alphanumerically by caveat number.

If You Need More Information

Cisco IOS software documentation can be found on the web through Cisco.com. For information on Cisco.com, see the "Obtaining Documentation and Submitting a Service Request" section on page 1024.

For more information on caveats and features in Cisco IOS Release 12.3, refer to the following sources:

Dictionary of Internetworking Terms and Acronyms—The Dictionary of Internetworking Terms and Acronyms contains definitions of acronyms that are not defined in this caveats document.

Bug Toolkit—If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Products and Services: Cisco IOS Software: Cisco IOS Software Releases 12.3: Troubleshooting: Bug Toolkit. Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl.

(If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)

Release Notes for Cisco IOS Release 12.3—These release notes describe new features and significant software components for Cisco IOS software Release 12.3.

Deferral Advisories and Software Advisories for Cisco IOS Software—Deferral Advisories and Software Advisories for Cisco IOS Software provides information about caveats that are related to deferred software images for Cisco IOS releases. If you have an account on Cisco.com, you can access Deferral Advisories and Software Advisories for Cisco IOS Software at http://www.cisco.com/public/sw-center/sw-ios-advisories.shtml.

What's New for IOS—What's New for IOS lists recently posted Cisco IOS software releases and software releases that have been removed from Cisco.com. If you have an account on Cisco.com, you can access What's New for IOS at http://www.cisco.com/public/sw-center/sw-ios.shtml.


Note Release notes are modified only on an as-needed basis. The maintenance release number and the revision date represent the last time the release notes were modified to include new or updated information. For example, release notes are modified whenever any of the following items change: software or hardware features, feature sets, memory requirements, software deferrals for the platform, microcode or modem code, or related documents.


The most recent release notes when this caveats document was published were Release Notes for Cisco IOS Release 12.3, for Cisco IOS Release 12.3(26) on March 18, 2008.

Contents

The caveats documentation for Cisco IOS Release 12.3 consists of the following subsections:

Cross-Platform Release Notes for Cisco IOS Release 12.3, Part 5: Caveats for 12.3(10) through 12.3(26)

How to Use This Document

If You Need More Information

Open Caveats—Cisco IOS Release 12.3(26)

Resolved Caveats—Cisco IOS Release 12.3(26)

Resolved Caveats—Cisco IOS Release 12.3(25)

Resolved Caveats—Cisco IOS Release 12.3(24a)

Resolved Caveats—Cisco IOS Release 12.3(24)

Resolved Caveats—Cisco IOS Release 12.3(23)

Resolved Caveats—Cisco IOS Release 12.3(22a)

Resolved Caveats—Cisco IOS Release 12.3(22)

Resolved Caveats—Cisco IOS Release 12.3(21b)

Resolved Caveats—Cisco IOS Release 12.3(21a)

Resolved Caveats—Cisco IOS Release 12.3(21)

Resolved Caveats—Cisco IOS Release 12.3(20a)

Resolved Caveats—Cisco IOS Release 12.3(20)

Resolved Caveats—Cisco IOS Release 12.3(19a)

Resolved Caveats—Cisco IOS Release 12.3(19)

Resolved Caveats—Cisco IOS Release 12.3(18a)

Resolved Caveats—Cisco IOS Release 12.3(18)

Resolved Caveats—Cisco IOS Release 12.3(17c)

Resolved Caveats—Cisco IOS Release 12.3(17b)

Resolved Caveats—Cisco IOS Release 12.3(17a)

Resolved Caveats—Cisco IOS Release 12.3(17)

Resolved Caveats—Cisco IOS Release 12.3(16a)

Resolved Caveats—Cisco IOS Release 12.3(16)

Resolved Caveats—Cisco IOS Release 12.3(15b)

Resolved Caveats—Cisco IOS Release 12.3(15a)

Resolved Caveats—Cisco IOS Release 12.3(15)

Resolved Caveats—Cisco IOS Release 12.3(13b)

Resolved Caveats—Cisco IOS Release 12.3(13a)

Resolved Caveats—Cisco IOS Release 12.3(13)

Resolved Caveats—Cisco IOS Release 12.3(12e)

Resolved Caveats—Cisco IOS Release 12.3(12d)

Resolved Caveats—Cisco IOS Release 12.3(12c)

Resolved Caveats—Cisco IOS Release 12.3(12b)

Resolved Caveats—Cisco IOS Release 12.3(12a)

Resolved Caveats—Cisco IOS Release 12.3(12)

Resolved Caveats—Cisco IOS Release 12.3(10f)

Resolved Caveats—Cisco IOS Release 12.3(10e)

Resolved Caveats—Cisco IOS Release 12.3(10d)

Resolved Caveats—Cisco IOS Release 12.3(10c)

Resolved Caveats—Cisco IOS Release 12.3(10b)

Resolved Caveats—Cisco IOS Release 12.3(10a)

Resolved Caveats—Cisco IOS Release 12.3(10)


Cross-Platform Release Notes for Cisco IOS Release 12.3, Part 6: Caveats for 12.3(6) through 12.3(9e)

Resolved Caveats—Cisco IOS Release 12.3(9e), page 421

Resolved Caveats—Cisco IOS Release 12.3(9d), page 422

Resolved Caveats—Cisco IOS Release 12.3(9c), page 429

Resolved Caveats—Cisco IOS Release 12.3(9b), page 436

Resolved Caveats—Cisco IOS Release 12.3(9a), page 439

Resolved Caveats—Cisco IOS Release 12.3(9), page 455

Resolved Caveats—Cisco IOS Release 12.3(6f), page 539

Resolved Caveats—Cisco IOS Release 12.3(6e), page 540

Resolved Caveats—Cisco IOS Release 12.3(6c), page 547

Resolved Caveats—Cisco IOS Release 12.3(6b), page 554

Resolved Caveats—Cisco IOS Release 12.3(6a), page 559

Resolved Caveats—Cisco IOS Release 12.3(6), page 571


Cross-Platform Release Notes for Cisco IOS Release 12.3, Part 7: Caveats for 12.3(1) through 12.3(5f)

Resolved Caveats—Cisco IOS Release 12.3(5f), page 655

Resolved Caveats—Cisco IOS Release 12.3(5e), page 656

Resolved Caveats—Cisco IOS Release 12.3(5d), page 665

Resolved Caveats—Cisco IOS Release 12.3(5c), page 680

Resolved Caveats—Cisco IOS Release 12.3(5b), page 696

Resolved Caveats—Cisco IOS Release 12.3(5a), page 698

Resolved Caveats—Cisco IOS Release 12.3(5), page 702

Resolved Caveats—Cisco IOS Release 12.3(3i), page 793

Resolved Caveats—Cisco IOS Release 12.3(3h), page 794

Resolved Caveats—Cisco IOS Release 12.3(3g), page 807

Resolved Caveats—Cisco IOS Release 12.3(3f), page 814

Resolved Caveats—Cisco IOS Release 12.3(3e), page 842

Resolved Caveats—Cisco IOS Release 12.3(3c), page 844

Resolved Caveats—Cisco IOS Release 12.3(3b), page 845

Resolved Caveats—Cisco IOS Release 12.3(3a), page 849

Resolved Caveats—Cisco IOS Release 12.3(3), page 856

Resolved Caveats—Cisco IOS Release 12.3(1a), page 963

Resolved Caveats—Cisco IOS Release 12.3(1), page 972

Obtaining Documentation and Submitting a Service Request, page 1024

Open Caveats—Cisco IOS Release 12.3(26)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(26). All the caveats listed in this section are open in Cisco IOS Release 12.3(26). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Miscellaneous

CSCin95455

Symptoms: The connect global configuration command presents duplicate options; that is, there appear to be two switching subsystems.

Conditions: This symptom is observed on a Cisco router when you attempt to configure the connect global configuration command for ATM.

Workaround: There is no workaround.

CSCse44079

Symptoms: CPU utilization may reach 100 percent in the IGMP Input process when a UDL interface is down. When the downstream UDL interface (on the downstream router) goes down, any IGMP report or leave that the downstream router receives locally is sent 255 times to the router itself, which causes the high CPU utilization.

Conditions: This symptom is observed on a Cisco router that has a UDL interface that is connected to a satellite link after you have upgraded the Cisco IOS software image from Release 12.4(5a) to Release 12.4(7a). However, the symptom is not release-specific.

Workaround: There is no workaround.

Further Problem Description: When the UDL link goes down, the downstream router starts to flood IGMP reports to itself. In Releases 12.4(7a), 12.4(8), and 12.3(19), Cisco IOS software actually processes these packets, which has a large impact on CPU utilization.

CSCsf96266

Symptoms: Unable to obtain low latency for priority traffic while LLQ is configured.

Conditions: This is happening while LLQ is configured with IPsec and IPsec-GRE tunnels.

Workaround: There is no workaround.

CSCsi18669

Symptoms: QoS Group Marking may not function.

Conditions: This symptom is observed on a Cisco router after you have reloaded the router.

Workaround: Detach the policy map from the interface and then re-attach it to the interface.

CSCsi83714

Symptoms: A Cisco 7206VXR (NPE-G1) that is running Cisco IOS Release 12.3(22) has a software-forced reload because of a memory corruption. The memory pool type is Processor rip_create_rdb.

Conditions: The Cisco 7206VXR (NPE-G1) with Cisco IOS Release 12.3(22) was running fine for one month before the crash occurred. The crash occurred during/after some configuration changes, which were done regularly. The crash occurred only once.

Workaround: There is no workaround.

CSCsk51939

Symptoms: After multiple calls are established, and then calls are disconnected by the users, new calls cannot be established.

Conditions: This problem is seen when using a Cisco 3660 router with a digital modem network module, NM-30DM. This problem is seen in all Cisco IOS 12.2 and 12.3 releases.

Workaround: Reloading the router will allow new calls to be established.

CSCsk80813

Symptoms: The AP does not appear to handle PAC provisioning for a Windows Vista client.

Conditions: This symptom is observed with the AP running 12.3(8) JEB.

Workaround: There is no workaround.

CSCsl42554

Symptoms: All cable modems (CMs) go offline with no alert or log message. When the clear cable modem all del command was executed, no CM was ranging. When checked, the upconverter signal was okay and the UCD counter was also normal.

Because no log or other specific information remained, the root cause is hard to determine.

Conditions: This symptom is observed only on the MC520H card.

Workaround: Enter the cable downstream rf-shutdown command followed by the no cable downstream rf-shutdown command.

Further Problem Description: This is similar to CSCsj03260 (an externally found, moderate [Sev3], resolved bug: modem stays offline after a modulation switch on the MC5x20H). However, that fix is integrated in 12.3(21a)BC4, and the development engineer stated that this is a different problem. The customer also did not use dynamic modulation.

CSCsm60103

Symptoms: After the AP (AIR-AP1231G-E-K9) is upgraded to 12.3(8).JEC, a periodic loss of interface "Dot11Radio0" is seen because of "failed - Driver transmit queue stuck." This results in only a brief service interruption; the AP and radio do recover and start servicing again within 1 to 2 seconds.

Conditions: This symptom is observed under normal operation.

Workaround: There is no workaround.

Further Problem Description: The following is the syslog record of the failure and recovery:

Dec 19 10:51:23: %DOT11-2-RADIO_FAILED: Interface Dot11Radio0,failed - Driver transmit queue stuck -Traceback= 19670 420248 427A64 428C20 42B31C 3D1BA4 3D457C 3D8DAC 4BB43C 4B6C30 24306C

Dec 19 10:51:23: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
Dec 19 10:51:23: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
Dec 19 10:51:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
Dec 19 10:51:24: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
Dec 19 10:51:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

CSCsm62622

Symptoms: Applying an access group to physical interfaces modifies the ACL in the running configuration.

Conditions: This symptom occurs when a physical interface is a member of a bridge group, the physical interface has an "ip access-group <list> [in/out]" applied from a corresponding access list, and an entry in that ACL carries the log keyword. At the first list match on any of the bridged interfaces, the running configuration is modified so that the logging is removed from the ACL.

Workaround: Instead of assigning the ACL to a physical interface, create a BVI interface for the bridge group and assign the ACL to the BVI.

Further Problem Description: The following is a sample interface configuration.

!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid tsunami
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role non-root bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 ssid tsunami
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role non-root bridge
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 hold-queue 160 in
!
interface BVI1
 ip address 10.0.0.12 255.255.255.224
 ip access-group 105 in
 no ip route-cache
!
access-list 105 deny ip 127.0.0.0 0.255.255.255 any log
access-list 105 deny ip 5.5.5.0 0.0.0.255 any log
access-list 105 permit ip any any log
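The condition above can be caught in a configuration audit before any traffic hits the ACL. The following Python script is an added example written for this page; it is not Cisco code and is not part of the original release note. It parses an IOS running-config excerpt (a constructed sample with the same bridge-group 1 layout as the caveat, but with a numbered logging ACL applied to the physical member FastEthernet0 and a named ACL with a log-input entry applied to Dot11Radio1), finds physical bridge-group members that apply an ACL containing log or log-input entries, and renders the caveat's workaround of moving each such ACL to the BVI. The names parse_config, acl_logs, find_bridged_logging_acls, suggested_fix and SAMPLE_CONFIG are the example's own, and the parser recognises only the configuration statements this check needs.

```python
import re

# Constructed IOS configuration excerpt written for this example (not the
# document's own sample): the same bridge-group 1 layout as in the caveat, but
# the logging ACLs sit on physical bridge members (the CSCsm62622 condition)
# instead of on the BVI.
SAMPLE_CONFIG = """\
!
interface Dot11Radio0
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 ip access-group EDGE-IN in
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 ip access-group 105 in
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 110 in
!
interface BVI1
 ip address 10.0.0.12 255.255.255.224
!
access-list 105 deny ip 127.0.0.0 0.255.255.255 any log
access-list 105 permit ip any any log
access-list 110 permit ip any any
ip access-list extended EDGE-IN
 deny ip 10.0.0.0 0.255.255.255 any log-input
 permit ip any any
"""


def parse_config(text):
    """Split a running-config into the pieces this check needs.
    Returns (interfaces, acls): interfaces maps a name to its bridge-group
    number and applied access groups; acls maps a number/name to its entries."""
    interfaces, acls = {}, {}
    current = None  # ("interface", name) or ("acl", name) while inside a block
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body == "!":
            if not raw.startswith(" "):   # a top-level '!' closes the block
                current = None
            continue
        if not raw.startswith(" "):       # top-level command
            if m := re.match(r"interface (\S+)$", body):
                current = ("interface", m.group(1))
                interfaces[m.group(1)] = {"bridge_group": None, "access_groups": []}
            elif m := re.match(r"access-list (\S+) (.+)$", body):
                acls.setdefault(m.group(1), []).append(m.group(2))
                current = None
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", body):
                current = ("acl", m.group(1))
                acls.setdefault(m.group(1), [])
            else:
                current = None
            continue
        if current and current[0] == "interface":  # indented interface statement
            iface = interfaces[current[1]]
            if m := re.match(r"bridge-group (\d+)$", body):
                iface["bridge_group"] = int(m.group(1))
            elif m := re.match(r"ip access-group (\S+) (in|out)$", body):
                iface["access_groups"].append((m.group(1), m.group(2)))
        elif current and current[0] == "acl":      # named ACL entry
            acls[current[1]].append(body)
    return interfaces, acls


def acl_logs(entries):
    """True if any entry ends with the log or log-input keyword."""
    return any(re.search(r"\blog(-input)?$", e) for e in entries)


def find_bridged_logging_acls(text):
    """Return (interface, acl, direction, bridge_group) for every physical
    bridge-group member that applies an ACL with logging entries."""
    interfaces, acls = parse_config(text)
    findings = []
    for name, iface in interfaces.items():
        if iface["bridge_group"] is None or name.upper().startswith("BVI"):
            continue
        for acl, direction in iface["access_groups"]:
            if acl_logs(acls.get(acl, [])):
                findings.append((name, acl, direction, iface["bridge_group"]))
    return findings


def suggested_fix(findings):
    """Render the caveat's workaround: apply the ACL to the BVI instead."""
    return [f"interface {n}: move 'ip access-group {a} {d}' to interface BVI{g}"
            for n, a, d, g in findings]


if __name__ == "__main__":
    for line in suggested_fix(find_bridged_logging_acls(SAMPLE_CONFIG)):
        print(line)
```

Run against the sample, the script flags Dot11Radio1 and FastEthernet0 and leaves FastEthernet1 (not bridged) and BVI1 alone; a config that already applies the ACL to the BVI, as in the sample configuration above, produces no findings.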

CSCso03047

Symptoms: The multilink interfaces stop forwarding traffic, and the serial interfaces out of the multilink start to flap.

Conditions: This symptom is observed when the E3 controller is saturated.

Workaround: Enter the shutdown command followed by the no shutdown command on the controller.

CSCso11620

Symptoms: A Cisco AS5400 router crashes with a bus error at sstrncpy. The error message will look like the following:

System returned to ROM by bus error at PC 0x6184FA30, address 0xD0D0D0D

Conditions: This symptom is observed on a Cisco AS5400 router.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(26)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(26). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(26). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Miscellaneous

CSCec12299

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.

CSCse92050

Symptoms: A router may reload unexpectedly when a routing event causes multicast boundary to be configured on a Reverse Path Forwarding (RPF) interface.

Conditions: This symptom is observed on a Cisco platform that is configured for PIM.

Workaround: Remove multicast boundary from the configuration.

CSCsg21398

Symptoms: The Cisco IOS software image may unexpectedly restart when a crafted "msg-auth-response-get-user" TACACS+ packet is received.

Conditions: This symptom is observed after the Cisco platform has sent an initial "recv-auth-start" TACACS+ packet.

Workaround: There is no workaround.

CSCsg39295

Symptoms: Password information may be displayed in a syslog message as follows:

%SYS-5-CONFIG_I: Configured from scp://userid:password@10.1.1.1/config.txt by console

Conditions: This symptom is observed when using SNMP to modify a configuration by means of the CISCO-CONFIG-COPY-MIB; selection of ConfigCopyProtocol of SCP or FTP may result in the password being exposed in a syslog message.

Workaround: When using SNMP to modify a configuration by means of the CISCO-CONFIG-COPY-MIB, use the ConfigCopyProtocol of RCP to avoid exposure of the password.
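A syslog collector can detect the exposure described in this caveat, so that affected records are flagged and the password is scrubbed before the logs are stored or forwarded. The following Python code is an added example written for this page; it is not Cisco code and is not part of the original release note. It runs over constructed syslog lines that mirror the %SYS-5-CONFIG_I message shape (the hostnames, usernames, passwords and addresses are invented), and the names find_exposed_credentials, redact_credentials and SAMPLE_SYSLOG are the example's own.

```python
import re

# Constructed syslog lines (not taken from the original document) shaped like the
# %SYS-5-CONFIG_I message in CSCsg39295; hosts, users and passwords are invented.
SAMPLE_SYSLOG = """\
Mar  3 10:12:01 rtr1 1234: %SYS-5-CONFIG_I: Configured from scp://netops:S3cretPw@10.1.1.1/config.txt by console
Mar  3 10:12:05 rtr1 1235: %SYS-5-CONFIG_I: Configured from ftp://backup:hunter2@10.1.1.2/rtr1.cfg by snmp
Mar  3 10:13:00 rtr1 1236: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.9.9.9)
Mar  3 10:14:00 rtr1 1237: %SYS-5-CONFIG_I: Configured from rcp://backup@10.1.1.2/rtr1.cfg by snmp
Mar  3 10:15:00 rtr1 1238: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to down
"""

CONFIG_I = "%SYS-5-CONFIG_I:"

# scheme://user:password@rest -- a URL whose userinfo part carries a password
CRED_URL = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@(?P<rest>\S+)",
    re.IGNORECASE,
)


def find_exposed_credentials(text):
    """Return (line_no, scheme, user, host) for each CONFIG_I record whose
    source URL embeds a password; these are the records to alert on."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if CONFIG_I not in line:
            continue
        m = CRED_URL.search(line)
        if m:
            host = m.group("rest").split("/", 1)[0]
            findings.append((n, m.group("scheme").lower(), m.group("user"), host))
    return findings


def redact_credentials(text):
    """Return the text with every embedded URL password replaced by '***'
    so the records can be stored or forwarded without carrying the secret."""
    def scrub(m):
        return f"{m.group('scheme')}://{m.group('user')}:***@{m.group('rest')}"
    return "\n".join(CRED_URL.sub(scrub, line) for line in text.splitlines())


if __name__ == "__main__":
    for n, scheme, user, host in find_exposed_credentials(SAMPLE_SYSLOG):
        print(f"line {n}: {scheme} password for user {user!r} to {host} exposed in syslog")
    print(redact_credentials(SAMPLE_SYSLOG))
```

The RCP line, which carries a username but no password, is left untouched. Redaction at the collector only limits further spread: the device has already emitted the secret, so the remaining step after a finding is to change the exposed password and, as the workaround states, use RCP for CISCO-CONFIG-COPY-MIB transfers.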

CSCsh04686

Symptoms: With X.25 over TCP (XOT) enabled on a router or Catalyst switch, malformed traffic that is sent to TCP port 1998 causes the device to reload. This symptom was first observed in Cisco IOS Release 12.2(31)SB2.

Conditions: This symptom is observed only when X.25 routing is enabled on the device.

Workaround: Use IPsec or other tunneling mechanisms to protect XOT traffic. Also, apply ACLs on affected devices so that traffic is accepted only from trusted tunnel endpoints.

CSCsh74975

Symptoms: A router may reload or a memory leak may occur when UDP malformed packets are sent to port 2517.

Conditions: This symptom is observed on a Cisco router that functions as a VoIP dial peer and that is configured for H.323.

Workaround: There is no workaround.

CSCsi03359

Symptoms: A PIM hello message may not reach the neighbor.

Conditions: This symptom is observed on a Cisco router when an interface comes up and a PIM hello message is triggered.

Workaround: Decrease the hello timer for PIM hello messages.

Further Problem Description: The symptom occurs because the PIM hello message is sent before the port can actually forward IP packets. IGP manages to get its neighborship up but PIM does not, causing RPF to change to the new neighbor and causing blackholing to occur for up to 30 seconds.

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml

CSCsj12867

Symptoms: The following message can be seen after executing the write memory command, even though the version has not been changed.

Router# write memory 

Warning: Attempting to overwrite an NVRAM configuration previously written by a 
different version of the system image. Overwrite the previous NVRAM 
configuration?[confirm]

The router then restarts with the following traceback:

-Traceback= 6067F3DC 6067FB38 605E3FE8 60686384 605E3FE8 605188BC 60518830 605444D4 
60539164 6054719C 605AB65C 605AB648

Conditions: This symptom is observed on a Cisco 7206 VXR (NPE-400) with C7200-IO-FE-MII/RJ45= or C7200-I/O= running the Cisco IOS Release 12.2(24a) interim build.

Workaround: There is no workaround.

CSCsk68320

Symptoms: A switch aborts or reloads after the no ip routing command is entered.

Conditions: This symptom is observed when a Supervisor Engine IV is configured with a minimal IP multicast and Multicast Source Discovery Protocol (MSDP) configuration.

Workaround: There is no workaround.

CSCsk97261

Symptoms: Router crashes with an Unexpected exception to CPUvector traceback.

Conditions:

Issuing the modemui command with a large input parameter in the [modem-commands], such as:

host>modemui ATZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
OK 
OK
OK
Host:
00:05:30 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC = 804829C4 
-Traceback= 804829C4 8049E4B0 8049E798 80492924 803CAE9C 803CB7E0 803CB6D8 803CDE88 
80574D04 80575978 803A6CC8 80CA1B60 80CA2008 80CA21FC 80CA21FC 80CA21FC

More information about the Cisco Modem User Interface feature is available at: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bf9.html

Workaround: There is no workaround.

CSCsl47915

Symptoms: OSPF routes are redistributed into RIP using a route map that is based on a prefix list. Whenever the prefix list is changed, the RIP database is not updated.

Conditions: This symptom is observed when a new network is added to the prefix list. The show ip route network command shows that the network is not advertised by RIP. The clear ip route network command will fix the problem.

Workaround: There is no workaround.

CSCsl70143

Symptoms: Under heavy traffic, ISDN calls may be rejected due to high CPU usage with the following messages seen in the log (with tracebacks):

%IVR-3-LOW_CPU_RESOURCE: IVR: System experiencing high cpu utilization (98/100). Call (callID=23524) is rejected.

%SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (32/18),process = ISDN.

Conditions: This problem occurs only under heavy traffic.

Workaround: There is no workaround.

CSCsl70722

Symptoms: A router running Cisco IOS may crash due to watchdog timeout.

Conditions: This symptom occurs when IP SLA probes have been configured and active for a period of 72 weeks. After that much time has passed, polling the RTTMON MIB for the probe statistics causes the router to reload. The problem is then not seen again for another 72 weeks.

Workaround: There is no workaround.

CSCsl95431

Symptoms: A router may reload when malformed packets are sent to the TFTP UDP port.

Conditions: This symptom is observed when malformed traffic is sent to the router's TFTP UDP port 69.

Workaround: There is no workaround.

CSCsm26130

Symptoms: When a subinterface whose IP address falls within the major network of the static route is removed from the configuration, the static route is no longer injected into the BGP table. Because the route is not in the BGP table, it is not advertised to any peers.

Conditions: This symptom is observed with auto-summary enabled in BGP. A static summary route is configured to null0 and is injected into the BGP table with a network statement.

Workaround: There are four possible workarounds:

1) Use an "aggregate-address" configuration instead of the static route to generate the summary.

2) Remove auto-summary from the BGP process.

3) Enter the clear ip bgp * command.

4) Remove and reconfigure the BGP network statement for the summary route.

CSCsm34361

Symptoms: TCP ports that should be open may not be reported as open when the router is port-scanned with Nmap.

Conditions: This symptom is observed on a Cisco 7200 router.

Workaround: There is no workaround.

CSCsm43993

Symptoms: A Cisco SOHO 78 router freezes while booting. A power-cycle is required to restore it to operational condition.

Conditions: The router freezes after self-decompressing the image.

Workaround: There is no workaround.

CSCso03047

Symptoms: The multilink interfaces stop forwarding traffic, and the serial interfaces out of the multilink start to flap.

Conditions: This symptom is observed when the E3 controller is saturated.

Workaround: Enter the shutdown command followed by the no shutdown command on the controller.

CSCso15151

Symptoms: When Multicast Distributed Fast Switching is configured, a VIP crashes on a Cisco 7500 router that is running a Cisco IOS 12.3 release.

Conditions:

1) The router has around 1000 interfaces/subinterfaces.

2) Distributed multicast is configured.

3) The router is running any Cisco IOS 12.3 release.

Workaround: There is no workaround.

Further Problem Description: In summary, the line card accesses a memory location that has already been freed, which causes the VIP to crash. The sanity checks that would prevent this are missing in Cisco IOS 12.3 releases. The problem is similar to what CSCdm29808 addresses on line cards of the Cisco 12000 series Internet router (which does not support Cisco IOS Release 12.3): that fix checks whether the interface index in MDFS messages is less than the MDFS IDB map size, which is the current size of the IDB map table.

Resolved Caveats—Cisco IOS Release 12.3(25)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(25). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(25). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsh48919

Symptoms: With an ATA flash card, the dir disk0: command will fail if any filename or directory name stored on disk0 contains embedded spaces. This applies to disk1 or disk2 as well. This situation can also occur with a compact flash (CF) card using the dir flash: command.

Conditions: This symptom has been observed when using a removable flash card, such as an ATA flash card or CF card, that is formatted to use DOSFS. The removable flash card is removed from the router and inserted into a laptop that is running a version of the Microsoft Windows operating system. A "New Folder" directory is created on the flash card, and the flash card is removed from the laptop and re-inserted into the router. Entering the dir command on the router may fail to show all of the stored files or may crash the router.

Workaround: Remove or rename all files and directories having names with embedded spaces so that no file or directory name contains embedded spaces.

CSCsh74975

Symptoms: A router may reload or a memory leak may occur when UDP malformed packets are sent to port 2517.

Conditions: This symptom is observed on a Cisco router that functions as a VoIP dial peer and that is configured for H.323.

Workaround: There is no workaround.

CSCsk70446

Symptoms: A traceback is noticed when long URLs are used to configure a device using Cisco IOS HTTP web parser. The device does not crash.

Conditions: Trying to configure commands that have a single keyword or parameter greater than N characters in length using the web-based Cisco IOS command parser causes a traceback where N is:

50 for Cisco IOS Release 12.0 and later releases

128 for Cisco IOS Release 12.2 and later releases

256 for Cisco IOS Release 12.2(25) and later releases

Workaround: Avoid using the web-based command line parser for CLI commands with long keywords or arguments.

CSCsk93113

Symptoms:

A router crashes with a TLB (load or instruction fetch) exception segmentation fault or a Breakpoint exception.

Conditions:

TLB (Load or Instruction Fetch) Exception Segmentation Fault Crash

From the (tcl) CLI prompt, issue the "ea_display_pitem" or "ea_display_msg" commands with a large ID input parameter such as:

router(tcl)# ea_display_msg 999999999  

or

router(tcl)# ea_display_pitem 999999999 

14:02:10 UTC Sat Jul 28 2001: TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x61B3CCA8

-----------------------------------------------------------------------------------

Possible software fault. Upon recurrence, please collect crashinfo, "show tech" and contact Cisco Technical Support.

-----------------------------------------------------------------------------------

-Traceback= 61B3CCA8 61B1DCBC 61B2725C 61B1C518 60759B24 607D8914 607D88F8
$0 : 00000000, AT : 632D0000, v0 : EEC550B8, v1 : 316EBFFD
a0 : 00000000, a1 : 00000000, a2 : 63B2FD21, a3 : 00000039
t0 : 107A3FFF, t1 : 0000000C, t2 : 0000000D, t3 : 0000000B
t4 : 0000000A, t5 : 00000000, t6 : 63B2FDC4, t7 : 63B2FDC0
s0 : 2012F338, s1 : 63B32648, s2 : 634F3219, s3 : 634F50D0
s4 : 63B32648, s5 : 8B75FFE8, s6 : 00000002, s7 : 631E0000
t8 : 63B2FE10, t9 : 00000000, k0 : 3040D001, k1 : 00000800
gp : 632D5328, sp : 2012F2C0, s8 : 634F31FC, ra : 61B3CC98
EPC : 61B3CCA8, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00000003, MDHI : 280ED7D0, BadVaddr : EEC550C4
Cause 00000008 (Code 0x2): TLB (load or instruction fetch) exception

00:05:30 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC = 804829C4
-Traceback= 804829C4 8049E4B0 8049E798 80492924 803CAE9C 803CB7E0 803CB6D8 803CDE88 80574D04 80575978 803A6CC8 80CA1B60 80CA2008 80CA21FC 80CA21FC 80CA21FC

Breakpoint Exception Crash

From the (tcl) CLI prompt, download a very large file such as:

router(tcl)# source tftp://192.168.10.10/very-large-file 

Opening file: tftp://192.168.10.10/very-large-file, buffer size=65536
Loading target from 192.168.10.10 (via GigabitEthernet0/2): !!!!!!!!!!!!!
========= Dump bp = 2036B72C ======================

2036B62C: FD0110DF AB1234CD 8A 502B7AF8 62A7FF74 616E96A8 2036B67C 2036B5F8
2036B64C: 80000012 1 0 63BF7AA0 0 400 0 8
2036B66C: 0 0 0 FD0110DF AB1234CD 1E 639C1A58 623BCD20
2036B68C: 60B26684 2036B6E0 2036B644 8000001E 1 0 2017A9DC 200302F4
2036B6AC: 623BCC3C 200302F4 1 3 1 3 0 0

=== output truncated ===

%Software-forced reload

14:47:00 UTC Sat Jul 28 2001: Breakpoint exception, CPU signal 23, PC = 0x6080A0C0

-----------------------------------------------------------------------------------

Possible software fault. Upon recurrence, please collect crashinfo, "show tech" and contact Cisco Technical Support.

-----------------------------------------------------------------------------------

-Traceback= 6080A0C0 60808014 607EDCE4 607EAF44 61B307D4 61B1DCBC 61B2725C 61B1C518 60759B24 607D8914 607D88F8
$0 : 00000000, AT : 632D0000, v0 : 636A0000, v1 : 636A0000
a0 : 6366A408, a1 : 0000FF00, a2 : 00000000, a3 : 62FF0000
t0 : 6080F7A0, t1 : 3400FF01, t2 : 6080F7A0, t3 : FFFF00FF
t4 : 6080F7A0, t5 : 36423734, t6 : 78312030, t7 : 32324431
s0 : 00000000, s1 : 00000000, s2 : 63010000, s3 : 634308E0
s4 : 2036B754, s5 : 202AEDB8, s6 : 63010000, s7 : 631E0000
t8 : 63B2FCF4, t9 : 00000002, k0 : 3040D001, k1 : 00000800
gp : 632D5328, sp : 202AEB68, s8 : 634F31FC, ra : 60808014
EPC : 6080A0C0, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00000000, MDHI : 00000006, BadVaddr : 0B6719BC
Cause 00000024 (Code 0x9): Breakpoint exception

Cisco IOS software introduced the ability to support Tool Command Language (Tcl) version 7.0 commands as part of the Cisco IOS Interactive Voice Response feature in Cisco IOS Release 12.0(6)T and later. For further information, see http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/tclivrpg.htm.

The Cisco IOS Scripting with Tcl feature provides the ability to run Tool Command Language (Tcl) version 8.3.4 commands and was introduced from Cisco IOS Release 12.3(2)T. For further information, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_tcl.htm.

Workaround:

AAA Authorization

AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.

For a complete description of authorization commands, see the following links:

Configuring Authorization

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/schathor.htm

ACS 4.1 Command Authorization Sets

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SPC.html#wpxref9538

ACS 4.1 Configuring a Shell Command Authorization Set for a User Group

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMgt.html#wp480029

Role-Based CLI Access

The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.

The following link provides more information about the Role-Based CLI Access feature:

Role-Based CLI Access

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

Device Access

Due to the nature of this vulnerability, networking best practices such as access control lists (ACLs) and Control Plane Policing (CoPP) that restrict vulnerable device access to certain IP addresses or subnetworks may not be effective. Device access best practices provide some mitigation for these issues by allowing systemic control of authenticated and unauthenticated users. Device access best practices are documented in:

Infrastructure Protection on Cisco IOS Software-Based Platforms, Appendix B—Controlling Device Access

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps1838/prod_white_paper0900aecd804ac831.pdf

Improving Security on Cisco Routers

http://www.cisco.com/warp/public/707/21.html

CSCsl02927

Symptoms: With no traffic on a PA-A6-OC3SMi card, maximum ICMP ping times of 352 ms to 384 ms are seen when testing against an ATM loopback diag. Minimum and average times are 1 ms and 4 ms. This is seen with 1500-byte packets.

Conditions: This symptom is observed on a Cisco 7206VXR with backplane versions 2.8 to 2.11 and the PA-A6-OC3SMi ATM card.

Workaround: There is no workaround.

Further Problem Description: This symptom is not observed with backplane versions 2.8 to 2.11 and the PA-A3-T3 card.

Router# ping 10.1.1.1 repeat 200 size 1500

Sending 200, 1500-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (200/200), round-trip min/avg/max = 1/3/352 ms

CSCsl34303

Symptoms: A Cisco 7200 router crashes when unconfiguring service policy from a Multilink Frame Relay (MFR) interface.

Conditions: This symptom is observed if one of the MFR bundle link interfaces was previously being used for Multilink PPP over Frame Relay. Changing the encapsulation may not clean up queuing configuration properly—a dual FIFO queue may remain on the interface.

Workaround: Ensure that a dual FIFO queue is not present on the MFR bundle link interface. It should be plain FIFO queue. If it is a dual FIFO, change the interface to HDLC encapsulation, which should remove the dual FIFO queue, then back to MFR bundle link encapsulation.

CSCsl48149

Symptoms: This issue is observed only when the NVRAM file path length is greater than 355 characters, which is very much a corner case.

Conditions: This issue occurs when the NVRAM file name length is more than 355 characters. Trigger: it is not possible to create an NVRAM file name longer than 32 characters. A problem in the base code is the root cause. The impact is minimal to nil.

Workaround: There is no workaround needed.

Resolved Caveats—Cisco IOS Release 12.3(24a)

Cisco IOS Release 12.3(24a) is a rebuild release for Cisco IOS Release 12.3(24). The caveats in this section are resolved in Cisco IOS Release 12.3(24a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCei16552

Symptoms: The default engine ID shows up in the running configuration.

Conditions: The engine ID shows up in the running configuration even if no engine ID is explicitly configured.

Workaround: There is no workaround.

CSCek77360

Symptoms: TACACS authentication fails.

Conditions: Open one Telnet session and disconnect, then open a second Telnet session and enter the show tcp brief command on the UUT. The Username prompt is expected, but authentication fails.

Workaround: There is no workaround.

CSCsk70446

Symptoms: A traceback is noticed when long URLs are used to configure a device using Cisco IOS HTTP web parser. The device does not crash.

Conditions: Trying to configure commands that have a single keyword or parameter greater than N characters in length using the web-based Cisco IOS command parser causes a traceback where N is:

50 for Cisco IOS Release 12.0 and later releases

128 for Cisco IOS Release 12.2 and later releases

256 for Cisco IOS Release 12.2(25) and later releases

Workaround: Avoid using the web-based command-line parser for CLI commands with long keywords or arguments.

Miscellaneous

CSCsa67433

The relation between addresses in the data part of a buffer dump and addresses in the buffer header is broken. Addresses in the header are real memory addresses, while addresses in the data part are simply byte count from the beginning of the current memory block.

This behavior was introduced in CSCee24363.

Workaround: network_start should always be 84 bytes (ENCAPBYTES) from data_area.

CSCsb86537

Customer has the following topology:

ISDN--2811--MGCP-----CCM/IPCC AA---Phones

Incoming call hits the AA, and the caller enters an extension. The call gets transferred, and the PSTN caller hears the ringback. The ringback stops immediately when the PSTN user hits any key on the phone (in this case, a # was pressed). Then there is a small ringback just before the call goes to voicemail. Turned on the following traces:

deb isdn q931

deb mgcp pack

deb voip hpi comm

deb voip hpi det

Trace shows the DSP turns off the tone upon pressing the # key. The MGCP trace shows the GW receives G/rt just before it goes to the extension's voicemail. I am not sure why the gateway asks the DSP to turn off the ringback tone. I have included the sh ver and sh run output and the trace as an attachment. Customer claims that any DID call to an IP phone bypassing the AA experiences the same problem. I made a few test calls to the DID number and pressed the # key or other keys. It did not stop the dialtone. For the customer, it happens every time from a landline or a mobile phone. But ringback stops immediately when I call through the AA.

CSCsh74975

Symptoms: A router may reload or a memory leak may occur when UDP malformed packets are sent to port 2517.

Conditions: This symptom is observed on a Cisco router that functions as a VoIP dial peer and that is configured for H.323.

Workaround: There is no workaround.

CSCsj94539

Symptoms: Spurious Alarm events on PA-MC-8TE1+ can cause a router crash on a Cisco 7200.

Conditions:

1. Huge line errors.

2. The issue is seen only with a Cisco 7200 and a PA-MC-8TE1+ PA.

Workaround: Check the line for errors and clear them.

CSCsk19661

Symptoms: In a Cisco 7500 HA router in RPR+ mode when configuring and unconfiguring channel groups under an E1 controller, the router reports the following:

*Aug 22 17:58:34.970: %HA-2-IPC_ERROR: Failed to open peer port. timeout
*Aug 22 17:58:34.974: %HA-3-SYNC_ERROR: CCB sync failed for slot: 1
*Aug 22 17:58:34.974: %HA-5-SYNC_RETRY: Reloading standby and retrying sync operation (retry 1).

And the standby RSP is reloaded.

Conditions: This symptom is observed when configuring and unconfiguring channel groups under an E1 controller.

Workaround: There is no workaround.

CSCsk63369

By doing the procedure below, the sub-IF comes up.

T1 -- PA-MC-8T1 TE1 -- PA-MC-8TE1+

Case1

1. shut controller and sub-IF
2. no-shut controller
3. sub-IF in TE1 controller comes up (sub-IF in T1 controller remains shut)

OR

Case2

1. no-shut controller and sub-IF
2. shut controller
3. shut sub-IF
4. no-shut controller
5. sub-IF in both TE1 and T1 controller comes up

In the above case, if the order is 1->3->2->4->5, the sub-IF in both controllers does not come up.

CSCsk93113

Symptoms:

A router crashes with a TLB (load or instruction fetch) exception segmentation fault or a Breakpoint exception.

Conditions:

TLB (Load or Instruction Fetch) Exception Segmentation Fault Crash

From the (tcl) CLI prompt, issue the "ea_display_pitem" or "ea_display_msg" commands with a large ID input parameter such as:

router(tcl)# ea_display_msg 999999999  

or

router(tcl)# ea_display_pitem 999999999 

14:02:10 UTC Sat Jul 28 2001: TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x61B3CCA8

-----------------------------------------------------------------------------------

Possible software fault. Upon recurrence, please collect crashinfo, "show tech" and contact Cisco Technical Support.

-----------------------------------------------------------------------------------

-Traceback= 61B3CCA8 61B1DCBC 61B2725C 61B1C518 60759B24 607D8914 607D88F8
$0 : 00000000, AT : 632D0000, v0 : EEC550B8, v1 : 316EBFFD
a0 : 00000000, a1 : 00000000, a2 : 63B2FD21, a3 : 00000039
t0 : 107A3FFF, t1 : 0000000C, t2 : 0000000D, t3 : 0000000B
t4 : 0000000A, t5 : 00000000, t6 : 63B2FDC4, t7 : 63B2FDC0
s0 : 2012F338, s1 : 63B32648, s2 : 634F3219, s3 : 634F50D0
s4 : 63B32648, s5 : 8B75FFE8, s6 : 00000002, s7 : 631E0000
t8 : 63B2FE10, t9 : 00000000, k0 : 3040D001, k1 : 00000800
gp : 632D5328, sp : 2012F2C0, s8 : 634F31FC, ra : 61B3CC98
EPC : 61B3CCA8, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00000003, MDHI : 280ED7D0, BadVaddr : EEC550C4
Cause 00000008 (Code 0x2): TLB (load or instruction fetch) exception

00:05:30 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC = 804829C4
-Traceback= 804829C4 8049E4B0 8049E798 80492924 803CAE9C 803CB7E0 803CB6D8 803CDE88 80574D04 80575978 803A6CC8 80CA1B60 80CA2008 80CA21FC 80CA21FC 80CA21FC

Breakpoint Exception Crash

From the (tcl) CLI prompt, download a very large file such as:

router(tcl)# source tftp://192.168.10.10/very-large-file 

Opening file: tftp://192.168.10.10/very-large-file, buffer size=65536
Loading target from 192.168.10.10 (via GigabitEthernet0/2): !!!!!!!!!!!!!
========= Dump bp = 2036B72C ======================

2036B62C: FD0110DF AB1234CD 8A 502B7AF8 62A7FF74 616E96A8 2036B67C 2036B5F8
2036B64C: 80000012 1 0 63BF7AA0 0 400 0 8
2036B66C: 0 0 0 FD0110DF AB1234CD 1E 639C1A58 623BCD20
2036B68C: 60B26684 2036B6E0 2036B644 8000001E 1 0 2017A9DC 200302F4
2036B6AC: 623BCC3C 200302F4 1 3 1 3 0 0

=== output truncated ===

%Software-forced reload

14:47:00 UTC Sat Jul 28 2001: Breakpoint exception, CPU signal 23, PC = 0x6080A0C0

-----------------------------------------------------------------------------------

Possible software fault. Upon recurrence, please collect crashinfo, "show tech" and contact Cisco Technical Support.

-----------------------------------------------------------------------------------

-Traceback= 6080A0C0 60808014 607EDCE4 607EAF44 61B307D4 61B1DCBC 61B2725C 61B1C518 60759B24 607D8914 607D88F8
$0 : 00000000, AT : 632D0000, v0 : 636A0000, v1 : 636A0000
a0 : 6366A408, a1 : 0000FF00, a2 : 00000000, a3 : 62FF0000
t0 : 6080F7A0, t1 : 3400FF01, t2 : 6080F7A0, t3 : FFFF00FF
t4 : 6080F7A0, t5 : 36423734, t6 : 78312030, t7 : 32324431
s0 : 00000000, s1 : 00000000, s2 : 63010000, s3 : 634308E0
s4 : 2036B754, s5 : 202AEDB8, s6 : 63010000, s7 : 631E0000
t8 : 63B2FCF4, t9 : 00000002, k0 : 3040D001, k1 : 00000800
gp : 632D5328, sp : 202AEB68, s8 : 634F31FC, ra : 60808014
EPC : 6080A0C0, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00000000, MDHI : 00000006, BadVaddr : 0B6719BC
Cause 00000024 (Code 0x9): Breakpoint exception

Cisco IOS software introduced the ability to support Tool Command Language (Tcl) version 7.0 commands as part of the Cisco IOS Interactive Voice Response feature in Cisco IOS Release 12.0(6)T and later. For further information, see http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/tclivrpg.htm.

The Cisco IOS Scripting with Tcl feature provides the ability to run Tool Command Language (Tcl) version 8.3.4 commands and was introduced from Cisco IOS Release 12.3(2)T. For further information, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_tcl.htm.

Workaround:

AAA Authorization

AAA authorization enables you to limit the services available to a user. When AAA authorization is enabled, the network access server uses information retrieved from the user's profile, which is located either in the local user database or on the security server, to configure the user's session. Once this is done, the user will be granted access to a requested service only if the information in the user profile allows it.

For a complete description of authorization commands, see the following links:

Configuring Authorization

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part05/schathor.htm

ACS 4.1 Command Authorization Sets

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/SPC.html#wpxref9538

ACS 4.1 Configuring a Shell Command Authorization Set for a User Group

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/GrpMgt.html#wp480029

Role-Based CLI Access

The Role-Based CLI Access feature allows the network administrator to define "views," which are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-line interface (CLI) and configuration information; that is, a view can define what commands are accepted and what configuration information is visible. Thus, network administrators can exercise better control over access to Cisco networking devices.

The following link provides more information about the Role-Based CLI Access feature:

Role-Based CLI Access

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

Device Access

Due to the nature of this vulnerability, networking best practices such as access control lists (ACLs) and Control Plane Policing (CoPP) that restrict vulnerable device access to certain IP addresses or subnetworks may not be effective. Device access best practices provide some mitigation for these issues by allowing systemic control of authenticated and unauthenticated users. Device access best practices are documented in:

Infrastructure Protection on Cisco IOS Software-Based Platforms, Appendix B—Controlling Device Access

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6970/ps1838/prod_white_paper0900aecd804ac831.pdf

Improving Security on Cisco Routers

http://www.cisco.com/warp/public/707/21.html

Terminal Service

CSCsj86725

This DDTS addresses the issue in the Cisco Product Security Incident Response Team (PSIRT) response to an issue discovered and reported to Cisco by Andy Davis from IRM, Inc. regarding a stack overflow in the Cisco IOS Line Printer Daemon (LPD) Protocol feature.

This security response is posted at:

http://www.cisco.com/warp/public/707/cisco-sr-20071010-lpd.shtml

Resolved Caveats—Cisco IOS Release 12.3(24)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(24). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(24). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCin75237

Symptoms: A line card gets wedged and needs a restart.

Conditions: This symptom is observed when a particular VIP is marked as wedged.

Workaround: There is no workaround.

CSCsi13312

Symptoms: Authentication with Security Device Manager (SDM) 2.3.3 fails, preventing you from logging into the router through HTTPS, HTTP, SSH, Telnet, console, or any management application.

Conditions: This symptom is observed on a Cisco router that is "fresh out of the box" and affects the following routers:

Cisco 800 series

Cisco 1700 series

Cisco 1800 series

Cisco 2700 series

Cisco 2800 series

Cisco 3700 series

Cisco 3800 series

Workaround: For extensive information and a workaround, see the following Field Notice:

http://www.cisco.com/en/US/ts/fn/620/fn62758.html

CSCsj44081

Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.

IBM Connectivity

CSCsi57284

Symptoms: A router that is running Cisco IOS may crash due to a software forced crash.

Conditions: This problem is specific to a DLSw configuration with SDLC-attached controllers. At the time of the crash, the SDLC encapsulation was being removed from one SDLC interface.

Workaround: There is no workaround.

IP Routing Protocols

CSCsi62559

Symptoms: OSPF packets with IP Precedence 0 are classified by SPD as priority packets. This is an error because only IP Precedence 6 packets should be classified as priority packets by SPD.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18) or a later release but may also affect other releases.

Workaround: Use ACLs to block invalid IP control packets from reaching the control plane.
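The classification rule the caveat states, as an added illustration that is not Cisco code: IP precedence is the top three bits of the TOS byte, and only precedence 6 (internetwork control) packets should be treated as SPD priority packets. The "buggy" classifier below is a hypothetical model of the misclassification (keying on the OSPF protocol number instead of precedence); the caveat does not state the actual cause. Function names and the constructed headers are assumptions for this example.

```c
/* Added example, not Cisco code: SPD priority classification by IP precedence.
 * The buggy variant is a hypothetical model of the misclassification the
 * caveat describes, not the actual IOS code path. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_OSPF_NUM 89              /* OSPF protocol number */
#define PREC_INTERNETWORK_CONTROL 6      /* precedence used by routing protocols */

/* IP precedence is the top three bits of the TOS byte (IPv4 header byte 1). */
static unsigned ip_precedence(const uint8_t *ip_hdr)
{
    return ip_hdr[1] >> 5;
}

/* Hypothetical buggy rule: any OSPF packet is priority, whatever its
 * precedence, so a precedence-0 OSPF packet is wrongly protected. */
int spd_is_priority_buggy(const uint8_t *ip_hdr, size_t len)
{
    if (len < 20)
        return 0;
    return ip_hdr[9] == IPPROTO_OSPF_NUM;
}

/* Corrected rule per the caveat: priority only when precedence is 6. */
int spd_is_priority_fixed(const uint8_t *ip_hdr, size_t len)
{
    if (len < 20)
        return 0;
    return ip_precedence(ip_hdr) == PREC_INTERNETWORK_CONTROL;
}

/* Constructed minimal IPv4 header: version/IHL, TOS, TTL and protocol set,
 * every other field zero. Only the bytes the classifier reads matter here. */
static void build_hdr(uint8_t *h, uint8_t tos, uint8_t proto)
{
    for (int i = 0; i < 20; i++)
        h[i] = 0;
    h[0] = 0x45;   /* IPv4, 20-byte header */
    h[1] = tos;
    h[8] = 1;      /* TTL 1, as OSPF hellos use */
    h[9] = proto;
}

/* Returns 1 when the fixed classifier prioritises OSPF with TOS 0xC0
 * (precedence 6) but not OSPF with TOS 0x00 (precedence 0), while the
 * buggy model prioritises both. */
int demo_spd_classification(void)
{
    uint8_t prec6[20], prec0[20];
    build_hdr(prec6, 0xC0, IPPROTO_OSPF_NUM);
    build_hdr(prec0, 0x00, IPPROTO_OSPF_NUM);
    return spd_is_priority_fixed(prec6, 20) == 1
        && spd_is_priority_fixed(prec0, 20) == 0
        && spd_is_priority_buggy(prec0, 20) == 1;
}

int main(void)
{
    printf("precedence-based classification correct: %s\n",
           demo_spd_classification() ? "yes" : "no");
    return 0;
}
```

The defensive point matches the workaround: because the precedence field is set by the sender, SPD priority treatment is only as trustworthy as the filtering in front of the control plane, so ACLs that drop control-plane packets from unexpected sources remain the primary control.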

CSCsj39538

Symptoms: A router generates a traceback and then crashes during deconfiguration (removal) of a VRF. The following message was seen prior to the crash:

-Process= "IP RIB Update", ipl= 3, pid= 68
-Traceback= 609538D8 60D1B8B4 612B2838 612588C8 61258CD4 6125E61C 6125ED04 6125EF30 61261CDC 6125A14C 61265A08 6126BE10 6097CF00 609547D8 609548B8
Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x609538FC

Conditions: No specific conditions are known to cause this fault.

Workaround: There is no workaround.

Miscellaneous

CSCdz55178

Symptoms: A router that is configured for QoS may reload unexpectedly or other serious symptoms such as memory corruption may occur.

Conditions: This symptom is observed on a Cisco router that has a cable QoS profile with a name that has a length that is greater than 32 characters as in the following example:

cable qos profile 12 name g711@10ms_for_any_softswitch_Traa^C
00000000011111111111222222222333^
12345678901234567890123456789012|
PROBLEM (Variable Overflowed)

The column ruler under the name marks the 32-character field; the 33rd character of the name falls past the end of the field and overflows the variable.

Workaround: Change the name of the cable QoS profile to a length that is less than 32 characters.
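The fixed-size name field the caveat describes, as an added illustration that is not Cisco code: an unchecked copy that writes past a 32-character field next to a setter that validates the length first. The 32-character limit and the 33-character sample name come from the caveat; the `qos_profile_t` structure and the function names are assumptions for this example.

```c
/* Added example, not Cisco code: a 32-character name field with the
 * unchecked copy that overflows it beside a length-validated setter.
 * The structure and function names are assumptions for illustration. */
#include <stddef.h>
#include <string.h>

#define QOS_NAME_MAX 32

/* Hypothetical profile record: 'name' holds at most 32 characters plus the
 * terminator, and 'state' stands for whatever an overflow would overwrite. */
typedef struct {
    int  index;
    char name[QOS_NAME_MAX + 1];
    int  state;
} qos_profile_t;

/* Length of s, stopping after 'limit' bytes so an unterminated or very long
 * input cannot make the length check itself read past the input. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Before: copies whatever arrives; a 33-character name writes past 'name'. */
void set_name_unchecked(qos_profile_t *p, const char *name)
{
    strcpy(p->name, name);
}

/* After: reject anything longer than the field, then copy with a bound.
 * Returns 0 on success; -1 means the name was rejected and the profile is
 * left unchanged. */
int set_name_checked(qos_profile_t *p, const char *name)
{
    size_t len = bounded_len(name, QOS_NAME_MAX + 1);
    if (len > QOS_NAME_MAX)
        return -1;
    memcpy(p->name, name, len);
    p->name[len] = '\0';
    return 0;
}

/* Returns 1 when the 33-character name from the caveat is rejected and the
 * profile is left untouched. */
int demo_overlong_name_rejected(void)
{
    qos_profile_t p = { .index = 12, .name = "default", .state = 1 };
    const char *too_long = "g711@10ms_for_any_softswitch_Traa"; /* 33 characters */
    return set_name_checked(&p, too_long) == -1
        && strcmp(p.name, "default") == 0
        && p.state == 1;
}

/* Returns 1 when a name of exactly 32 characters is accepted intact. */
int demo_max_length_name_accepted(void)
{
    qos_profile_t p = { .index = 12, .name = "", .state = 1 };
    const char *at_limit = "g711@10ms_for_any_softswitch_Tra"; /* 32 characters */
    return set_name_checked(&p, at_limit) == 0
        && strcmp(p.name, at_limit) == 0
        && p.state == 1;
}
```

Rejecting the input before any byte is copied is what keeps the profile consistent: a truncating copy would silently store a different name than the operator typed, which is the kind of mismatch that later shows up as the "other serious symptoms" the caveat mentions.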

CSCek63384

Symptoms: A service policy is unexpectedly removed.

Conditions: This symptom is observed when you apply a service policy to a multilink interface and then the interface is reset.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, reconfigure the service policy after the multilink interface has been brought up.

CSCsa92748

Symptoms: A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:

Last reset from watchdog reset

Conditions: This symptom is observed only on Cisco 7200 and Cisco 7301 series routers that are configured with an NPE-G1 Network Processing Engine.

Workaround: There is no workaround.

CSCsc93516

Symptoms: A router may crash because of a bus error during ISAKMP negotiation.

Conditions: This symptom is observed on a Cisco 2611XM that runs Cisco IOS Release 12.3(17a) but is not platform-specific and may also affect Release 12.4.

Workaround: There is no workaround.

CSCsd37629

Symptoms: Alignment errors and a bus error may occur on a Cisco router that has the ip inspect command enabled.

Conditions: This symptom can be observed where the Cisco IOS Firewall feature is handling a lot of RTSP traffic.

Workaround: There is no workaround.

CSCse01124

Symptoms: The Hot Standby Router Protocol (HSRP) may not come up and may remain in the "Init" state, which can be verified in the output of the show standby brief command.

Conditions: This symptom is observed when dampening is configured on a native Gigabit Ethernet interface of a Cisco 7200 series or on a Fast Ethernet interface of a PA-FE-TX port adapter. Other types of interfaces are not affected.

Workaround: When the symptom has occurred, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the Gigabit Ethernet and Fast Ethernet interfaces of all routers of the standby group.

To prevent the symptom from occurring, remove dampening from the Gigabit Ethernet and Fast Ethernet interfaces.

CSCse40423

Symptoms: A tunnel interface cannot ping the other end of an IP tunnel.

Conditions: This symptom is observed when ATM is configured and when the tunnel interface is up.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the tunnel interface.

CSCse49985

Symptoms: A software-forced crash may occur on a Cisco 3745, and an error message similar to the following may be displayed:

rcojx67-vgw01-3745 uptime is 1 day, 16 hours, 19 minutes

System returned to ROM by error - a Software forced crash, PC 0x60A87D38

at 15:59:36 GMT Tue May 16 2006

System restarted at 16:00:35 GMT Tue May 16 2006

System image file is "flash:c3745-ipvoice-mz.123-14.T3.bin"

Conditions: This symptom is observed on a Cisco 3745 that runs Cisco IOS Release 12.3(14)T3 only when there are some memory allocation failures. The symptom may also affect Release 12.4.

Workaround: There is no workaround.

CSCse55425

Symptoms: When configuring a serial interface or issuing show commands related to that serial interface, a router may incorrectly configure a different serial interface or may show output from a different serial interface in the router.

Conditions: The conditions under which the problem manifests itself are unknown and appear to be random. The symptom exists only when using a channelized T3 card and configuring one of the T1s.

Workaround: A router reload clears the issue.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsh04686

Symptoms: With X.25 over TCP (XOT) enabled on a router or Catalyst switch, malformed traffic sent to TCP port 1998 will cause the device to reload. This was first observed in Cisco IOS Release 12.2(31)SB2.

Conditions: Must have "x25 routing" enabled on the device.

Workarounds: Use IPSEC or other tunneling mechanisms to protect XOT traffic. Also, apply ACLs on affected devices so that traffic is only accepted from trusted tunnel endpoints.

CSCsh06117

Symptoms: When the ATM Software Segmentation and Reassembly (SAR) feature is enabled, VBR-rt PVCs may be deactivated before VBR-nrt PVCs in an over-subscription scenario.

Conditions: This symptom is observed on a Cisco 2600 series and Cisco MC3810 that have oversubscribed ATM PVCs with a VBR-rt and VBR-nrt class of service.

Workaround: Configure all PVCs with an SCR of less than or equal to the line rate.

CSCsh33430

Symptoms: A traceback may occur in an HSRP function and the platform may reload unexpectedly.

Conditions: This symptom is observed on a Cisco platform that has the HSRP Support for ICMP Redirects feature enabled and occurs when a learned HSRP group is removed after a resign message has been received.

Workaround: Disable the Support for ICMP Redirects feature by entering the no standby redirects global configuration command.

CSCsh71993

Symptoms: SIP may not pass the correct calling number in the header when an e164 address is used. SIP should block the population of the calling party number if the user portion of the "From" header is not an e164 address, preventing the calling party number IE from being populated when ISDN sends the SETUP message. However, this does not occur, and SIP may pass an incorrect number.

Conditions: This symptom is observed on a Cisco gateway that sends Microsoft Communicator SIP calls to the PSTN.

Workaround: There is no workaround.

CSCsh85531

Symptoms: Some E1 channels may remain down after you have reloaded a router.

Conditions: This symptom is observed on a Cisco 7200 series that functions as a PE router and that connects to a CE router. Both routers are connected through 1-port multichannel STM-1 (PA-MC-STM-1) port adapters, and the framing no-crc4 command is enabled on all interfaces of both routers.

Workaround: Enter the shutdown command followed by the no shutdown command on the SONET controller of the PA-MC-STM-1 at the PE side to enable all interfaces to come up.

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link: http://www.kb.cert.org/vuls/id/739224.

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall. Cisco response is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml.

CSCsi42490

Symptoms: A Cisco 3700 series with an IMA interface may crash.

Conditions: This symptom is observed when the ATM IMA PVC had an AutoQoS configuration.

Workaround: Remove the AutoQoS configuration.

CSCsi57927

Symptoms: A Cisco router running Cisco IOS Release 12.2, Release 12.3, or Release 12.4 will show TCP connections hung in CLOSEWAIT state. These connections will not time out, and if enough accumulate, the router will become unresponsive and need to be reloaded.

Conditions: This symptom occurs on a Cisco router running Cisco IOS Release 12.2, Release 12.3, or Release 12.4 when executing a copy source-url ftp: command and the FTP server fails to initiate the FTP layer (no banner) but does setup a TCP connection. This may occur when the FTP server is misconfigured or overloaded.

The CLI command will timeout, but will not close the TCP connection or clean up associated resources. The FTP server will eventually answer and timeout itself, and close the TCP connection, but the router will not clean up the TCP resources at this time either.

Workaround: Manually clear TCP resources using the clear tcp CLI command, referencing the show tcp brief command output.
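The workaround above is manual; as an added example (not code from the release notes or from Cisco), the following parses a constructed `show tcp brief` listing, selects connections stuck in CLOSEWAIT (or FINWAIT1, the state in the later BGP caveat) and produces the matching `clear tcp tcb` commands. The sample output and TCB handles are made up for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample of "show tcp brief" output in the column layout IOS uses.
# The TCB handles and addresses are made up for this example; the two CLOSEWAIT
# entries toward port 21 model the hung FTP copies described in the caveat.
SAMPLE_SHOW_TCP_BRIEF = """\
TCB       Local Address               Foreign Address             (state)
6523A4FC  10.1.1.1.23                 10.1.1.200.1030             ESTAB
65B0C1D0  10.1.1.1.11002              192.0.2.10.21               CLOSEWAIT
65B0E8A4  10.1.1.1.11004              192.0.2.10.21               CLOSEWAIT
6544F210  10.1.1.1.179                10.1.1.2.179                ESTAB
65A11C88  10.1.1.1.179                10.1.1.3.41266              FINWAIT1
"""


@dataclass(frozen=True)
class TcpConn:
    tcb: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    # IOS appends the port as one more dotted field: "192.0.2.10.21" -> ("192.0.2.10", 21)
    ip, port = endpoint.rsplit(".", 1)
    return ip, int(port)


def parse_show_tcp_brief(text: str) -> List[TcpConn]:
    """Turn the command output into records; header and blank lines are skipped."""
    conns: List[TcpConn] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] == "TCB":
            continue
        tcb, local, foreign, state = fields
        local_ip, local_port = _split_endpoint(local)
        foreign_ip, foreign_port = _split_endpoint(foreign)
        conns.append(TcpConn(tcb, local_ip, local_port, foreign_ip, foreign_port, state))
    return conns


def stuck_connections(conns: Iterable[TcpConn],
                      states: Tuple[str, ...] = ("CLOSEWAIT",),
                      foreign_port: Optional[int] = None) -> List[TcpConn]:
    """Select connections in a state that should not persist (CLOSEWAIT for this
    caveat; add FINWAIT1 for the BGP case), optionally limited to one remote port."""
    return [c for c in conns
            if c.state in states and (foreign_port is None or c.foreign_port == foreign_port)]


def clear_commands(conns: Iterable[TcpConn]) -> List[str]:
    """Commands the workaround asks for, one per TCB handle taken from the output."""
    return [f"clear tcp tcb {c.tcb}" for c in conns]


if __name__ == "__main__":
    conns = parse_show_tcp_brief(SAMPLE_SHOW_TCP_BRIEF)
    for cmd in clear_commands(stuck_connections(conns, foreign_port=21)):
        print(cmd)
```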

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsi98120

Symptoms: A router may crash because of a bus error. Spurious accesses may be observed.

Conditions: This symptom is observed on a Cisco 7200 series router that has an NPE-G1 and that runs Cisco IOS Release 12.3(22). The router is configured as a PE router and uses MQC hierarchical policies for some subinterfaces and the legacy rate-limit command for other subinterfaces.

Workaround: There is no workaround.

CSCsj37071

Symptoms: All E1 interfaces on a PA-MC-E3 port adapter may flap continuously even after the traffic has been stopped.

Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that have a PA-MC-E3 port adapter when you configure 16 or 128 channel groups on each time slot (that is, time slots 1-31) and then generate traffic just above line rate traffic through all the channel groups. Note that the symptom is not platform-specific.

Workaround: Stop the traffic and reset the E3 controller of the PA-MC-E3 port adapter.

CSCsj94561

Symptoms: A router may crash because of a bus error when you perform an OIR of a PA-MC-8TE1+ port adapter or when you enter the hw-module slot slot-number stop command for the slot in which the PA-MC-8TE1+ port adapter is installed.

Conditions: This symptom is observed on a Cisco 7200 series.

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCsh36203

Symptoms: A Cisco router is crashing at p_dequeue.

Conditions: This symptom is observed when testing the Echo cancelling feature in the Cisco 1700 platform but is not platform dependent.

Workaround: There is no workaround.

CSCsh92986

Symptoms: The latency of RSH commands may increase when they flow through an FWSM module.

Conditions: This issue was observed on an FWSM that is running 2.2(1) software. The long delay was triggered by running either Cisco IOS Release 12.3(13a)BC1 or Release 12.3(17a)BC1 on the routers toward which those RSH commands were sent.

Workaround: Either bypass the FWSM module or downgrade to Cisco IOS Release 12.3(9a)BC3 which is not affected by this extra delay issue.

Wide-Area Networking

CSCee56988

Symptoms: High CPU usage occurs on a Cisco 7301, and the following error message and traceback are generated:

%TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer: 0x0
-Process= "L2X SSS manager", ipl= 0, pid= 69
-Traceback= 0x606E43DC 0x60B9FAC8 0x60BA11C4 0x619F502C 0x619F4A2C 0x619F4D34 0x619F35C4 0x619F4FF4 0x619F6820 0x619F5ED8 0x619F6350 0x619CA1F4 0x619CA6C4 0x619D2524 0x619CABB4 0x619CAFA0

Conditions: This symptom is observed on a Cisco 7301 that runs Cisco IOS Release 12.4(5b) with PPTP/VPDN connections after, on a connected platform, rate limiting is changed to MQC policy-based limiting of the bandwidth. Note that the symptom may be release-independent.

Workaround: There is no workaround.

CSCek41543

Symptoms: A Cisco 2811 router running Cisco IOS Release 12.4(7a) may have a memory leak in the ISDN process, as seen in the output of the show process memory command. The leak rate appears to be about 1.20 MB/hour.

Conditions: This symptom has been observed with BRI-U interface that is UP/UP (spoofing).

Workaround: Administratively shut down the BRI interface.

CSCsg03793

Symptoms: A router may crash while parsing "x28 profile spaced." This occurs when x28 mode is configured.

The crashinfo file will show:

"%SYS-2-FREEFREE: Attempted to free unassigned memory at [...]"

Conditions: This symptom is observed on a Cisco AS5350 that is running Cisco IOS Release 12.3(20) and is occurring under heavy traffic.

Workaround: There is no workaround.

CSCsh82513

Symptoms: The output of the show isdn active command may show disconnected calls.

Conditions: This symptom is observed on a Cisco router when analog modem calls are made after a normal ISDN digital call has been made.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(23)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(23). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(23). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCeb20967

Symptoms: A Route Switch Processor (RSP) may reload unexpectedly when a bus error with an invalid memory address occurs while packets are placed into a hold queue.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.0 S, 12.1(14)E4, or 12.2 S when the following sequence of events occurs:

1. A packet is switched via Cisco Express Forwarding (CEF).

2. The egress interface has queueing/shaping configured.

3. The egress interface is congested, causing the packet to be placed into the hold queue.

Workaround: There is no workaround.

CSCin75237

Symptoms: A line card gets wedged and needs a restart.

Conditions: This symptom is observed when a particular VIP is marked as wedged.

Workaround: There is no workaround.

CSCsg69244

Symptoms: After you have performed a microcode reload on a router, pings may no longer have a 100 percent success rate.

Conditions: This symptom is observed on a Cisco router that has an RSP after you have entered the microcode reload command.

Workaround: There is no workaround.

CSCsi13312

Symptoms: Authentication with Security Device Manager (SDM) 2.3.3 fails, preventing you from logging into the router through HTTPS, HTTP, SSH, Telnet, console, or any management application.

Conditions: This symptom is observed on a Cisco router that is "fresh out of the box" and affects the following routers:

Cisco 800 series

Cisco 1700 series

Cisco 1800 series

Cisco 2700 series

Cisco 2800 series

Cisco 3700 series

Cisco 3800 series

Workaround: For extensive information and a workaround, see the following Field Notice:

http://www.cisco.com/en/US/ts/fn/620/fn62758.html

CSCsj44081

Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp:

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
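Both this caveat and the %TCP-2-INVALIDTCPENCAPS traceback in CSCee56988 describe messages an operator has to spot in the syslog stream and route to the right action. As an added example, not code from the release notes or from Cisco, the following parses IOS-style log lines into facility, severity and mnemonic, attaches the -Process= and -Traceback= continuation lines, and flags the DATACORRUPTION message with the recommended action above. The sample log is constructed; the DATACORRUPTION traceback addresses are made up, and the generic "severity 2 or lower" rule is this example's own choice.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample log. Message formats follow the IOS %FACILITY-SEVERITY-MNEMONIC
# convention; the DATACORRUPTION and TCP message texts reproduce the examples quoted in
# these release notes, while timestamps, the CONFIG_I/UPDOWN lines and the first
# traceback's addresses are made up for the example.
SAMPLE_LOG = """\
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 0x60A1B2C4 0x60A1C0F8 0x60A2D3A0
May 17 10:02:00.001 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0
May 17 10:03:11.410 UTC: %TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer: 0x0
-Process= "L2X SSS manager", ipl= 0, pid= 69
-Traceback= 0x606E43DC 0x60B9FAC8 0x60BA11C4
May 17 10:04:30.000 UTC: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
"""

# timestamp, then %FACILITY-SEVERITY-MNEMONIC: free text
MSG_RE = re.compile(
    r"^(?P<ts>.*?): %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)


@dataclass
class IosMessage:
    timestamp: str
    facility: str
    severity: int           # 0 emergencies ... 2 critical ... 7 debugging
    mnemonic: str
    text: str
    details: List[str] = field(default_factory=list)   # -Process= / -Traceback= lines

    @property
    def key(self) -> str:
        return f"%{self.facility}-{self.severity}-{self.mnemonic}"


def parse_ios_log(text: str) -> List[IosMessage]:
    """Group each message with the continuation lines that IOS prints below it."""
    messages: List[IosMessage] = []
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            messages.append(IosMessage(m["ts"], m["facility"], int(m["severity"]),
                                       m["mnemonic"], m["text"]))
        elif line.startswith("-") and messages:
            messages[-1].details.append(line)   # belongs to the preceding message
    return messages


# The DATACORRUPTION action is the one these release notes recommend; the generic
# severity threshold below is this example's assumption, not a Cisco recommendation.
SPECIFIC_ACTIONS = {
    "DATACORRUPTION-DATAINCONSISTENCY":
        "Collect 'show tech-support' output, open a TAC service request, and record "
        "any accompanying error messages or symptoms.",
}
ESCALATE_AT_OR_BELOW = 2


def triage(messages: List[IosMessage]) -> List[Tuple[IosMessage, str]]:
    """Return (message, action) pairs for messages that need operator attention."""
    findings = []
    for msg in messages:
        action = SPECIFIC_ACTIONS.get(f"{msg.facility}-{msg.mnemonic}")
        if action is None and msg.severity <= ESCALATE_AT_OR_BELOW:
            action = (f"Severity {msg.severity} message with {len(msg.details)} detail "
                      f"line(s): preserve the traceback and check it against known caveats.")
        if action:
            findings.append((msg, action))
    return findings


if __name__ == "__main__":
    for msg, action in triage(parse_ios_log(SAMPLE_LOG)):
        print(f"{msg.timestamp}  {msg.key}\n    -> {action}")
```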

IP Routing Protocols

CSCsh80678

Symptoms: New or flapping IGP routes may be injected into BGP even though no corresponding network statements exist.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(22) or a later release when the auto-summary command is enabled for BGP.

Workaround: Enter the no auto-summary command.

ISO CLNS

CSCsg28497

Symptoms: An IS-IS adjacency may flap when an RP switchover occurs.

Conditions: This symptom is observed on a Cisco router that is configured for IS-IS Multi-Topology, IS-IS NSF Awareness, and IPv4 and IPv6 unicast.

Workaround: There is no workaround.

Miscellaneous

CSCds25257

Symptoms: A gatekeeper rejects new registration requests from a Cisco Unified CallManager (CUCM) or other H.323 endpoints with a Registration Reject (RRJ) reason of duplicateAlias. Attempting to clear this stale registration fails, and a "No such local endpoint is registered, clear failed." error message is generated.

Conditions: This symptom is observed in the following topology:

CUCM H.225 trunks register to a gatekeeper (GK) cluster. Gatekeeper 1 (GK1) and gatekeeper 2 (GK2) are members of the GK cluster. The CUCM registers first to GK1, then fails over to GK2. This registration at GK2 sends an alternate registration to GK1. However, because of network issues, the unregistered indication does not reach GK1.

When the H.225 trunk attempts to register with GK1, it is rejected because the alternate registration is still present, and there is no way to clear it.

10.9.20.3 34273 10.9.20.3 32853 SJC-LMPVA-GK-1 H323-GW A
ENDPOINT-ID: 450FC24400000000 VERSION: 5 AGE: 1618993 secs
SupportsAnnexE: FALSE
g_supp_prots: 0x00000050
H323-ID: SJC-LMPVA-Trunk_4

Workaround: Reset the gatekeeper by entering the shutdown command followed by the no shutdown command, or reboot the affected GK.

CSCeh15949

Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.

Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.

Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.

Further Problem Description: An example of this caveat is shown below.

When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.

Topology:

RPM-XF-(FE)-------(FE)--Router

ip: 10.10.10.2 .1

Router_RPM09_XF#show running-config
Building configuration...

Current configuration : 1190 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_RPM09_XF
!
boot-start-marker
boot system x:rpmxf-p12-mz.123-7.T3
boot system bootflash:rpmxf-p12-mz.123-7.T3
boot-end-marker
interface FastEthernet2/0
 ip address 10.10.10.2 255.255.255.252
 ip access-group 101 in
 duplex auto
 speed auto
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any

Router_RPM09_XF#show ip access-list 101
Extended IP access list 101 (Compiled)
    10 deny tcp any host 10.10.10.2 eq telnet
    20 permit ip any any (96 matches)
Router_RPM09_XF#

The information below shows that the access list does not function:

Router#telnet 10.10.10.2
Trying 10.10.10.2 ... Open
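As an added check, and not code from the caveat or from Cisco, the following evaluates the extended ACL from the running-config excerpt the way IOS is documented to apply it: first matching entry wins, with an implicit deny at the end. For the telnet attempt from the router it returns deny at sequence 10, which is exactly what the `Trying 10.10.10.2 ... Open` output contradicts. The `Packet` shape and the short `PORT_NAMES` table are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the well-known port names IOS accepts in ACL entries (assumption: only
# the names needed for the caveat plus a few common ones).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "domain": 53, "www": 80, "bgp": 179}

AddrSpec = Tuple[int, int]          # (address, wildcard mask) as 32-bit integers
ANY: AddrSpec = (0, 0xFFFFFFFF)     # "any": every address bit is a wildcard bit


@dataclass(frozen=True)
class AclEntry:
    seq: int            # 10, 20, ... as "show ip access-list" numbers them
    action: str         # "permit" or "deny"
    proto: str          # "ip", "tcp", "udp", "icmp"
    src: AddrSpec
    src_port: Optional[int]
    dst: AddrSpec
    dst_port: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    src_port: Optional[int] = None


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume "any", "host A.B.C.D" or "A.B.C.D WILDCARD" starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional "eq PORT" qualifier (name or number)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(config: str, number: int) -> List[AclEntry]:
    """Collect the entries of one numbered extended ACL from running-config text, in order."""
    entries: List[AclEntry] = []
    prefix = f"access-list {number} "
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        src_port, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dst_port, i = _parse_port(tok, i)
        entries.append(AclEntry(10 * (len(entries) + 1), action, proto, src, src_port, dst, dst_port))
    return entries


def _addr_match(spec: AddrSpec, addr: str) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF              # bits that must match (wildcard bit 1 = ignore)
    return (_ip(addr) & care) == (net & care)


def _port_match(want: Optional[int], have: Optional[int]) -> bool:
    return want is None or want == have


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """(action, sequence) of the first matching entry; ("deny", None) is the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if (_addr_match(e.src, pkt.src) and _addr_match(e.dst, pkt.dst)
                and _port_match(e.src_port, pkt.src_port) and _port_match(e.dst_port, pkt.dst_port)):
            return e.action, e.seq
    return "deny", None


# The two ACL lines exactly as they appear in the caveat's running-config excerpt.
CAVEAT_CONFIG = """\
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any
"""

# The telnet attempt from the neighbouring router (10.10.10.1); the source port is made up.
TELNET_SYN = Packet("tcp", "10.10.10.1", "10.10.10.2", dst_port=23, src_port=41000)

if __name__ == "__main__":
    print(evaluate(parse_acl(CAVEAT_CONFIG, 101), TELNET_SYN))   # expected ('deny', 10)
```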

CSCek60527

Symptoms: An AAA server does not authenticate.

Conditions: This symptom is observed on a Cisco platform that functions as an AAA server and that runs Cisco IOS Release 12.3(13) when you dial up using Microsoft callback through an asynchronous line. Dialup through an ISDN modem works fine.

Workaround: There is no workaround.

CSCek66164

Symptoms: A router may hang briefly and then may crash when you enter any command of the following form:

show ... | redirect rcp:....

Conditions: This symptom is observed when Remote Copy Protocol (RCP) is used as the transfer protocol.

Workaround: Use a transfer protocol other than RCP such as TFTP or FTP.

Further Problem Description: RCP requires delivery of the total file size to the remote host before it delivers the file itself. The output of a show command is not an actual file on the file system nor is it completely accumulated before the transmission occurs, so the total file size is simply not available in a manner that is compatible with RCP requirements.

CSCsa92748

Symptoms: A Network Processing Engine G1 (NPE-G1) may restart unexpectedly and report the following message:

Last reset from watchdog reset

Conditions: This symptom is observed only on Cisco 7200 and Cisco 7301 series routers that are configured with an NPE-G1 Network Processing Engine.

Workaround: There is no workaround.

CSCsb12598

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb89005

Symptoms: A Cisco 10000 router that is running Cisco IOS Release 12.3(7)XI6 may reload because of a software forced crash after a c10k_ttcm_write: Invalid Address error.

Conditions: This symptom may occur if a static route of the following form is configured, where interface is not a point-to-point interface:

ip route vrf name ip address 255.255.255.255 interface

Workaround: There is no workaround.

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd92405

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCse40423

Symptoms: A tunnel interface cannot ping the other end of an IP tunnel.

Conditions: This symptom is observed when ATM is configured and when the tunnel interface is up.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the tunnel interface.

CSCse56501

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.

CSCsf08998

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg10134

Symptoms: A router crashes when PPPoEoA sessions are torn down.

Conditions: This symptom is observed when the maximum number of class-map instances are configured on the router.

Workaround: There is no workaround.

CSCsg40482

Symptoms: ISDN L2 may remain in the "TEI_ASSIGNED" state.

Conditions: This symptom is observed on a Cisco router after you have performed a hard OIR of a PA-MC-4T1 port adapter.

Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred, reload the router.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg83834

Symptoms: A router may crash and generate an "%ALIGN-1-FATAL: Illegal access to a low address" error message.

Conditions: This symptom is observed on a Cisco router that is configured for IPv6, IPsec, and multicast.

Workaround: There is no workaround.

Further Problem Description: The fix for caveat CSCsg83834 also fixes caveat CSCsg94837. For more information about caveat CSCsg94837, see http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg94837.

CSCsh05979

Symptoms: A VIP may reset because of a bus error when you remove a service policy from an ATM subinterface.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(20) but may also affect Release 12.4 and Release 12.4.T. The symptom appears to be platform-independent.

Workaround: There is no workaround.

CSCsh06117

Symptoms: When the ATM Software Segmentation and Reassembly (SAR) feature is enabled, VBR-rt PVCs may be deactivated before VBR-nrt PVCs in an over-subscription scenario.

Conditions: This symptom is observed on a Cisco 2600 series and Cisco MC3810 that have oversubscribed ATM PVCs with a VBR-rt and VBR-nrt class of service.

Workaround: Configure all PVCs with an SCR of less than or equal to the line rate.

CSCsh33430

Symptoms: A traceback may occur in an HSRP function and the platform may reload unexpectedly.

Conditions: This symptom is observed on a Cisco platform that has the HSRP Support for ICMP Redirects feature enabled and occurs when a learned HSRP group is removed after a resign message has been received.

Workaround: Disable the Support for ICMP Redirects feature by entering the no standby redirects global configuration command.

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

TCP/IP Host-Mode Services

CSCek40455

Symptoms: The Border Gateway Protocol (BGP) session is stuck in FINWAIT1 connection state.

Conditions: This symptom has been observed with a BGP session when changing the BGP password.

Workaround: Use the clear tcp tcb address command to delete the stuck Transmission Control Block (TCB).

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.

Wide-Area Networking

CSCee13617

Symptoms: A Cisco router that has an ISDN interface as a backup for an ADSL port may exhibit spurious memory accesses and a high CPU utilization during interrupts.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(13)ZH2, Release 12.3, or Release 12.3T when an L2TP tunnel is up, when the BRI-U interface is disconnected and reconnected, and when the router attempts to reenable the tunnel.

Workaround: There is no workaround.

CSCek60025

Symptoms: A ping may be dropped in a PPP callback scenario.

Conditions: This symptom is observed on a Cisco router when Multilink PPP (MLP) and the dialer load-threshold command are enabled.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(22a)

Cisco IOS Release 12.3(22a) is a rebuild release for Cisco IOS Release 12.3(22). The caveats in this section are resolved in Cisco IOS Release 12.3(22a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsj44081

Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp:

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.

Miscellaneous

CSCeh15949

Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.

Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.

Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.

Further Problem Description: An example of this caveat is shown below.

When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.

Topology:

RPM-XF-(FE)-------(FE)--Router
ip:      10.10.10.2      .1

Router_RPM09_XF#show running-config
Building configuration...

Current configuration : 1190 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_RPM09_XF
!
boot-start-marker
boot system x:rpmxf-p12-mz.123-7.T3
boot system bootflash:rpmxf-p12-mz.123-7.T3
boot-end-marker
!
interface FastEthernet2/0
 ip address 10.10.10.2 255.255.255.252
 ip access-group 101 in
 duplex auto
 speed auto
!
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any

Router_RPM09_XF#show ip access-list 101
Extended IP access list 101 (Compiled)
    10 deny tcp any host 10.10.10.2 eq telnet
    20 permit ip any any (96 matches)
Router_RPM09_XF#

The information below shows that the access list does not function:

Router#telnet 10.10.10.2
Trying 10.10.10.2 ... Open

CSCej20505

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf08998

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure-server command enabled.

Workaround: Disable the HTTPS server by entering the no ip http secure-server command.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) can allow a malicious user to create extra multicast states on the core routers, or to receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPNs), by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.245

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml

TCP/IP Host-Mode Services

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Apply access lists at the edge of your network that block RCP packets, so that spoofed RSH packets cannot reach the router. Use another protocol, such as SCP, instead of RCP. Use VTY ACLs.
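The following configuration is an added example that is not part of these release notes or of the Cisco advisory text. It puts the workaround for both occurrences of the CSCse05736 RCP caveat in these notes (the 12.3(23) entry above and this one) into concrete form: the "before" fragment shows RCP enabled with trust resting solely on the peer's source address, which is exactly what a spoofed packet defeats; the "after" fragments disable RCP, replace it with SCP over SSH, filter the rsh/rcp port (TCP 514) at the untrusted edge, and restrict the VTYs. Interface names, addresses (RFC 5737 documentation ranges), ACL names and the username are assumptions; SSH/SCP additionally requires a crypto (k9) image.

```cisco
! Added example, not taken from these release notes. Interface names,
! addresses, ACL names and the username are assumptions.
!
! --- Before: RCP on, trusting nothing but the source address 192.0.2.10 ---
ip rcmd rcp-enable
ip rcmd remote-host admin 192.0.2.10 admin enable
!
! --- After (1): stop listening for RCP/RSH entirely ---
no ip rcmd rcp-enable
no ip rcmd rsh-enable
no ip rcmd remote-host admin 192.0.2.10 admin enable
!
! --- After (2): SCP over SSH as the replacement. The SCP server needs AAA
!     exec authorization and an authenticated account (local here) ---
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip scp server enable
!
! --- After (3): edge ACL. 198.51.100.0/24 stands for the block that holds
!     the routers' own addresses; 192.0.2.10 is the internal management host,
!     so a packet carrying that source must never arrive from the WAN ---
ip access-list extended EDGE-IN
 remark drop rsh/rcp (TCP 514) aimed at our own addresses
 deny   tcp any 198.51.100.0 0.0.0.255 eq 514
 remark anti-spoofing: the management host is inside, not on the WAN
 deny   ip host 192.0.2.10 any
 permit ip any any
interface Serial0/0
 description untrusted / WAN
 ip access-group EDGE-IN in
!
! --- After (4): VTY ACL and SSH only for the CLI and the SCP path ---
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

The ordering matters for this caveat: because the trigger is a single packet whose only credential is a forged source address, neither the rcmd configuration nor anything on the router itself can distinguish it from a legitimate request, so the useful controls are the ones that keep such a packet from reaching the rcmd code at all (disabling the service, or filtering TCP 514 and spoofed management addresses upstream). The VTY access-class and SSH-only transport protect the replacement SCP/SSH path rather than the RCP listener.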

Resolved Caveats—Cisco IOS Release 12.3(22)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(22). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(22). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or a crash are seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable HTTP server using the no ip http server command.

CSCek52249

Symptoms: A Cisco router crashes when the default dest-ip command is entered in IPSLA jitter, UDP Echo and TCP Connect operations.

Conditions: The issue is seen when the default dest-ip command is entered.

Workaround: There is no workaround.

CSCsh02375

Symptoms: On a Cisco 7500 RSP console, the show controller cbus command output does not list details for interfaces other than serial interfaces.

Conditions: This symptom occurs when the show controller cbus command is entered on a Cisco 7500 RSP console.

Workaround: There is no workaround.

IBM Connectivity

CSCsg65485

Symptoms: A Cisco 7206VXR with an NPE-G1 that runs Cisco IOS Release 12.3(20.12) and that is configured for data-link switching (DLSw) reloads unexpectedly.

Workaround: There is no workaround.

Interfaces and Bridging

CSCek43732

Symptoms: All packets are dropped from a 1-port OC-3/STM-1 POS port adapter (PA-POS-1OC3) or 2-port OC-3/STM-1 POS port adapter (PA-POS-2OC3) that is configured for CBWFQ.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1. However, the symptom may be platform-independent.

Workaround: There is no workaround.

CSCsh16540

Symptoms: A router crashes when the encapsulation dot1Q vlan-id command is enabled on an MPLS router.

Conditions: The crash is observed on a Cisco 7200 series router that runs Cisco IOS Release 12.4(12.7).

Workaround: There is no workaround.

IP Routing Protocols

CSCei29944

Symptoms: A CE router that has L2TP tunnels in an MPLS VPN environment with about 1000 VRFs may crash and generate the following error message:

Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x50766038

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0(32)S and that functions as a CE router when BGP neighbors are unconfigured via the no neighbor ip-address command while the show ip bgp summary command is entered from the Aux console. The symptom is not release-specific and may also affect other releases.

Workaround: There is no workaround.

CSCsg29248

Symptoms: A stale LSA can be created after the summary-address not-advertise command is entered, in a very narrow corner case. The problem became visible after the fix for CSCsf27810.

Conditions: This symptom occurs when a self-originated external LSA with the same address and more specific mask exists in OSPF database.

Workaround: Clear the OSPF process.

CSCsg52336

Symptoms: The router crashes when an unused and unassigned VRF is removed with the no ip vrf vpn_name configuration command.

Conditions: This symptom is observed on an ESR10K / PRE-1 that runs c10k-k4p10-mz.120-25.SX6f as a PE router with multiple VRFs that use OSPF, and with other VRFs that have been created but are not used or assigned to any interface.

Workaround: There is no workaround

CSCsh19852

Symptoms: When an OSPF interface goes down, some FSM events do not occur (for example, the old network LSA is not flushed).

Conditions: This symptom was introduced by the fix for CSCek63900.

Workaround: There is no workaround.

Miscellaneous

CSCdv43124

Symptoms: A Cisco VIP4-80 with a PA-MC-STM-1SMI crashes when QoS is deployed and traffic is generated. Replacing the VIP4-80 does not fix this issue.

Conditions: This symptom has been observed on a Cisco VIP4-80.

Workaround: A reload of the Cisco VIP4-80 is required to reconnect to the CE.

CSCek55511

Symptoms: A Cisco AS5400HPX that is running Cisco IOS Release 12.3(11)T7 may crash with IO Memory corruption.

Conditions: The crash may occur when polling for ccrpCPVGEntry, and resource pooling is enabled on the Gateway.

Workaround: Disable SNMP polling for ccrpCPVGEntry.

CSCek56991

Symptoms: A Cisco 7200 series may send a corrupted packet via a 2-port T3 serial, enhanced port adapter (PA-2T3+). The rate of corrupted packets is very low.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.2SB, Release 12.4T, or Release 12.4(4)XD3 and occurs when the router functions under high stress conditions such as a high CPU load and an oversubscribed interface of the PA-2T3+.

Workaround: Avoid a high CPU load and oversubscription of the interface of the PA-2T3+.

CSCek57655

Symptoms: A modem autoconfiguration fails.

Conditions: This symptom is observed in an asynchronous call.

Workaround: There is no workaround.

CSCsb12598

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb40304

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of this vulnerability may lead to a sustained Denial-of-Service (DoS); however, the vulnerability is not known to compromise either the confidentiality or integrity of the data or the device. It is not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM)

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


CSCsd92405

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.
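The following configuration is an added example that is not part of these release notes or of the Cisco advisory text. Several caveats in this section share one exposed component, the IOS HTTP/HTTPS server: CSCeg62070 (crash on long URLs, workaround no ip http server), CSCsg40567 (memory leak from malformed SSL, workaround no ip http secure-server) and the SSL-processing caveats CSCsb12598, CSCsb40304 and CSCsd92405, whose advisory likewise lists restricting or disabling the HTTPS server among its workarounds. The example shows the weak default beside the two defensible configurations: no web management at all, or an HTTPS-only listener fenced by an access class and per-user authentication. The ACL number, address range and username are assumptions.

```cisco
! Added example, not taken from these release notes. ACL number, address
! range and username are assumptions.
!
! --- Before: HTTP and HTTPS both on, open to any source, authenticated
!     with nothing more than the enable password (the default) ---
ip http server
ip http secure-server
!
! --- Preferred: no web management plane at all (the stated workaround
!     for CSCeg62070 and CSCsg40567) ---
no ip http server
no ip http secure-server
!
! --- If HTTPS is genuinely required: keep only the TLS listener and
!     fence it. Only 192.0.2.0/24 may open a session; everyone else is
!     refused before any URL or SSL record is parsed ---
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
ip http max-connections 4
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
username webadmin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! --- Verification (exec mode) ---
! Router# show ip http server status
!   HTTP server should report Disabled; the secure server Enabled only in
!   the third variant, with access class 10 shown.
! Router# show tcp brief all
!   No LISTEN socket on local port 80; port 443 present only in the third
!   variant.
```

The access class is effective here, unlike in the single-packet RCP case, because every one of these bugs is reached through an established TCP session (a URL request or an SSL handshake), so an attacker outside the permitted range never completes the handshake needed to deliver the malformed data. Deleting the listener altogether remains the stronger choice where the device is managed over SSH anyway.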

CSCsf27178

Symptoms: Percentage-based traffic shaping does not work.

Conditions: This symptom is observed on a Cisco router that is configured with percentage-based traffic shaping in an output policy.

Workaround: There is no workaround.

CSCsg11718

Symptoms: A VRF may become stuck in the "Delete Pending" state.

Conditions: This symptom is observed on a Cisco router that is configured for MPLS VPN and Half-Duplex VRF (HDVRF) when you delete the VRF and then associate it with an interface before it is completely deleted.

Workaround: To ensure that the VRF is properly deleted, enter the shutdown interface configuration command on the interface with which the VRF is associated or remove the interface with which the VRF is associated.

CSCsg16908

This bug documents the deprecation and removal of the Cisco IOS FTP Server feature.

CSCsg21394

Symptoms: A router may reload unexpectedly when it receives malformed DNS response packets.

Conditions: This symptom occurs when a name server is configured (ip name-server) and DNS lookup (ip domain lookup) is enabled.

Workaround: Enter the no ip domain lookup command to stop the router from using DNS to resolve hostnames.

CSCsg42246

Symptoms: A Cisco router may exhibit high CPU in the "IP Background" process and then spontaneously reload.

Conditions: RIP is configured. A RIP host route is advertised from another router. The same host route is assigned to an interface on this router. For example, on a ppp link with "ip address negotiated" configured.

Workaround: Use a route-map to block the advertised route.

CSCsg42519

Symptoms: A router may reload with a TLB exception (bus error) or an address error when channelized interfaces are configured.

Conditions: This behavior is observed on a Cisco router that is running Cisco IOS Release 12.3(20) when channelized interface is configured as follows:

Router(config)#interface Serialx/y:z 
Router(config-if)# frame-relay ip rtp header-compression passive 
Router(config-if)# frame-relay ip rtp compression-connections number

Workaround: Shutdown the interface and temporarily remove the passive attribute from the header compression command prior to reducing the number of compression connections as follows:

Router(config)#interface Serialx/y:z 
Router(config-if)# shutdown 
Router(config-if)# frame-relay ip rtp header-compression 
Router(config-if)# frame-relay ip rtp compression-connections number 
Router(config-if)# frame-relay ip rtp header-compression passive 
Router(config-if)# no shutdown

Further Problem Description: The issue was not reported when using Cisco IOS Release 12.3T or Release 12.4.

CSCsg70932

Symptoms: A Cisco 7200 series that is configured for QoS may crash when traffic is sent.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1 or NPE-G2 and a Port Adapter Jacket Card in which a 2-port OC-3/STM-1 POS port adapter (PA-POS-2OC3) is installed that has an interface with a service policy.

Workaround: There is no workaround.

CSCsg76519

Symptoms: An RSP may crash when the clear counters command is entered in Cisco IOS Release 12.4.

Conditions: The RSP may crash when the clear counters command is entered after voice calls on PA-VXC-2TE1 port adapters are terminated.

Workaround: There is no workaround.

CSCsh05979

Symptoms: A Cisco 7500 series that runs Cisco IOS Release 12.3(20) may experience a VIP reset because of a bus error when a service policy is removed from an ATM subinterface.

Conditions: This symptom occurs when the service policy is removed from the ATM subinterface.

Workaround: There is no workaround.

CSCsh22978

Symptoms: The primary RSP may crash when you perform a soft OIR on the standby RSP.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for dMLP and RPR+.

Workaround: There is no workaround.

Wide-Area Networking

CSCek62099

Symptoms: When Multilink PPP (MLP) is enabled for a PPP over Ethernet (PPPoE) session, outbound packets are incorrectly sent without PPPoE headers. This situation causes packets to be dropped.

Conditions: This symptom is observed in Cisco IOS Release 12.4 on all software-forwarding routers and affects only packets that are not multilink-encapsulated (when the bundle has only a single link).

Workaround: Enter the ppp multilink fragment delay interface configuration command to force multilink headers to be applied to all outbound packets.

Alternate Workaround: Disable MLP.

CSCsf96318

Symptoms: QSIG (ISO) call back (ring back) fails between a Cisco 3745 router and a Cisco 1760 router.

Conditions: The call back fails.

Workaround: There is no workaround.

CSCsg32183

Symptoms: Non-Facility Associated Signaling (NFAS) on back-to-back routers fails. The primary D-channel state is OUT OF SERVICE.

Conditions: This symptom occurs with Cisco IOS Release 12.3(20.14) when the primary D-channel is brought down by using the isdn test l2 disconnect command.

Workaround: There is no workaround.

CSCsg38412

Symptoms: When a Multilink PPP (MLP) session is established over an ISDN link, IPCP fails to negotiate. When the debug ppp negotiation command is enabled, you can see that IPCP packets from the peer are not processed. The output of the show interface command for the ISDN D-channel interface shows that the input queue limit is 0.

Conditions: This symptom is observed when the ISDN BRI or PRI interface is not configured as part of a dialer rotary group or dialer pool and when RADIUS is used to assign the multilink bundle to a VRF.

Workaround: Enter the dialer rotary-group command to assign the ISDN interface to a dialer.

CSCsg40885

Symptoms: A router crashes during Online Insertion and Removal (OIR) on MLP-PPP on a Cisco 7200 platform.

Conditions: This symptom is observed on a Cisco 7200 router that is configured for MLP-PPP.

Workaround: Shut the multilink interface before doing an OIR.

CSCsg50202

Symptoms: When a BRI interface flaps rapidly, ISDN Layer 1 detects the link going down, but Layers 2 and 3 keep their active state during the transition. This may cause the BRI interface to get stuck, and subsequent incoming and outgoing calls are rejected.

Conditions: The symptom may be observed when the cable is pulled out and plugged back in rapidly.

Workaround: Issue the clear interface command or the shutdown command followed by the no shutdown command on the affected BRI interface.

CSCsg56148

Symptoms: Inbound GSM V.110 calls fail to train at a speed of 14400 bps.

Conditions: This symptom is observed on a Cisco AS5400 when the Bearer Capability (BC) does not match the Lower Layer Compatibility (LLC) in the ISDN setup message. The BC should take precedence over the LLC.

Workaround: If this is an option, configure the ISDN switch to send the correct BC and LLC. If this is not an option, there is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(21b)

Cisco IOS Release 12.3(21b) is a rebuild release for Cisco IOS Release 12.3(21). The caveats in this section are resolved in Cisco IOS Release 12.3(21b) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or a crash are seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable HTTP server using the no ip http server command.

CSCsj44081

Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp:

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.

Miscellaneous

CSCeh15949

Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.

Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.

Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.

Further Problem Description: An example of this caveat is shown below.

When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.

Topology:

RPM-XF-(FE)-------(FE)--Router
ip:      10.10.10.2      .1

Router_RPM09_XF#show running-config
Building configuration...

Current configuration : 1190 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_RPM09_XF
!
boot-start-marker
boot system x:rpmxf-p12-mz.123-7.T3
boot system bootflash:rpmxf-p12-mz.123-7.T3
boot-end-marker
!
interface FastEthernet2/0
 ip address 10.10.10.2 255.255.255.252
 ip access-group 101 in
 duplex auto
 speed auto
!
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any

Router_RPM09_XF#show ip access-list 101
Extended IP access list 101 (Compiled)
    10 deny tcp any host 10.10.10.2 eq telnet
    20 permit ip any any (96 matches)
Router_RPM09_XF#

The information below shows that the access list does not function:

Router#telnet 10.10.10.2
Trying 10.10.10.2 ... Open

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM) CSCsi97695

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

CSCsf08998

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml

TCP/IP Host-Mode Services

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Put access lists on the edge of your network blocking RCP packets to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.
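The Python below is an added example, not part of these release notes or of Cisco IOS, that evaluates extended access-list entries the way a working ACL must: first match wins, with the implicit deny at the end. It checks the exact ACL 101 from the CSCeh15949 configuration above against the telnet attempt shown there (a correct ACL returns deny; the caveat is that the router answered Open), and a constructed edge ACL in the spirit of the RCP workaround just described. The designated RCP host 192.0.2.10, the router address 10.10.10.2 on the edge interface and the use of TCP port 514 (the IOS cmd keyword) for rsh/rcp are assumptions made for the example.

```python
"""Evaluate Cisco IOS extended access-list entries against packets.
Added example for these release notes, not Cisco's ACL implementation. It handles
the syntax used on this page (protocol, 'any' or 'host A.B.C.D' addresses, an optional
'eq PORT' after either address) with first-match-wins semantics and the implicit deny.
Entries may be 'access-list N ...' lines or 'show ip access-list' rows ('10 deny ...').
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "cmd": 514, "tftp": 69}  # subset of IOS keywords

@dataclass
class Entry:
    action: str        # 'permit' or 'deny'
    proto: str         # 'ip' matches every IP protocol
    src: object        # ipaddress network objects
    dst: object
    sport: int = None  # None means any port
    dport: int = None

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _parse_addr(tok, i):
    """Parse the address spec at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form at '{tok[i]}' (wildcard masks not handled here)")

def _parse_port(tok, i):
    """Parse an optional 'eq PORT' at tok[i]; return (port or None, index after it)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i

def parse_entry(line):
    tok = line.split()
    i = 2 if tok[0] == "access-list" else 1  # skip 'access-list N' or a sequence number
    action, proto = tok[i], tok[i + 1]
    src, i = _parse_addr(tok, i + 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return Entry(action, proto, src, dst, sport, dport)

def parse_acl(text):
    return [parse_entry(l) for l in text.strip().splitlines() if l.strip()]

def evaluate(acl, pkt):
    """Verdict for pkt: the first matching entry wins; no match means the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in e.src or ip_address(pkt.dst) not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"

# The two entries from the CSCeh15949 configuration on this page.
ACL_101 = parse_acl("""
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any
""")

# Constructed edge ACL in the spirit of the CSCse05736 workaround. Assumptions: the
# designated RCP host 192.0.2.10 sits inside the edge (a packet arriving from outside
# with that source is spoofed), the router is 10.10.10.2, rsh/rcp use TCP 514 ('cmd').
EDGE_ACL = parse_acl("""
access-list 110 deny ip host 192.0.2.10 any
access-list 110 deny tcp any host 10.10.10.2 eq cmd
access-list 110 permit ip any any
""")

def telnet_verdict():
    """What a working ACL 101 must say about the telnet attempt shown in the caveat."""
    return evaluate(ACL_101, Packet("tcp", "10.10.10.1", "10.10.10.2", 40000, 23))

def edge_verdicts():
    """Spoofed designated-host packet, outside rcp attempt, ordinary web traffic."""
    pkts = [Packet("tcp", "192.0.2.10", "10.10.10.2", 1023, 514),
            Packet("tcp", "198.51.100.7", "10.10.10.2", 1023, 514),
            Packet("tcp", "198.51.100.7", "10.10.10.2", 40001, 80)]
    return [evaluate(EDGE_ACL, p) for p in pkts]

if __name__ == "__main__":
    print("telnet to 10.10.10.2 through ACL 101:", telnet_verdict())  # deny; the caveat shows Open
    print("edge ACL verdicts:", edge_verdicts())
```

The evaluator is deliberately strict about syntax it does not understand (it raises rather than silently permitting), because an ACL checker that guesses is worse than none; the same rows that show ip access-list prints can be fed to it to confirm what the configured policy should do before testing the device itself.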

Resolved Caveats—Cisco IOS Release 12.3(21a)

Cisco IOS Release 12.3(21a) is a rebuild release for Cisco IOS Release 12.3(21). The caveats in this section are resolved in Cisco IOS Release 12.3(21a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsg70355

Symptoms: Starting in calendar year 2007, daylight savings summer-time rules may cause Cisco IOS to generate timestamps (such as in syslog messages) that are off by one hour.

Conditions: The Cisco IOS configuration command:

clock summer-time zone recurring

uses United States standards for daylight savings time rules by default. The Energy Policy Act of 2005 (H.R.6.ENR), Section 110 changes the start date from the first Sunday of April to the second Sunday of March. It changes the end date from the last Sunday of October to the first Sunday of November.

Workaround: A workaround is possible by using the clock summer-time configuration command to manually configure the proper start date and end date for daylight savings time. After the summer-time period for calendar year 2006 is over, one can for example configure:

clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

(This example is for the US/Pacific time zone.)

Not A Workaround: Using NTP is not a workaround to this problem. NTP does not carry any information about timezones or summertime.
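As an added worked example (not from Cisco or this document), the following Python parses the recurring form of the clock summer-time command, computes the transition dates for a given year under the old US rule and the 2007 rule, and reports by how many hours a device that still applies the old default mis-stamps a log entry. This matters when correlating syslog from several devices: entries from an unpatched device dated between the second Sunday of March and the first Sunday of April, or between the last Sunday of October and the first Sunday of November, read one hour behind. The zone name X in the built-in rules is a placeholder; comparisons use wall-clock time, so the single hour around each transition is approximate.

```python
"""US daylight-saving rule check for Cisco IOS 'clock summer-time ZONE recurring ...'.
Added example for these release notes; it is not Cisco code. It parses the recurring
form of the command, computes the transition dates for a year under the pre-2007 and
post-2007 US rules, and reports how far a device still using the old default is off.
Comparisons use wall-clock time, so the hour around each transition is approximate.
"""
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta

MONTHS = {m.lower(): i for i, m in enumerate(calendar.month_abbr) if m}
DAYS = {d.lower(): i for i, d in enumerate(calendar.day_abbr)}  # Mon=0 .. Sun=6

@dataclass(frozen=True)
class Recurring:
    start: tuple  # (week, weekday, month, hour, minute); week is 1-5 or 'last'
    end: tuple

def parse_summer_time(cmd):
    """Parse 'clock summer-time ZONE recurring W D M hh:mm W D M hh:mm'."""
    tok = cmd.split()
    args = tok[tok.index("recurring") + 1:]
    if len(args) < 8:
        raise ValueError("only the explicit eight-argument recurring form is handled")

    def part(a):
        week = "last" if a[0].lower() == "last" else int(a[0])
        hour, minute = (int(x) for x in a[3].split(":"))
        return (week, DAYS[a[1].lower()], MONTHS[a[2].lower()], hour, minute)

    return Recurring(part(args[0:4]), part(args[4:8]))

def render_summer_time(zone, rule):
    """Render a Recurring rule back into the IOS command."""
    def part(p):
        return f"{p[0]} {calendar.day_abbr[p[1]]} {calendar.month_abbr[p[2]]} {p[3]}:{p[4]:02d}"
    return f"clock summer-time {zone} recurring {part(rule.start)} {part(rule.end)}"

# The old US default (first Sunday of April to last Sunday of October) and the rule
# in force from 2007 under the Energy Policy Act of 2005. 'X' is a placeholder zone.
OLD_US = parse_summer_time("clock summer-time X recurring 1 Sun Apr 2:00 last Sun Oct 2:00")
NEW_US = parse_summer_time("clock summer-time X recurring 2 Sun Mar 2:00 1 Sun Nov 2:00")

def nth_weekday(year, month, weekday, week):
    """Date of the week-th (1..5 or 'last') occurrence of weekday in month."""
    if week == "last":
        d = date(year, month, calendar.monthrange(year, month)[1])
        while d.weekday() != weekday:
            d -= timedelta(days=1)
        return d
    d = date(year, month, 1)
    while d.weekday() != weekday:
        d += timedelta(days=1)
    return d + timedelta(weeks=week - 1)

def transitions(rule, year):
    """(start, end) wall-clock datetimes at which summer time begins and ends."""
    def at(p):
        d = nth_weekday(year, p[2], p[1], p[0])
        return datetime(d.year, d.month, d.day, p[3], p[4])
    return at(rule.start), at(rule.end)

def in_summer_time(rule, local_dt):
    start, end = transitions(rule, local_dt.year)
    return start <= local_dt < end

def timestamp_skew_hours(local_dt, device_rule, true_rule=NEW_US):
    """Hours by which a device using device_rule mis-stamps local_dt (negative = behind).
    local_dt may be a datetime or an ISO string such as '2007-03-20 12:00'."""
    if isinstance(local_dt, str):
        local_dt = datetime.fromisoformat(local_dt)
    return int(in_summer_time(device_rule, local_dt)) - int(in_summer_time(true_rule, local_dt))

def skewed_windows(year, device_rule=OLD_US, true_rule=NEW_US):
    """Wall-clock windows in which an old-rule device is one hour behind (years >= 2007)."""
    old_start, old_end = transitions(device_rule, year)
    new_start, new_end = transitions(true_rule, year)
    return [(new_start, old_start), (old_end, new_end)]

if __name__ == "__main__":
    print(render_summer_time("PDT", NEW_US))
    for lo, hi in skewed_windows(2007):
        print(f"old-rule timestamps are one hour behind from {lo} to {hi}")
```

Running it prints the same PDT command the workaround above gives, followed by the two 2007 windows in which syslog entries from an unpatched device need a one-hour correction before they are compared with entries from corrected devices or from NTP-synchronised hosts.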

Miscellaneous

CSCsb12598

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb40304

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd92405

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

Resolved Caveats—Cisco IOS Release 12.3(21)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(21). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(21). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCdy11174

Symptoms: Some ciscoFlashCopyTable & ciscoFlashMiscOpTable objects cannot be read after row creation.

Conditions: For any newly created rows in these tables, some objects will not be readable.

Workaround: Objects will become readable immediately after being set. Additionally, rows can still be activated in these tables even if all objects cannot be read. Any objects which cannot be read contain their MIB defined default value.

CSCek40101

Symptoms: If a Cisco 2800 series router is configured to do async tunneling using a sync/async module at a very slow speed such as 2400 bps or below, the sync/async line may get into a stuck state. Entering the show tcp command on that stuck line shows a CLOSED TCP connection with some unread input bytes, for example:

Router#sh tcp
tty0/2/0, connection 1 to host 172.16.242.129
Connection state is CLOSED, I/O status: 7, unread input bytes: 97
Connection is ECN Disabled
Local host: 172.16.146.249, Local port: 20514
Foreign host: 172.16.242.129, Foreign port: 23
....
....

Conditions: This symptom occurs only when the Cisco 2800 series router is used for async data tunneling at a line speed of 2400 bps or lower with a WIC-2A/S card.

Workarounds: See the following:

1. Issue the clear line x/y/z command to make that line usable again.

2. Use Cisco IOS Release 12.3(14)T7, which does not show this issue as readily as Cisco IOS Release 12.4.

3. Use a line speed higher than 2400 bps.

4. Use the aux port of the 2800 router.

CSCek52249

Symptoms: A Cisco router crashes when the default dest-ip command is entered in IPSLA jitter, UDP Echo and TCP Connect operations.

Conditions: The issue is seen when the default dest-ip command is entered.

Workaround: There is no workaround.

CSCir00074

Symptoms: A router crashes when the casnDisconnect object is set to "true" for a PPPoE session.

Conditions: This symptom is observed on a Cisco 10000 series when you attempt to terminate the PPPoE session through SNMP by using the casnDisconnect object of the CISCO-AAA-SESSION-MIB.

Workaround: There is no workaround.

CSCse49728

Symptoms: SNMPv3 informs are not sent out after a device reload.

Conditions: This symptom is observed when SNMPv3 informs have been configured, and the device is reloaded.

Workaround: Re-enter any of the snmp-server host commands.

CSCse85200

Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.

Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.

The workaround is to disable CDP on interfaces where it is not necessary.

CSCsf19139

Symptoms: %RADIUS-3-NOSERVERS messages are logged after a reload in Cisco IOS Release 12.3(18). At this time, the RADIUS accounting tickets are not generated.

Conditions: This symptom has been observed on a Cisco AS5300 gateway.

Workaround: Enter into configuration mode and change the order of the servers under the server group.

CSCsf32390

Symptoms: When tuning particle clone, F/S, and header pools after these were made configurable via CSCuk47328, the commands may be lost on a reload.

Conditions: If the device is reloaded the commands are not parsed on a reload and this results in the defaults being active. This may result in traffic loss if the increased buffers were needed to enable greater forwarding performance for the specific network design.

Workaround: Configure an applet to enter the buffer values again after a reload. A sample applet would be:

event manager applet add-buffer
 event syslog occurs 1 pattern ".*%SYS-5-RESTART: System restarted --.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "buffers particle-clone 16384"
 action 4.0 cli command "buffers header 4096"
 action 5.0 cli command "buffers fastswitching 8192"
 action 6.0 syslog msg "Reinstated buffers command"

IP Routing Protocols

CSCed84633

Symptoms: The interface-type and interface-number arguments in the distribute-list address family configuration command do not function.

Conditions: This symptom is observed on a Cisco platform that integrates the fix for caveat CSCea59206. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea59206. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

Further Problem Description: The fix for CSCed84633 re-enables the interface-type and interface-number arguments in the distribute-list address family configuration command for both VRF interfaces and non-VRF interfaces.

CSCek27981

Symptoms: The output of the ping is different than expected.

Conditions: After configuring the security options, the output of the ping is different than expected.

Workaround: There is no workaround.

CSCsd03021

Symptoms: When loading a large link state database from a third-party vendor router that runs Cisco IOS software, the CPU usage by OSPF may become very high, the router may generate CPUHOG messages, and it may take a long time to reach the FULL state, or the FULL state is not reached.

Conditions: These symptoms are observed in an environment in which packet drops occur. When the link state request that is sent from the Cisco IOS router is dropped, the routers may still continue to exchange DBD packets. However, the link state request list on the Cisco IOS router may become long, and maintaining it may consume a lot of CPU.

Workaround: There is no workaround.

Further Problem Description: See also caveat CSCsd38572.

CSCse56552

Symptoms: Connections fail through a router that uses CBAC. The pre-gen session is created, and the download or transfer begins. The pre-gen session times out and gets deleted from the router. Since the full session never gets established, the connection then times out on the host.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.4(8) and using CBAC outbound on the outside interface when policy based routing is applied.

Workaround: There is no workaround.

Further Problem Description: This bug is first seen in Cisco IOS Interim Release 12.4(7.24).

ISO CLNS

CSCse40346

Symptoms: Tracebacks may be generated when you configure IS-IS and LDP features, for example, when you enter the no ip router isis area-tag command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0(32)SY but may also occur in other releases.

Workaround: There is no workaround.

Miscellaneous

CSCeg00531

Symptoms: A router crashes when you remove an ATM subinterface.

Conditions: This symptom is observed when the subinterface is configured with a LANE client that is configured for Multiprotocol over ATM (MPOA).

Workaround: There is no workaround.

CSCeg20412

Symptoms: A router may not properly detect supervisory tones.

Conditions: This symptom is observed on a Cisco 3640 and Cisco 3660 only when a DSP is configured to detect custom cptones and when no cadence is specified for the tone. The symptom may also occur on other routers.

Workaround: Configure the cadence values.

CSCeg42877

Symptoms: PPPoA sessions are not coming up in autovcs after entering the shutdown interface configuration command followed by the no shutdown interface configuration command. Tracebacks are reported.

Conditions: This problem is found only if the QoS parameters are configured via the Radius server.

Workaround: Configure the QoS parameters through the command line interface (CLI).

CSCeg86867

Symptoms: An AAA server does not authenticate.

Conditions: This symptom is observed on a Cisco platform that functions as an AAA server and that runs Cisco IOS Release 12.3(13) when you dial up using Microsoft callback through an asynchronous line. Dialup through an ISDN modem works fine.

Workaround: There is no workaround.

CSCek43310

Symptoms: A build break is observed in c5850tb-p9-mz.

Conditions: This symptom occurs when Marvel supports two devices. When fixing CSCsc20917, the third device is also initialized. This break is seen in Cisco IOS Releases 12.4 and 12.4T.

Workaround: There is no workaround.

CSCek57655

Symptoms: A modem autoconfiguration fails.

Conditions: This symptom is observed in an asynchronous call.

Workaround: There is no workaround.

CSCsb74409

Symptoms: A router may keep the vty lines busy after finishing a Telnet/Secure Shell (SSH) session from a client. When all vty lines are busy, no more Telnet/SSH sessions to the router are possible.

Conditions: This symptom is observed on a Cisco router that is configured to allow SSH sessions to other devices.

Workaround: Clear the SSH sessions that were initiated from the router to other devices.

CSCsb93407

Symptoms: When H323 call service stops, the router still listens on TCP port 1720 and completes connection attempts.

Conditions: This symptom occurs after H323 is disabled using the following configuration commands:

voice service voip
 h323
  call service stop

Workaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.

For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document at http://www.cisco.com/warp/public/707/tacl.html.

For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document at http://www.cisco.com/warp/public/707/iacl.html.

For information about using control plane policing to block access to TCP port 1720, see the "Deploying Control Plane Policing White Paper" at http://www.cisco.com/en/US/partner/products/ps6642/products_white_paper0900aecd804fa16a.shtml.

CSCsd28214

Symptoms: A Cisco router that is running Cisco IOS Release 12.3(19) may crash due to a Watch Dog timeout while running the RIP routing protocol.

Conditions: The router may crash due to a Watch Dog timeout if an interface changes state at the exact same time a RIP route learned on that interface is being replaced with a better metric redistributed route. For example, RIP has learned the 192.168.1.0 network from Fast Ethernet 1/0. If RIP learns the 192.168.1.0 network from a redistributed protocol that has a better metric, then the RIP route will be removed. If, during this time the Fast Ethernet 1/0 interface goes down, then the router may potentially crash due to a Watch Dog timeout.

Workaround: There is no workaround.

CSCsd81861

Symptoms: A router may unexpectedly reload due to a bus error after being reloaded or power cycled. The last console output in the crashinfo will be the ima-group group number command before the crash.

Conditions: The router must have the ip telnet source-interface command or the ip tftp source-interface command configured to use an IMA sub-interface as the source. There also must be at least one ATM interface in the IMA group.

Workaround: Remove the IMA interface from the source interface command in the configuration.

CSCsd85852

Symptoms: When a PVC is shut down on the remote side, the PVC subinterface on a router transitions from the down state to the up state within one second, but then remains in the down state after the down retry timers expire.

Conditions: This symptom is observed on a Cisco router that is configured for Operation, Administration, and Maintenance (OAM) and Dynamic Bandwidth Selection (DBS).

Workaround: There is no workaround.

CSCsd87358

Symptoms: A Cisco router may crash when configuring a hierarchical service policy.

Conditions: This symptom is observed in a Cisco 7200 series router that is running Cisco IOS Release 12.3(6a). At the time of the crash, configuration contained missing keywords causing some of the configuration lines to be rejected and some classes without match statements.

Workaround: There is no workaround.

CSCse05642

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse39191

Symptoms: A Cisco router that is running DHCP service will run out of memory eventually and will require a reload to recover. You can confirm this by issuing the show proc mem | inc DHCP command and seeing that the process named "DHCPD Receive" consumes an increasing amount of memory until the available memory is exhausted.

In addition, the number of AAA sessions will constantly increase and will not decrease when DHCP bindings expire. You can see this by noticing how the output of the show aaa session and show aaa user all commands show a constantly increasing number of sessions, with those associated with DHCP bindings never vanishing.

Conditions: This problem is always seen on Cisco routers operating as a DHCP relay or server with one or more DHCP pools configured via the ip dhcp pool name command where accounting dhcp is configured in at least one pool, and the configured poolname is not the name of a valid AAA method list.

This problem may also be seen when there is very little free processor memory on the router, enabling the allocation of some but not all data structures necessary to perform accounting for a DHCP binding.

Workaround 1: If you do not want AAA accounting for DHCP leases, disable accounting method MethListName in the DHCP pool by configuring no accounting method MethListName while in the pool configuration mode.

Workaround 2: If you want AAA accounting for DHCP leases, configure a valid accounting method list by configuring aaa accounting network methodlistname start-stop method1 where the configured method list name for the accounting method list EXACTLY matches the name provided on the accounting methodlistname line in the DHCP pool configuration.
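As an added example that is not from Cisco or this document, the following Python turns the confirmation step above into a check that can be run offline over saved show processes memory captures: it parses the Holding column per process and flags any process whose Holding grows in every successive sample, alongside the free-memory trend from the header line. The three captures embedded in it are constructed to mimic the layout of that command's output and are not from a real device; the process names and byte counts in them are invented.

```python
"""Spot a process whose memory keeps growing across 'show processes memory' samples.
Added example for these release notes; it is not Cisco code, and the captures below are
constructed to mimic the command's layout rather than taken from a device. CSCse39191 is
confirmed by watching the Holding column of 'DHCPD Receive' climb between samples, so
this parses that column and flags any process whose Holding rises in every sample.
"""
import re

# One row of the per-process table: PID TTY Allocated Freed Holding Getbufs Retbufs Process
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
FREE = re.compile(r"Free:\s+(\d+)")

def parse_show_proc_mem(text):
    """Return {process name: Holding bytes} for one capture (names may contain spaces)."""
    holding = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            holding[m.group(8)] = int(m.group(5))
    return holding

def free_bytes(text):
    """Free processor memory from the capture header, or None if the header is absent."""
    m = FREE.search(text)
    return int(m.group(1)) if m else None

def growing_processes(samples, min_growth=0):
    """Processes whose Holding rises strictly in every successive sample.
    Returns {name: [holding per sample]}; min_growth filters out small jitter."""
    parsed = [parse_show_proc_mem(s) for s in samples]
    result = {}
    for name in parsed[0]:
        series = [p.get(name) for p in parsed]
        if None in series:
            continue  # process not present in every sample
        if all(b > a for a, b in zip(series, series[1:])) and series[-1] - series[0] >= min_growth:
            result[name] = series
    return result

# Three constructed captures, imagined ten minutes apart (not real device output).
SAMPLES = [
"""Processor Pool Total:  134217728 Used:   24691200 Free:  109526528
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0   13044024    2169816   10874208          0          0 *Init*
   3   0     316712     123880     192832          0          0 Exec
  34   0    2287360    1105344    1182016    2048000      57600 IP Input
  75   0     223456      12000     211456          0          0 DHCPD Receive
""",
"""Processor Pool Total:  134217728 Used:   24837728 Free:  109380000
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0   13044024    2169816   10874208          0          0 *Init*
   3   0     316712     123880     192832          0          0 Exec
  34   0    2300000    1124800    1175200    2052096      58112 IP Input
  75   0     362200      12000     350200          0          0 DHCPD Receive
""",
"""Processor Pool Total:  134217728 Used:   24987728 Free:  109230000
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0   13044024    2169816   10874208          0          0 *Init*
   3   0     316712     123880     192832          0          0 Exec
  34   0    2330000    1140000    1190000    2056192      58624 IP Input
  75   0     510832      12000     498832          0          0 DHCPD Receive
""",
]

def leak_report(samples=SAMPLES):
    """Growing processes plus the free-memory trend, as an operator would want them."""
    return {
        "growing": growing_processes(samples, min_growth=100_000),
        "free": [free_bytes(s) for s in samples],
    }

if __name__ == "__main__":
    report = leak_report()
    for name, series in report["growing"].items():
        print(f"{name}: Holding {series[0]} -> {series[-1]} bytes over {len(series)} samples")
    print("free memory per sample:", report["free"])
```

The strict monotonic test keeps processes such as IP Input, whose Holding fluctuates with traffic, out of the report; a process that only ever allocates, as the caveat describes for DHCPD Receive, stays in it, and the min_growth threshold stops a handful of bytes of jitter from raising an alert.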

CSCse45425

Symptoms: A VAM2 may reset when it receives a malformed ESP packet, and a "Free Pool stuck" error message may be generated. This situation causes high CPU usage in the encryption process while the software is handling the encryption as opposed to the hardware. Even when the VAM2 recovers, the high CPU usage remains because the software-encrypted tunnels do not fall back to hardware encryption until the SA lifetime expires.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(19) or Release 12.4(7a).

Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred and after the VAM2 has recovered, disable software encryption by entering the no crypto engine software ipsec command to force the encryption back to the hardware.

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse93156

Symptoms: IP routes that are configured do not appear in the running and startup configurations. The CMTS accepts the IP route configuration, and the output of the show ip route command is updated with the configured routes.

Conditions: The symptom occurs when configuring a static route. The configured route does not appear in the running and startup configurations.

Workaround: There is no workaround.

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCsf12037

Symptoms: An SNA Switch router may reload and display the following error message:

System returned to ROM by bus error at PC 0x61504EB0, address 0x58

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.3(18).

Workaround: There is no workaround.

CSCsf13740

Symptoms: A Cisco 7200 series router with VAM2+ Encryption/Compression engine, running Cisco IOS Release 12.4(10), may reload due to a bus error after a large service policy is applied to a Gig interface.

The following error messages may flood the console:

*crypto qos: get_shape_class fail, class=<name>

*crypto qos: get_shape_class fail, class=<name>

*crypto qos: get_shape_class fail, class=<name>

*crypto qos: get_shape_class fail, class=<name>

Crash:

%ALIGN-1-FATAL: Corrupted program counter 06:30:27 MEST Fri Aug 18 2006

pc=0x7E000000 , ra=0x6633E958 , sp=0x64DE2E40

%ALIGN-1-FATAL: Corrupted program counter 06:30:27 MEST Fri Aug 18 2006

pc=0x7E000000 , ra=0x6633E958 , sp=0x64DE2E40

06:30:27 MEST Fri Aug 18 2006: TLB (load or instruction fetch) exception, CPU

signal 10, PC = 0x7E000000

-Traceback= 0x7E000000


Conditions: This symptom occurs when the router has a VAM+ encryption module.

Workaround: There is no workaround.

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

CSCsf98345

Symptoms: An MPLS LDP peer on a default VRF resets when a VRF interface goes down.

Conditions: This symptom is observed on a Cisco router when the VRF interface is configured with a subnetwork address that overlaps with the default router ID.

Workaround: Reconfigure the VRF interface address so it does not overlap with the default router ID.

CSCsg11718

Symptoms: A VRF may become stuck in the "Delete Pending" state.

Conditions: This symptom is observed on a Cisco router that is configured for MPLS VPN and Half-Duplex VRF (HDVRF) when you delete the VRF and then associate it with an interface before it is completely deleted.

Workaround: To ensure that the VRF is properly deleted, enter the shutdown interface configuration command on the interface with which the VRF is associated or remove the interface with which the VRF is associated.

CSCsg16908

This bug documents the deprecation and removal of the Cisco IOS FTP Server feature.

CSCsg42519

Symptoms: A router may reload because of a TLB exception (bus error) or an address error when channelized interfaces are configured.

Conditions: This behavior is observed on a Cisco router that is running Cisco IOS Release 12.3(20) when a channelized interface is configured as follows:

Router(config)# interface Serial x/y:z

Router(config-if)# frame-relay ip rtp header-compression passive

Router(config-if)# frame-relay ip rtp compression-connections number

Workaround: Shut down the interface and temporarily remove the passive attribute from the header compression command before reducing the number of compression connections, as follows:

Router(config)# interface Serial x/y:z

Router(config-if)# shutdown

Router(config-if)# frame-relay ip rtp header-compression

Router(config-if)# frame-relay ip rtp compression-connections number

Router(config-if)# frame-relay ip rtp header-compression passive

Router(config-if)# no shutdown

Further Problem Description: The issue was not reported when using Cisco IOS Releases 12.3T or 12.4.

CSCuk57037

Symptoms: A router may crash when a serial interface of a neighboring router is brought up.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that is earlier than Release 12.4(8) and that is configured for IP Multicast when some interfaces on the router are configured for PIM. The symptom occurs when the serial interface that is brought up on the neighboring router is configured for PIM and the connecting interface on the Cisco router is not configured for PIM.

Workaround: Depending on the desired operation for the link, either enable PIM at both ends or disable PIM at both ends.

Wide-Area Networking

CSCek55209

Symptoms: When the ppp multilink endpoint mac lan-interface command or the ppp multilink endpoint ip ip-address command is configured, the router may unexpectedly reload if the multilink interface goes to the DOWN state, for example, when a PVC virtual circuit is unconfigured.

Conditions: This symptom is observed on a Cisco router that is configured for Multilink PPP.

Workaround: There is no workaround. Do not use these configuration commands in Cisco IOS Releases 12.3, 12.4 or 12.2SB without a fix for this DDTS.

CSCsd93740

Symptoms: A Cisco router is acting as an X.25 switch. Both standard X.25 route statements and hunt groups are being used.

After a period of normal operation, the output of the show x25 hunt-group command shows the status "full" for all hunt groups whose destinations are reachable over XoT.

Other hunt groups, where calls are forwarded over X.25 serial interfaces, do not show this problem. When the problem is present, calls cannot be forwarded via the hunt groups, and the configured redundant routes are used instead.

Workaround: Unconfiguring and then reconfiguring all X.25 routes helps the router recover in some cases. In other cases, a router reload is needed.

CSCse12198

Symptoms: Individual B-channels on the primary T1 in the NFAS group sometimes go OOS for no reason.

Conditions: This symptom is observed when connected to a Cisco PGW that is running Cisco IOS Release 9.3(2). The Cisco AS5400 is connected to the Cisco PGW that is running RLM in the Signaling/Nailed mode.

Also, sometimes the ISDN service goes OOS, and the channel state goes to 5, which is "maintenance pending".

Workaround: When this happens, the ISDN service can be put back in service manually for an individual CIC, but the channel state cannot be put back in service manually unless the whole serial interface is bounced. Bouncing the interface cannot be done while there is traffic on the other B-channels.

CSCse71875

Symptoms: A router may crash when you enter the frame-relay inverse-arp ip dlci command.

Conditions: This symptom is observed when you attempt to configure a hunt-group member.

Workaround: Do not enter the frame-relay inverse-arp ip dlci command. Rather, configure the hunt-group master dialer interface.

CSCse78652

Symptoms: The queuing mode on Multilink interfaces is erroneously defaulting to fair queuing instead of FIFO. This is causing distributed Cisco Express Forwarding (dCEF) to fail on Cisco 7500 routers.

Conditions: This symptom happens on all Multilink interfaces.

Workaround: There is no workaround.

CSCsf03251

Symptoms: Primary and backup NFAS interfaces may transition from WAIT to OOS even after receiving "in-service" message from the PSTN.

Conditions: This symptom is observed on a Cisco AS5400XM that is running several Cisco IOS 12.4 mainline and 12.4T releases.

Workaround: There is no workaround.

CSCsf26705

Symptoms: A Cisco router may experience an unexpected reload when using traffic shaping on a Tunnel interface together with frame relay fragmentation.

Conditions: This symptom is observed on any Cisco router which has a Tunnel interface, configured with a traffic shaping service policy containing a priority class, whose traffic goes out over a frame relay PVC, configured for frame relay traffic shaping with fragmentation and fair queuing.

Workaround: Configure a service policy on the frame relay PVC instead of using fair queuing.

CSCsf96318

Symptom: QSIG (ISO) call back (ring back) fails between a Cisco 3745 router and a Cisco 1760 router.

Conditions: The call back fails.

Workaround: There is no workaround.

CSCsg15642

Symptoms: A PSTN gateway unexpectedly restarts because of a lack of memory. Over time, memory utilization increases, and the show processes memory sorted command indicates that the ISDN process is allocating an increasing amount of memory.

Conditions: This leak occurs when a SETUP message with Display IE is received.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(20a)

Cisco IOS Release 12.3(20a) is a rebuild release for Cisco IOS Release 12.3(20). The caveats in this section are resolved in Cisco IOS Release 12.3(20a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or a crash are seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable HTTP server using the no ip http server command.

CSCsj44081

Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp:

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or your designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
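The message format described above (timestamp, then the %DATACORRUPTION-1-DATAINCONSISTENCY message, then a traceback line) is easy to watch for on a syslog collector. The following parser is an added example, not code from the release notes or from Cisco; the sample log lines and the traceback addresses in them are constructed for the example, and the grouping by traceback is a suggested way to spot repeated occurrences before opening the TAC case.

```python
import re
from dataclasses import dataclass, field

# Constructed sample syslog lines (not taken from the release notes). The
# DATAINCONSISTENCY lines follow the layout quoted in the caveat: a timestamp,
# the message, and a "-Traceback=" line immediately after it.
SAMPLE_LOG = """\
May 17 10:01:27.815 UTC: %SYS-5-CONFIG_I: Configured from console by vty0
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 0x60A1B2C4 0x60A1B3F0 0x60B00012
May 17 10:02:03.101 UTC: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
May 17 10:05:44.900 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 0x60A1B2C4 0x60C44100
"""

# "May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: <detail>"
MSG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3} \w+): "
    r"%DATACORRUPTION-1-DATAINCONSISTENCY: (?P<detail>.*)$"
)
# "-Traceback= 0x... 0x... ..." (hex addresses separated by whitespace)
TRACEBACK_RE = re.compile(r"^-Traceback=\s*(?P<addrs>(?:0x[0-9A-Fa-f]+\s*)+)$")


@dataclass
class DataInconsistencyEvent:
    timestamp: str
    detail: str
    traceback: list[str] = field(default_factory=list)


def parse_events(log_text: str) -> list[DataInconsistencyEvent]:
    """Return one event per DATAINCONSISTENCY message, with the traceback
    line that directly follows it attached (if any)."""
    events: list[DataInconsistencyEvent] = []
    pending = None  # last message still waiting for its traceback line
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if m:
            pending = DataInconsistencyEvent(m.group("ts"), m.group("detail"))
            events.append(pending)
            continue
        t = TRACEBACK_RE.match(line)
        if t and pending is not None:
            pending.traceback = t.group("addrs").split()
        # Any other line ends the association with the previous message, so a
        # stray traceback elsewhere in the log is not attached to it.
        pending = None
    return events


def group_by_traceback(events):
    """Map each distinct traceback to the timestamps it was seen at, so a
    repeating call site stands out when the output is handed to support."""
    by_site: dict[str, list[str]] = {}
    for e in events:
        by_site.setdefault(" ".join(e.traceback), []).append(e.timestamp)
    return by_site


if __name__ == "__main__":
    for site, times in group_by_traceback(parse_events(SAMPLE_LOG)).items():
        print(f"{len(times)}x at {times}: traceback {site}")
```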

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

Miscellaneous

CSCeh15949

Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.

Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.

Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.

Further Problem Description: An example of this caveat is shown below.

When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.

Topology:

RPM-XF-(FE)-------(FE)--Router

ip: 10.10.10.2 .1

Router_RPM09_XF#show running-config

Building configuration...

Current configuration : 1190 bytes

!

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router_RPM09_XF

!

boot-start-marker

boot system x:rpmxf-p12-mz.123-7.T3

boot system bootflash:rpmxf-p12-mz.123-7.T3

boot-end-marker

interface FastEthernet2/0

ip address 10.10.10.2 255.255.255.252

ip access-group 101 in

duplex auto

speed auto

access-list 101 deny tcp any host 10.10.10.2 eq telnet

access-list 101 permit ip any any

Router_RPM09_XF#show ip access-list 101

Extended IP access list 101 (Compiled)

10 deny tcp any host 10.10.10.2 eq telnet

20 permit ip any any (96 matches)

Router_RPM09_XF#

The information below shows that the access list does not function:

Router#telnet 10.10.10.2

Trying 10.10.10.2 ... Open

CSCej20505

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsb12598

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of this vulnerability may lead to a sustained Denial-of-Service (DoS); however, the vulnerability is not known to compromise either the confidentiality or integrity of the data or the device. This vulnerability is not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Services Module (FWSM), documented as Cisco bug ID CSCsi97695

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

CSCsd92405

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse05642

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCsf08998

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg42519

Symptoms: A router may reload because of a TLB exception (bus error) or an address error when channelized interfaces are configured.

Conditions: This behavior is observed on a Cisco router that is running Cisco IOS Release 12.3(20) when a channelized interface is configured as follows:

Router(config)# interface Serial x/y:z

Router(config-if)# frame-relay ip rtp header-compression passive

Router(config-if)# frame-relay ip rtp compression-connections number

Workaround: Shut down the interface and temporarily remove the passive attribute from the header compression command before reducing the number of compression connections, as follows:

Router(config)# interface Serial x/y:z

Router(config-if)# shutdown

Router(config-if)# frame-relay ip rtp header-compression

Router(config-if)# frame-relay ip rtp compression-connections number

Router(config-if)# frame-relay ip rtp header-compression passive

Router(config-if)# no shutdown

Further Problem Description: The issue was not reported when using Cisco IOS Releases 12.3T or 12.4.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width Unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width Unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

The Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml

TCP/IP Host-Mode Services

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Apply access lists at the edge of your network that block RCP packets, to prevent spoofed RSH packets from reaching the router. Alternatively, use another protocol such as SCP, and apply VTY ACLs.

Resolved Caveats—Cisco IOS Release 12.3(20)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(20). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(20). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCed21186

Symptoms: Incorrect "output IFMIB" counters are observed on the main interface.

Conditions: This symptom has been observed on a Cisco 7500 series router running Cisco IOS Release 12.0(25)S1 when an 802.1q VLAN is configured with Committed Access Rate (CAR). The "output CLI" and "input SNMP/CLI" counters are correct.

Workaround: There is no workaround.

CSCin99788

Symptoms: An %AAA-3-ACCT_LOW_MEM_TRASH error message is generated when a low-memory condition occurs. When this situation occurs, a memory leak may occur in AAA data.

Conditions: This symptom is observed when an interface flaps and causes a very large number of sessions to go down simultaneously, in turn generating a very large number of accounting stop records. In this situation, the I/O memory may be held for a long time while accounting records are sent and when an AAA server is slow or unreachable.

Workaround: There is no workaround.

CSCsc91735

Symptoms: CyBus errors may occur during an HA switchover, causing most VIPs to be disabled on a Cisco 7500 series.

Conditions: This symptom is observed when MLP Multilink interfaces are configured on channelized T3 (CT3) port adapters.

Workaround: Reload microcode onto all affected VIPs.

CSCsc97727

Symptoms: An access point may crash when you add or remove TACACS servers via the CLI.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(7)JA1 or Release 12.3(7)JA2 and that has the aaa accounting commands level default list-name group groupname command enabled. The symptom may also occur in other releases.

Workaround: Disable the aaa accounting commands level default list-name group groupname command.

Alternate Workaround: Use RADIUS instead of TACACS.

CSCsd55847

Symptoms: A ping does not go through completely.

Conditions: This symptom is observed after you have entered the microcode reload command.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

CSCse10074

Symptoms: A crash occurs, but only when an SNMPv3 user is configured with the noauth or auth security model and the snmp-server host configuration then specifies the priv security model for the same SNMPv3 user. This is an incorrect configuration.

Conditions: The problem always occurs when traps are triggered after the following software configurations are applied:

snmp-server user TESTUSER TESTUSER v3

snmp-server group TESTUSER v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F

snmp-server host 10.1.1.10 version 3 priv TESTUSER

snmp-server enable traps

Workaround: Do not apply this incorrect configuration: the security model given for the user in the snmp-server host command must match the security model that the user is actually configured with.
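For comparison with the mismatched configuration above, the following is an added example (not part of the original release notes) of a consistent SNMPv3 configuration in which the user, group, and trap host all use the priv security model. The passphrases are placeholders, and the aes 128 privacy option assumes an image that supports AES privacy; images without it accept only des.

```text
! Added example: consistent SNMPv3 trap configuration (not from the release notes)
! The group requires authentication and privacy (priv) ...
snmp-server group TESTUSER v3 priv notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
! ... and the user is given both an auth key and a priv key, so it is a priv user.
! AUTH-PASSPHRASE and PRIV-PASSPHRASE are placeholders; aes 128 assumes AES support.
snmp-server user TESTUSER TESTUSER v3 auth sha AUTH-PASSPHRASE priv aes 128 PRIV-PASSPHRASE
! The trap host now requests the same security model (priv) that the user supports.
snmp-server host 10.1.1.10 version 3 priv TESTUSER
snmp-server enable traps
```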

CSCse49728

Symptoms: SNMPv3 informs are not sent out after a device reload.

Conditions: This symptom is observed when SNMPv3 informs have been configured, and the device is reloaded.

Workaround: Re-enter any of the snmp-server host commands.

CSCse52503

Symptoms: An RSP may generate tracebacks.

Conditions: This symptom is observed on a Cisco router that is configured for dCEF when you reload microcode onto the RSP. Note that the symptom is platform-independent.

Workaround: There is no workaround.

IBM Connectivity

CSCse17611

Symptoms: When DLSw Ethernet Redundancy is configured, circuits may be established through the wrong switch.

Conditions: This symptom is observed in the following configuration:

Clients are connecting to MAC A.

Mapping statements are configured so that Switch 1 has a mapping of MAC A = MAC A and Switch 2 has a mapping of MAC B = MAC A.

The output of the show dlsw transparent map command shows that Switch 1 has the active mapping and that Switch 2 has the passive mapping. All circuits should be established on Switch 1, but instead they are established on Switch 2.

The outputs of the show dlsw trans neighbor and show dlsw trans map commands show correct information, but the output of the show dlsw cir cache command shows state "negative" on Switch 1 and state "positive" on Switch 2.

Workaround: There is no workaround. Note that all circuits are up and running, but they just go through the wrong router.

Interfaces and Bridging

CSCin97786

Symptoms: An online insertion and removal (OIR) of a Versatile Interface Processor (VIP) that is installed in a Cisco 7500 series may cause the Route Switch Processor (RSP) to stop responding.

Conditions: This symptom is observed when two FDDI port adapters are installed in the VIP.

Workaround: There is no workaround.

CSCsc66187

Symptoms: Error messages such as the following one may be generated on a Cisco 7500 series or Cisco 7600 series:

%CWPA-3-IPCALLOCFAIL: Failed to allocate IPC buffer for loveletter data

Conditions: This symptom is observed on a Cisco 7500 series and Cisco 7600 series that are configured with a 1-port Packet-over-SONET OC-3c/STM-1 multimode port adapter (PA-POS-OC3MM) when you enter the no shutdown interface configuration command on the interface.

Workaround: There is no workaround.

CSCsd40136

Symptoms: POS interfaces may remain in the up/down state after the router is upgraded to the Cisco IOS interim 121-26.E6 image.

Conditions: This symptom has been observed on Cisco Catalyst 6500 series and Cisco 7600 series routers.

Workaround: Reload the FlexWAN or VIP in which the POS port adapter is installed.

CSCse61893

Symptoms: A ping from a channelized T3 (CT3) port adapter may fail.

Conditions: This symptom is observed on a Cisco platform that is configured with a CT3 port adapter that functions in unchannelized mode.

Workaround: There is no workaround.

IP Routing Protocols

CSCed84633

Symptoms: The interface-type and interface-number arguments in the distribute-list address family configuration command do not function.

Conditions: This symptom is observed on a Cisco platform that integrates the fix for caveat CSCea59206. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea59206. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

Further Problem Description: The fix for CSCed84633 re-enables the interface-type and interface-number arguments in the distribute-list address family configuration command for both VRF interfaces and non-VRF interfaces.

CSCek31478

Symptoms: When you modify an access control list (ACL) by entering the ip multicast boundary command, the command may not fully take effect.

Conditions: This symptom is observed on a Cisco 12000 series that runs Cisco IOS Release 12.0(28)S4 or Release 12.0(32)S but appears to be platform- and release-independent.

Workaround: Disable and re-enter the ip multicast boundary command.

Alternate Workaround: Enter the clear ip mroute * command.

CSCsc10494

Symptoms: When an inter-area, external, or Not-So-Stubby Area (NSSA) route is learned via a link state update that follows the initial database synchronization, the route may not be added to the routing table by a partial shortest path first (SPF) computation even though the LSA is installed in the link state database. A subsequent full SPF computation causes the route to be added.

Conditions: This symptom is observed on a Cisco router and is most likely to occur when a large number of type 3, type 5, or type 7 LSAs are advertised and withdrawn.

Workaround: Trigger an action that causes a full SPF computation.

CSCsd64173

Symptoms: A router may reload unexpectedly because of a bus error crash after you have removed a summary-prefix IPv6 OSPF command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18)SXF but may also occur in other releases. The symptom occurs only when the summary-prefix IPv6 OSPF command is configured without any redistribute commands.

Workaround: Configure a redistribute command under the IPv6 OSPF configuration.

CSCse51804

This caveat consists of two symptoms, two conditions, and two workarounds:

Symptom 1: A DMVPN tunnel may flap at regular intervals. The NHRP cache entry at the hub expires a long time before its expiration time.

Condition 1: These symptoms are observed on a Cisco router that runs Cisco IOS Release 12.4 when the DMVPN tunnel is up and when you enter the show ip nhrp brief and clear ip nhrp commands. When the tunnel comes up again (because of the NHRP registration by the spoke), the NHRP cache entry expires a long time before its expiration time.

Workaround 1: Do not enter the show ip nhrp brief command.

Symptom 2: A DMVPN tunnel may flap at regular intervals. The NHRP cache entry at the hub expires a long time before its expiration time.

Condition 2: These symptoms are observed on a Cisco router that runs Cisco IOS Release 12.4(6)T or a later release and occur without any specific action.

Workaround 2: There is no workaround.

ISO CLNS

CSCsd87651

Symptoms: A Cisco router that is configured for RPR or RPR+ may reload its standby RP when a configuration change is made to IS-IS.

The reload of the standby RP is preceded by the following error messages:

%HA-3-SYNC_ERROR: Parser no match.

%HA-5-SYNC_RETRY: Reloading standby and retrying sync operation (retry 1).

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4. Note, however, that the symptom is platform-independent for Release 12.4 and its derivatives. Any of the IS-IS global configuration commands may trigger the symptom. Following are a few examples of these IS-IS global configuration commands:

is-type level-2-only

lsp-gen-interval level-2 5 50 100

redistribute eigrp

Workaround: There is no workaround.

Miscellaneous

CSCec15400

Symptoms: A Versatile Interface Processor 4 (VIP4) with an E1 controller may reload unexpectedly and display the following error message:

%ALIGN-1-FATAL: Illegal access to a low address

addr=0x28, pc=0x604716A8, ra=0x604711FC, sp=0x60D66628

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.2(15)T2, Release 12.2(15)T5, or Release 12.3.

Workaround: There is no workaround.

CSCeh18855

Symptoms: A router may crash when you attempt to unconfigure a service policy.

Conditions: This symptom is observed on a Cisco router that is configured for Network Based Application Recognition (NBAR).

Workaround: There is no workaround.

CSCek26492

Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS releases that include the fix for CSCec71950 are not at risk of this crash.

Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCek37177

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177.

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCek37686

Symptoms: A Cisco AS5350 may reload because of a bus error (SIG=10).

Conditions: This symptom is observed when SNMP is configured and when SNMP queries are made into the Cisco AS5350.

Workaround: Disable SNMP or stop polling the router.

CSCek38939

Symptoms: The input error counter may not be incremented for packet errors such as runts, CRC errors, and overrun errors.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1.

Workaround: There is no workaround.

CSCek47283

Symptoms: A router cannot be reloaded by entering the reload command, and the following message is displayed when you attempt to reload the router:

The startup configuration is currently being updated. Try again.

Conditions: This symptom is observed under rare conditions and may be triggered after an "Invalid pointer value in private configuration structure" error message is displayed (as seen in caveat CSCin98933). This symptom is observed in Cisco IOS interim Release 12.3(19.7), interim Release 12.4(6.5), and interim Release 12.4(6.5)T, and in later releases.

Workaround: There is no workaround.

CSCsb53884

Symptoms: A Cisco 7200 series may hang, stop forwarding traffic, and stop responding to the console.

Conditions: This symptom is observed on a Cisco 7200 series that has the ip audit command enabled.

Workaround: There is no workaround.

CSCsb93407

Symptoms: With the H323 call service stopped, the router still listens on TCP port 1720 and completes connection attempts.

Conditions: After H323 is disabled using the configuration commands:

voice service voip

h323

call service stop

Workaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.

For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document: http://www.cisco.com/warp/public/707/tacl.html

For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document: http://www.cisco.com/warp/public/707/iacl.html

For information about using control plane policing to block access to TCP port 1720, see the "Deploying Control Plane Policing" white paper: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

CSCsc11636

Symptoms: A router requires a very long time to boot (more than 5 minutes, potentially hours). Also, changes to the QoS configuration may require long times.

Conditions: This symptom is observed when the QoS configuration has a complex arrangement of many policies that reference many access control entries (ACEs) through a number of class maps. The time required is, roughly, proportional to the number of combinations of interfaces, policies, classes, and ACEs. For example, if each of 200 interfaces has a QoS policy, each policy uses five class maps, each class map references two ACLs, and each ACL has 30 entries, there are 60,000 combinations.

Workaround: Either reduce the number of combinations of interfaces, policies, class maps, and ACEs, or load the configuration in two stages. The first stage (from NVRAM) should contain the interface and ACL definitions, and the second stage (from another file) should contain the classes and policies.

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not time out.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsc79700

Symptoms: URL filtering takes an excessively long time to revert to the allow mode if a URL Filtering Server is unavailable.

Conditions: This symptom is observed when a communication loss occurs between the router and the URL Filtering Server because of a failure or an excessive load on the URL Filtering Server, or because of a network connectivity failure between the router and the URL Filtering Server.

Workaround: There is no workaround.

CSCsd04075

Symptoms: The voice ports of a Cisco IOS Voice over IP (VoIP) gateway that terminates fax calls may lock up and not accept any new calls. The following error messages may be generated on the console or syslog (if enabled):

%HPI-3-CODEC_NOT_LOADED: channel:2/0/0 (171) DSP ID:0x1, command failed as codec not loaded 0

- Traceback= 615D2FA8 615C8528 617D5044 617D5258 61BBCD44 61BBD764 617BAE88 617BBD38 6138720C

Conditions: This symptom is observed on a Cisco 3600 series router but is not platform-dependent.

Workaround: Disable T.38 and use fax passthrough.

CSCsd13920

Symptoms: CEF switching is broken for voice traffic on some interfaces, which breaks the transcoding feature. The caller then experiences no voice path.

Conditions: This symptom has been observed on some network modules and interfaces.

Workaround: Disable the ip cef command.

CSCsd28214

Symptoms: A Cisco router that is running Cisco IOS Release 12.3(19) may crash due to a Watch Dog timeout while running the RIP routing protocol.

Conditions: The router may crash due to a Watch Dog timeout if an interface changes state at the exact same time a RIP route learned on that interface is being replaced with a better metric redistributed route. For example, RIP has learned the 192.168.1.0 network from Fast Ethernet 1/0. If RIP learns the 192.168.1.0 network from a redistributed protocol that has a better metric, then the RIP route will be removed. If, during this time the Fast Ethernet 1/0 interface goes down, then the router may potentially crash due to a Watch Dog timeout.

Workaround: There is no workaround.

CSCsd46323

Symptoms: The standby RP reboots when you perform an OIR of an active VIP that is installed in any slot of the router.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS interim Release 12.4(7.10) and that is configured for RPR, RPR+, or SSO. The symptom may also affect other releases.

Workaround: There is no workaround.

CSCsd61780

Symptoms: A router crashes because of errors from checkheaps.

Conditions: This symptom is observed when hundreds of CLI commands are entered in virtual-template mode.

Workaround: There is no workaround.

CSCsd65289

Symptoms: When applying a service-policy to a subinterface, the router crashes.

Conditions: This problem occurs on an ATM interface that has a large number of subinterfaces with service policies applied.

Workaround: There is no workaround.

CSCsd69480

Symptoms: The following error message is displayed when links flap on a FlexWAN2 with an STM-1 port adapter, and the interface statistics show line errors for the flapping line:

%HYPERION-4-HYP_RESET: Hyperion Error Interrupt. Resetting ASIC.

Conditions: This symptom is observed on a Cisco 7600 series router with a PA-MC-STM1 port adapter that runs Cisco IOS Release 12.2(17d)SXB9.

Workaround: There is no workaround.

CSCsd74000

Symptoms: A slot controller such as a slot controller of a VIP4-80 may reset because of a TLB (load or instruction fetch) exception.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(17b) or Release 12.4, that has T1 or E1 port adapters installed in the slot that is controlled by the slot controller that resets, and that has NBAR configured.

Workaround: Remove the NBAR configuration.

CSCsd76528

This caveat consists of two symptoms, two conditions, and two workarounds:

Symptom 1: None of the policy classes after the first child policy of a hierarchical QoS policy take effect when you reload the router.

Condition 1: This symptom is observed on a Cisco 7304 that has hierarchical QoS policies with multiple child policies but may also occur on other platforms.

Workaround 1: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the service-policy output interface configuration command to enable the child policies to take effect. Note that the symptom does not occur for a hierarchical QoS policy with only one child policy in the very last class of the parent policy.

Symptom 2: On a Cisco 10000 series that is configured with hierarchical queueing policies, when you remove the match vlan command for a VLAN that matches a dot1q subinterface, the queues that are allocated to the subinterface are not cleared, allowing traffic to continue to flow through these queues.

Condition 2: This symptom is observed on a Cisco 10000 series that has hierarchical QoS policies with multiple child policies but may also occur on other platforms.

Workaround 2: There is no workaround. Note that the symptom does not occur for a hierarchical QoS policy with only one child policy in the very last class of the parent policy.

CSCsd80754

Symptoms: The active router in an HSRP configuration may not respond to an ARP request for the virtual IP address. When the symptom occurs, both routers in the HSRP configuration have correct HSRP and ARP entries. Entering the clear arp command on the standby router in the HSRP configuration does not resolve the problem.

Conditions: This symptom is observed when the same HSRP virtual IP address exists in different HSRP groups on different routers.

Workaround: Enter the no standby redirects command to prevent the symptom from occurring.

CSCsd85852

Symptoms: When a PVC is shut down on the remote side, the PVC subinterface on the Cisco 10000 router transitions from down to up within one second, and then stays down after the down retry timers expire. This is seen when using OAM and DBS.

Conditions: This symptom is observed on a Cisco 10008 that is using Cisco IOS Release 12.3(7)XI7a.

Workaround: There is no workaround.

CSCsd93522

Symptoms: An NPE-G2 crashes when you first enter the no ima-group command, then you enter the atm vc command for the IMA group, and finally you enter the show vc command.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with an IMA port adapter.

Workaround: First configure an IMA group. Then, configure a VC for this IMA group.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse17175

Symptoms: The line protocol may go down on some of the serial interfaces of a 1-port multichannel STM-1 single mode port adapter.

Conditions: This symptom is observed on a Cisco router when the maximum number of channel groups (256) is configured on the port adapter.

Workaround: There is no workaround.

CSCse25166

Symptoms: A traceback may be generated when you enter the show funi pvc interface serial x/y command.

Conditions: This symptom is observed on a Cisco router when a null data structure is accessed.

Workaround: There is no workaround.

CSCse25331

Symptoms: After upgrading the Cisco IOS software on a Cisco 7200 series router that is using a PA-A3-IMA, shaping accuracy problems can be observed. The PVC is shaped at a rate higher than the configured value.

Conditions: This problem is observed on a Cisco 7200 series router.

Workaround: There is no workaround.

CSCse42991

Symptoms: A memory leak may occur in the CEF Scanner process of a Cisco 7200 VXR router that has an NPE-G1 processor when a virtual-template interface is configured to perform CEF load balancing on a per-packet basis instead of a per-destination basis.

Conditions: This symptom is observed on a 7204VXR that functions as an LNS and that runs the c7200-js-mz image of Cisco IOS Release 12.3(15) or the 7200-js-mz image of Cisco IOS Release 12.3(19). The symptom may also occur in other releases.

Workaround: Use the default CEF load balancing on a per-destination basis. If you need to configure load balancing on a per-packet basis, disable IP CEF accounting by entering the no ip cef accounting per-prefix non-recursive command.

CSCse45425

Symptoms: A VAM2 may reset when it receives a malformed ESP packet, and a "Free Pool stuck" error message may be generated. This situation causes high CPU usage in the encryption process while the software is handling the encryption as opposed to the hardware. Even when the VAM2 recovers, the high CPU usage remains because the software-encrypted tunnels do not fall back to hardware encryption until the SA lifetime expires.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(19) or Release 12.4(7a).

Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred and after the VAM2 has recovered, disable software encryption by entering the no crypto engine software ipsec command to force the encryption back to the hardware.

CSCse52987

Symptoms: The line protocol on a newly configured SRP interface may remain down and does not come up after you have entered the no shutdown command.

Conditions: This symptom is observed on a Cisco router that has an SRP/DPT port adapter.

Workaround: There is no workaround.

CSCse55522

Symptoms: A Versatile Interface Processor (VIP) with CT3 PA crashes continuously.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS interim Release 12.4(9.9).

Workaround: There is no workaround.

Terminal Service

CSCej00344

Symptoms: A Cisco router that is configured for X.25 routing may reload unexpectedly.

Conditions: The problem is experienced in Cisco IOS Release 12.3(14)T2 with X.25-over-TCP (XOT) configuration.

Workaround: There is no workaround.

Wide-Area Networking

CSCek40618

Symptoms: A router may crash because of an address error (load or instruction fetch) exception during normal operation.

Conditions: This symptom has been observed when the router is configured with VPDN and Multilink PPP, using Virtual-Template interfaces.

Workaround: There is no workaround.

CSCsd38761

Symptoms: A router may crash when the AAA per-user attribute idletime is specified in the user profile.

Conditions: This symptom is observed on a Cisco router that is configured for PPP and AAA.

Workaround: Do not specify the AAA per-user attribute idletime in the user profile.

CSCsd74130

Symptoms: When an HSSIRSET, SERRSET, or FDDIRSET error message is generated or when the output becomes stuck, a VIP does not come up during its first recovery attempt.

Conditions: This symptom is observed on a Cisco platform that is configured with a VIP when a CCB timeout occurs during an IDB reset or when the output becomes stuck.

Workaround: There is no workaround.

CSCse05777

Symptoms: A router may reload unexpectedly when you configure more multilink interfaces than the maximum number that the router can support. The router should not reload but should generate an error message.

Conditions: This symptom is observed on any Cisco router that imposes a limit on the number of multilink interfaces.

Workaround: Do not exceed the maximum number of multilink interfaces.

CSCse38823

Symptoms: A multihop router fails to establish a session from a LAC. A CDN is sent for one of the following reasons:

L2TP: disconnect (AAA) IETF: 15/service-unavailable Ascend: 67/VPDN Softshut/Session Limit

L2TP: disconnect (L2X) IETF: 9/nas-error Ascend: 62/VPDN No Resources

Conditions: This problem can occur on either a multihop LAC or a simple LAC that accepts dial-in, if the LAC has multiple destination LNSs configured in a vpdn-group and the LNSs have a per-vpdn-group session limit configured in the vpdn-groups that accept the sessions from the LAC.

Workaround 1: Configure the minimum L2TP tunnel timeout value (5 seconds) in the vpdn-group on the LAC that experiences the problem. The CLI is as follows:

l2tp tunnel busy timeout 5

Workaround 2: Do not configure load balancing.

Workaround 3: Create loopback interfaces on the LNSs for the different vpdn-groups on the LACs to use; that is, configure different vpdn-groups on a LAC to use distinct loopback addresses on the LNSs. When a LAC then receives a "busy" CDN from an LNS, the LAC places only the particular LNS address for the corresponding vpdn-group on the busy list, without affecting the capacity of the other LNS vpdn-groups to accept new sessions.

CSCse78652

Symptoms: The queuing mode on Multilink interfaces is erroneously defaulting to fair queuing instead of FIFO. This is causing distributed Cisco Express Forwarding (dCEF) to fail on Cisco 7500 routers.

Conditions: This symptom happens on all Multilink interfaces.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(19a)

Cisco IOS Release 12.3(19a) is a rebuild release for Cisco IOS Release 12.3(19). The caveats in this section are resolved in Cisco IOS Release 12.3(19a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or a crash may be seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable HTTP server using the no ip http server command.

CSCse85200

Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.

Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.

Workaround: Disable CDP on interfaces where it is not necessary.

CSCsj44081

Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml.

Miscellaneous

CSCeh15949

Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.

Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.

Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.

Further Problem Description: An example of this caveat is shown below.

When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.

Topology:

RPM-XF-(FE)-------(FE)--Router

ip: 10.10.10.2 .1

Router_RPM09_XF#show running-config

Building configuration...

Current configuration : 1190 bytes

!

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router_RPM09_XF

!

boot-start-marker

boot system x:rpmxf-p12-mz.123-7.T3

boot system bootflash:rpmxf-p12-mz.123-7.T3

boot-end-marker

interface FastEthernet2/0

ip address 10.10.10.2 255.255.255.252

ip access-group 101 in

duplex auto

speed auto

access-list 101 deny tcp any host 10.10.10.2 eq telnet

access-list 101 permit ip any any

Router_RPM09_XF#show ip access-list 101

Extended IP access list 101 (Compiled)

10 deny tcp any host 10.10.10.2 eq telnet

20 permit ip any any (96 matches)

Router_RPM09_XF#

The information below shows that the access list does not function:

Router#telnet 10.10.10.2

Trying 10.10.10.2 ... Open

CSCsb12598

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb93407

Symptoms: When H323 call service stops, the router still listens on TCP port 1720 and completes connection attempts.

Conditions: This symptom occurs after H323 is disabled using the following configuration commands:

voice service voip
 h323
  call service stop

Workaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.

For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document at http://www.cisco.com/warp/public/707/tacl.html

For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document at http://www.cisco.com/warp/public/707/iacl.html.

For information about using control plane policing to block access to TCP port 1720, see the "Deploying Control Plane Policing White Paper" at http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml.
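The following is an added example of the interface access list that the workaround above describes; it is not from the release notes, and the router addresses (192.0.2.1, 192.0.2.2), the interface name, and the list name are placeholders chosen for illustration:

```text
! Constructed example: drop H.323 call-setup attempts (TCP 1720) that are
! addressed to the router itself, while leaving transit traffic untouched.
! 192.0.2.1 and 192.0.2.2 stand in for every IP address the router owns.
ip access-list extended BLOCK-H323-TO-ROUTER
 remark CSCsb93407 workaround: router still listens on TCP 1720 after H323 stop
 deny   tcp any host 192.0.2.1 eq 1720 log
 deny   tcp any host 192.0.2.2 eq 1720 log
 permit ip any any
!
! Apply inbound on each interface from which untrusted hosts can reach the router.
interface FastEthernet0/0
 ip access-group BLOCK-H323-TO-ROUTER in
!
! Verify hit counts on the deny entries with:
!   show ip access-lists BLOCK-H323-TO-ROUTER
```

The deny entries must cover every address the router owns, loopbacks included, because the listener answers on any of them; the log keyword gives a record of blocked connection attempts in the syslog.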

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM), documented as Cisco bug ID CSCsi97695

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

CSCsd92405

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse45425

Symptoms: A VAM2 may reset when it receives a malformed ESP packet, and a "Free Pool stuck" error message may be generated. This situation causes high CPU usage in the encryption process while the software is handling the encryption as opposed to the hardware. Even when the VAM2 recovers, the high CPU usage remains because the software-encrypted tunnels do not fall back to hardware encryption until the SA lifetime expires.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(19) or Release 12.4(7a).

Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred and after the VAM2 has recovered, disable software encryption by entering the no crypto engine software ipsec command to force the encryption back to the hardware.

CSCse56501

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml

TCP/IP Host-Mode Services

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Put access lists at the edge of your network that block RCP packets, to prevent spoofed RSH packets from reaching the router. Use another protocol such as SCP. Use VTY ACLs.

Resolved Caveats—Cisco IOS Release 12.3(19)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(19). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(19). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCea36491

Symptoms: When a Telnet session is made to a router after a VTY session pauses indefinitely, the user in the Telnet session may not be able to enter the configuration mode. When these symptoms occur, interfaces may enter the wedged state with Simple Network Management Protocol (SNMP) traffic.

Conditions: This behavior is observed on ATM and Packet over SONET (POS) interfaces. This behavior is not platform-specific.

Workaround: Disable Simple Network Management Protocol (SNMP) configuration traps by entering the no snmp-server enable traps config global configuration command.

CSCee41892

Symptoms: A VIP4-80 card may fail to load the Cisco IOS software image. When this situation occurs, the following error messages are generated:

%DBUS-3-SW_NOTRDY: DBUS software not ready after HARD_RESET, elapsed 13056, status 0x0

%DBUS-3-WCSLDERR: Slot 2, error loading WCS, status 0x4 cmd/data 0xDEAD pos 97

%DBUS-3-WCSLDERR: Slot 2, error loading WCS, status 0x4 cmd/data 0xDEAD pos 99

%UCODE-3-LDFAIL: Unable to download ucode from system image in slot 2, trying rom ucode

%RSP-3-NOSTART: No microcode for VIP4-80 RM7000 card, slot 2

Conditions: This symptom is observed on a Cisco 7500 series when you enter the microcode reload command.

Workaround: There is no workaround.

Further Problem Description: The symptom may also occur because of improperly installed line cards. If this situation occurs, re-install the line cards.

CSCef68681

Symptoms: A CBUS complex may occur, causing all VIPs to reload and to be reconfigured. In turn, this situation prevents the router from being accessible for 30 seconds.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.0S when you change the MTU of an already existing interface or when you add a new interface. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCej57779

Symptoms: A reload of a Cisco 7600 router with a very large number (for example, 1000) of VRFs that are configured to learn redistributed routes via BGP/VPN may cause some VRFs to not learn the redistributed routes from the peer.

Conditions: The number of configured VRFs must be very large. This symptom has been observed in Cisco IOS Release 12.2SRA. This symptom is not applicable to Cisco IOS Release 12.4.

Workaround: The symptom can be resolved on the per VRF basis by removing the VRF instance and the BGP/VPN configuration for this instance and then adding them back.

CSCek32365

Symptoms: A Cisco 7500 series that is configured with more than two VIP 4-80 or VIP 6-80 processors may crash during the boot process and may not boot at all.

Conditions: This symptom is observed on a Cisco 7500 series that runs a Cisco IOS software image that includes the fix for caveat CSCei45236. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCei45236. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

CSCek36902

Symptoms: A Cisco 7500 series may generate a "%CBUS-3-CMDONPROC" error message and a traceback.

Conditions: This symptom is observed on a Cisco 7500 series with a Fast Serial Interface Processor (FSIP) when you perform an OIR.

Workaround: There is no workaround.

CSCsb14371

Symptoms: A Cisco 7500 series may log the following error message even if no VIP is installed in slot 0:

%IPC_RSP_CBUS-3-NOHWQ: Hardware queue for card at slot 0 not found

Conditions: This symptom is observed after a crash of another VIP has occurred. Sometimes the symptom occurs when a VIP is installed in slot 0 but most of the time there is no VIP in slot 0 when the symptom occurs.

Workaround: There is no workaround.

CSCsc19289

Symptoms: MC-T1 is disabled and wedged when changing the MTU size on the MC-T1 interface.

Conditions: This symptom has been observed when dLFIoLL is configured on a Cisco 7500 router and the MTU size on MX-serial interface is changed.

Workaround: Remove and replace the MC-T1, or perform a microcode reload of the MC-T1.

CSCsc70055

Symptoms: A Cisco 7200 series may crash when you perform a graceful OIR of a port adapter that is processing traffic.

Conditions: This symptom is observed mostly when the port adapter processes ingress traffic.

Workaround: Do not perform a graceful OIR. Rather, perform a manual OIR.

CSCsd63874

Symptoms: A traceback may occur in the "send_link_monitor_config_cmd" function and the following error message may be generated:

%CBUS-3-CMDONPROC: Cmd not interrupt protected

Conditions: This symptom is observed on a Cisco 7500 series.

Workaround: There is no workaround.

Interfaces and Bridging

CSCek27126

Symptoms: A router may crash when you remove a label-controlled ATM (LC-ATM) subinterface and may generate an "%ALIGN-1-FATAL: Corrupted program counter" error message.

Conditions: This symptom is observed on a Cisco 7200 series but may be platform-independent.

Workaround: Shut down the main interface before you remove the subinterface.

CSCsc66187

Symptoms: Error messages such as the following one may be generated on a Cisco 7500 series or Cisco 7600 series:

%CWPA-3-IPCALLOCFAIL: Failed to allocate IPC buffer for loveletter data

Conditions: This symptom is observed on a Cisco 7500 series and Cisco 7600 series that are configured with a 1-port Packet-over-SONET OC-3c/STM-1 multimode port adapter (PA-POS-OC3MM) when you enter the no shutdown interface configuration command on the interface.

Workaround: There is no workaround.

CSCsd40136

Symptoms: POS interfaces may remain in the up/down state after the router is upgraded to Cisco IOS interim 121-26.E6 image.

Conditions: This symptom has been observed on Cisco Catalyst 6500 series and Cisco 7600 series routers.

Workaround: Reload the FlexWAN or VIP in which the POS port adapter is installed.

CSCsd41989

Symptoms: A T3 controller remains down when loopback local is configured.

Conditions: This symptom is observed on a Cisco platform that is configured with a channelized T3 port adapter when the T3 controller is in an unavailable seconds (UAS) state.

Workaround: Remove the cause of the UAS state for the T3 controller.

CSCsd63918

Symptoms: A router reloads unexpectedly when you enter the bridge-group bridge-group command as part of an ATM PVC configuration.

Conditions: This symptom is observed on a Cisco router that is configured with an ATM port adapter such as a PA-A2 port adapter.

Workaround: There is no workaround.

IP Routing Protocols

CSCee83549

Symptoms: When multipath is configured, one of the paths may have an inconsistent (old) label, causing only one path to be operational.

Conditions: This symptom is observed when BGP does not update the outlabel information in the TFIB and for CEF.

Workaround: Clear or readvertise the route that is not operational.

CSCek25582

Symptoms: Spurious memory accesses may be (continuously) generated at the "igmp_process_timers" function.

Conditions: This symptom is observed on a Cisco router that is configured for multicast routing.

Workaround: There is no workaround.

CSCek32244

Symptoms: Not all classful networks are locally generated in the BGP table.

Conditions: This symptom is observed on a Cisco router that has the auto-summary command enabled and occurs when classful networks are provided before the routes are made available in the routing table.

Workaround: There is no workaround.

CSCek33991

Symptoms: A router may reset unexpectedly when it is in the midst of output of the results of the show interface dampening command, and the interface is deleted from another vty connection.

Conditions: This symptom can be encountered if concurrent connections are opened to a router, and the show interface dampening command is issued while interface(s) are deleted.

Workaround: Ensure that interfaces with dampening configured are not deleted while the show interface dampening command may be issued on another vty.

CSCsc56595

Symptoms: When an OSPFv3 router has more IPv6 prefixes in a single OSPFv3 area than can be advertised in a single intra-area prefix Link State Advertisement (LSA) that is small enough to be advertised via the normal IPv6 Maximum Transmission Unit (MTU), the additional IPv6 prefixes are not advertised.

Conditions: This symptom is observed when many interfaces with IPv6 global addresses are configured in a single OSPFv3 area and when the size of the LSA is less than the normal IPv6 interface MTU.

Workaround: Spread the IPv6 interfaces over multiple OSPFv3 areas.

CSCsc78813

Symptoms: While using NAT in an overlapping network configuration, the IP address inside a DNS reply payload from the nameserver is not translated at the NAT router.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(18) and that has the ip nat outside source command enabled. The symptom could also occur in Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCsd11019

Symptoms: A Cisco IOS router with OSPFv3 and a virtual link configured may crash when there is a switchover.

Conditions: This symptom is observed on Cisco platforms supporting switchover when OSPFv3 is configured with the area transit-area-id virtual-link transit-router-id command.

Workaround: There is no workaround.

CSCsd15770

Symptoms: High CPU utilization occurs during PPPoEoQinQ session setup.

Conditions: This symptom occurs when Internet Group Management Protocol (IGMP) is enabled.

Workaround: There is no workaround.

CSCsd16043

Symptoms: A Cisco IOS platform that is configured for Auto-RP in a multicast environment may periodically lose the RP to group mappings.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3(17) when the RP drops the Auto-RP announce messages, which is shown in the output of the debug ip pim auto-rp command. This situation may cause a loss of multicast connectivity while the RP mappings are purged from the cache. See the following output example:

Auto-RP(0): Received RP-announce, from ourselves (X.X.X.x), ignored

Note that the symptom may also affect Cisco IOS Release 12.4 and Release 12.4T.

Workaround: Create a dummy loopback interface (do not use an IP address that is configured anywhere else in the network) and use the ip mtu command to set the MTU for the RP interface to 1500 and the MTU for the dummy loopback interface to 570, as in the following examples:

interface Loopback1

ip address 10.10.10.10 255.255.255.255

ip mtu 570

ip pim sparse-mode

end

(This example assumes that the Auto-RP interface is loopback 0.)

interface Loopback0

ip address 10.255.1.1 255.255.255.255

ip mtu 1500

ip pim sparse-dense-mode

end

ISO CLNS

CSCsb89900

This caveat consists of two symptoms, two conditions, and two workarounds:

Symptom 1: Corrupted timer data structures may cause tracebacks in an IS-IS environment.

Condition 1: This symptom is observed when an IS-IS instance is configured for IPv6 interfaces only, when the IS-IS instance has a passive interface, and when you take the following actions:

You enter the no router isis command.

You then re-enable IS-IS, including on the passive interface, which then becomes an active IPv6 interface.

Workaround 1: Do not configure a passive interface if an IS-IS instance is configured for IPv6 interfaces only. If you must configure a passive interface in an IS-IS instance, do not enable IS-IS on this passive interface after you have disabled IS-IS globally via the no router isis command.

Symptom 2: IS-IS may crash or function unreliably because of uninitialized or freed data structures.

Condition 2: This symptom is observed when a passive interface is configured and when the following actions occur:

IS-IS is disabled on all interfaces (whether IPv4 or IPv6 interfaces), one by one.

Then, the no router isis command is entered to disable IS-IS globally.

Next, IS-IS is globally enabled and the passive interface is made active via the ip router isis or ipv6 router isis command.

Workaround 2: Do not use a passive interface in an IS-IS environment. If you must use a passive interface in an IS-IS environment, prevent the actions that are described in Condition 2.

Miscellaneous

CSCdz18851

Symptoms: When you reload microcode onto a line card or perform an OIR of a line card, a spurious memory access error may be logged on some or all other line cards in the router.

Conditions: This symptom is observed on a Cisco router that is configured for IPv6 dCEF when an IPv6 route is load-balanced across two equal-cost paths that both leave the router on interfaces of the same line card, which is the line card onto which you reload microcode or on which you perform an OIR.

Workaround: There is no workaround.

CSCec15400

Symptoms: A Versatile Interface Processor 4 (VIP4) with an E1 controller may reload unexpectedly and display the following error message:

%ALIGN-1-FATAL: Illegal access to a low address

addr=0x28, pc=0x604716A8, ra=0x604711FC, sp=0x60D66628

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.2(15)T2, Release 12.2(15)T5, or Release 12.3.

Workaround: There is no workaround.

CSCeg55213

Symptoms: Ethernet VLAN data counters may not be updated for a virtual circuit (VC) that is configured for Xconnect.

Conditions: This symptom is observed on a Cisco platform that has the EoMPLS VLAN mode enabled.

Workaround: There is no workaround.

CSCeh85133

Symptoms: A memory leak may occur when an SNMP trap is sent to a VRF destination. The output of the show processes memory command shows that the memory that is held by the process that creates the trap increases, and eventually causes a MALLOC failure. When this situation occurs, you must reload the platform.

Conditions: This symptom is platform-independent and occurs in a configuration in which at least one VRF destination has the snmp-server host command enabled.

Workaround: Ensure that no VRF is associated with the snmp-server host command.

CSCei05246

Symptoms: After an OIR of a PA-MC-E3 port adaptor that is installed in a VIP6-80, the serial interfaces do not transmit. The message "not transmitting" is generated, followed by "output frozen." After these messages, a Cbus Complex occurs.

Conditions: This symptom is observed on a Cisco 7500 series.

Workaround: There is no workaround.

CSCei21877

Symptoms: The first modem in a service processing element (SPE) is marked busy and the state of the SPE is reported as BAD.

Conditions: This symptom is observed on a Cisco AS5800 that is configured with MICA modems.

Workaround: Enter the shutdown command followed by the no shutdown command on the affected SPE to recover the modem from the busy state.

CSCej27978

Symptoms: A CE router that is configured for VRFLite does not receive Auto-RP mappings.

Conditions: This symptom is observed when MDS is enabled on the multilink interface that connects the CE router and the PE router.

Workaround: Configure process switching on the multilink interface that connects the CE router and the PE router by entering the no ip mroute-cache interface configuration command.

CSCek26492

Symptoms: A router may crash if it receives a packet with a specific crafted IP option as detailed in Cisco Security Advisory: Crafted IP Option Vulnerability:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

Conditions: This DDTS resolves a symptom of CSCec71950. Cisco IOS releases that contain this specific DDTS are not at risk of a crash if CSCec71950 has been resolved in the software.

Workaround: Cisco IOS versions with the fix for CSCec71950 are not at risk for this issue and no workaround is required. If CSCec71950 is not resolved, see the following Cisco Security Advisory: Crafted IP Option Vulnerability for workaround information:

http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

CSCek33253

Symptoms: NextPort modems that function in a T1 CAS signaling configuration do not dial all the DTMF digits successfully.

Conditions: This symptom is observed when you enter valid DTMF digits such as # and * in a dial string.

Workaround: Use MICA modems instead of NextPort modems.

Alternate Workaround: Use ISDN PRI T1 instead of T1 CAS signaling.

CSCek37177

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177.

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCin86885

Symptoms: A VIP6-80 in which a PA-MC-STM-1SMI is installed may crash.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS interim release for Release 12.0(31)S after link flaps occur on the PA-MC-STM-1SMI that has QOS configured on its serial interfaces.

Workaround: There is no workaround.

CSCin95988

Symptoms: When a single DSP is used to make both a modem call and a fax-relay call, the calls fail, and tracebacks are generated on the terminating gateway (TGW).

Conditions: This symptom is observed on Cisco platforms that are running Cisco IOS Release 12.3(13b) or Release 12.3(16) in the following topology:

Call originator---T1---OGW---VoIP---TGW---T1 PRI---call recipient

Workaround: Use different DSPs for modem and fax-relay calls.

CSCsa61635

Symptoms: A Cisco router may reload unexpectedly because of a bad block pointer.

Conditions: This symptom is observed on a Cisco 3660 that has a GRE tunnel configuration. The symptom may be platform-independent.

Workaround: There is no workaround.

CSCsa63173

Symptoms: CEF may not be updated with a new path label that is received from a BGP peer.

Conditions: This symptom is observed when a Cisco router that is configured for IPv4 BGP Label Distribution and multipath receives a BGP update that changes only the MPLS label to a non-bestpath multipath. In this situation, the router does not update the forwarding plane, causing dropping or misbranding of traffic because of label inconsistencies between the BGP table and the forwarding table.

Workaround: There is no workaround.

CSCsb52900

Symptoms: An inconsistency may occur in the outlabel information that is used by BGP and MPLS forwarding.

Conditions: This symptom is observed when there are two route reflectors (RRs) that advertise the same route and when one of the routes is the best path. The symptom occurs when the following conditions are present:

The PE router that is the source restarts, causing the prefix to be readvertised with a new label.

The RR that forms the non-best path delays the withdrawal and readvertisement of the prefix, for example, because the RR has a heavy load.

This situation causes BGP to function with the new label but MPLS forwarding to function with the old label.

Workaround: Enter the clear ip route network command for the affected prefix.

CSCsb67539

Symptoms: A Voice Gateway crashes when running under a heavy voice call load.

Conditions: This symptom is observed on a Voice Gateway that is running Cisco IOS Release 12.3(11)T6. The gateway is under a heavy voice call load and accesses media and application documents that reside on local gateway flash or on HTTP and TFTP servers.

Workaround: The following is not quite a workaround:

call threshold global cpu-5sec low value high value

For example:

call threshold global cpu-5sec low 50 high 70

This command can ease the CPU load on the gateway and so reduce the probability of a crash.

CSCsc35024

Symptoms: A Cisco 2600 series with an E1 WIC may crash when you enter the channel-group timeslots command.

Conditions: This symptom is observed when the router runs Cisco IOS Release 12.3(15b) or an earlier release, when a service policy is applied on a subinterface, and when traffic is being processed by the router. The symptom could occur in Release 12.4 or Release 12.4T.

Workaround: Remove the service policy before you change the time slot.

CSCsc40236

Symptoms: Incorrect outgoing labels are installed for BGP-IPv4 Multipath prefixes.

Conditions: This symptom has been observed whenever a label that is received from a BGP-IPv4 Multipath peer changes.

Workaround: Clearing the BGP neighbor should allow the correct labels to be installed.

CSCsc65165

Symptoms: A Cisco 7200 series reloads unexpectedly when you enter the hw-module slot slot-number stop command for a T3 port adapter.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with 100 EzVPN IVRFs on a DS3 interface of the T3 port adapter.

Workaround: There is no workaround.

CSCsc76061

Symptoms: When PPPoA and a virtual template are used, ARP requests are not bridged from a LAN through a DSL connection.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(8)YI3 or Release 12.4(4)T when BVI is configured to bridge remote LANs to DSL connections that use PPPoA with virtual templates and aal5ciscoppp encapsulation. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCsc84858

Symptoms: A router may crash because of a bus error when you enter the no policy-map command.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1 and that runs Cisco IOS Release 12.3(10c). The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCsc94359

Symptoms: The BGP table and CEF forwarding table may have mismatched labels for prefixes that are learnt from a remote PE router.

Conditions: This symptom is observed on a Cisco router that functions as a PE router when an eBGP session flap or route flap occurs on the remote PE router. A new label for the prefix is learnt from the remote PE router, but forwarding may not be updated properly.

Workaround: There is no workaround to prevent the symptom. When it has occurred, correct the situation by entering the clear ip route vrf vrf-name network command on the PE router that has mismatched labels.

CSCsd02602

Symptoms: All channels on a multichannel T3 port adapter may go down. The router may then reload unexpectedly due to a software forced crash. If not, all of the channels in the T3 may stay down until corrective action is taken.

The following message may appear one or more times in the router or VIP log:

%CT3-3-MBOXSENDM: Failed to send msg MBOXP_MSG_T1_DISABLE to bay 1 firmware

On a Cisco 7200 router, the following messages may be seen in the log:

CT3SW WatchDog not cleared, WatchDog = 2

CT3SW WatchDog not cleared, WatchDog = 3

On a Cisco 7500 router, the following messages may be seen in the log:

%CT3 5/8: Illegal Love Letter, cmd 0

%CT3 5/9: Illegal Love Letter, cmd 0

Conditions: This symptom affects routers that use two-port multichannel T3 port adapters, the PA-MC-2T3 and the PA-MC-2T3+. The symptom occurs when one or more of the T1s in either T3 sees framing errors. One-port multichannel T3 port adapters, the PA-MC-T3 and the PA-MC-T3+, are not affected.

Workaround: There is no workaround to prevent this problem. Possible corrective actions are listed below:

Possible corrective actions for the Cisco 7200 router:

1. Remove and reinsert the affected port adapter.

2. Simulate removal and reinsertion by entering these EXEC mode commands in sequence: hw-module slot slot-number stop, then hw-module slot slot-number start.

3. Reload the router.

Possible corrective actions for the Cisco 7500 router:

1. Remove and reinsert the VIP with the affected port adapter.

2. Enter the microcode reload configuration mode command.

3. Reload the router.

CSCsd04075

Symptoms: A Cisco IOS Voice over IP gateway that terminates fax calls may have its voice ports lock up and not accept any new calls. The following messages may (but do not always) appear on the console or in the syslog:

%HPI-3-CODEC_NOT_LOADED: channel:2/0/0 (171) DSP ID:0x1, command failed as codec not loaded 0

- Traceback= 615D2FA8 615C8528 617D5044 617D5258 61BBCD44 61BBD764 617BAE88 617BBD38 6138720C

Conditions: This symptom is observed on a Cisco 3600 series router but is not platform dependent.

Workaround: Disabling T.38 and using passthrough resolves the issue.

CSCsd08862

Symptoms: A router may crash because of a bus error when you enter the show interface command for a virtual-access interface or subinterface.

Conditions: This symptom is observed when you enter the show interface command while a session that is associated with the virtual-access interface or subinterface is being cleared.

Workaround: There is no workaround.

CSCsd11646

Symptoms: On a router that runs Multiprotocol Label Switching (MPLS), the "%SYS-3-OVERRUN:" and "%SYS-6-BLKINFO" error messages may be generated and a software-forced crash may occur on the router.

Conditions: This symptom is observed when you enter the show mpls ldp discovery command under the following conditions:

There are multiple LDP adjacencies configured through one interface.

The adjacencies between peers through this interface have not been fully established for some peers.

The unestablished LDP adjacencies are coming up while you enter the show mpls ldp discovery command.

Workaround: Do not enter the show mpls ldp discovery command while multiple LDP adjacencies are coming up. Rather, enter the show mpls ldp neighbor [detail] command while multiple LDP adjacencies are coming up.

CSCsd15546

Symptoms: A Cisco router that is configured as a DHCP relay may not append option 82 (that is, the Relay Agent option), even when the router is configured to do so in the following way:

ip dhcp relay information option

no ip dhcp relay information check

ip dhcp relay information trust-all

Conditions: This symptom is observed when the DHCP message contains an invalid option according to RFC 2132; for example, option 12 with length 0.

Workaround: Ensure that the DHCP messages that are sent to the Cisco router that functions as a DHCP relay contain valid options. If you cannot ensure this, there is no workaround.
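The following is an added example (not Cisco code) of the check a relay performs before appending option 82: it walks the client's option TLVs, flags any option shorter than RFC 2132 allows (the caveat's option 12 with length 0), and refuses to relay a message it could not parse cleanly rather than silently forwarding it without option 82. The sample option fields, the sub-option values and the subset of minimum lengths are constructed here.

```python
"""Validate DHCP option TLVs before a relay inserts option 82 (added example, not Cisco code).

Constructed for caveat CSCsd15546: a relay that walks the client's options field and
refuses to append the Relay Agent Information option when any TLV violates RFC 2132,
for example option 12 (Host Name) carrying a length of 0.
"""

PAD, END, RELAY_AGENT = 0, 255, 82

# RFC 2132 minimum lengths for the options used below (subset, constructed here).
MIN_LEN = {
    12: 1,   # Host Name: minimum length 1
    53: 1,   # DHCP Message Type
    55: 1,   # Parameter Request List
    61: 2,   # Client-identifier
}


def parse_options(buf):
    """Walk the options field (bytes after the magic cookie).

    Returns (options, problems): options is a list of (code, value) pairs in order,
    problems a list of strings describing every RFC 2132 violation found.
    """
    options, problems = [], []
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == PAD:                       # single-byte pad, no length field
            i += 1
            continue
        if code == END:
            break
        if i + 1 >= len(buf):
            problems.append(f"option {code}: missing length byte")
            break
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            problems.append(f"option {code}: truncated ({len(value)} of {length} bytes)")
            break
        if length < MIN_LEN.get(code, 0):
            problems.append(f"option {code}: length {length} below RFC 2132 minimum {MIN_LEN[code]}")
        options.append((code, value))
        i += 2 + length
    else:
        problems.append("options field has no END (255) marker")
    return options, problems


def relay_insert_option_82(buf, circuit_id, remote_id):
    """Return a copy of the options field with option 82 appended before END.

    Sub-options 1 (Agent Circuit ID) and 2 (Agent Remote ID) follow RFC 3046.
    A message that does not parse cleanly is rejected instead of being forwarded
    without option 82, which is the silent failure the caveat describes.
    """
    options, problems = parse_options(buf)
    if problems:
        raise ValueError("; ".join(problems))
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return body + bytes([RELAY_AGENT, len(sub)]) + sub + bytes([END])


# Constructed DHCPDISCOVER options field (everything after the magic cookie).
GOOD_OPTIONS = bytes([
    53, 1, 1,                                      # Message Type = DHCPDISCOVER
    61, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  # Client-identifier: hw type 1 + MAC
    12, 4, *b"host",                               # Host Name "host"
    55, 3, 1, 3, 6,                                # Parameter Request List
    END,
])
# The same message with the defect from the caveat: option 12 with length 0.
BAD_OPTIONS = bytes([53, 1, 1, 12, 0, 55, 3, 1, 3, 6, END])

if __name__ == "__main__":
    for name, field in (("good", GOOD_OPTIONS), ("bad", BAD_OPTIONS)):
        _, problems = parse_options(field)
        print(name, "->", problems or "clean; option 82 would be appended")
```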

CSCsd21567

Symptoms: Packets are route-cache switched instead of distributed-cache switched.

Conditions: This symptom occurs in Cisco IOS Release 12.3 when distributed-cache switching is enabled but packets are nevertheless route-cache switched.

Workaround: There is no workaround.

CSCsd38693

Symptoms: Renaming a file to a string that contains multiple trailing dots ("." characters) corrupts the file system on ATA, CF, and USB flash storage devices.

Conditions: This symptom is observed when you enter the following commands to rename the file:

rename disk0:file2 disk0:file3...

Workaround: Avoid renaming a file to a name that contains multiple trailing "." characters. When the symptom has occurred and the file system is no longer accessible, you must reformat the disk by entering the format disk0: command.

CSCsd40334

Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and on which version of Cisco IOS is currently in use.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

CSCsd47671

Symptoms: A Cisco 7200 series router that is running Cisco IOS Release 12.3(17) may experience an output-stuck condition on PVCs that run on a PA-A3-8T1-IMA. As a result, all traffic over the affected PVCs stops passing.

The show queueing int atm1/ima0 command may report:

Interface ATM1/ima0 VC 1/41

Queueing strategy: fifo

Output queue 40/40, 9156 drops per VC

Conditions: The following conditions apply:

1. The issue is reproducible in TAC labs that run Cisco IOS Release 12.3(17a).

2. The issue is not reproducible in TAC labs that run Cisco IOS Release 12.4(5a).

3. During the problem, after the interfaces are wedged, entering the shutdown command followed by the no shutdown command on the logical IMA interface leaves the interface in the down/down (disabled) state.

The condition appears in all Cisco IOS versions that contain the fix for CSCee20451.

Workaround: Use one of the following:

1. Reload the Cisco 7200 series router.

2. Run a Cisco IOS image that does not include the fix for CSCee20451.

CSCsd51429

Symptoms: A Cisco router that is running SNASw and that has lost connectivity on an HPR-IP link still shows the link state as active in the output of the show snasw link command. The message "%SNASW-4-LDLC_CTRL_LOG_1: EXCEPTION - 81 - LDLC command frame retry limit exceeded" appears, but the message "%SNASW-3-EVENT: Link station XXXX deactivated" does not. The mainframe product correctly shows the link as inactive.

The link cannot be reactivated. Trying to stop the link with the snasw stop link command leaves the link in Pending Inactive state.

Conditions: This symptom occurs when there is an outage between the SNASw router and the mainframe, such as an IP failure, interface failure, or mainframe reload.

Workaround: There is no workaround. The SNASw subsystem must be restarted with the snasw stop command followed by the snasw start command to clear the condition.

Further Problem Description: This problem was caused by a bad code fix in CSCej78434.

CSCsd58381

Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and on which version of Cisco IOS is currently in use.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

CSCsd65009

Symptoms: A spurious memory access is reported in the log after you configure a new VRF on a router that runs an MP-BGP session. The message is similar to the following example and is followed by a traceback:

%ALIGN-3-SPURIOUS: Spurious memory access made at 0x60C55F6C reading 0x8

%ALIGN-3-TRACE: -Traceback= 60C55F6C 60607554 605E0858 605E5570 605E8E90 605E9A20 605EE870 605F87B0

Conditions: This symptom has been observed after adding a new VRF.

Workaround: There is no workaround.

Further Problem Description: This symptom does not cause any side effects. The VRF can be applied to the interface and works correctly, but tracebacks are reported after it is configured.

CSCsd74000

Symptoms: A slot controller, such as the slot controller of a VIP4-80, may reset because of a TLB (load or instruction fetch) exception.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(17b) or Release 12.4, that has T1 or E1 port adapters installed in the slot that is controlled by the slot controller that resets, and that has NBAR configured.

Workaround: Remove the NBAR configuration.

TCP/IP Host-Mode Services

CSCsb51019

Symptoms: A TCP session does not time out but is stuck in the FINWAIT1 state and the following error message is generated:

%TCP-6-BADAUTH: No MD5 digest from x.x.x.x to y.y.y.y(179) (RST)

Conditions: This symptom is observed on a Cisco router that is configured for BGP and that is connected to a third-party vendor router after the BGP authentication password is changed on the Cisco router.

Workaround: Identify the BGP connection that is stale by entering the show tcp brief command and then clear the TCP control block.

Wide-Area Networking

CSCek25684

Symptoms: When you remove a map group from an interface, the router may reload.

Conditions: This symptom is observed while Frame Relay SVC is coming up.

Workaround: Shut down the interface before you remove the map group from the configuration.

CSCek28575

Symptoms: A router reloads at the "process_modem_command" function during a test that involves asynchronous media.

Conditions: This symptom is observed on a Cisco AS5400 but is not platform-dependent.

Workaround: There is no workaround.

CSCsd01816

Symptoms: Multilink interfaces do not recover after a T1 link in a bundle flaps.

Conditions: This symptom is observed when two Cisco routers are connected back-to-back via two channelized OC-3 connections with 168 T1 links and when the multilink bundles are created with two T1 links each.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected multilink interfaces.

CSCsd06510

Symptoms: Unexpected drops may occur in the Multilink Frame Relay (MFR) output hold queue. The drops persist under a very low (25 pps) transmit rate.

The MFR output hold queue may become congested, causing all traffic to fail.

After you have disabled the traffic source or shut down the ingress interface, the MFR output hold queue may take as long as 15 minutes to "drain."

Conditions: These symptoms are observed on a Cisco router when you run multicast traffic over GRE tunnel interfaces that in turn use an MFR interface for transport.

Workaround: Disable multicast fast-switching.

CSCsd06518

Symptoms: A Cisco router may experience unexpected MFR output hold queue drops when running multicast traffic over GRE tunnel interfaces that in turn use a Multilink Frame Relay (MFR) interface for transport.

Drops persist under a very low (25 pps) transmit rate.

The MFR output hold queue may get into a congestion state that results in all traffic failing. Further, after disabling the traffic source or shutting down the ingress interface, the output hold queue may take as long as 15 minutes to "drain."

Conditions: This symptom is observed when using GRE tunnels for multicast traffic over MFR.

Workaround: Disable multicast fast switching.

CSCsd28564

Symptoms: When adding or removing PPP over Frame Relay (PPPoFR) configuration on a Cisco 7500 series router, the following error message is displayed:

%RSP-3-RESTART: cbus complex

Conditions: This symptom occurs on a Cisco 7500 series router when PPPoFR configuration is added or removed.

Workaround: There is no workaround.

CSCsd47777

Symptoms: Any PPP session that runs on a subinterface may crash.

Conditions: This symptom is observed with PPPoA, PPPoE, or VPDN sessions on a subinterface.

Workaround: Enter the no virtual-template subinterface command globally.

CSCsd74130

Symptoms: When an HSSIRSET, SERRSET, or FDDIRSET error message is generated or when the output becomes stuck, a VIP does not come up during its first recovery attempt.

Conditions: This symptom is observed on a Cisco platform that is configured with a VIP when a CCB timeout occurs during an IDB reset or when the output becomes stuck.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(18a)

Cisco IOS Release 12.3(18a) is a rebuild release for Cisco IOS Release 12.3(18). The caveats in this section are resolved in Cisco IOS Release 12.3(18a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or a crash may be seen during HTTP transactions with long URLs.

Conditions: The crash is seen when any token in the URL of the request is excessively long.

Workaround: Disable the HTTP server by entering the no ip http server command.

CSCse85200

Specially crafted CDP packets can cause a router to allocate and keep extra memory. Sending multiple such packets could cause memory allocation problems on the router.

Because CDP is a Layer 2 protocol, this issue can only be triggered by systems that reside on the same network segment.

The workaround is to disable CDP on interfaces where it is not necessary.

CSCsj44081

Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect the show tech-support command output and open a service request with the Technical Assistance Center (TAC) or your designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
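As an added example (not from Cisco or these release notes), the following Python scans syslog lines for the messages quoted in this section (the %DATACORRUPTION-1-DATAINCONSISTENCY message of CSCsj44081, plus the %TCP-6-BADAUTH, %CT3-3-MBOXSENDM, %HPI-3-CODEC_NOT_LOADED, %RSP-3-RESTART, %SNASW-4-LDLC_CTRL_LOG_1 and %ALIGN-3-SPURIOUS messages from the caveats above), maps each hit to its caveat and captures the traceback that follows it, including tracebacks wrapped onto a bare line of addresses. The sample log lines and addresses are constructed, and the caveat summaries in the table are paraphrases of the entries above.

```python
"""Triage Cisco IOS syslog lines for the messages this section ties to caveats (added example).

Constructed here: a table of message prefixes quoted in these release notes, mapped to
the caveat each one points at, and a scanner that also captures the traceback that
follows a hit, including tracebacks continued on a bare line of hex words.
"""
import re

# Message prefixes quoted on this page and the caveat they belong to (summaries are paraphrased).
INDICATORS = {
    "%DATACORRUPTION-1-DATAINCONSISTENCY": "CSCsj44081: internal data inconsistency, collect show tech-support",
    "%TCP-6-BADAUTH: No MD5 digest": "CSCsb51019: BGP TCP session may be stuck in FINWAIT1 after password change",
    "%CT3-3-MBOXSENDM: Failed to send msg": "CSCsd02602: multichannel T3 channels may go down",
    "%HPI-3-CODEC_NOT_LOADED": "CSCsd04075: voice ports may lock up when terminating fax calls",
    "%RSP-3-RESTART: cbus complex": "CSCsd28564: cbus complex restart while changing PPPoFR configuration",
    "%SNASW-4-LDLC_CTRL_LOG_1": "CSCsd51429: HPR-IP link may stay active after an outage",
    "%ALIGN-3-SPURIOUS: Spurious memory access": "CSCsd65009: spurious access after adding a VRF",
}

TRACEBACK_RE = re.compile(r"-\s*Traceback=\s*([0-9A-Fa-f ]+)")
HEX_CONTINUATION_RE = re.compile(r"(?:[0-9A-Fa-f]{8}\s*)+")


def _traceback_words(text):
    """Return the hex addresses of a '-Traceback=' fragment in text, or [] if none."""
    match = TRACEBACK_RE.search(text)
    return match.group(1).split() if match else []


def triage(lines):
    """Scan syslog lines; return one finding per indicator hit.

    Each finding is a dict with the 1-based line number, the caveat note and the
    list of traceback addresses gathered from the hit line and the lines after it.
    """
    findings = []
    i = 0
    while i < len(lines):
        body = lines[i].strip()
        note = next((n for prefix, n in INDICATORS.items() if prefix in body), None)
        if note is None:
            i += 1
            continue
        trace = _traceback_words(body)
        j = i + 1
        while j < len(lines):
            nxt = lines[j].strip()
            words = _traceback_words(nxt)
            if words:
                trace += words
            elif trace and HEX_CONTINUATION_RE.fullmatch(nxt):
                trace += nxt.split()       # traceback wrapped onto a bare line of addresses
            else:
                break
            j += 1
        findings.append({"line": i + 1, "note": note, "traceback": trace})
        i = j
    return findings


# Constructed sample log; addresses are illustrative.
SAMPLE_LOG = """\
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 60C55F6C 60607554 605E0858
May 17 10:01:28.002 UTC: %SYS-5-CONFIG_I: Configured from console by vty0
May 17 10:03:41.113 UTC: %TCP-6-BADAUTH: No MD5 digest from 192.0.2.1 to 192.0.2.2(179) (RST)
May 17 10:05:00.500 UTC: %ALIGN-3-SPURIOUS: Spurious memory access made at 0x60C55F6C reading 0x8
May 17 10:05:00.501 UTC: %ALIGN-3-TRACE: -Traceback= 60C55F6C 60607554 605E0858 605E5570 605E8E90
605E9A20 605EE870 605F87B0
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['note']} ({len(f['traceback'])} traceback addresses)")
```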

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

Miscellaneous

CSCeh15949

Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.

Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.

Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.

Further Problem Description: An example of this caveat is shown below.

When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.

Topology:

RPM-XF-(FE 10.10.10.2)-------(FE .1)--Router

Router_RPM09_XF#show running-config

Building configuration...

Current configuration : 1190 bytes

!

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router_RPM09_XF

!

boot-start-marker

boot system x:rpmxf-p12-mz.123-7.T3

boot system bootflash:rpmxf-p12-mz.123-7.T3

boot-end-marker

interface FastEthernet2/0

ip address 10.10.10.2 255.255.255.252

ip access-group 101 in

duplex auto

speed auto

access-list 101 deny tcp any host 10.10.10.2 eq telnet

access-list 101 permit ip any any

Router_RPM09_XF#show ip access-list 101

Extended IP access list 101 (Compiled)

10 deny tcp any host 10.10.10.2 eq telnet

20 permit ip any any (96 matches)

Router_RPM09_XF#

The information below shows that the access list does not function:

Router#telnet 10.10.10.2

Trying 10.10.10.2 ... Open

CSCsb12598

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, these vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device, and they are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsb93407

Symptoms: When H323 call service stops, the router still listens on TCP port 1720 and completes connection attempts.

Conditions: This symptom occurs after H323 is disabled using the following configuration commands:

voice service voip

h323

call service stop

Workaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.

For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document at http://www.cisco.com/warp/public/707/tacl.html

For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document at http://www.cisco.com/warp/public/707/iacl.html.

For information about using control plane policing to block access to TCP port 1720, see the "Deploying Control Plane Policing White Paper" at http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml.

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not time out.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsd58381

Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and on which version of Cisco IOS is currently in use.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, these vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device, and they are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM), documented as Cisco bug ID CSCsi97695

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

CSCsd92405

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse45425

Symptoms: A VAM2 may reset when it receives a malformed ESP packet, and a "Free Pool stuck" error message may be generated. This situation causes high CPU usage in the encryption process while the software is handling the encryption as opposed to the hardware. Even when the VAM2 recovers, the high CPU usage remains because the software-encrypted tunnels do not fall back to hardware encryption until the SA lifetime expires.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(19) or Release 12.4(7a).

Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred and after the VAM2 has recovered, disable software encryption by entering the no crypto engine software ipsec command to force the encryption back to the hardware.

CSCse56501

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

These vulnerabilities do not apply to the IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) can allow a malicious user, by sending specially crafted messages, to create extra multicast states on the core routers or to receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPNs).

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
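The defensive counterpart of the evasion described above is to fold compatibility characters back onto their canonical form before any signature comparison. The following is an added example, not code from Cisco or from the US-CERT note: it contrasts a raw string match with one performed after NFKC normalisation. The signatures, the sample request (which carries full-width letters as Unicode escapes) and the helper names are all constructed for this illustration.

```python
"""Normalising full-width / half-width Unicode before signature matching.

Added example, not part of the Cisco release notes or any Cisco product.
An inspection engine that compares raw text against ASCII signatures misses
input whose letters were re-encoded as full-width compatibility characters
(U+FF01..U+FF5E); an engine that applies NFKC normalisation first does not.
The signatures and sample requests below are constructed for this example.
"""
import unicodedata
from typing import List

# Constructed ASCII signatures of the kind an IPS or URL filter carries.
SIGNATURES = ("cmd.exe", "/etc/passwd")

# Constructed sample: "GET /cmd.exe HTTP/1.0" with the path written in
# full-width Latin letters and a full-width full stop (U+FF0E).
DISGUISED_REQUEST = "GET /\uff43\uff4d\uff44\uff0e\uff45\uff58\uff45 HTTP/1.0"
PLAIN_REQUEST = "GET /index.html HTTP/1.0"


def canonicalise(text: str) -> str:
    """Fold compatibility characters (full-width Latin, half-width katakana,
    ideographic space, ...) onto their canonical forms before inspection."""
    return unicodedata.normalize("NFKC", text)


def naive_match(request: str) -> List[str]:
    """Raw comparison: what an engine without normalisation sees."""
    return [sig for sig in SIGNATURES if sig in request]


def normalised_match(request: str) -> List[str]:
    """Comparison after NFKC folding: the hardened form."""
    folded = canonicalise(request)
    return [sig for sig in SIGNATURES if sig in folded]


def inspect(request: str) -> dict:
    """Report both results and whether normalisation made the difference."""
    raw_hits = naive_match(request)
    folded_hits = normalised_match(request)
    return {
        "raw_hits": raw_hits,
        "normalised_hits": folded_hits,
        "evaded": bool(folded_hits) and not raw_hits,
    }


def describe_fold(text: str) -> List[tuple]:
    """List every character that NFKC changes, with its Unicode name, so an
    analyst can see what the engine folded (useful when tuning rules)."""
    changes = []
    for ch in text:
        folded = unicodedata.normalize("NFKC", ch)
        if folded != ch:
            changes.append((ch, unicodedata.name(ch, "?"), folded))
    return changes


if __name__ == "__main__":
    for req in (PLAIN_REQUEST, DISGUISED_REQUEST):
        print(repr(req), inspect(req))
    for original, name, folded in describe_fold(DISGUISED_REQUEST):
        print(f"{name}: {original!r} -> {folded!r}")
```

Note that NFKC folding changes string length (the ideographic space U+3000 becomes a single ASCII space, and half-width katakana such as U+FF76 becomes its full-width form U+30AB), so match offsets must be computed on the folded text, not mapped back naively onto the raw bytes.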

TCP/IP Host-Mode Services

CSCek37177

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177.

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Apply access lists at the edge of your network that block RCP packets, to prevent spoofed RSH packets. Use another protocol such as SCP. Use VTY ACLs.

Wide-Area Networking

CSCei00766

Symptoms: A router may crash when the encapsulation is set to PPP and removed repeatedly.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3 or Release 12.4 and that is configured for PPP Link Control Protocol (LCP).

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(18)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(18). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(18). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsc19289

Symptoms: MC-T1 is disabled and wedged when changing the MTU size on the MC-T1 interface.

Conditions: This symptom has been observed when dLFIoLL is configured on a Cisco 7500 router and the MTU size on MX-serial interface is changed.

Workaround: Remove and replace the MC-T1 or micro reload the MC-T1.

CSCsc27615

Symptoms: RSP QAERROR is seen with a VIP crash and MEMD carve due to standby OIR or another VIP crash at close intervals.

Conditions: This symptom is observed on Cisco 7500 series routers.

Workaround: There is no workaround.

CSCsc64976

A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.

Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml

CSCsc70055

Symptoms: Cisco 7200 routers with traffic-carrying port adapters (PA) may crash when a Graceful OIR is done on the traffic-carrying port adapter.

Conditions: The following conditions may result in a crash of the Cisco 7200 router:

1. Graceful OIR must be done.

2. The PA must be carrying traffic and the symptom occurs mostly with ingress traffic on the PA.

Workaround: Perform a manual OIR.

CSCsc81440

Symptoms: A Cisco router may reload after stopping the probe, changing the history, enhanced-history, collection, or distribution statistics configuration, and starting the probe again.

Conditions: The following changes will cause the problem:

Increase the bucket number, samples-of-history-kept or life of the history/pathHistory statistics table.

Increase distributions-of-statistics-kept, hours-of-statistics-kept or paths-of-statistics-kept of the hourly/pathHourly statistics table, start it or do "show rtr distribution/total/collection".

Remove the configured enhanced-history.

Configure more enhanced-history with different intervals.

Workaround: Remove the old probe and create a new one if the configuration changes as listed above are needed.

IP Routing Protocols

CSCsc75409

Symptoms: Entering the no ip cef command followed by the ip cef command could cause a CPUHOG condition on the router.

Conditions: This symptom is most likely to occur on a router that is configured with many VRFs (perhaps more than 100) that import and export routes to each other.

Workaround: There is no problem if the command sequence no ip cef followed by ip cef is not executed. If this command sequence is executed, there should be no problem if fewer than 50 VRFs are configured. As the number of configured VRFs increases, the CPU utilization rises. There is no workaround.

CSCsc78813

Symptoms: While using NAT in an overlapping network configuration, the IP address inside a DNS reply payload from the nameserver is not getting translated at the NAT BOX.

Conditions: The above symptom is seen in Cisco routers that are loaded with Cisco IOS Release 12.3(18) image, configured with the ip nat outside source command.

Workaround: There is no workaround.

CSCsd16043

Symptoms: A Cisco IOS device that is running Auto-RP for multicast may periodically lose the RP to group mappings.

Conditions: This symptom is caused by the RP dropping the Auto-RP announce messages, as can be seen in the output of the debug ip pim auto-rp command. This may result in loss of multicast connectivity while the RP mappings are purged from the cache. See the following output example:

Auto-RP(0): Received RP-announce, from ourselves (X.X.X.x), ignored

This problem appeared in Cisco IOS Release 12.3(17).

Workaround: Create an extra dummy loopback interface, configure the ip mtu of the RP interface to 1500, and configure the ip mtu of the dummy loopback interface to 570.

(1) Create another dummy loopback interface with the ip mtu configured as 570.

(Interface Loopback1 is a dummy interface; its configured IP address must not be used anywhere in the network.)

interface Loopback1

ip address 10.10.10.10 255.255.255.255

ip mtu 570

ip pim sparse-mode

end

(2) configure the ip mtu of the RP interface to 1500.

(This assumes the Auto-RP interface is Loopback0.)

interface Loopback0

ip address 10.255.1.1 255.255.255.255

ip mtu 1500

ip pim sparse-dense-mode

end

ISO CLNS

CSCsc68437

Symptoms: ISIS on a router that is running Cisco IOS Release 12.3(13a) software can leave some IP routes not updated after a topology change if the metric of the new route is worse than the metric of a previously valid path.

Conditions: This problem can only occur on multiaccess interfaces when the outgoing interface stays the same, but the next-hop changes. Point-to-point interfaces are not affected by this problem.

Workaround: The clear ip route command restores the correct routing table.

Miscellaneous

CSCeg55213

Symptoms: Ethernet VLAN data counters may not get updated for VC (Virtual Circuit/xconnect) configured for the EoMPLS (VLAN) feature.

Conditions: This symptom is seen with the EoMPLS (VLAN) feature configured.

Workaround: There is no workaround.

CSCej88595

Symptoms: A read, write, or copy CLI operation to an Advanced Technology Attachment (ATA) disk may be noticeably slower.

Conditions: This symptom occurs when the read or write is retried even in cases that succeed.

Workaround: There is no workaround.

CSCsa61635

Symptoms: A Cisco router may reload unexpectedly because of a bad block pointer.

Conditions: This symptom is observed on a Cisco 3660 that has a GRE tunnel configuration. The symptom may be platform-independent.

Workaround: There is no workaround.

CSCsc27474

Symptoms: The show ip mcache command output does not display the MAC header on a multicast Multilink Frame Relay (MLFR) router.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.4(5).

Workaround: There is no workaround.

CSCsc40027

Symptoms: In very rare conditions, when using a combination of MPLS, service load balancing (SLB) and Hot Standby Router Protocol (HSRP), frequently flapping HSRP might trigger a corrupted program counter crash. The following message may be displayed:

Nov 4 05:53:49: %IP-3-LOOPPAK: Looping packet detected and dropped -

src=, dst=, hl=4261816683, tl=1684290561, prot=0, sport=37374, dport=251

in=, nexthop=, out=

options=Vlan1300

-Process= "IP Input", ipl= 0, pid= 122

-Traceback= 4078490C

%ALIGN-1-FATAL: Corrupted program counter

pc=0x31203041, ra=0x31203041, sp=0x520F13F8

Conditions: This symptom occurs when using a combination of MPLS, service load balancing (SLB), and Hot Standby Router Protocol (HSRP).

Workaround: There is no workaround.

CSCsc42335

Symptoms: Tunneled packets that terminate on a device with an SII intercept in place do not get intercepted.

Conditions: This symptom occurs if the device on which the tunnel terminates has SII intercepts that match the inner packet. SII will not intercept the packet.

Workaround: If the packets to be intercepted must arrive via a tunnel, there is no workaround. If not, another method of transport will allow the packets to be intercepted.

CSCsc44856

Symptoms: After HCCP switchover, CEF may have adjfibs in the wrong VRF and incomplete adjacencies.

Conditions: This symptom occurs on a Cisco uBR10000 router with cable modem interface redundancy that is switching over from a subinterface in one VRF to an interface in a different VRF.

Workaround: There is no workaround.

CSCsc48543

Symptoms: A Cisco router crashes when the E3 controller is shut down using SNMP.

Conditions: This symptom is observed on a Cisco 7200 series router but is not platform dependent.

Workaround: There is no workaround.

CSCsc60249

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd02602

Symptoms: All channels on a multichannel T3 port adapter may go down. The router may then reload unexpectedly due to a software forced crash. If not, all of the channels in the T3 may stay down until corrective action is taken.

The following messages may appear one or more times in the router or VIP log:

%CT3-3-MBOXSENDM: Failed to send msg MBOXP_MSG_T1_DISABLE

to bay 1 firmware

On a Cisco 7200 router, the following messages may be seen in the log:

CT3SW WatchDog not cleared, WatchDog = 2

CT3SW WatchDog not cleared, WatchDog = 3

On a Cisco 7500 router, the following messages may be seen in the log:

%CT3 5/8: Illegal Love Letter, cmd 0

%CT3 5/9: Illegal Love Letter, cmd 0

Conditions: This symptom affects routers using two-port multichannel T3 port adapters, the PA-MC-2T3 and the PA-MC-2T3+. The symptom occurs when one or more of the T1s in either T3 sees framing errors. One-port multichannel T3 port adapters, the PA-MC-T3 and the PA-MC-T3+, are not affected.

Workaround: There is no workaround to prevent this problem. Possible corrective actions are listed below:

Possible Corrective Actions for the Cisco 7200 router:

1. Remove and reinsert the affected port adapter.

2. Simulate removal and reinsertion with these exec mode commands in sequence: hw-module slot slot-number stop, then hw-module slot slot-number start.

3. Reload the router.

Possible Corrective Actions for the Cisco 7500 router:

1. Remove and reinsert the VIP with the affected port adapter.

2. Use the configuration mode command: microcode reload

3. Reload the router.

CSCsd11646

Symptoms: On a router that runs Multiprotocol Label Switching (MPLS), the "%SYS-3-OVERRUN:" and "%SYS-6-BLKINFO" error messages may be generated and a software-forced crash may occur on the router.

Conditions: This symptom is observed when you enter the show mpls ldp discovery command under the following condition:

There are multiple LDP adjacencies configured through one interface.

The adjacencies between peers through this interface have not been fully established for some peers.

The unestablished LDP adjacencies are coming up while you enter the show mpls ldp discovery command.

Workaround: Do not enter the show mpls ldp discovery command while multiple LDP adjacencies are coming up. Rather, enter the show mpls ldp neighbor [detail] command while multiple LDP adjacencies are coming up.

CSCsd16132

Symptoms: The following symptoms are observed:

1. Poor voice performance.

2. Transcoding does not work.

3. In some cases, no voice path. This is caused by voice packets originating from the router not being CEF switched.

Conditions: This symptom occurs when voice modules are plugged in the router.

Workaround: There is no workaround.

CSCsd40334

Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect IPv6 Type 2 Routing header which is used in mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and on which version of Cisco IOS is currently running.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

CSCsd47671

Symptoms: A Cisco 7200 series router that is running Cisco IOS Release 12.3(17) may experience an Output stuck condition on PVCs that are running on PA-A3-8T1-IMA. The condition results in all traffic over affected PVCs ceasing to pass.

show queueing int atm1/ima0 may report:

Interface ATM1/ima0 VC 1/41

Queueing strategy: fifo

Output queue 40/40, 9156 drops per VC

Conditions: See the following:

1. Issue is reproducible in TAC Labs that are running Cisco IOS Release 12.3(17a).

2. Issue is not reproducible in TAC Labs that are running Cisco IOS Release 12.4(5a).

3. During the problem, after interfaces are wedged, doing the shut command followed by the no shut command on the logical IMA interface results in the interface showing down/down (disabled).

Condition appears in all Cisco IOS versions that contain the fix for CSCee20451.

Workaround: See the following:

1. Reload Cisco 7200 series router.

2. Run Cisco IOS image that does not include the fix for CSCee20451.

Wide-Area Networking

CSCek28575

Symptoms: A unit under test (UUT) router reloads at process_modem_command during async related testing.

Conditions: The reload is seen on a Cisco AS5400 platform but is not platform dependent. It happens when async media is involved.

Workaround: There is no workaround.

CSCsc30497

Symptoms: NAS-Port Pre-Auth failure breaks PPPoE session limit per VLAN. Once the authorization fails, local limit does not get applied to a particular interface.

Conditions: This symptom is observed in Cisco IOS Release 12.3YM.

Workaround: There is no workaround.

CSCsc95588

Symptoms: A Cisco router reloads when the show log, show interface, or show caller commands are issued.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.3(5b), but it can happen on any Cisco IOS 12.3 release. This symptom can occur when PPP sessions go down while the show output is suspended.

Workaround: There is no workaround.

CSCsd06510

Symptoms: A Cisco router may experience unexpected MFR output hold queue drops when running multicast traffic over GRE tunnel interfaces that in turn use a Multilink Frame Relay (MFR) interface for transport.

Drops persist under very low [25pps] transmit rate.

The MFR output hold queue may get into a congestion state that results in all traffic failing. Further, after disabling the traffic source or shutting down the ingress interface, the output hold queue may take as long as 15 minutes to "drain."

Conditions: This symptom is observed when using GRE tunnels for multicast traffic over MFR.

Workaround: Disable multicast fast switching.

CSCsd06518

Symptoms: A Cisco router may experience unexpected MFR output hold queue drops when running multicast traffic over GRE tunnel interfaces that in turn use a Multilink Frame Relay (MFR) interface for transport.

Drops persist under very low [25pps] transmit rate.

The MFR output hold queue may get into a congestion state that results in all traffic failing. Further, after disabling the traffic source or shutting down the ingress interface, the output hold queue may take as long as 15 minutes to "drain."

Conditions: This symptom is observed when using GRE tunnels for multicast traffic over MFR.

Workaround: Disable multicast fast switching.

CSCsd28564

Symptoms: When adding or removing PPP over Frame Relay (PPPoFR) configuration on a Cisco 7500 series router, the following error message is displayed:

%RSP-3-RESTART: cbus complex

Conditions: This symptom occurs on a Cisco 7500 series router when PPPoFR configuration is added or removed.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(17c)

Cisco IOS Release 12.3(17c) is a rebuild release for Cisco IOS Release 12.3(17). The caveats in this section are resolved in Cisco IOS Release 12.3(17c) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCeg62070

Symptoms: Tracebacks or a crash may be seen during HTTP transactions with long URLs.

Conditions: The crash is seen when the length of any token in the URL of the request is excessively long.

Workaround: Disable HTTP server using the no ip http server command.

CSCsc64976

A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated output, such as the output from a show buffers command, will be passed to the browser requesting the page. This HTML code could be interpreted by the client browser and potentially execute malicious commands against the device or other possible cross-site scripting attacks. Successful exploitation of this vulnerability requires that a user browse a page containing dynamic content in which HTML commands have been injected.

Cisco will be making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051201-http.shtml
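The defect class behind CSCsc64976 (listed above under both 12.3(18) and 12.3(17c)) is a missing output-encoding step: text from a show command is placed into an HTML page as markup rather than as text. The following added example, which is not code from Cisco IOS or from the advisory, models a page generator in its vulnerable and hardened forms. The page template, the sample show output and the helper names are constructed for this illustration; the only library calls are Python's html.escape and the re module.

```python
"""HTML output encoding for dynamically generated device pages.

Added example, not code from Cisco IOS or the Cisco advisory.  It models a
web page that embeds show command output: the vulnerable form interpolates
the raw text, the hardened form encodes it for the HTML text context.
The sample output and page template are constructed for this example.
"""
import html
import re

# Constructed sample: show output in which one field (a pool name, say) has
# been populated with text containing HTML markup.
SAMPLE_SHOW_OUTPUT = (
    "Buffer elements:\n"
    "     499 in free list (500 max allowed)\n"
    "Pool <script>alert('xss')</script> buffers, 104 bytes (total 50, permanent 50)\n"
)

PAGE_TEMPLATE = "<html><body><h1>{title}</h1><pre>{body}</pre></body></html>"


def render_vulnerable(command: str, output: str) -> str:
    """Before: interpolate the raw output into the page.  Any markup inside
    the output is delivered to the browser as markup and is interpreted."""
    return PAGE_TEMPLATE.format(title=command, body=output)


def render_hardened(command: str, output: str) -> str:
    """After: encode every untrusted string for the HTML text context it lands
    in.  html.escape(quote=True) turns & < > " ' into entity references, so
    the browser renders the characters instead of parsing them."""
    return PAGE_TEMPLATE.format(title=html.escape(command, quote=True),
                                body=html.escape(output, quote=True))


# Any tag other than the ones the template itself emits.
_FOREIGN_TAG_RE = re.compile(r"<(?!/?(?:html|body|h1|pre)\b)[^>]*>")


def contains_foreign_markup(page: str) -> bool:
    """Cheap regression check for a test suite or code review: does the page
    carry tags that the template did not emit?"""
    return _FOREIGN_TAG_RE.search(page) is not None


def hardened_headers() -> dict:
    """Response headers that limit the impact if an encoding slip recurs.
    A restrictive Content-Security-Policy stops inline script from running
    even when markup reaches the page; nosniff stops the browser from
    second-guessing the declared content type."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for renderer in (render_vulnerable, render_hardened):
        page = renderer("show buffers", SAMPLE_SHOW_OUTPUT)
        print(renderer.__name__, "foreign markup:", contains_foreign_markup(page))
        print(page)
```

Encoding must happen at the point where the text is placed into the page, not at input time, because the same show output is also needed unencoded by the CLI and by other consumers; the headers are a second layer, not a substitute for the encoding.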

CSCse85200

Specifically crafted CDP packets can cause a router to allocate and keep extra memory. Exploitation of this behavior by sending multiple specifically crafted CDP packets could cause memory allocation problems on the router.

Since CDP is a layer-2 protocol, this issue can only be triggered by systems that are residing on the same network segment.

The workaround is to disable CDP on interfaces where it is not necessary.

CSCsj44081

Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp

May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.
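A monitoring pipeline needs to pick this new message out of the syslog stream and escalate it together with its traceback. The following is an added example, not part of the release notes or of any Cisco tool, and it generalises beyond the %DATACORRUPTION-1-DATAINCONSISTENCY message to the %FACILITY-SEVERITY-MNEMONIC form shared by every message quoted in these caveats. The sample log lines are constructed for this illustration from messages quoted in the caveats (the timestamps and traceback addresses are made up), the watch-list descriptions summarise the caveats above, and the function names are this example's own.

```python
"""Triage of Cisco IOS syslog messages by facility, severity and mnemonic.

Added example, not part of the Cisco release notes or of any Cisco tool.
Parses the %FACILITY-SEVERITY-MNEMONIC: text form, attaches a following
"-Traceback=" line to its message, and flags what should be escalated:
any severity 0-2 message plus a watch list of mnemonics from the caveats.
Sample lines are constructed; timestamps and traceback values are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log, assembled from messages quoted in these caveats.
SAMPLE_LOG = """\
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 0x600A1B2C 0x600A1F10
May 17 10:02:03.101 UTC: %SYS-5-CONFIG_I: Configured from console by console
May 17 10:03:44.007 UTC: %IP-3-LOOPPAK: Looping packet detected and dropped -
May 17 10:03:44.009 UTC: %ALIGN-1-FATAL: Corrupted program counter
May 17 10:04:10.550 UTC: %CT3-3-MBOXSENDM: Failed to send msg MBOXP_MSG_T1_DISABLE
"""

# Cisco syslog messages read %FACILITY-SEVERITY-MNEMONIC: text, severity
# 0 (emergency) .. 7 (debug).  The optional "Mon dd hh:mm:ss[.msec] [TZ]:"
# prefix is what "service timestamps log datetime msec" produces.
MESSAGE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?(?: [A-Z]+)?): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# (facility, mnemonic) -> why it matters, summarised from the caveats above.
WATCH_LIST = {
    ("DATACORRUPTION", "DATAINCONSISTENCY"):
        "internal data structure inconsistency; collect show tech-support and open a TAC case",
    ("ALIGN", "FATAL"): "corrupted program counter; a crash is likely to follow",
    ("SYS", "OVERRUN"): "memory block overrun",
    ("CT3", "MBOXSENDM"): "port adapter firmware mailbox failure; T3 channels may stay down",
}


@dataclass
class Message:
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str
    traceback: Optional[str] = None

    @property
    def key(self) -> Tuple[str, str]:
        return (self.facility, self.mnemonic)


def parse_log(raw: str) -> List[Message]:
    """Parse a log dump; a '-Traceback=' line is attached to the message before it."""
    messages: List[Message] = []
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("-Traceback=") and messages:
            messages[-1].traceback = line[len("-Traceback="):].strip()
            continue
        m = MESSAGE_RE.match(line)
        if m:
            messages.append(Message(m["ts"], m["facility"], int(m["severity"]),
                                    m["mnemonic"], m["text"]))
    return messages


def escalate(messages: List[Message], max_severity: int = 2) -> List[dict]:
    """Return the messages a pipeline should escalate, each with its reasons."""
    findings = []
    for msg in messages:
        reasons = []
        if msg.severity <= max_severity:
            reasons.append(f"severity {msg.severity}")
        if msg.key in WATCH_LIST:
            reasons.append(WATCH_LIST[msg.key])
        if reasons:
            findings.append({"message": msg, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in escalate(parse_log(SAMPLE_LOG)):
        m = finding["message"]
        print(f"{m.timestamp} %{m.facility}-{m.severity}-{m.mnemonic}: {m.text}")
        print("    reasons:", "; ".join(finding["reasons"]))
        if m.traceback:
            print("    traceback:", m.traceback)
```

The severity threshold and the watch list are deliberately separate: severity catches anything the platform itself rates as critical, while the watch list catches severity 3 messages, such as %CT3-3-MBOXSENDM, that a caveat has tied to a service-affecting outcome.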

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml.

Miscellaneous

CSCdz55178

Symptoms: A router that is configured for QoS may reload unexpectedly or other serious symptoms such as memory corruption may occur.

Conditions: This symptom is observed on a Cisco router that has a cable QoS profile with a name that has a length that is greater than 32 characters as in the following example:

cable qos profile 12 name g711@10ms_for_any_softswitch_Traa^C
                          00000000011111111112222222222333^
                          12345678901234567890123456789012|
                                                          |
                                                       PROBLEM
                                                       (Variable Overflowed).

Workaround: Change the name of the cable QoS profile to a length that is less than 32 characters.
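A configuration lint catches this before the profile is applied. The following is an added example written for these notes, not Cisco code: it parses "cable qos profile <id> name <name>" lines and flags any name that is not shorter than 32 characters, following the workaround above. The configuration text is a constructed sample; the 33-character name is the one from the caveat.

```python
"""Added example (not Cisco code): lint an IOS configuration for cable QoS
profile names that do not respect the length limit from CSCdz55178.

The caveat says names longer than 32 characters overflow a fixed buffer and
the workaround is a name shorter than 32 characters, so the check flags any
name of 32 characters or more. The configuration text is a constructed
sample.
"""
import re
from typing import List, NamedTuple

NAME_LIMIT = 32  # from the caveat: names must stay shorter than this

# "cable qos profile <id> name <name>"; other cable qos profile forms are ignored.
QOS_PROFILE_NAME = re.compile(r"^\s*cable qos profile (?P<id>\d+) name (?P<name>\S+)\s*$")

SAMPLE_CONFIG = """\
!
cable qos profile 5 name gold_voice
cable qos profile 12 name g711@10ms_for_any_softswitch_Traa
cable qos profile 13 name exactly_thirty_two_chars_long_ok
cable qos profile 14 max-burst 1600
!
"""


class Finding(NamedTuple):
    profile_id: int
    name: str
    length: int


def check_qos_profile_names(config_text: str, limit: int = NAME_LIMIT) -> List[Finding]:
    """Return one Finding per profile whose name is not shorter than `limit`."""
    findings = []
    for line in config_text.splitlines():
        m = QOS_PROFILE_NAME.match(line)
        if m is None:
            continue
        name = m.group("name")
        if len(name) >= limit:
            findings.append(Finding(int(m.group("id")), name, len(name)))
    return findings


def shortened_name(name: str, limit: int = NAME_LIMIT) -> str:
    """Suggest a replacement that satisfies the workaround (strictly shorter than limit)."""
    return name[: limit - 1]


if __name__ == "__main__":
    for f in check_qos_profile_names(SAMPLE_CONFIG):
        print(f"profile {f.profile_id}: '{f.name}' is {f.length} chars; "
              f"use e.g. '{shortened_name(f.name)}'")
```

Run it against the output of show running-config before deploying a new profile; the suggested name is just a truncation, so check that it is still unique among the configured profiles.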

CSCeh15949

Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.

Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.

Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.

Further Problem Description: An example of this caveat is shown below.

When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.

Topology:

RPM-XF-(FE)-------(FE)--Router
     ip: 10.10.10.2     .1

Router_RPM09_XF#show running-config
Building configuration...

Current configuration : 1190 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_RPM09_XF
!
boot-start-marker
boot system x:rpmxf-p12-mz.123-7.T3
boot system bootflash:rpmxf-p12-mz.123-7.T3
boot-end-marker
interface FastEthernet2/0
 ip address 10.10.10.2 255.255.255.252
 ip access-group 101 in
 duplex auto
 speed auto
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any

Router_RPM09_XF#show ip access-list 101
Extended IP access list 101 (Compiled)
    10 deny tcp any host 10.10.10.2 eq telnet
    20 permit ip any any (96 matches)
Router_RPM09_XF#

The information below shows that the access list does not function:

Router#telnet 10.10.10.2

Trying 10.10.10.2 ... Open

CSCsb12598

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, these vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml

CSCsb93407

Symptoms: When H323 call service stops, the router still listens on TCP port 1720 and completes connection attempts.

Conditions: This symptom occurs after H323 is disabled using the following configuration commands:

voice service voip
 h323
  call service stop

Workaround: Access can be blocked by deploying an interface access list that blocks access to TCP port 1720 for traffic that is destined for any of the IP addresses of the router.

For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document at http://www.cisco.com/warp/public/707/tacl.html.

For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document at http://www.cisco.com/warp/public/707/iacl.html.

For information about using control plane policing to block access to TCP port 1720, see the "Deploying Control Plane Policing White Paper" at http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml.
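Both CSCeh15949 above (an ACL that should deny Telnet to 10.10.10.2 but does not) and this workaround (an interface ACL that denies TCP port 1720 to the router's own addresses) rely on the same first-match semantics of IOS numbered extended access lists. The following is an added example written for these notes, not Cisco code: a small evaluator for the subset of the ACL grammar those two caveats use (permit/deny; ip, tcp or udp; any, host or wildcard addresses; an optional "eq" destination port), applying the documented rule that the first matching entry decides and that an unmatched packet falls to the implicit deny. ACL 101 is copied from CSCeh15949; ACL 110 is a constructed interface ACL for the port 1720 workaround, using 192.0.2.1 and 192.0.2.2 as placeholder router addresses.

```python
"""Added example (not Cisco code): a first-match evaluator for the IOS
numbered extended ACL syntax used in CSCeh15949 and in the CSCsb93407
workaround. It handles only the subset that appears there and models the
documented semantics: first matching entry wins, implicit deny at the end.

ACL 101 is copied from the caveat; ACL 110 is a constructed interface ACL
for the port 1720 workaround with placeholder router addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None when the entry has no "eq" clause


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    wildcard = t[i + 1]
    if wildcard == "0.0.0.0":  # ipaddress would read 0.0.0.0 as a /0 netmask, not a host mask
        return ipaddress.IPv4Network(t[i] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{wildcard}", strict=False), i + 2


def parse_acl(config_lines: List[str], number: int) -> List[Ace]:
    """Collect the entries of access list `number`, in configuration order."""
    aces = []
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


# Copied from the CSCeh15949 configuration.
ACL_101 = [
    "access-list 101 deny tcp any host 10.10.10.2 eq telnet",
    "access-list 101 permit ip any any",
]

# Constructed for the CSCsb93407 workaround: deny TCP 1720 to each router address.
ACL_110 = [
    "access-list 110 deny tcp any host 192.0.2.1 eq 1720",
    "access-list 110 deny tcp any host 192.0.2.2 eq 1720",
    "access-list 110 permit ip any any",
]

if __name__ == "__main__":
    # Expected result for the caveat's Telnet test is "deny"; the caveat reports "Open".
    print(evaluate(parse_acl(ACL_101, 101), Packet("tcp", "10.10.10.1", "10.10.10.2", 23)))
```

For the port 1720 workaround, one deny entry per router address is needed because the ACL has to cover every address the router answers on, not only the interface the ACL is applied to.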

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not timeout.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.
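The condition above is a state-tracking defect rather than a parsing one: the idle timer of a session is meant to be refreshed only by traffic the firewall actually accepts. The following is an added example written for these notes, not Cisco code: a small model of a stateful TCP inspector in which the fixed table refreshes the timer only for packets that pass inspection, while the buggy variant also refreshes it for packets that fail inspection and are dropped, so a stream of bad packets keeps the session alive indefinitely. The timeout, addresses and packet timeline are constructed.

```python
"""Added example (not Cisco code): a model of a stateful TCP inspector showing
the idle-timer defect described in CSCsc72722. `SessionTable` refreshes a
session's idle timer only for packets that pass inspection;
`BuggySessionTable` also refreshes it for packets that fail inspection and
are dropped. Timeout, addresses and timeline are constructed.
"""
from typing import Dict, List, Tuple

IDLE_TIMEOUT = 3600  # seconds; constructed value for the model

FlowKey = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


class SessionTable:
    refresh_on_dropped_packet = False  # the correct behaviour

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT) -> None:
        self.idle_timeout = idle_timeout
        self.last_activity: Dict[FlowKey, int] = {}

    def open_session(self, key: FlowKey, now: int) -> None:
        self.last_activity[key] = now

    def inspect(self, key: FlowKey, passes_inspection: bool, now: int) -> str:
        """Return 'forward' or 'drop'. `passes_inspection` stands in for the
        TCP sanity checks (sequence/ack window, flags) the inspector applies."""
        if key not in self.last_activity:
            return "drop"                          # no session: not allowed through
        if passes_inspection:
            self.last_activity[key] = now          # legitimate traffic keeps it alive
            return "forward"
        if self.refresh_on_dropped_packet:
            self.last_activity[key] = now          # the defect: a dropped packet resets the timer
        return "drop"

    def expire_idle(self, now: int) -> List[FlowKey]:
        """Remove and return sessions idle for at least idle_timeout seconds."""
        expired = [k for k, t in self.last_activity.items() if now - t >= self.idle_timeout]
        for k in expired:
            del self.last_activity[k]
        return expired


class BuggySessionTable(SessionTable):
    refresh_on_dropped_packet = True


def session_times_out_under_bad_traffic(table: SessionTable) -> bool:
    """Open one session, then feed it only packets that fail inspection every
    10 minutes for two hours. Return True if the session was eventually expired."""
    key: FlowKey = ("10.1.1.5", 40000, "192.0.2.10", 80)
    table.open_session(key, 0)
    for now in range(600, 7201, 600):
        table.inspect(key, passes_inspection=False, now=now)
        table.expire_idle(now)
    return key not in table.last_activity


if __name__ == "__main__":
    print("fixed :", session_times_out_under_bad_traffic(SessionTable()))
    print("buggy :", session_times_out_under_bad_traffic(BuggySessionTable()))
```

The practical consequence of the buggy variant is that the session table can only grow under a steady trickle of rejected packets, which is why the caveat is about sessions that never time out rather than about any single packet.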

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, these vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Services Module (FWSM), documented as Cisco bug ID CSCsi97695

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.

Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

CSCsd92405

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, these vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.

Note: Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml
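The three SSL caveats listed under CSCsb12598 and again under CSCsd92405 (ClientHello, ChangeCipherSpec and Finished processing) share one defensive requirement: every length field in a handshake message must be checked against the bytes actually received before it is used. The following is an added example written for these notes, not Cisco code: a bounds-checked parser for a ClientHello record that rejects, rather than reads past, any declared length that exceeds the data present. The record bytes are constructed and TLS 1.0 (0x0301) is assumed for the version fields.

```python
"""Added example (not Cisco code): a bounds-checked parser for an SSL/TLS
ClientHello record. Every declared length (record, handshake, session_id,
cipher_suites, compression, extensions) is checked against the bytes
actually received before it is used. The record bytes are constructed;
TLS 1.0 (0x0301) is assumed.
"""
import struct
from typing import Any, Dict, List

RECORD_HANDSHAKE = 22
HS_CLIENT_HELLO = 1


class MalformedHandshake(ValueError):
    """Raised instead of reading past the end of the received data."""


class Reader:
    """Cursor over a byte string whose take() refuses to run past the end."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise MalformedHandshake(
                f"need {n} bytes at offset {self.pos}, only {len(self.data) - self.pos} left")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def remaining(self) -> int:
        return len(self.data) - self.pos


def parse_client_hello(record: bytes) -> Dict[str, Any]:
    r = Reader(record)
    content_type, rec_version, rec_len = r.u8(), r.u16(), r.u16()
    if content_type != RECORD_HANDSHAKE:
        raise MalformedHandshake("not a handshake record")
    body = Reader(r.take(rec_len))          # rec_len may not exceed what arrived
    hs_type, hs_len = body.u8(), body.u24()
    if hs_type != HS_CLIENT_HELLO:
        raise MalformedHandshake("not a ClientHello")
    hello = Reader(body.take(hs_len))       # hs_len may not exceed the record body
    client_version = hello.u16()
    random = hello.take(32)
    session_id = hello.take(hello.u8())     # 1-byte length, bounds-checked by take()
    cs_len = hello.u16()
    if cs_len % 2:
        raise MalformedHandshake("cipher_suites length must be even")
    cs = hello.take(cs_len)
    cipher_suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
    compression = hello.take(hello.u8())
    extensions = hello.take(hello.u16()) if hello.remaining() else b""
    if hello.remaining() or body.remaining():
        raise MalformedHandshake("trailing bytes after ClientHello")
    return {"record_version": rec_version, "client_version": client_version,
            "random": random, "session_id": session_id,
            "cipher_suites": cipher_suites, "compression": compression,
            "extensions": extensions}


def is_well_formed(record: bytes) -> bool:
    try:
        parse_client_hello(record)
        return True
    except MalformedHandshake:
        return False


def build_client_hello(session_id: bytes, cipher_suites: List[int]) -> bytes:
    """Constructed, minimal ClientHello (zero random, null compression, no extensions)."""
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (struct.pack("!H", 0x0301) + bytes(32)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs


GOOD_HELLO = build_client_hello(b"", [0x002F, 0x0035])
# Malformed variant: the session_id length byte (offset 5 + 4 + 2 + 32) claims
# 200 bytes that were never sent; the parser must reject it rather than read on.
TRUNCATED_SESSION_ID = bytearray(GOOD_HELLO)
TRUNCATED_SESSION_ID[43] = 200
TRUNCATED_SESSION_ID = bytes(TRUNCATED_SESSION_ID)
```

Every field is read through the same take() guard, so a bad length in any of the nested structures surfaces as a MalformedHandshake that the caller can log and answer with a fatal alert, instead of as an out-of-bounds read inside the parser.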

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse45425

Symptoms: A VAM2 may reset when it receives a malformed ESP packet, and a "Free Pool stuck" error message may be generated. This situation causes high CPU usage in the encryption process while the software is handling the encryption as opposed to the hardware. Even when the VAM2 recovers, the high CPU usage remains because the software-encrypted tunnels do not fall back to hardware encryption until the SA lifetime expires.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(19) or Release 12.4(7a).

Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred and after the VAM2 has recovered, disable software encryption by entering the no crypto engine software ipsec command to force the encryption back to the hardware.

CSCse56501

Symptoms: When two sockets are bound to the same port, the first File Descriptor always receives the requests.

Conditions: This symptom is observed on a Cisco router when two sockets such as one IPv4 socket and one IPv6 socket are connected to the same UDP port.

Workaround: Use different UDP ports for different sockets.

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml

CSCsf08998

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure server command enabled.

Workaround: Disable the ip http secure server command.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width Unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width Unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
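The evasion works only against an inspection engine that compares characters as received. The following is an added example written for these notes, not Cisco code: it shows a content rule applied once without and once with Unicode compatibility normalisation (NFKC), which folds full-width ASCII variants and half-width katakana back to their ordinary code points, and lists the inputs that only the normalised check catches. The rule (block requests for paths under /admin/) and the request lines are constructed samples.

```python
"""Added example (not Cisco code): canonicalise full-width and half-width
Unicode before applying a content rule, the normalisation step whose
absence the evasion in CSCsi67763 / VU#739224 relies on.

The rule and the request lines are constructed samples.
"""
import unicodedata
from typing import List

RULE = "/admin/"

REQUESTS = [
    "GET /admin/status HTTP/1.1",           # plain ASCII
    "GET /public/index.html HTTP/1.1",      # benign
    "GET ／ａｄｍｉｎ／status HTTP/1.1",     # same path in full-width forms (U+FF0F, U+FF41 ...)
]


def naive_match(rule: str, payload: str) -> bool:
    """Character-for-character comparison: what a matcher without normalisation does."""
    return rule.lower() in payload.lower()


def canonicalise(text: str) -> str:
    """NFKC maps full-width ASCII variants (U+FF01..U+FF5E) and half-width
    katakana (U+FF61..U+FF9F) to their ordinary code points."""
    return unicodedata.normalize("NFKC", text)


def normalised_match(rule: str, payload: str) -> bool:
    return canonicalise(rule).lower() in canonicalise(payload).lower()


def evasions(rule: str, payloads: List[str]) -> List[str]:
    """Payloads the rule catches only after normalisation, i.e. the ones that
    would slip past an inspection engine comparing raw characters."""
    return [p for p in payloads if normalised_match(rule, p) and not naive_match(rule, p)]


if __name__ == "__main__":
    for p in REQUESTS:
        print(f"naive={naive_match(RULE, p)!s:5} normalised={normalised_match(RULE, p)!s:5} {p}")
```

The inspection engine must normalise the same way the protected end system will interpret the data; if the server folds full-width forms to ASCII and the IPS does not, the two disagree on what was sent, which is the gap the technique exploits.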

TCP/IP Host-Mode Services

CSCek37177

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.

This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers.

This issue is documented as Cisco bug ID CSCek37177.

There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Apply access lists at the edge of your network that block RCP packets, to prevent spoofed RSH packets from reaching the router. Use another protocol such as SCP. Use VTY ACLs.

Wide-Area Networking

CSCei00766

Symptoms: A router may crash when the encapsulation is set to PPP and removed repeatedly.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3 or Release 12.4 and that is configured for PPP Link Control Protocol (LCP).

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(17b)

Cisco IOS Release 12.3(17b) is a rebuild release for Cisco IOS Release 12.3(17). The caveats in this section are resolved in Cisco IOS Release 12.3(17b) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsc19289

Symptoms: MC-T1 is disabled and wedged when changing the MTU size on the MC-T1 interface.

Conditions: This symptom has been observed when dLFIoLL is configured on a Cisco 7500 router and the MTU size on MX-serial interface is changed.

Workaround: Remove and reinsert the MC-T1, or perform a microcode reload of the MC-T1.

Miscellaneous

CSCsd02602

Symptoms: All channels on a multichannel T3 port adapter may go down. The router may then reload unexpectedly due to a software forced crash. If not, all of the channels in the T3 may stay down until corrective action is taken.

The following messages may appear one or more times in the router or VIP log:

%CT3-3-MBOXSENDM: Failed to send msg MBOXP_MSG_T1_DISABLE to bay 1 firmware

On a Cisco 7200 router, the following messages may be seen in the log:

CT3SW WatchDog not cleared, WatchDog = 2

CT3SW WatchDog not cleared, WatchDog = 3

On a Cisco 7500 router, the following messages may be seen in the log:

%CT3 5/8: Illegal Love Letter, cmd 0

%CT3 5/9: Illegal Love Letter, cmd 0

Conditions: This symptom affects routers using two-port multichannel T3 port adapters, the PA-MC-2T3 and the PA-MC-2T3+. The symptom occurs when one or more of the T1s in either T3 sees framing errors. One-port multichannel T3 port adapters, the PA-MC-T3 and the PA-MC-T3+, are not affected.

Workaround: There is no workaround to prevent this problem. Possible corrective actions are listed below:

Possible Corrective Actions for the Cisco 7200 router:

1. Remove and reinsert the affected port adapter.

2. Simulate removal and reinsertion with these EXEC mode commands in sequence:

hw-module slot slot-number stop

hw-module slot slot-number start

3. Reload the router.

Possible Corrective Actions for the Cisco 7500 router:

1. Remove and reinsert the VIP with the affected port adapter.

2. Use the configuration mode command: microcode reload.

3. Reload the router.

CSCsd40334

Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile IPv6. IPv6 is not enabled by default in Cisco IOS.

Cisco has made free software available to address this vulnerability for affected customers.

There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and on which version of Cisco IOS is currently in use.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml

Wide-Area Networking

CSCsd28564

Symptoms: When adding or removing PPP over Frame Relay (PPPoFR) configuration on a Cisco 7500 series router, the following error message is displayed:

%RSP-3-RESTART: cbus complex

Conditions: This symptom occurs on a Cisco 7500 series router when PPPoFR configuration is added or removed.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(17a)

Cisco IOS Release 12.3(17a) is a rebuild release for Cisco IOS Release 12.3(17). The caveats in this section are resolved in Cisco IOS Release 12.3(17a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Interfaces and Bridging

CSCsc30369

Symptoms: A Cisco 7500 series router may experience a cBus Complex Restart while exiting configuration mode after changing the encapsulation on a serial interface from HDLC to some other encapsulation, such as PPP or Frame Relay. The fix also sets maxdgram to 1608 for low-speed serial PAs and 1610 for high-speed serial PAs for an MTU of 1500.

Conditions: This occurs after the first change to the encapsulation type from the default (HDLC) to some other encapsulation type and an exit from configuration mode. Subsequent changes to the encapsulation type do not cause the cBus Complex Restart. The overhead added to the MTU is always 24. This will be changed to 108.

Workaround: There is no workaround for the cBus Complex issue. The MTU can be set accordingly to avoid packets being dropped as giants in the driver.

Further Problem Description: When the router boots with the encapsulation type set to the default of HDLC on a serial interface, the maximum datagram size that can be accepted by the interface is set to 1608. When the encapsulation type is changed, the maximum datagram size may change which causes an internal MTU change. An MTU change on the Cisco 7500 router results in a CBUS complex restart, which usually means a 15 second to 45 second outage on the whole router.

Miscellaneous

CSCsc64530

Symptoms: A Cisco 3745 router does not boot up when booting a Cisco IOS with the fix of CSCec74317.

Conditions: Original NVCONFIG doesn't have the correct MAGIC number in NVRAM.

Workaround: Turning the router off and then back on once resolves the issue.

Resolved Caveats—Cisco IOS Release 12.3(17)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(17). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(17). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCei77083

Symptoms: A spurious memory access may be generated on an RSP when a VIP that is in a disabled or wedged condition is recovered because of a Cbus Complex or microcode reload.

Conditions: This symptom is observed on a Cisco 7500 series that has a VIP that is in a disabled or wedged condition after the router has booted.

Workaround: There is no workaround.

CSCej18051

Symptoms: Terminal window PPP clients may fail with Cisco Access servers.

Conditions: This symptom has been observed on Cisco AS5400 gateways and Cisco AS5800 servers.

Workaround: There is no workaround.

CSCej42445

Symptoms: MS-CHAP authentication fails with Cisco IOS Release 12.4(5), and MS-CHAP and PAP authentication fail with the Cisco IOS Release 12.4(5)fc2 image.

Conditions: This symptom has been observed when running Cisco IOS Release 12.4(5) and Release 12.4(5)fc2 while using TACACS+ with MS-CHAP for authentication.

Workaround: There is no workaround.

CSCej59916

Symptoms: The removal of authorization keywords for attributes that are implemented can cause some undesirable authorization failure.

Conditions: This symptom has been observed when AAA tries to do authorization using these keywords.

Workaround: There is no workaround.

CSCsb43767

Symptoms: RADIUS packets being sent have an incorrect value for attribute 5 (NAS-Port). The Async interface-related information is needed in the Cisco-NAS-Port attribute.

Conditions: This symptom has been observed on the Cisco-NAS-Port attribute on a RADIUS server.

Workaround: There is no workaround.

CSCsb86257

Symptoms: When a named ACL is used on a vty line on a PE router with an interface that is configured in a VPN VRF, a Telnet connection from this VRF through the interface that is part of the VRF is accepted even though the vrf-also keyword is not configured in the access-class access-list-number command.

When a regular numbered ACL is used, an incoming Telnet connection from an interface that is part of a VRF is rejected without the vrf-also keyword being configured in the access-class access-list-number command.

Conditions: This symptom is observed on a Cisco router that functions as a PE router in an MPLS VPN environment and that has VPN VRFs configured.

Workaround: Use a numbered ACL instead of a named ACL on vty lines on a PE router.

Interfaces and Bridging

CSCee22523

Symptoms: A VIP that contains a PA-A3-OC12 ATM port adapter may unexpectedly reload.

Conditions: This symptom is observed on a Cisco 7500 series that functions in an ATM LANE configuration.

Workaround: There is no workaround. The traffic on the VIP is disrupted until the VIP comes back up.

CSCei25164

Symptoms: A Cisco 7xxx series router may crash because of a bus error exception and may report CPUHOG message when you perform an OIR of an ATM PA-A3 or ATM PA-A6 port adapter.

Conditions: This symptom is observed on a Cisco 7xxx series router that runs Cisco IOS Release 12.3 when PVC auto-provisioning is enabled on the ATM PA-A3 or ATM PA-A6 port adapter and when many PPP sessions are in transition. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCei68284

Symptoms: POS interfaces may remain in the up/down state after the router has been reloaded.

Conditions: This symptom is observed on a Cisco Catalyst 6500 series, Cisco 7500 series, and Cisco 7600 series.

Workaround: Reload the FlexWAN or VIP in which the POS port adapter is installed.

CSCsa83907

Symptoms: Layer-1 alarm handling does not meet the ANSI T1.231 standard on a PA-A3-T3 interface. The PA-A3-T3 port adapter does not provide a soaking time to declare and clear near-end failures such as LOS, LOF, and AIS. Also, PA-A3-T3 interfaces do not properly handle P-bit and C-bit errors and do not bring down the controller when the threshold is reached for such errors.

Conditions: These symptoms are observed on a Cisco 7200 series that is configured with a PA-A3-T3 port adapter.

Workaround: There is no workaround.

CSCsa94345

Symptoms: PVCs in an auto VC range stop passing traffic. The output of the show atm pvc command does not show the PVC as existing on the router.

Conditions: This symptom is observed on a Cisco 7206VXR router that is configured with an NPE-G1 and that runs Cisco IOS Release 12.3(14)T, Release 12.4, or Release 12.4T when the router is configured to aggregate PPPoA DSL users.

Workaround: There is no workaround.

Further Problem Description: The following sample configuration illustrates the symptom:

interface ATM1/0.10 multipoint
 no ip mroute-cache
 atm pppoa passive
 range pvc 10/50 10/100
  encapsulation aal5mux ppp Virtual-Template1
  create on-demand

CSCsb65340

Symptoms: An interface may not be able to receive OSPF hello packets.

Conditions: This symptom is observed after you have entered the shutdown interface configuration command followed by the no shutdown interface configuration command on the peer interface, causing a link up/down event to occur.

Workaround: Reconfigure OSPF.

Further Problem Description: The symptom occurs because the address filter entry is deleted during the link up/down event. You can verify that the symptom has occurred in the output of the show controller command and you can manually confirm the deletion of the OSPF MAC entry. When you reconfigure OSPF, the OSPF MAC entry is re-inserted in the address filter.

CSCsb94350

Symptoms: An Ethernet interface may accept packets for any destination MAC address. The router will process them and will forward them through the appropriate interface should a valid entry exist in the routing table.

Conditions: The controller is in promiscuous mode and bridging is configured on any interface in the router. The output of the show interface interface irb command for the affected Ethernet interface prints the following message for all subinterfaces:

Not bridging this sub-interface.

Workaround: On the affected Ethernet interface:

1. Configure a subinterface with a dumb VLAN.

2. Configure bridging on that subinterface.

3. Remove the bridging configuration.

4. Remove the subinterface.

CSCsc05213

Symptoms: ISDN L2TP sessions cannot be brought up.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.4 or Release 12.4T and that is configured with a PA-MC-8TE1+ port adapter that functions in T1 mode. The symptom is platform-independent and could also occur in Release 12.3.

Workaround: There is no workaround.

CSCsc25970

Symptoms: While configuring the dot1q encapsulation in the router, traceback is seen.

Conditions: This symptom has been observed with a router configured with dot1q encapsulation and IPSec.

Workaround: There is no workaround.

IP Routing Protocols

CSCee12098

Symptoms: When you enter a show command that is related to NAT or you enter the show run command when there is a NAT configuration, the "%NAT: System busy. Try later" error message may be generated. In addition, "%SYS-2-NOBLOCK" messages may be generated and the CPU utilization may be very high in the IP Input process.

Conditions: These symptoms are observed on a Cisco 1750 that runs Cisco IOS Release 12.3(9) and that is configured for NAT with SIP traffic (the router is a gateway for IP phones).

Workaround: Reload the router.

CSCef19137

Symptoms: There are duplicate entries in the flow cache after an interface bounces, causing packet loss. The output of the show ip cache flow command may show information similar to the following:

SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts

Gi0/0.1 10.2.0.1 Fa2/0 10.3.0.1 06 2C26 00B3 5

Gi0/0 10.2.0.1 Null 10.3.0.1 06 2C26 00B3<<<< 7

Conditions: This symptom is observed on a Cisco 7304 that is configured with an NSE-100 and that runs Cisco IOS Release 12.2(20)S4 when an interface bounces quickly and when the CEF structures are flushed while the ARP cache is not flushed. This situation causes incomplete adjacencies because the CEF process expects a fresh ARP entry to complete its adjacency. The symptom is platform-independent and may also occur on other platforms when the same conditions occur.

Workaround: Clear the ARP cache or enter the shutdown command followed by the no shutdown command on the affected interface.
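The duplicate-entry symptom above can be checked for mechanically. The following script, added here as an illustration and not part of the release notes or of Cisco IOS, parses show ip cache flow output of the shape shown in the caveat, groups entries by 5-tuple, and reports any tuple that appears more than once, noting whether one of the copies points at the Null interface. The sample output is constructed from the lines in the caveat (the stray "<<<<" marker is kept, since real captures carry such annotations); the column layout assumed by the regular expression is the one shown above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the show ip cache flow lines in the caveat.
# The "<<<<" after DstP is the marker the original output carried on the bad entry.
SAMPLE_FLOW_CACHE = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Gi0/0.1 10.2.0.1 Fa2/0 10.3.0.1 06 2C26 00B3 5
Gi0/0 10.2.0.1 Null 10.3.0.1 06 2C26 00B3<<<< 7
Fa2/0 10.3.0.1 Gi0/0.1 10.2.0.1 06 00B3 2C26 4
"""

# One flow-cache row: interfaces, dotted-quad addresses, hex protocol and ports,
# decimal packet count. Trailing non-space junk after DstP (e.g. "<<<<") is skipped.
FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sport>[0-9A-Fa-f]{4})\s+(?P<dport>[0-9A-Fa-f]{4})\S*\s+(?P<pkts>\d+)\s*$"
)


def parse_flow_cache(text):
    """Return a list of flow dicts parsed from show ip cache flow output.

    Header lines and anything else that does not look like a flow row are ignored.
    Protocol and port fields are converted from hex to integers.
    """
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pkts"] = int(d["pkts"])
        d["pr"] = int(d["pr"], 16)
        d["sport"] = int(d["sport"], 16)
        d["dport"] = int(d["dport"], 16)
        flows.append(d)
    return flows


def find_duplicate_flows(flows):
    """Group flows by (src, dst, proto, sport, dport) and return the tuples that
    occur more than once, flagging whether one copy has a Null output interface
    (the signature of the incomplete-adjacency case described in the caveat)."""
    by_tuple = defaultdict(list)
    for f in flows:
        key = (f["src"], f["dst"], f["pr"], f["sport"], f["dport"])
        by_tuple[key].append(f)
    dups = []
    for key, entries in by_tuple.items():
        if len(entries) > 1:
            has_null = any(e["dstif"].lower().startswith("null") for e in entries)
            dups.append({"tuple": key, "entries": entries, "null_copy": has_null})
    return dups


if __name__ == "__main__":
    for dup in find_duplicate_flows(parse_flow_cache(SAMPLE_FLOW_CACHE)):
        src, dst, pr, sport, dport = dup["tuple"]
        ifs = ", ".join(e["dstif"] for e in dup["entries"])
        print(f"duplicate flow {src}->{dst} proto {pr} {sport}->{dport}: "
              f"DstIf {ifs}; Null copy present: {dup['null_copy']}")
```

Run against a saved copy of the command output instead of the constructed sample to confirm the symptom before applying the ARP-cache or shutdown/no shutdown workaround.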

CSCeg57155

Symptoms: Ping, Telnet, FTP, and traceroute traffic across a VRF-aware NAT does not function.

Conditions: This symptom is observed on a Cisco router that is configured for VRF-aware NAT only when the router is not directly connected to a gateway.

Workaround: There is no workaround.

CSCeh15639

Symptoms: A Cisco router may crash when it is reloaded with PIM traffic on the network.

Conditions: This symptom is observed on a Cisco 7200 series router with multicast enabled but is not platform dependent. Bootup is the most likely place where this will happen, but the router may crash anytime if an interface flap happens at the right time while receiving PIM traffic.

Workaround: There is no workaround.

CSCei06089

Symptoms: Conditional advertisement of the default route via a route map does not work when you enter the neighbor default-originate command.

Conditions: This symptom is observed on a Cisco router that is configured for BGP.

Workaround: Disable the route map entirely. If this is not an option, there is no workaround.

CSCei36960

Symptoms: On a router that is configured with a Context-based Access Control (CBAC) firewall, NAT may not work properly, causing routing errors.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3 or Release 12.3(14)T when the router has the ip nat outside static network global-network local-network mask command enabled and when the command points to a serial interface that is configured for both CBAC and NAT.

Workaround: Use a static route for the global-network argument. If this is not an option, there is no workaround.

CSCei45669

Symptoms: An OSPF router may update and originate a new version of an LSA when it should flush the LSA.

Conditions: This symptom is observed on the originating router when it receives a self-originated MaxAge LSA before it can flush this LSA from its database. This symptom may occur under a rare condition when a neighboring router calculates that it has a newer copy of the LSA from the originating router and bounces the MaxAge LSA to the originating router.

Workaround: Enter the clear ip ospf process command.

CSCei65865

Symptoms: When an RSVP application (for example, the MPLS TE feature) sends an updated Path message to reflect a modification in its QoS request, the updated Path message may not be forwarded by a downstream RSVP-aware router.

Conditions: This symptom is observed when the downstream RSVP-aware router has two RSVP features configured: local policy and refresh reduction. The commands to configure these features are the ip rsvp policy local command and the ip rsvp signalling refresh reduction command, respectively.

When an RSVP reservation is established with a Path/Resv message handshake and the sender application subsequently transmits an updated Path message that the downstream router applies to an RSVP local policy, the router does not forward the modified Path message. This situation prevents the application from receiving the corresponding Resv message, and may cause the application to fail.

Workaround: If this is an option, unconfigure the local RSVP policy or refresh reduction and then restart the RSVP application. If this is not an option, there is no workaround.

CSCei71446

Symptoms: A router crashes when the IP address of a GRE tunnel is changed to an unnumbered loopback address.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(3).

Workaround: Remove all ip unnumbered commands that point to the original numbered interface before you configure this numbered interface as an unnumbered interface itself.

Alternate Workaround: Change all unnumbered interfaces to point to the new parent.

CSCei83265

Symptoms: MVPN traffic is limited to about 9 Mpps and the CPU usage on the egress line card is 100 percent.

Conditions: This symptom is observed on a Cisco router that functions as a PE router when MVPN performs decapsulation in the slow path instead of the fast path.

Workaround: There is no workaround.

CSCei86031

Symptoms: When the distribute-list route-map map-tag command is used under the OSPF router mode and when the route map is modified, OSPF does not update the routing table based on the changes in the route map.

Conditions: This symptom is observed when a route map that is referenced in the distribute-list route-map map-tag command is modified.

Workaround: Enter the clear ip ospf process id command or the clear ip route * command.

CSCej55183

Symptoms: The router might crash when removing the ARPA Encapsulation from the configuration.

Conditions: This symptom has been observed when ARPA Encapsulation is removed from the configuration.

Workaround: There is no workaround.

CSCin95836

The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.

NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.

NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.

NHRP is not enabled by default for Cisco IOS.

This vulnerability is addressed by Cisco bug IDs CSCin95836 for non-12.2 mainline releases and CSCsi23231 for 12.2 mainline releases.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.

CSCsb22290

Symptoms: On a Cisco router that is configured for Port Address Translation, when you enter the ip nat service fullrange udp port port-number command, the port-allocation logic does not function. When a PAT port is already taken, the next-port logic fails, causing some packets to be discarded.

Conditions: This symptom is observed on a Cisco IOS Mobile Wireless Gateway (MWG) that is configured for high availability (HA). However, the symptom may occur on any platform that has the ip nat service fullrange udp port port-number command enabled.

Workaround: Disable the ip nat service fullrange command.

Further Problem Description: Regular PAT and NAT are not affected. Only the port-allocation logic in relation to the ip nat service fullrange command is affected.

CSCsb23433

Symptoms: IP multicast packets are lost until the next periodic PIM (S,G) Join message.

Conditions: This symptom is observed in the following scenario:

When there is an intermittent source that is not active for 3.5 minutes, the (S,G) entry expires on the local RP and transit routers but remains active on the remote RP because the entry is refreshed each minute by an MSDP SA message from the local RP. When the source starts after 3.5 minutes of inactivity, it is registered with the local RP, and an MSDP SA message with an encapsulated packet is sent to the remote RP. However, the remote RP does not send a PIM (S,G) Join message to the source because the remote RP still has an (S,G) entry present.

Workaround: Configure a keepalive mechanism for the intermittent source to maintain the integrity of the multicast tree.

CSCsb32141

Symptoms: A router that is configured for Resource Reservation Protocol (RSVP) generates the following error messages on the console and then crashes:

%LINK-0-REENTER: Fatal reentrancy, level=3, intfc=FastEthernet0/1
-Process= "RSVP", ipl= 3, pid= 251
%SYS-6-STACKLOW: Stack for process RSVP running low, 0/24000

Conditions: This symptom is observed when the ip rsvp bandwidth and service-policy output commands are configured on the same interface and when the policy map for the service policy is configured with the fair-queue command.

Workaround: Enter the ip rsvp resource-provider none command on the interface.

Alternate Workaround: Enter the ip rsvp bandwidth value command and ensure that the value argument is equal to the value that is displayed on the "Available Bandwidth" line in the output of the show interface interface command plus the value that is shown in the "allocated" column in the output of the show ip rsvp interface command.

CSCsb36589

Symptoms: A router that is configured for OSPFv3 may crash because of memory corruption or a CPUHOG condition.

Conditions: This symptom is observed rarely in a configuration with a large LSA with at least 44 links that have OSPFv3 enabled and with some links configured for broadcast mode when an adjacency with a peer router flaps.

Workaround: There is no workaround.

CSCsb50606

Symptoms: Memory utilization in the "Dead" process grows gradually until the memory is exhausted. The output of the show memory dead command shows that many "TCP CBs" are allocated. Analysis shows that these are TCP descriptors for non-existing active BGP connections.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(13), that has an NPE-G1, and that functions as a PE router with many BGP neighbors. However, the symptom is not platform-specific, nor release-specific.

Workaround: Reload the router. If this is not an option, there is no workaround.

CSCsb60206

Symptoms: When an SSO switchover occurs, the newly active Supervisor Engine or RP generates a series of CPU Hog messages in the PIM Process, generates tracebacks, and finally crashes because the watchdog timer expires.

Conditions: This symptom is observed on a Cisco switch that has redundant Supervisor Engines and on a Cisco router that has redundant RPs when Auto-RP is configured and when regular multicast traffic runs for a few hundred multicast routes.

Workaround: There is no workaround.

CSCsb74588

Symptoms: A router that is configured for OSPFv3 may crash because of memory corruption or a CPUHOG condition.

Conditions: This symptom is observed rarely in a configuration with a large LSA with 64 parallel links that have OSPFv3 enabled in broadcast mode when all adjacencies with a peer router flap.

Workaround: There is no workaround.

CSCsc07467

Symptoms: An OSPF route is lost after an interface flaps.

Conditions: This symptom is observed rarely when all of the following conditions are present:

There is a very brief (shorter than 500 ms) interface flap on a point-to-point interface such as a POS interface.

The flap is not noticed by the neighbor, so the neighbor's interface remains up.

The OSPF adjacency goes down and comes back up very quickly (the total time is shorter than 500 ms).

OSPF runs an SPF during this period and, based on the transient adjacency information, removes routes via this adjacency.

The OSPF LSA generation is delayed because of LSA throttling. When the LSA throttle timer expires and the LSA is built, the LSA appears unchanged.

Workaround: Increase the carrier-delay time for the interface to about 1 second or longer.

Alternate Workaround: Use an LSA build time shorter than the time that it takes for an adjacency to come up completely.

CSCsc41694

Symptoms: The router hangs when BGP is unconfigured with the no router bgp command.

Conditions: This symptom has been observed on Cisco AS5400 and Cisco AS5850 routers that run the c5400-js-mz.123-16.15 image.

Workaround: There is no workaround.

ISO CLNS

CSCei04683

Symptoms: A router may advertise an IPv6 default route into a level-2 topology.

Conditions: This symptom is observed when the following conditions are present:

The router runs the IS-IS routing protocol on both level 1 and level 2.

The router advertises IPv6 prefixes.

The router has the IS-IS ATT bit set.

The router has level-1 connectivity to another level-1/level-2 IS-IS router.

An SSO switchover occurs on the router or the router loses and then regains connectivity to the level-2 topology.

Workaround: Trigger a change that causes the router to regenerate its level-2 LSP.

Miscellaneous

CSCea73586

Symptoms: The FlexWAN line card crashes when dLFIoATM is configured while traffic is flowing.

Conditions: This symptom has been observed when dLFIoATM is configured while traffic is flowing on a Cisco 7500 or Cisco 7600 platform.

Workaround: There is no workaround.

Further Problem Description: Configuring dLFIoATM while traffic is stopped should prevent the crash; traffic can then be resumed normally.

CSCec11488

Symptoms: A Network Processing Engine G1 (NPE-G1) may reload unexpectedly when a redzone overrun error occurs.

Conditions: This symptom is observed on a Cisco 7200 series that has an ATM subinterface on which the atm arp-server nsap nsap-address interface configuration command is enabled.

Workaround: Disable the atm arp-server nsap nsap-address interface configuration command on the ATM subinterface.

CSCee15581

Symptoms: A router that is configured for L2VPN may crash.

Conditions: This symptom is observed when L2VPN connections are dynamically deconfigured and then reconfigured.

Workaround: There is no workaround.

CSCee20451

Symptoms: A VC may experience an output stuck condition.

Conditions: This symptom occurs when using T1 ATM (the IMA function is not used) on a PA-A3-8T1IMA.

Workaround: Enter the clear interface command.

CSCee31450

Symptoms: IPv6 packets may not be switched via CEFv6 but may be blackholed.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18)S4 when the packets are switched from an FE interface to a POS interface. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCef41603

Symptoms: The gatekeeper does not route calls based on the ARQ call identifier.

Conditions: This symptom was observed with a third party application that is registered to a gatekeeper when attempting to use Trunk Group routing.

Workaround: There is no workaround.

CSCef48325

Symptoms: WRED counters do not function on distributed platforms such as a Cisco 7500 series and a Cisco 7600 series.

Conditions: This symptom is observed on a distributed Cisco platform that runs Cisco IOS Release 12.0(26)S3, 12.0(29)S, 12.2(25)S, 12.3(10), or 12.3(11)T and that has dWRED configured.

Workaround: There is no workaround.

CSCeg12134

Symptoms: When you send multicast traffic over an IPSec tunnel, a memory leak may occur on a router.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3T when both IP CEF and hardware encryption are configured. The symptom may also occur in other releases.

Workaround: Switch to software encryption for a while and then switch back to hardware encryption.

Alternate Workaround: Disable IP CEF.

CSCeg23300

Symptoms: When you enter the show memory address command, irrespective of whether or not you place an optional keyword after the pipe (vertical bar), the console or vty session hangs and cannot be restored without reloading the platform. This situation especially impacts the console, but as long as there is a vty session available, Telnet still functions.

Although the platform may return the initially requested data, it does not return the prompt. The session (either console logging and/or terminal monitoring) continues to generate system or error messages to the terminal.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series but is platform-independent.

Workaround: Reload the platform. The stalled prompt will eventually recover but this could take many hours or even days.

Further Problem Description: The symptom is expected behavior because the parser must scan the entire range of possible (and ever growing) memory addresses. For this reason, we recommend against the use of the show memory address command, which will be removed from common usage in all future releases.

CSCeg36362

Symptoms: A Cisco 7200 series that is configured with an NPE-G1 may reload unexpectedly because of a bus error.

Conditions: This symptom is observed when the Cisco 7200 series is configured for Fast Switching.

Workaround: There is no workaround.

CSCeg38778

Symptoms: An invalid packet causes Cisco IP Communicator to lose audio for the first 6 seconds.

Conditions: This symptom is observed on a Cisco router that is configured for the G.729 codec when the router sends a single G.711ulaw packet while it terminates an H.323 Voice over IP (VoIP) call.

Workaround: Upgrade to IP Communicator 1.1(3) or above, which ignores this incorrect packet.

CSCeg64679

Symptoms: A Cisco AS5850 reloads when you enter the redundancy handover peer-resources command to hand over the peer resources to the other RSC.

Conditions: This symptom is observed when the RSC that hands over the peer resources is in the "ACTIVE_EXTRALOAD" mode and when an SNMP trap is sent to obtain the card status.

Workaround: There is no workaround.

CSCeg83467

Symptoms: The router crashes whenever encapsulation changes from AAL5SNAP to AAL0 on a private virtual circuit (PVC).

Conditions: This symptom has been observed when encapsulation is changed from AAL5SNAP to AAL0.

Workaround: Do not configure AAL0.

CSCeh18306

Symptoms: On a Cisco 2600-XM series that is configured with an AIM-ATM module, when one PVC is configured for ABR and another PVC is configured for another ATM class, CRC errors occur on the far end of the ATM link of the PVC that is configured for the other ATM class. This situation may occur because the PVC that is configured for ABR sends two RM cells in a row and overwrites some data of the PVC that is configured for the other ATM class.

Conditions: This symptom is observed on a Cisco 2651-XM that runs Cisco IOS Release 12.3 and that is configured with an AIM-ATM module. However, the symptom may not be platform-dependent and may occur on any platform that is configured with an AIM-ATM module.

Workaround: Do not configure ABR on a PVC.

CSCeh61467

This caveat consists of two symptoms, two conditions, and two workarounds:

Symptom 1: After you have disabled MVPN on a VRF interface, the CPU use for the PIM process increases to 99 or 100 percent and remains at that level.

Condition 1: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SB, Release 12.2SX, or a release that is based on these releases. The symptom may also occur in other releases.

Workaround 1: Before you disable MVPN on the VRF interface, enable and then disable multicast routing by entering the ip multicast-routing vrf vrf-name global configuration command followed by the no ip multicast-routing vrf vrf-name global configuration command.

Symptom 2: A router that functions under stress and that is configured with a VRF interface may crash when an MDT group is removed from a remote PE router.

Condition 2: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SB, Release 12.2SX, or a release that is based on these releases, and occurs only when there are frequent link flaps or other multicast topology changes that affect the VRF interface. The symptom may also occur in other releases.

Workaround 2: There is no workaround.

CSCeh76209

Symptoms: When Policy Based Routing (PBR) is configured with the set interface command, packets continue to be forwarded to an interface after that interface has gone down, causing the packets to be dropped. When the ip local policy route-map command is enabled, all locally generated packets are impacted.

Conditions: This symptom is observed on a Cisco router and only applies to packets that require process-switching.

Workaround: Do not enter the set interface command. Rather, enter the set ip next-hop command.

CSCeh78411

Symptoms: If a spoke cannot complete IKE phase I because of a bad certificate, the failed IKE sessions may not be deleted on an IPSec/IKE responder. Such failed sessions may accumulate, eventually causing router instability. These failed sessions can be seen in the output of the show crypto isakmp sa | i MM command:

172.18.95.21 10.253.34.80 MM_KEY_EXCH 898 0 ACTIVE

172.18.95.21 10.253.34.80 MM_KEY_EXCH 896 0 ACTIVE

172.18.95.21 10.253.34.80 MM_KEY_EXCH 895 0 ACTIVE

172.18.95.21 10.253.34.80 MM_KEY_EXCH 894 0 ACTIVE

172.18.95.21 10.253.34.80 MM_KEY_EXCH 893 0 ACTIVE

...

Conditions: These symptoms are observed when RSA signatures are used as the authentication method.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface that is used for the IKE sessions or re-apply the crypto map to this interface.
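The accumulation described above is visible in show crypto isakmp sa output long before the router becomes unstable, so it is worth checking for on IKE responders that authenticate with RSA signatures. The following script is added here as an illustration; it is not part of the release notes or of Cisco IOS. It parses the SA listing, counts sessions per peer pair that are still in a main-mode (MM_*) state rather than QM_IDLE, and reports pairs at or above a threshold. The sample output is constructed from the caveat's own lines plus one healthy session; the header line and the slot column are assumptions about the layout, and the parser does not depend on them.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "show crypto isakmp sa | i MM" lines in the
# caveat. One peer pair has five half-open main-mode sessions; one pair is healthy.
# The header line and the "slot" column are assumed and are ignored by the parser.
SAMPLE_ISAKMP_SA = """\
dst             src             state          conn-id slot status
172.18.95.21    10.253.34.80    MM_KEY_EXCH    898     0    ACTIVE
172.18.95.21    10.253.34.80    MM_KEY_EXCH    896     0    ACTIVE
172.18.95.21    10.253.34.80    MM_KEY_EXCH    895     0    ACTIVE
172.18.95.21    10.253.34.80    MM_KEY_EXCH    894     0    ACTIVE
172.18.95.21    10.253.34.80    MM_KEY_EXCH    893     0    ACTIVE
172.18.95.21    10.253.34.91    QM_IDLE        901     0    ACTIVE
"""

# One SA row: dst, src, state, conn-id, an optional numeric slot column, status.
SA_RE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+(?:\d+\s+)?(?P<status>\S+)\s*$"
)


def parse_isakmp_sa(text):
    """Return a list of SA dicts parsed from show crypto isakmp sa output.

    Lines that do not match the row pattern (headers, blank lines) are skipped.
    """
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["conn_id"] = int(d["conn_id"])
            sas.append(d)
    return sas


def stuck_main_mode_peers(sas, threshold=3):
    """Return {(dst, src): count} for peer pairs with at least `threshold` SAs
    stuck in a main-mode state (MM_*), i.e. sessions that never completed
    phase 1 and should have been deleted."""
    counts = Counter()
    for sa in sas:
        if sa["state"].startswith("MM_"):
            counts[(sa["dst"], sa["src"])] += 1
    return {peer: n for peer, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    stuck = stuck_main_mode_peers(parse_isakmp_sa(SAMPLE_ISAKMP_SA))
    for (dst, src), n in sorted(stuck.items()):
        print(f"{n} main-mode sessions stuck between {dst} and {src}")
```

A rising count for the same peer pair across successive runs, together with the failed certificate on the spoke, is the pattern this caveat describes; the shutdown/no shutdown or crypto map re-application workaround clears the entries.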

CSCei08458

Symptoms: The FIB may be disabled or the output interface may be stuck on an A3 ATM port adapter.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for dLFIoATM.

Workaround: Reload the microcode or perform an OIR to recover the A3 ATM port adapter.

CSCei09130

Symptoms: A Cisco 2600XM series that is configured with an AIM module may increment layer 1 errors and clock slips.

Conditions: This symptom is observed only on a Cisco 2600XM series that runs Cisco IOS Release 12.4 when the following four specific conditions occur:

The router is configured with an AIM-ATM, AIM-VOICE, or AIM-ATM-VOICE module.

The router is configured with a VWIC-2MFT-x card. (The symptom does not occur with a VWIC-1MFT-x card.)

Both ports of the VWIC-2MFT-x card are configured for Line Timing.

The first VWIC port is connected and active, while the second VWIC port is either disconnected, in the LOS alarm state, or on a different clock domain than the first VWIC port.

The symptom could also occur on a Cisco 2600XM series that runs Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCei45749

Symptoms: When you enter the clear interface command on an Inverse Multiplexing for ATM (IMA) interface configured for dynamic bandwidth, the PVCs that are associated with the IMA interface may become Inactive.

Conditions: This symptom is observed only for IMA interfaces that have the atm bandwidth dynamic command enabled.

Workaround: Entering the no atm bandwidth dynamic command on the IMA interface prevents the problem from occurring. If the problem has already occurred, enter the no atm bandwidth dynamic command followed by the shutdown command and then the no shutdown command on the IMA interface to clear the inactive PVC condition.

CSCei46978

Symptoms: A Cisco 7200 series may generate the following error message, and links flap:

%SBETH-3-ERRINT: GigabitEthernet0/1, error interrupt, mac_status = 0x0000000000840000

Conditions: These symptoms are observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(15) and that is configured with an NPE-G1.

Workaround: There is no workaround. Note that the symptom does not occur in Release 12.3(13).

CSCei50425

Symptoms: A Cisco 7200 series or Cisco 7301 that is equipped with a VAM, VAM2 or VAM2+ accelerator may refuse a valid RSA key and generate an error message such as the following:

% Error in generating keys: did not validate
% Key pair import failed.

Conditions: This symptom is observed under rare circumstances when a valid RSA key is composed of unusually short or long prime numbers and coefficient.

When the VAM is deactivated during the import of the RSA key, the router accepts the key, but when the VAM, VAM2, or VAM2+ is inserted into the chassis, the router miscomputes the signature payload of the IKE/ISAKMP exchanges.

Workaround: Create a new RSA key.

Further Problem Description: The result of the wrong operation can be seen on the other side of the connection by activating the debug crypto engine and debug crypto isakmp commands. The following messages are related to the failure:

crypto_engine: public key verify

crypto_engine: public key verify, got error no available resources

ISAKMP:(0:2:HW:2): signature invalid!

CSCei51322

Symptoms: A router that is configured for IPSec may reload because of a stack or program counter corruption.

Conditions: This symptom is observed on a Cisco router that uses a certificate with a very long subject name of several hundred bytes when the distinguished name (DN) is used as an ISAKMP identity. The symptom does not occur for shorter subject names (for example, 290 characters). In most environments, a subject name of 80 characters or less is common.

Workaround: Use certificates with a shorter subject name.

CSCei61814

Symptoms: A Fast Ethernet (FE) interface on a Cisco AS5850 may reset unexpectedly.

Conditions: This symptom is observed when you attempt to program the FE controller for multicast or broadcast traffic such as OSPF, EIGRP, RIP, or PIM.

Workaround: There is no workaround.

CSCei62348

Symptoms: A Cisco 2691 crashes because of a bus error exception and alignment errors.

Conditions: This symptom is observed when SNMP passes invalid VLAN IDs to VTP.

Workaround: There is no workaround.

CSCei62522

Symptoms: ISAKMP SA negotiation is not successful in aggressive mode.

Conditions: This symptom has been observed when testing the RADIUS tunnel attribute in a hub-and-spoke scenario using Cisco IOS interim Release 12.4(3.3).

Workaround: There is no workaround.

CSCei66542

Symptoms: SGBP AAA authentication fails in a large scale dial-in configuration.

Conditions: This symptom is observed when a bid is processed and when an incorrect name is retrieved, causing an incorrect user name to be sent and the AAA authentication to fail.

Workaround: There is no workaround.

CSCei70222

Symptoms: All IKE IPSec SAs are down and encryption services do not function when a hardware encryption engine is enabled.

Conditions: This symptom is observed on a Cisco router that is configured with a VAM, VAM2, or VAM2+ when the router runs under low memory conditions.

Workaround: There is no workaround. Reboot the router to temporarily resolve the symptoms.

Further Problem Description: When the debug crypto engine error command is enabled, the following debug message is generated:

CryptoEngine: epa_get_blk_buffer FAILED

CSCei79855

Symptoms: When Cisco IOS software is secured using the "secure boot" commands and the disk is then formatted, the show disk command does not display the secured image and the corresponding configurations in its output.

Conditions: This symptom occurs when the Cisco IOS software is secured using the secure boot-config and secure boot-image commands and the disk is formatted.

Workaround: There is no workaround.

CSCei86192

Symptoms: When a buffer leak occurs, the RP crashes because of the starvation of buffers.

Conditions: This symptom is observed on a Cisco 7500 series that has a VIP in which a channelized T1/E1 port adapter is installed and on a Cisco 7600 series that has a FlexWAN in which a channelized T1/E1 port adapter is installed.

Workaround: There is no workaround.

CSCei93090

Symptoms: EIGRP does not learn routes when the ip pim sparse-dense-mode command is configured on a Gigabit Ethernet interface.

Conditions: This symptom is observed on a Cisco 7301 that runs Cisco IOS interim Release 12.4(4.3).

Workaround: There is no workaround.

CSCej00319

Symptoms: A router that is configured for Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) may crash when LDP is configured or removed from an interface or globally.

Conditions: This symptom is observed when parallel links are present.

Workaround: There is no workaround.

CSCej42480

Symptoms: Incoming or outgoing PSTN calls fail on a PRI interface.

Conditions: This symptom has been observed on a Cisco 2620XM VoIP Gateway (MGCP) with Cisco IOS Release 12.4(2)T1 and a PRI Backhauled MGCP Gateway controlled by Cisco CallManager Release 4.1(3)SR1.

Workaround: There is no workaround.

CSCej42935

Symptoms: Data corruption may occur on a disk when directory entries are read by more than one process simultaneously.

Conditions: This symptom is observed on a Cisco platform that has an ATA file system when, for example, the dir disk0: command is entered on one vty connection and, simultaneously and for the same disk, the copy disk0: command is entered on another vty connection.

Workaround: There is no workaround.

CSCin79522

Symptoms: A Cisco router that runs Cisco IOS Release 12.3T may reload when the ATM interfaces are swapped.

Conditions: This symptom is observed when an ATM IMA port adapter is removed and a PA-A3 port adapter is inserted in the same slot and when there is at least one PVC configured that has InARP enabled. The symptom may also occur in Release 12.3 or Release 12.4.

Workaround: There is no workaround.

CSCsa49177

Symptoms: After you reload a router, the physical ATM interface for an IMA group interface remains down even though the T1 controllers are active.

Conditions: This symptom is observed on a Modular Access Router such as a Cisco 3700 series that is configured with a VWIC-2MFT-T1 and an ATM-AIM.

Workaround: Reload the router or remove and reconfigure all ATM parameters.

CSCsa60223

Symptoms: After a call is made between H.323 and SIP on the IPIPGW, the output of the show call active voice command does not reflect the call leg information.

Conditions: This symptom occurs when SIP-to-H.323 calls are made.

Workaround: There is no workaround.

CSCsa65035

Symptoms: The committed information rate (CIR) of policers is calculated incorrectly.

Conditions: This symptom is observed when Frame Relay Traffic Shaping (FRTS) is applied using Modular QoS CLI (MQC) (that is, it is applied on the shaper in the parent service policy) and when the classes of the child policy include percentage-based policers.

Workaround: There is no workaround.

CSCsa65819

Symptoms: The Label Information Base (LIB) may not be disabled.

Conditions: This symptom is observed on a Cisco router that is configured for MPLS VPN when an IPv4 BGP neighbor that is configured to exchange MPLS labels goes down.

Workaround: There is no workaround.

CSCsa97663

Symptoms: An ATM interface is unexpectedly removed from an IMA group even though the ATM interface is still in the up/up state, causing T1 links to be disconnected.

Conditions: This symptom is observed on a Cisco 2600 series when you change the Cisco IOS software from Release 12.2(13)T8 to Release 12.3(12b).

Workaround: Re-add the ATM interface to the IMA group by removing and reconfiguring the IMA configuration on the ATM interface.

CSCsb00759

Symptoms: A Cisco 3640 or Cisco 3660 stops encrypting GRE packets, which are then sent in the clear.

Conditions: This symptom is observed on a Cisco 3640 and Cisco 3660 that run Cisco IOS Release 12.3(13), that are configured for CEF, and that have an interface (but not necessarily the interface with the crypto map) that has the ip tcp header-compression command enabled.

Workaround: Re-apply the service policy on the interface that is configured with the crypto map.

First Alternate Workaround: Enter the no route-cache cef command followed by the route-cache cef command.

Second Alternate Workaround: Delete the crypto map from the interface and re-apply the crypto map.

CSCsb02061

Symptoms: An "Output Hold Queue Wedge" condition may occur on PVCs that are defined on DS1 ports that are not configured for IMA.

Conditions: This symptom is observed on a Cisco 7200 series that runs the c7200-ik9s-mz image of Cisco IOS Release 12.3(13), that is configured with a PA-A3-8T1-IMA port adapter that is configured for DSL aggregation, and that terminates hundreds of UBR VCs on a DS1 interface. The "Output Hold Queue Wedge" condition occurs on idle subinterfaces or when multiple point-to-point subinterfaces are "spawned" from a single subinterface by entering a PVC range command such as the following:

interface ATM1/0.100 point-to-point
 ip unnumbered Loopback10
 atm route-bridged ip
 range pvc 6/100 6/599

Workaround: There are four workarounds:

Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the physical interface.

Enter the no pvc-in-range command followed by the pvc-in-range command on a wedged VC.

Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on an uplink interface.

Tear down and rebuild a PVC.

CSCsb04447

Symptoms: A Cisco AS5400 does not generate a RADIUS stop record when a call disconnect is initiated by a modem on the Cisco AS5400.

Conditions: This symptom is observed on a Cisco AS5400 that runs Cisco IOS Release 12.3(10a) or Release 12.3(12) and that is configured for PRI T1. The symptom does not occur when the remote end or a signal initiates the call disconnect.

Workaround: There is no workaround.

CSCsb04721

Symptoms: When the Any Transport over MPLS (AToM) feature is enabled on a router, AToM virtual circuits to a peer may not be re-established after an interface flap or after being reconfigured, because the required targeted Label Distribution Protocol (LDP) session is not re-established.

Conditions: This symptom is observed when LDP is not configured on any interfaces via the mpls ip interface configuration command, which is typically the case when MPLS Traffic Engineering (TE) tunnels are used to transport AToM traffic between endpoints and when the mpls ip interface configuration command is not enabled on any TE tunnels.

The symptom occurs in Cisco IOS software releases that include the fix for caveat CSCec69982 when any form of one of the following commands is configured on the router and appears in the running configuration:

mpls ldp explicit-null

mpls ldp advertise-labels

mpls ldp session protection

mpls ldp password fallback

mpls ldp password option

mpls ldp password required

A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec69982.

Workaround: Enter the mpls ip command on a TE tunnel interface or temporarily on a physical interface to force LDP to be re-established.

CSCsb18502

Symptoms: Data that is forwarded downstream from a SNASw router is intermittently corrupted. Sniffer traces that are captured upstream and downstream from the SNASw router show that the data that is sent from the host to the SNASw router is fine, but when the data leaves the SNASw router, there are some corrupted bytes at the end of the data stream.

Conditions: This symptom is observed on a SNASw router that is connected upstream to a mainframe host via Enterprise Extender.

Workaround: There is no workaround.

CSCsb25429

Symptoms: A Cisco router that has a virtual-template interface that is configured for PPPoE may reload because of a software-forced crash.

Conditions: This symptom is observed only when RADIUS AAA per-user attributes are used in active PPPoE sessions.

Workaround: There is no workaround.

CSCsb28315

Symptoms: The "tunnel protection malloc" process may cause a memory leak in the Crypto IKMP process.

Conditions: This symptom is observed on a Cisco platform that runs a crypto image and that functions as a spoke when the interface that connects to the hub flaps and receives a new IP address after the flap.

Workaround: There is no workaround.

CSCsb34344

Symptoms: A Fast Ethernet (FE) interface on a Cisco AS5400 may reset unexpectedly.

Conditions: This symptom is observed when you attempt to program the FE controller for multicast or broadcast traffic such as OSPF, EIGRP, RIP, or PIM.

Workaround: There is no workaround.

CSCsb37645

Symptoms: A router may crash during a basic H.323 call with carrier ID routing.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(3.3).

Workaround: There is no workaround.

CSCsb42176

Symptoms: A Cisco 7200 series may pause indefinitely when a neighbor reloads.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a PA-POS-2OC3 port adapter.

Workaround: There is no workaround.

CSCsb43117

Symptoms: Media negotiation fails for SIP calls and the terminating gateway replies with a "488" message to an Invite message.

Conditions: This symptom is observed on a Cisco platform when the terminating gateway is configured with the G.729B (annex B) codec and when the Session Description Protocol (SDP) of the incoming Invite message does not contain an FMTP attribute line, which means that the default value, that is, the G.729B (annex B) codec, is used.

Workaround: There is no workaround.

CSCsb50995

Symptoms: The Switch Processor (SP) of a Cisco Catalyst 6500 series or Cisco 7600 series may run out of memory with 15,000 VPLS VCs (that is, with 512 VFIs and 30 LDP neighbors).

Conditions: This symptom is observed when all LDP sessions are flapped many times with a pause of approximately 10 seconds between each flap.

Workaround: There is no workaround.

CSCsb59555

Symptoms: An Engine 3 or Engine 4+ line card may be stuck in the "request reload" state and CEF may be disabled on the line card, although the CEF table is up, as is shown in the output of the show cef linecard command:

Slot MsgSent  XDRSent  Window LowQ MedQ HighQ Flags
   1    8558   719895    4966    0    0     0 up
   2    8560   718293    4966    0    0     0 up
   3    8609   722867    4965    0    0     0 up
   4    8584   721311    4965    0    0     0 up
   5    8597   724307    4965    0    0     0 up
   9    8586   722060    4966    0    0     0 up
  10    8579   720566    4966    0    0     0 up
  11    8566   719086    4966    0    0     0 up
  12    8606   725072    4966    0    0     0 up
  13    8597   723572    4966    0    0     0 up
  *7       1        3      24    0    0     0 disabled, rrp hold
   0    4058   359354    4966    0    0     0 up

VRF Default, version 5032, 5024 routes
Slot Version CEF-XDR I/Fs State  Flags
   1    5032    5016   67 Active sync, table-up
   2    5032    5016    5 Active sync, table-up
   3    5032    5016   20 Active sync, table-up
   4    5032    5016    5 Active sync, table-up
   5    5032    5016    5 Active sync, table-up
   9    5032    5016    4 Active sync, table-up
  10    5032    5016    4 Active sync, table-up
  11    5032    5016   20 Active sync, table-up
  12    5032    5016    4 Active sync, table-up
  13    5032    5016    8 Active sync, table-up
  *7       0       0    4 Active table-disabled
   0       0       0    5 Active request reload, table-up

Conditions: This symptom is observed on a Cisco 12000 series after an RPR+ switchover has occurred. However, the symptom is platform-independent and may also occur on another platform that is configured for CEF when an RPR+ switchover has occurred.

Workaround: Enter the clear cef linecard command for the affected line card.

CSCsb64721

Symptoms: A spurious access is generated on a Cisco 7500 series and a virtual-access interface does not come up but remains in the up/down state.

Conditions: These symptoms are observed on a Cisco 7500 series that is configured for dLFIoFR when the MTU size is changed on the physical interface.

Workaround: There is no workaround.

CSCsb72138

Symptoms: A Foreign Exchange Station (FXS) port may lock up after having functioned fine for a long time.

Conditions: This symptom is observed on a Cisco 2821 that runs Cisco IOS Release 12.3(11)T5. This symptom typically occurs when fax devices are configured on the FXS port but is not limited to this configuration.

This particular instance occurred with MGCP-controlled voice ports.

Workaround: Use H323 for signaling.

CSCsb74409

Symptoms: A router may keep the vty lines busy after finishing a Telnet/Secure Shell (SSH) session from a client. When all vty lines are busy, no more Telnet/SSH sessions to the router are possible.

Conditions: This symptom is observed on a Cisco router that is configured to allow SSH sessions to other devices.

Workaround: Clear the SSH sessions that were initiated from the router to other devices.

CSCsb75197

Symptoms: An SNA Switch (SNASw) rejects EE link activation with sense code 08120000. Once the SNASw runs out of ANR labels, inbound connections (that is, PU 2.1 clients) are also rejected with sense code 08120000, as seen in a DLCTRACE.

Conditions: This symptom is seen when a downstream device has repeatedly sent in an old-SNA flavor of XID3 (one that indicates no exchange state indicators are supported) over an SNASw port that has not specified CONNTYPE.

Workaround: A reload of the router will be needed to clear this condition. However, the problem can be avoided in the first place by configuring CONNTYPE NOHPR on the downstream port.

Further Problem Description: VTAM logs show sense code 08010000 during the link activation XID3 negotiation. The SNASw shows sense code 08120000 on a DLCTRACE capture during the link activation XID3 negotiation for either upstream link activation or for an inbound device XID3 negotiation exchange during a connection attempt.

CSCsb80536

Symptoms: A Cisco 3640 router may fail to boot with an image of Cisco IOS Release 12.3 and may enter the ROMmon during the boot process.

Conditions: This symptom is observed only on a Cisco 3640.

Workaround: There is no workaround. Note that the symptom does not occur in Release 12.2T. The fix for this caveat is also integrated in Release 12.4 and Release 12.4T.

Further Problem Description: If the router boots an image successfully once, then it is safe to assume that the symptom will not occur on the router.

CSCsb83876

Symptoms: The counters on a PA-MC-E3 port adapter may provide incorrect information. For some interfaces of the port adapter, the counters are always zero, and for other interfaces, the counters do increase but very slowly.

Conditions: This symptom is observed when you enter the show interfaces type slot command for a PA-MC-E3 port adapter.

Note that the symptom does not occur when you enter the show interface type number stats command or the show interfaces type slot accounting command. Also, when you enter the show interfaces type slot command for the VIP in which the PA-MC-E3 port adapter is installed, the counters provide correct information.

Workaround: Enter the show interface type number stats command to retrieve the correct information.

CSCsb84354

Symptoms: A memory leak occurs when a midcall INVITE fails media negotiation for an incoming "200". Eventually, this leak causes memory fragmentation and causes the platform to reload.

Conditions: This symptom is observed on a Cisco AS5850 gateway that runs Cisco IOS Release 12.3(14)T3 but may also occur in Release 12.4 and Release 12.4T. The symptom occurs when the gateway sends a "a=T38MaxBitRate:7200" and when the other side responds incorrectly with a "a=T38MaxBitRate:14400". The gateway functions properly by failing media negotiation but the incorrect SDP data is released, causing the leak.

Workaround: There is no workaround.

CSCsb86611

Symptoms: The PPP link fails when using LQM and hardware compression.

Conditions: This symptom has been observed on Cisco 3745 routers with an AIM-COMPR4 that run Cisco IOS Release 12.3(14)T2 or Release 12.4(3).

Workaround: Use software compression, disable CEF on the ingress interface, or disable WFQ on the WAN interface.

CSCsb91678

Symptoms: A software-forced crash may occur on a Cisco 7206VXR because of a watchdog timeout.

Conditions: This symptom is observed on a Cisco 7206VXR that has a low-speed Mueslix-based serial port adapter such as a PA-4T+, PA-8T-V35, PA-8T-X21, or PA-8T-232 port adapter and that runs a Cisco IOS image that integrates the fix for caveat CSCec63468.

The symptom occurs only for low-speed port adapters such as the PA-4T+, PA-8T-V35, PA-8T-X21, and PA-8T-232 port adapters. The symptom may also affect port adapters in adjacent slots, and not only the port adapters in physically adjacent slots, but also the port adapters that are logically adjacent in the initialization path. This memory corruption occurs in the PCI/IO memory space.

A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec63468. Cisco IOS software releases not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround. Note that high-speed or unchannelized serial port adapters are not affected.

Further Problem Description: The following error messages and tracebacks are generated just before the crash occurs:

%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=3, count=0
-Traceback= 6074F79C 601BB3AC 601BC72C
%MUESLIX-1-HALT: Mx serial: Serial2/0 TPU halted: cause 0x3 status 0x0043404F shadow 0x630FB864
%ALIGN-3-SPURIOUS: Spurious memory access made at 0x6074F388 reading 0x1F
%ALIGN-3-TRACE: -Traceback= 6074F388 601BB3AC 601BC72C 00000000 00000000 00000000 00000000 00000000
%ALIGN-3-TRACE: -Traceback= 6074F7C0 601BB3AC 601BC72C 00000000 00000000 00000000 00000000 00000000
%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = Per-Second Jobs.
-Traceback= 607E0078 607E44AC 607DACD0 601B0CD4 601B1A04 601ADEA8 603E2C2C 607CF128 6076E2EC

CSCsb93316

Symptoms: In dual RP systems or in RP/SP systems, the system may crash with a Segmentation violation error.

Conditions: This symptom has been observed only in dual RP or RP/SP systems with high availability features present. The crash may be observed when the show file systems command is issued.

Workaround: There is no workaround.

CSCsb99091

Symptoms: An SNA Switch (SNASw) router reloads in the SNASw code when memory is short.

Conditions: This symptom was observed on a router that concentrates downstream physical units (DSPUs) via DLSw/VDLC and forwards their traffic via HPR/LLC to the mainframes. About 300 to 400 physical units are concentrated via the SNASw/DLUR. There are a total of 16 routers in this system, in pairs of 8 routers that back up each other.

Workaround: There is no workaround.

CSCsc02139

Symptoms: A router running SNA Switch (SNASw) may reload unexpectedly after logging the following messages:

Sep 13 08:42:45.950 METDST: %SNASW-3-SM_LOG_5: PROBLEM - 287990 - Insufficient storage to activate LU6.2 session
Sep 13 08:42:46.014 METDST: %SNASW-3-SS_LOG_16: PROBLEM - 287994 - CP capabilities exchange failed because of contention winner CP-CP session failure
Sep 13 08:42:47.946 METDST: %SNASW-3-SS_LOG_16: PROBLEM - 288001 - CP capabilities exchange failed because of contention winner CP-CP session failure (Message suppressed 16 times)
Sep 13 08:42:47.946 METDST: %SNASW-3-SM_LOG_5: PROBLEM - 287991 - Insufficient storage to activate LU6.2 session (Message suppressed 109 times)
TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x61327E00

Conditions: This symptom has been observed on a DLSw/SNASw concentration router which is providing connectivity for 300 to 400 physical units through DLSw.

Workaround: There is no workaround.

CSCsc02825

Symptoms: In Cisco IOS software that is running the Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP), the router could reload while trying to access a bad virtual address.

Conditions: This symptom may be observed when LDP is being used. It is not observed with TDP. It may happen when LDP receives a protocol message larger than 512 bytes right after receiving several Label Mapping messages smaller than 25 bytes. This problem is likely to be accompanied by the following error message:

Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0xD0D0D0D

The above error message may be preceded by one of the following four error messages:

%ALIGN-1-FATAL: Corrupted program counter 19:45:07 CET Mon Sep 26 2005
pc=0xD0D0D0D, ra=0x61164128, sp=0x64879B98

%TDP-3-BAD_PIE: peer x.x.x.x; unknown pie type 0x11E

%TDP-3-UNEXPECTED_PIE: peer x.x.x.x unexpected pie type 0x0

%TDP-3-PTCLREAD: peer x.xx.x0, read failure

This problem may be seen in releases that include the fix for CSCeg74562 but do not have the fix associated with this defect.

Workaround: There is no workaround.

CSCsc03569

Symptoms: Incoming and outgoing PSTN calls fail on a BRI interface.

Conditions: This symptom has been observed on a Cisco 2620XM VoIP Gateway (MGCP) with Cisco IOS Release 12.4(2)T1 and a BRI Backhauled MGCP Gateway controlled by Cisco CallManager release 4.1(3)SR1.

Workaround: There is no workaround.

CSCsc25745

Symptoms: In rare circumstances, an SNA Switch (SNASw) may get a "half session" towards the backup DLUS: the output of the show snasw session local command shows in the session details that there is a CONWINNER but no CONLOSER. On the mainframe side, the link appears to hang.

This creates no problem in operation, except when issuing a GiveBack command or a Takeover command, in which case, the link towards the backup DLUS does not work.

Conditions: This symptom has been observed on a Cisco 7200 router with an SNASw.

Workaround: The situation can be cleared by entering the snasw stop session pcid command, using the PCID that is shown in the output of the show snasw session local command.

CSCsc40912

Symptoms: SNA Switch (SNASw) routers experience a software-forced crash. The following message is seen in the log:

validblock_diagnose, code = 1

Conditions: This symptom has been observed after issuing an inact giveback command at VTAM directed at the router:

V NET,INACT,ID=dlurname,GIVEBACK,FINAL=YES

where dlurname is the router CP name.

This symptom occurs during VTAM VARY INACT GIVEBACK processing. This is a regression problem caused by CSCsb11554 so it is only applicable if running Cisco IOS after Cisco IOS interim Release 12.3(15.8), Release 12.4(2.11) and Release 12.4(2.11)T.

Workaround: There is no workaround.

CSCuk59798

Symptoms: The router crashes on removal of a Virtual-TokenRing subinterface. The router also crashes on removal of a main Virtual-TokenRing interface when that main interface also has subinterfaces configured.

Conditions: This symptom has been observed under the following conditions:

1. Create a main Virtual-TokenRing interface.

2. Create a Virtual-TokenRing subinterface on the interface created in step 1.

3. Remove either the Virtual-TokenRing main interface created in step 1, or the Virtual-TokenRing subinterface created in step 2.

Workaround: There is no workaround.

Wide-Area Networking

CSCed52110

Symptoms: IP header compression does not function for FR PVC-Bundles.

Conditions: This symptom is observed when IP header compression is configured for Frame Relay PVC bundles.

Workaround: There is no workaround.

CSCee85138

Symptoms: A SegV exception crash may occur on a Cisco router that is configured for voice calls.

Conditions: This symptom is observed on a Cisco 2600 series that runs Cisco IOS Release 12.3(6a) or Release 12.3(9) but may not be platform-dependent.

Workaround: There is no workaround.

CSCeg62022

Symptoms: A DSL stops responding to ISDN calls (no response to SETUP messages). An "L3_GetUser_NLCB returned NULL" Q931 debug message may be generated for each failed call.

Conditions: This symptom is observed intermittently on a Cisco router.

Workaround: There is no workaround.

CSCeh49616

Symptoms: Incoming MPLS packets with IETF Frame Relay encapsulation are process-switched.

Conditions: This symptom is observed only on a Cisco 7200 series.

Workaround: Do not configure IETF Frame Relay encapsulation. Rather, configure Cisco Frame Relay encapsulation.

CSCei11919

Symptoms: A dialed circuit that carries a PPP connection over a tunnel between an LNS and a LAC is not dropped when the tunnel is reset.

Conditions: This symptom is observed when you enter the clear vpdn all command, when the LNS reloads, when the IP link between the LNS and LAC is disrupted, or when any other event occurs that causes the tunnel to be reset.

Workaround: There is no workaround.

CSCei13743

Symptoms: An outgoing Basic Rate Interface (BRI) call fails to activate the layer 1.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that includes the fix for caveat CSCsa66756. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsa66756. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

CSCei21549

Symptoms: A Cisco AS5850 reloads when an RLM group is unconfigured.

Conditions: This symptom is observed when you enter the no isdn rlm-group number command and when there are more than 31 NFAS members in the same NFAS group.

Workaround: Shut the primary interface, remove the NFAS members of the same NFAS group, and unconfigure the RLM group.

CSCei88594

Symptoms: A router that is configured for Frame Relay crashes and generates the following error message:

%ALIGN-1-FATAL: Illegal access to a low address
addr=0x68, pc=0x621D6C50 , ra=0x621D8214 , sp=0x649990A8

Conditions: This symptom is observed on a Cisco router that has Frame Relay end-to-end fragmentation configured on an interface and hardware compression on a PVC.

Workaround: Configure map-class fragmentation with Frame Relay traffic-shaping instead of interface level fragmentation.

CSCei94893

Symptoms: AToM PVCs on an MFR interface that has keepalives disabled do not pass traffic after the router is rebooted.

Conditions: This symptom is observed on a Cisco 12000 series that runs Cisco IOS Release 12.0S.

Workaround: Enable LMI keepalives.

CSCsa73159

Symptoms: No final billing record is made for a call.

Conditions: This symptom is observed when a call is made using a Two B-Channel Transfer (TBCT) TCL script in the following scenario:

The Telco switch signals the TBCT call with a special FACILITY message.

A call leg is created between point A and point B, and another call leg is created between point C and point D.

TBCT connects point A to point D to release the TDM resources.

A billing start record is made for each call leg.

When the final call between point A and point D is released and a NOTIFY message is received, no final billing record is made for this call.

Workaround: There is no workaround.

CSCsb26163

Symptoms: Tracebacks are generated in the "isdn_carrier_timeout" function during a dialout test.

Conditions: This symptom is observed only when the dialer order round-robin command is enabled.

Workaround: Try a different dialer order such as last successful or sequential to prevent the tracebacks from being generated.

CSCsb58447

Symptoms: In a VPDN callback configuration, a callback call is successfully initiated and connected. However, when IPCP is successfully negotiated, the LNS receives an LCP CONFREQ message, causing the established PPP session to be disconnected and LCP to renegotiate again. This situation repeats itself continuously and may cause sporadic IP connectivity. Eventually, the call is cleared completely because the tunnel is disconnected by the LAC.

The output of the debug ppp negotiation command on the LAC shows that the LAC never finishes the PPP LCP negotiation with the client during the callback call. This situation causes the LAC to disconnect the tunnel.

Conditions: This symptom is observed on a Cisco 3660. However, the symptom is platform-independent.

Workaround: Enter the no ppp lcp fast-start command on the relevant asynchronous interfaces on the LAC.

CSCsb83459

Symptoms: A router may reload when many PPPoE sessions are being initiated while memory availability is low or when many PPPoE sessions are being initiated and terminated.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.3(12.5) or a later release, interim Release 12.3(12.4)T or a later release, or any release of Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCsc07033

Symptoms: The status of an ATM VC becomes "INAC" after DBS QoS RADIUS attributes are applied.

Conditions: If the specified DBS QoS RADIUS attributes exceed the usable line bandwidth of an ATM link, the status of the VC to which they are applied becomes "INAC".

Workaround: Do not specify DBS QoS RADIUS attributes (atm:peak-cell-rate, atm:sustainable-cell-rate) that exceed the usable line bandwidth (149760 for an OC3 ATM link).

CSCsc25964

Symptoms: A PPPoE client router does not honor the ip mtu settings configured on the PPPoE Dialer interface when the IP MTU is different from the interface MTU.

Fragmentation of IP packets larger than the configured IP MTU will not happen which can create problems in a PPPoE environment.

Conditions: This symptom occurs whenever a virtual-access interface is cloned from the dialer interface, and the encapsulation could be PPPoE, multilink, or PPPoA.

Workaround: Configure the interface mtu command to the required value.

CSCsc33439

Symptoms: A virtual-access interface fails to come up after you have configured virtual templates.

Conditions: This symptom is observed on a Cisco router that is configured for MFR.

Workaround: There is no workaround.

CSCsc34911

Symptoms: After applying a RADIUS DBS UBR QoS to an ATM virtual circuit (VC), the QoS becomes QoS VBR, with an SCR of 1, instead of QoS UBR.

Conditions: This symptom has been observed when specifying a RADIUS DBS QoS UBR and applying it to an ATM VC.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(16a)

Cisco IOS Release 12.3(16a) is a rebuild release for Cisco IOS Release 12.3(16). The caveats in this section are resolved in Cisco IOS Release 12.3(16a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsa83644

Symptoms: A Cisco MC3810 that is configured for LLQ drops packets from the priority queue and these drops are not accounted for in the output of the show policy-map interface output command.

Conditions: This symptom is observed on a Cisco MC3810 that runs Cisco IOS interim Release 12.3(14.7).

Workaround: There is no workaround.

Miscellaneous

CSCsb84354

Symptoms: A memory leak occurs when a midcall INVITE fails media negotiation for an incoming "200". Eventually, this leak causes memory fragmentation and causes the platform to reload.

Conditions: This symptom is observed on a Cisco AS5850 gateway that runs Cisco IOS Release 12.3(14)T3 but may also occur in Release 12.4 and Release 12.4T. The symptom occurs when the gateway sends a "a=T38MaxBitRate:7200" and when the other side responds incorrectly with a "a=T38MaxBitRate:14400". The gateway functions properly by failing media negotiation but the incorrect SDP data is released, causing the leak.

Workaround: There is no workaround.

CSCsc02825

Symptoms: In Cisco IOS software that is running the Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP), the router could reload while trying to access a bad virtual address.

Conditions: This symptom may be observed when LDP is being used. It is not observed with TDP. It may happen when LDP receives a protocol message larger than 512 bytes right after receiving several Label Mapping messages smaller than 25 bytes. This problem is likely to be accompanied by the following error message:

Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0xD0D0D0D

The above error message may be preceded by one of the following four error messages:

%ALIGN-1-FATAL: Corrupted program counter 19:45:07 CET Mon Sep 26 2005
pc=0xD0D0D0D, ra=0x61164128, sp=0x64879B98

%TDP-3-BAD_PIE: peer x.x.x.x; unknown pie type 0x11E

%TDP-3-UNEXPECTED_PIE: peer x.x.x.x unexpected pie type 0x0

%TDP-3-PTCLREAD: peer x.xx.x0, read failure

This problem may be seen in releases that include the fix for CSCeg74562 but do not have the fix associated with this defect.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(16)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(16). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(16). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCed71593

Symptoms: When the radius-server retransmit 1 command is enabled on a NAS, the number of retransmit counts for a transaction with MS-IAS is more than the expected value.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS interim Release 12.3(7.4).

Workaround: There is no workaround.

CSCeh33492

Symptoms: A router may generate a %HAL-1-INITFAIL error message and may crash when you insert a PA-MC-STM-1MM port adapter via an OIR.

Conditions: This symptom is observed on a Cisco 7200 series.

Workaround: There is no workaround.

CSCeh33531

Symptoms: A traceback is generated when you successfully insert a PA-MC-STM-1MM port adapter via an OIR.

Conditions: This symptom is observed on a Cisco 7200 series.

Workaround: There is no workaround.

CSCeh65692

Symptoms: Spurious memory access errors and tracebacks may be generated on a Cisco AS5800.

Conditions: This symptom is observed on a Cisco AS5800 that processes TCPclear calls.

Workaround: There is no workaround.

CSCeh82694

Symptoms: A router crashes when an snmpwalk is performed on the ifTable.

Conditions: This symptom is observed when an interface that is registered for high capacity (HC) counters deregisters directly.

Workaround: Disable SNMP or do not poll the ifTable through SNMP.

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

CSCin92442

Symptoms: You may not be able to establish an outbound Telnet connection on a router, nor may you be able to establish a reverse Telnet connection into a modem from the router console.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4 or interim Release 12.4(2.2)T but may also occur in Release 12.3.

Workaround: There is no workaround.

CSCsa92212

Symptoms: A Path Echo Service Assurance Agent (SAA) operation misses hops.

Conditions: This symptom is observed when you perform a Path Echo SAA operation from a Cisco router that runs Cisco IOS Release 12.3.

Workaround: There is no workaround. Note that the symptom does not occur in Release 12.2.

CSCsa92394

Symptoms: A router may crash while loading the image for a secondary RSP from a disk during the boot process.

Conditions: This symptom is observed on a Cisco 7500 series that is configured with redundant RSPs when the hw-module slot slot-number image disk0: image command is configured.

Workaround: There is no workaround.

CSCsb27960

Symptoms: When the local method is used at the beginning of a PPP authentication method list and when a user does not exist in the local database, failover to the next method in the method list does not occur. This situation prevents users that are listed in the database of a RADIUS or TACACS+ server from being authenticated.

Conditions: This symptom is observed on a Cisco router that is configured for AAA.

Workaround: Temporarily remove the local method from the beginning of the method list.

Interfaces and Bridging

CSCef49896

Symptoms: Packets that enter an interface that is configured for IP may not be switched via dCEF.

Conditions: This symptom is observed on a Cisco 7500 series.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

Alternate Workaround: If many interfaces are affected, reload all port adapters by entering the microcode reload command on the control plane of the RSP.

CSCef82084

Symptoms: Spurious memory accesses occur on a Cisco 7200 series and ALIGN-3-SPURIOUS error messages are generated.

Conditions: This symptom is observed after you have configured a new MLP interface and a new EBGP neighbor.

Workaround: There is no workaround.

CSCei25164

Symptoms: A Cisco 7xxx series router may crash because of a bus error exception and may report a CPUHOG message when you perform an OIR of an ATM PA-A3 or ATM PA-A6 port adapter.

Conditions: This symptom is observed on a Cisco 7xxx series router that runs Cisco IOS Release 12.3 when PVC auto-provisioning is enabled on the ATM PA-A3 or ATM PA-A6 port adapter and when many PPP sessions are in transition.

Workaround: There is no workaround.

CSCin77104

Symptoms: Packet forwarding fails when the Ethertype is configured to 0x9100.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.3(9.7)T when you enter the dot1q tunneling ethertype 0x9100 command. The symptom could also occur in Release 12.3 or Release 12.4.

Workaround: There is no workaround.

CSCsa83897

Symptoms: A channelized T3 port adapter cannot detect C-bit errors and does not shut down after continuous C-bit errors.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a channelized T3 port adapter.

Workaround: There is no workaround.

CSCsa87986

Symptoms: A router may intermittently transmit corrupt PPP packets. When you enter the debug ppp nego and debug ppp errors commands, it appears that "protocol reject" packets are received from the remote end.

Conditions: This symptom is observed on a Cisco 7500 series that has only one OC3 POS port adaptor per VIP and that is configured for PPP encapsulation.

Workaround: There is no workaround.

CSCsb04481

Symptoms: CEF may fail and the following error message is generated:

Interface Serial0/0:63 changed state to down
%CT3-3-LOVEFAIL: CT3-SW-PA-0/0: failed to send T3 line state change love letter
%AMDP2_FE-5-LATECOLL: Ethernet0/0 transmit error

Conditions: This symptom is observed on a Cisco 7500 series that is configured with a channelized T3 port adapter.

Workaround: There is no workaround.

CSCsb53847

Symptoms: After an upgrade to Cisco IOS Release 12.3(15) and a router reload, the Path Payload Label Mismatch (PPLM) Packet-over-SONET (POS) alarm is reported on the upgraded router and PRDI is reported on the remote end of the POS link.

Conditions: This symptom has been observed with Cisco IOS Release 12.3(15) on Cisco 7xxx routers after a router reload.

Workaround: On the Cisco 7xxx router where PRDI is reported on the POS interface, change the configured C2 byte to any value other than the current value and then change it back to the original value. The PPLM alarm is cleared and, after a few seconds, PRDI clears too.

After a reload, this symptom will be present again and the workaround will have to be performed again.

IP Routing Protocols

CSCef21601

Symptoms: Calls may not complete because ResvConfirm messages are dropped. You can enter the debug ip rsvp messages command to track RSVP messages as they traverse routers.

Conditions: This symptom is observed when RSVP is configured for call admission control in a network with routers that do not have RSVP and a proxy ARP enabled. The symptom occurs because the RSVP-capable hop that sends the ResvConfirm messages uses the next RSVP-capable hop as the next IP hop for the packets and does not have the MAC address that is needed to encapsulate the IP packets for this next IP hop.

Workaround: Configure a static ARP entry that enables the router to properly encapsulate the packet by entering the arp ip-address hardware-address arpa command. The ip-address argument is the address of the next hop (that is visible via the RSVP debugs) for the ResvConfirm messages and the hardware-address argument is the MAC address of the interface of the next IP hop through which the ResvConfirm messages should be routed.

CSCeh37200

Symptoms: A router crashes when PIM is enabled on a VIF interface.

Conditions: This symptom is observed on a Cisco 7500 series but may be platform-independent.

Workaround: There is no workaround.

CSCeh47763

Symptoms: A Cisco router may erroneously send ACK packets in response to RST packets for non-local TCP sessions. This can cause high CPU utilization on the router.

Conditions: This symptom occurs when using Port Address Translation (PAT).

Workaround: Use the clear ip nat translation * command.

CSCeh53906

Symptoms: A stale non-bestpath multipath remains in the RIB after the path information changes, and BGP does not consider the stale path part of the multipath.

Conditions: This symptom is observed on a Cisco router that has the soft-reconfiguration inbound command enabled and occurs only when the BGP Multipath Loadsharing feature is enabled for three or more paths, that is, the number-of-paths argument of the maximum-paths number-of-paths command has a value of three or more.

Workaround: Disable the soft-reconfiguration inbound command for the neighbor sessions for which the BGP Multipath Loadsharing feature is enabled or reduce the maximum number of paths for the BGP Multipath Loadsharing feature to two.

CSCin65241

Symptoms: IS-IS redistribute commands are not synchronized to the standby RP. The routes that depend on these commands fail after a switchover.

Conditions: This symptom is observed on a Cisco 7500 series but is platform-independent.

Workaround: There is no workaround.

CSCsa75512

Symptoms: A crash that is related to OSPF flooding may occur on a Cisco router that is configured for OSPF and MPLS traffic engineering.

Conditions: This symptom is observed when 1600 OSPF interfaces are configured in an OSPF area that is also configured for MPLS traffic engineering and when OSPF interfaces and OSPF adjacencies flap. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCef16096. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: Reduce the number of OSPF interfaces in the OSPF area to 300 or less. You can check the number of OSPF interfaces by entering the show ip ospf or show ip ospf interface interface-type interface-number brief command. Note that all interfaces that are covered by network statements are counted.

CSCsb13988

Symptoms: A router that is configured for NAT may crash because of a bus error.

Conditions: This symptom is observed on a Cisco 7206VXR that runs Cisco IOS Release 12.3(9a) but is not platform-specific. The crash occurs while NAT attempts to translate an IP address in an H.323 RAS message that does not contain an IP address.

Workaround: Disable H.323 RAS in NAT by entering the no ip nat service ras command. If you must use H.323 RAS in NAT, there is no workaround.

ISO CLNS

CSCeh41328

Symptoms: IPv6 routes that are learned from other IPv6 routers are not installed in the RIB.

Conditions: This symptom is observed on a Cisco router that is configured for Multi-topology IS-IS in transition mode. This symptom does not occur when the router is configured for Multi-topology IS-IS without the transition mode.

Workaround: Use the default IS-IS metric on the interfaces that are configured for IPv6 IS-IS.

CSCsa90719

Symptoms: A router running Cisco IOS software reloads unexpectedly when the no passive-interface command is issued under the router isis configuration.

Conditions: This symptom has been observed when the interface is configured to run IS-IS and is later changed to a passive interface.

Workaround: Disable ISIS on the interface before changing it to passive, using the no ip router isis interface command.

Miscellaneous

CSCed63564

Symptoms: The calling-station ID field of an access-request message that is sent to a RADIUS server may be corrupted; a character in the calling-station ID may be removed. For example, if the calling-station ID is "cisco.bookworm" or "cisco/bookworm", the calling-station ID that is sent in the access-request message is "ciscobookworm". This situation is not limited to a dot or a forward slash.

Conditions: This symptom is observed on a Cisco AS5400HPX that runs Cisco IOS Release 12.3(2) or a later release, or Release 12.3(4)T2.

Workaround: Try to avoid unusual characters such as a dot or a forward slash in a calling-station ID.

CSCee41831

Symptoms: A SegV exception may occur on a router when you enter the write memory or copy running-config startup-config command.

Conditions: This symptom is observed on a Cisco 1700 series and Cisco 2600 series when you enter the write memory or copy running-config startup-config command and when the NVRAM is corrupted.

Workaround: Erase the NVRAM and then enter the write memory or copy running-config startup-config command.

CSCee89537

Symptoms: NBAR classification fails for GRE output packets.

Conditions: This symptom is observed on a Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series that run Cisco IOS Release 12.3(8)T, that are configured for IPSec in GRE tunnel mode, and that have the ip nbar protocol-discovery command enabled. The symptom may also occur in other releases.

Workaround: There is no workaround.

Further Problem Description: The symptom occurs both with software and hardware encryption.

CSCef07167

Symptoms: A VIP may crash and generate tracebacks when you perform an OIR of the VIP.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for dLFI and MPLS VPN.

Workaround: There is no workaround.

CSCef08173

Symptoms: A VIP in which a PA-2FE port adapter is installed may reload because of memory corruption that is caused by a hardware issue of the PA-2FE port adapter.

Conditions: This symptom is observed when the VIP and port adapter function under stress, when the VIP is unable to serve memory read/write requests from the port adapter, and when there are PCI retry timeouts.

Workaround: There is no workaround.

CSCef82962

Symptoms: A call treatment plays only a busy tone instead of the audio file that is configured in the call treatment.

Conditions: This symptom is observed when call treatment is configured on a router that functions as a Cisco CallManager Express (CME) and when the call threshold is met.

Workaround: There is no workaround.

CSCeg02918

Symptoms: A Cisco router that is configured with an HTTP authentication proxy may reload because of a bus error.

Conditions: This symptom is observed on a Cisco router that runs a crypto image of Cisco IOS Release 12.3(9) or Release 12.3(10).

Workaround: Disable the HTTP authentication proxy. If this is not an option, there is no workaround.

CSCeg16631

Symptoms: When you enter the distribute-list interface command in a global RIP routing context and the interface that is specified in the command is a VRF interface, the command is rejected with the following error message:

% The interface is not in the same VRF as the process

Because the distribute-list interface command is not implemented in the IPv4 VRF address-family, there is no other way to filter networks received in updates via a VRF interface.

Conditions: This symptom is observed in all Cisco IOS releases that integrate the fix for CSCee32557. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCee32557. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: In a configuration that is mentioned above, to filter networks received in updates, enter the distribute-list extended-ACL-reference command in which the "source-part" of the extended ACL specifies the prefixes and the "destination part" matches on the IP address of the RIP neighbor.

CSCeg24422

Symptoms: Packet drops occur in the ingress direction on a dMLP or dMLFR link with traffic at 95-percent of the line rate and when the number of packets with a small size is high.

Conditions: This symptom is observed on a Cisco 7500 series that functions as a provider edge (PE) router, that is configured for L2TPv3 L3VPN, and that has dMLP or dMLFR links to a customer edge (CE) router.

Workaround: There is no workaround.

CSCeg26528

Symptoms: The performance of a router may be severely degraded (at approximately 90 percent of the line rate) when large packets are processed, when the MLP bundle link flaps, and when the router does not recover the MLP sequence numbers of the packets.

Conditions: This symptom is observed on a Cisco 7500 series and Cisco 7600 series that are configured for dMLP only when large packets are processed.

Workaround: There is no workaround.

CSCeg35786

Symptoms: 20 percent of received faxes fail. Faxes arrive either partially, as a compressed page, or as invalid TIFF files.

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.3(7)T when the T.37 Store and Forward Fax feature is configured and when the faxes are received by a mail server that is connected to the Cisco AS5850.

Workaround: There is no workaround.

CSCeg36362

Symptoms: A Cisco 7200 series that is configured with an NPE-G1 may reload unexpectedly because of a bus error.

Conditions: This symptom is observed when the Cisco 7200 series is configured for Fast Switching.

Workaround: There is no workaround.

CSCeg51272

Symptoms: A router may reload when you enter the show ip nbar protocol-discovery command.

Conditions: This symptom is observed when NBAR protocol discovery is enabled on a virtual-template interface.

Workaround: There is no workaround.

CSCeg52468

Symptoms: A Cisco router intermittently stops encrypting and forwarding packets, and the following error messages are generated:

%VPN_HW-1-PACKET_ERROR slot 0 Packet Encryption/Decryption error, Output Authentication error (0x20000000)

or

%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Invalid Packet

Conditions: This symptom is observed under rare circumstances on a Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series that are configured with an AIM-VPN-BPII, AIM-VPN/EPII, or AIM-VPN/HPII Virtual Private Network (VPN) encryption hardware advanced integration module (AIM). The symptom occurs after an IPSec SA rekeying.

Workaround: Use the appropriate AIM-VPN-BPII-Plus or AIM-VPN/EPII-Plus or AIM-VPN/HPII-Plus AIM.

Further Problem Description: HSP firmware version 2.3.1 was committed through CSCeg15422 to address the most common conditions that could result in PCI NULL writes that cause memory corruption. The fix for this caveat (CSCeg52468) implements HSP firmware version 2.3.2 to address additional conditions that could result in PCI NULL writes.

CSCeg71662

Symptoms: A Cisco 7301 may generate duplicate packets.

Conditions: This symptom is observed on the onboard Gigabit Ethernet interfaces and subinterfaces of the Cisco 7301.

Workaround: Enter the standby use-bia command on the physical interface.

CSCeg80842

Symptoms: The output of serial interfaces on a PA-MC-8TE1 may become stuck after several days of proper operation.

Conditions: This symptom is observed on a Cisco 7206VXR that runs Cisco IOS Release 12.3(10a) and that has MLP configured on the serial interfaces of the PA-MC-8TE1.

Temporary Workaround: Perform an OIR of the PA-MC-8TE1 or reload the router. This clears the symptom until it occurs again.

Further Problem Description: The symptom occurs during normal operation of the router. If many errors occur on the link, the symptom is more likely to occur.

CSCeg83460

Symptoms: Bidirectional PIM DF election does not occur correctly when a PIM neighbor expires.

Conditions: This symptom is observed when the PIM neighbor that expires is the designated forwarder (DF) for multiple RPs. The DF election is triggered only for the first RP on the list and does not occur for all the other RPs.

Workaround: Clear the state of the DF or toggle the interface state of the DF.

CSCeh08363

Symptoms: Bidirectional DTR does not function. The output of the show dialer command shows the incorrect dialer type.

Conditions: This symptom is observed on a Cisco 3660 that runs Cisco IOS interim Release 12.3(12.9)T.

Workaround: There is no workaround.

CSCeh17756

Symptoms: The PIM assert mechanism may not function properly, causing PE routers to remove VRF subinterfaces from output interface lists, and, in turn, causing multicast traffic to be dropped.

Conditions: This symptom is observed when redundant PE routers and CE routers are located on one LAN segment and when the CE routers select different PE routers as their next hop.

Workaround: Change the configuration in such a way that all CE routers on one LAN segment select the same PE router as their next hop.

CSCeh32332

Symptoms: RIP removes the interface information for an interface that has the ip unnumbered command enabled from the RIP database when another interface that has the transmit-interface command enabled goes down.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(12a).

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface that has the ip unnumbered command enabled.

CSCeh35457

Symptoms: A policy map may be removed from an ATM PVC range configuration without a check for an exact match of the policy map name. This situation may cause the wrong policy map to be removed from the ATM PVC range configuration.

Conditions: This symptom is observed when you enter the no service-policy output policy-map-name command on a subinterface that is administratively shut down. Any policy map that is attached to this subinterface may be deleted, regardless of whether the name of the policy map that is removed matches the name of the policy map that should be removed. The symptom occurs only in a PVC range configuration on ATM subinterfaces.

Workaround: There is no workaround.

CSCeh40161

Symptoms: When a branch router attempts to access the Internet via HTTP or TCP, the HTTP or TCP session times out unexpectedly.

Conditions: This symptom is observed when the router at the headquarters has a Cisco IOS Firewall and resets the HTTP or TCP connection.

Workaround: Configure a GRE+IPSec connection between the branch router and the router at the headquarters.

Alternate Workaround: Disable the Cisco IOS Firewall on the router at the headquarters.

CSCeh41272

Symptoms: After you perform an OIR of a PA-SRP-OC12 port adapter on a Cisco 7200 series, the router may not show any nodes in the SRP ring and may stop forwarding traffic.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(13) or Release 12.3(11)T3.

Workaround: There is no workaround.

CSCeh56358

Symptoms: Missing entries in an MPLS forwarding table cause a ping failure.

Conditions: This symptom is observed when the following events occur in an MPLS environment:

One router (router A) learns about a second router (router B) via a third router (router C) and router B has the no mpls ip global configuration command enabled. Between router A and router B, there is also an interface that is initially in the shutdown state and that has the mpls ip interface configuration command enabled.

The connection between router A and router C is dropped and the interface between router A and router B is brought up by entering the no shutdown interface configuration command.

The expected behavior is that router A learns about router B directly from router B and that router A updates its LFIB with "Untagged" as the outgoing label because router B has the no mpls ip global configuration command enabled. However, this does not occur: the LFIB of router A is not updated properly, causing incoming labeled packets on router A to be dropped.

Workaround: Enter the clear ip route network EXEC command on router A.

CSCeh73049

Symptoms: A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (TCL) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.

Conditions: Devices that are not running AAA command authorization feature, or do not support TCL functionality are not affected by this vulnerability.

This vulnerability is present in all versions of Cisco IOS that support the tclsh command.

Workaround: This advisory with appropriate workarounds is posted at

http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml

CSCeh78918

Symptoms: When a line card has reloaded because you reloaded the router, the line card crashed, or you entered a command to reload the line card, the following message may appear on the console:

%MDS-2-RP: MDFS is disabled on some line card(s). Use "show ip mds stats linecard" to view status and "clear ip mds linecard" to reset.

This message may be generated because MDFS is erroneously disabled on the reloaded line card. Erroneous disabling of MDFS may unnecessarily extend network convergence time.

Conditions: This symptom is observed on a distributed router or switch such as a Cisco Catalyst 6000 series, Cisco 7500 series, Cisco 7600 series, Cisco 10000 series, or Cisco 12000 series. The symptom occurs when the router has the ip multicast-routing distributed command enabled for any VRF and when a line card is reloaded more than 50 seconds into the 60-second MDFS flow-control period.

Workaround: The symptom corrects itself after 60 seconds. Alternatively, you can enter the clear ip mds linecard slot number command.

CSCeh91772

Symptoms: If an existing file is extended, an ATA file system may become corrupted. When this situation occurs, the output of the dir command or of a show command does not list the files because the files are corrupted.

Conditions: This symptom is observed when you enter any command that extends a file such as the show interfaces ethernet | append disk0:file command.

Workaround: Do not enter a command that extends a file.

CSCeh94557

Symptoms: When you reload a platform that generates calls and that is connected to a Cisco AS5400 or Cisco AS5850, some controllers fail to come up.

Conditions: This symptom is observed when a platform that generates digital calls and a platform that generates analog calls are connected via a Cisco AS5400 or Cisco AS5850.

Workaround: Reload the AS5400 or Cisco AS5850.

CSCei01321

Symptoms: You cannot bring up a serial interface of a channelized E1 or T1 port. The interface remains in the down/down state.

Conditions: This symptom is observed on a Cisco 3600 series.

Workaround: There is no workaround.

CSCei05553

Symptoms: A Modular QoS CLI (MQC) CoS marking disappears after you reload a router and QoS does not work.

Conditions: This symptom is observed on a Cisco router when the policy map is configured with a class using CoS marking via the set cos command. After the router has reloaded, the CoS marking is still present in the configuration but does not appear in the output of the show policy-map interface command.

Workaround: Remove and re-apply the service policy on the main interface.

CSCei08347

Symptoms: When you ping a Gigabit Ethernet (GE) interface on an NPE-G1 that has the ip pim sparse-mode or ip pim sparse-dense-mode command enabled, the ping fails.

Conditions: This symptom is observed on a Cisco 7200 series after you have entered the shutdown interface configuration command followed by the no shutdown interface configuration command on the GE interface of the NPE-G1.

Workaround: After you have shut down and brought up the GE interface, enter the no ip pim sparse-mode or no ip pim sparse-dense-mode command and then reconfigure the command.

CSCei08458

Symptoms: The FIB may be disabled or the output interface may be stuck on an A3 ATM port adapter.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for dLFIoATM.

Workaround: Reload the microcode or perform an OIR to recover the A3 ATM port adapter.

CSCei37015

Symptoms: A router that is configured to use RSA signature authentication and that deploys certificates during IKE phase 1 crashes when you boot the router with a new image.

Conditions: This symptom is observed on a Cisco 1721 when you boot the router with Cisco IOS Release 12.3(9d). However, the symptom is platform-independent. The crash occurs during the setup of the IKE SA.

Possible Workaround: Disable IKE before you reload the router with the new image.

CSCei62348

Symptoms: A Cisco 2691 crashes because of a bus error exception and alignment errors.

Conditions: This symptom is observed when SNMP passes invalid VLAN IDs to VTP.

Workaround: There is no workaround.

CSCei66542

Symptoms: SGBP AAA authentication fails in a large scale dial-in configuration.

Conditions: This symptom is observed when a bid is processed and an incorrect name is retrieved, causing an incorrect user name to be sent and the AAA authentication to fail.

Workaround: There is no workaround.

CSCin79522

Symptoms: A Cisco router that runs Cisco IOS Release 12.3T may reload when the ATM interfaces are swapped.

Conditions: This symptom is observed when an ATM IMA port adaptor is removed and a PA-A3 port adaptor is inserted in the same slot and when there is at least one PVC configured that has the inarp enabled. The symptom may also occur in Release 12.3 or Release 12.4.

Workaround: There is no workaround.

CSCin83881

Symptoms: A VIP may crash on a Cisco 7500 series that is configured for dMLP.

Conditions: This symptom is observed when MLP member links flap while traffic is being processed.

Workaround: There is no workaround.

CSCin88273

Symptoms: After an RPR+ or SSO switchover occurs, an MLP sequence number mismatch may occur, a ping between back-to-back interfaces may not go through, and the routing protocol through this link may go down.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for dMLP and RPR+ or SSO.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the multilink interface of the Cisco 7500 series.

CSCin90300

Symptoms: Controllers do not come up after you have manually configured the card type for a PA-VXC-2TE1+ port adapter.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS interim Release 12.4(0.6) but may also occur in Release 12.3.

Workaround: Reload the router to enable the controllers to come up.

CSCin91163

Symptoms: Packets may be dropped as reassembly drops on a distributed (dMLP) ingress interface that has interleaving configured.

Conditions: This symptom is observed on a PA-MC-STM-1 port adapter when more than two DS0 members are part of a dMLP bundle that is configured for interleaving.

Workaround: There is no workaround.

CSCin91267

Symptoms: You may not be able to bind interfaces to an uplink or downlink.

Conditions: This symptom is observed on a Cisco platform that is configured for SSG.

Workaround: There is no workaround.

CSCin91677

Symptoms: The Unavailable Seconds (UAS) that are displayed in the output of the show controllers serial slot/port command are incorrect. The display of the UAS starts only after 20 contiguous severely errored seconds (SES) instead of after 10 contiguous SES.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a PA-T3+ port adapter.

Workaround: There is no workaround.

CSCin93609

Symptoms: A Cisco 7200 series or Cisco 7500 series may crash when bridged PVCs are deleted and added to an IMA interface of a PA-A3-8T1IMA or PA-A3-8E1IMA port adapter.

Conditions: This symptom is observed when the router is configured for bridging across ATM IMA PVCs, when the PVCs carry traffic, and when a script runs that deletes and adds PVCs across the IMA links. These PVCs are not among the bridged PVCs that carry traffic. The router crashes in about one to two hours.

Workaround: There is no workaround.

CSCsa46484

Symptoms: A VIP or FlexWAN module in which a PA-POS-2OC3 port adaptor is installed may crash.

Conditions: This symptom is observed rarely and at random on a Cisco 7xxx series router or Cisco Catalyst 6000 series switch.

Workaround: There is no workaround.

CSCsa53117

Symptoms: Multi-Layer Switching (MLS) CEF may stop functioning when an interface status changes. Ping and connectivity problems may also occur.

Conditions: This symptom is observed on a Cisco Catalyst 6000 series switch and Cisco 7600 series when you shut down an interface or change VRF routes and as a result no other interfaces can be provisioned.

Temporary Workaround: Reload the supervisor engine.

CSCsa56901

Symptoms: Cisco Fax Relay calls both to and from computer-based fax devices fail. Calls to and from traditional fax machines work fine. Calls to and from computer-based fax devices via the PSTN instead of via a Cisco Fax Relay network work fine too.

Conditions: This symptom is observed on a Cisco 3700 series that is configured for Cisco Fax Relay and VoIP.

Workaround: There is no workaround.

CSCsa59000

Symptoms: A Cisco AS5850 reloads with an "unknown reload cause."

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.3(10) when you enter the following commands:

interface controller e1 1/17

no extsig mgcp

Workaround: There is no workaround.

CSCsa60026

Symptoms: Cell loss occurs on a single ATM link of a PA-A3-8T1IMA or PA-A3-8E1IMA port adapter.

Conditions: This symptom is observed on a Cisco 7500 series and Cisco 7200 series when one of the T1 or E1 member interfaces of an IMA group that is configured on a PA-A3-8T1IMA or PA-A3-8E1IMA port adapter is disconnected or when you enter the shutdown command on one of these T1 or E1 member interfaces. The symptom is not platform-specific and may also occur in other releases.

Workaround: There is no workaround.

CSCsa61523

Symptoms: The following error message is generated on a Cisco 7200 series that has Multilink PPP (MLP) configured on serial interfaces of a PA-MC-STM-1 port adapter:

%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=3, count=0

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(11)T3 only when MLP is configured on the serial interfaces. The symptom may also occur in Release 12.3 or 12.4.

Workaround: Unconfigure MLP on the serial interfaces.

CSCsa64278

Symptoms: The "CallID not found" error message is generated several times, followed by a call failure.

Conditions: This symptom is observed on a Cisco AS5300 that is configured for Tcl IVR.

Workaround: There is no workaround.

CSCsa72313

Symptoms: The following error messages may be generated on a router that has IP ACL enabled:

%SYS-2-INSCHED: suspend within scheduler
-Process= "<interrupt level>", ipl= 3
-Traceback= 40525388 40628848 4060AED4 403F15BC 403F34F8 403F37EC 400901C8 4008E730 406A0EEC 40621120

Conditions: This symptom is observed on a Cisco router such as a Cisco 7200 series, Cisco 7304, and Cisco 7500 series when a Turbo ACL compilation is configured along with an ACL on an ingress interface and when traffic passes through the ingress interface. The symptom does not affect the Cisco 10000 series.

Workaround: There is no workaround.

CSCsa74893

Symptoms: An SSH server crashes when an SSH client attempts to connect to it.

Conditions: This symptom is observed when the SSH server is configured to connect to a TACACS+ server for AAA authentication and when there is no TACACS+ server.

Workaround: Configure a valid AAA authentication service on the SSH server.

CSCsa77411

Symptoms: When a bandwidth change occurs, a router may crash because of a difficulty with traffic engineering link management.

Conditions: This symptom is observed on a Cisco router that integrates the fix for caveat CSCef16096 when the following conditions are present:

The router is configured for OSPF and MPLS traffic engineering (TE).

The interfaces, OSPF adjacencies, and TE tunnels flap.

There are more than 300 OSPF interfaces (in any state, including administratively down) in the OSPF area that is configured for MPLS TE.

You can check the number of interfaces by entering the show ip ospf or show ip ospf interface brief command. Note that all interfaces that are covered by network statements are included in the command output, even those that are in the administratively down state.

A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCef16096. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround.

CSCsa79580

Symptoms: A Cisco AS5300 that is configured with a call switching module (CSM) may generate tracebacks that are related to a B-channel IDB. This situation may cause 64-kbps digital calls to be answered by modems instead of via High-Level Data Link Control (HDLC).

Conditions: This symptom is observed on a Cisco AS5300 that runs Cisco IOS Release 12.3.

Workaround: There is no workaround.

CSCsa80223

Symptoms: The following error message may be generated on a Cisco router that is configured with a large number of interfaces:

Error adding idb to <listtype> idb list

In this error message, <listtype> can be a list name such as "macaddr".

Conditions: This symptom is observed on a Cisco router that is configured with a large number of interfaces.

Workaround: There is no workaround.

CSCsa82222

Symptoms: A Cisco router may reload because of a watchdog timeout in the SNMP engine process.

Conditions: This symptom is observed on a Cisco 3700 series that runs Cisco IOS Release 12.3(6a) when you query the ifStackStatus MIB object. The symptom occurs because the query enters an infinite loop. Note that the symptom may be platform-independent.

Workaround: Disable SNMP on the router.

CSCsa82886

Symptoms: A router crashes when you enter the tftp-server command.

Conditions: This symptom is observed when the filename argument of the tftp-server command has a length of more than 67 characters.

Workaround: Ensure that the length of the filename argument does not exceed 67 characters.

CSCsa86572

Symptoms: A large configuration in NVRAM on a primary or secondary RSP may become corrupted and the router may generate relevant warning messages during the execution of a copy system:running-config nvram: startup-config command.

When you erase NVRAM by entering the erase nvram command and then enter the copy system:running-config nvram: startup-config command, the router may crash.

Conditions: This symptom is observed on a Cisco 7500 series but is platform-independent.

Workaround: If the configuration file is significantly large, place a copy of the configuration file on a flash card or disk with ample space and enter the boot config slot0:startup-config command to force the startup configuration file to be read from the flash card.

When you enter the copy system:running-config nvram: startup-config command, the current running configuration is saved to the flash card or disk and the configuration is auto-synchronized to the corresponding flash card on the secondary RSP.

Caution: Do not remove the flash card while the boot config slot0:startup-config command is being executed.

CSCsa88145

Symptoms: In some scalability cases with a large number of tunnels, SVIs, or VLANs, FIB tracebacks occur after an SSO switchover.

Conditions: This symptom is observed because traceback recording for the general event log and the interface event log is on by default.

Workaround: There is no workaround. Note, however, that there is no functional impact.

Further Problem Description: The fix for this caveat turns off traceback recording for the general event log and the interface event log.

CSCsa93883

Symptoms: No error condition is detected when a properly structured IPv4 packet has an invalid version value in the IP header. For example, IPv4 packets that have a version value other than 4 are forwarded without an error.

Condition: This symptom is platform-independent and occurs under normal operating conditions.

Workaround: There is no workaround.

CSCsa94064

Symptoms: When the speed kbps argument of the channel-group channel-group-number timeslots range speed kbps controller configuration command is set to 64 kbps for a T1 channel group, the speed does not take effect and the T1 controller functions with the default speed of 56 kbps even though the output of the show running-config command shows that the controller is configured to function with 64 kbps.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS interim Release 12.3(11.7) or a later release, including Release 12.4, and that is configured with a T1 module.

Workaround: Select a channel-group number that is one number less than the timeslot range. For example, for a timeslot range of 10-22, select a channel-group number between 9-21 to enable the speed setting to function properly.

CSCsa97663

Symptoms: An ATM interface is unexpectedly removed from an IMA group even though the ATM interface is still in the up/up state, causing T1 links to be disconnected.

Conditions: This symptom is observed on a Cisco 2600 series when you change the Cisco IOS software from Release 12.2(13)T8 to Release 12.3(12b).

Workaround: Re-add the ATM interface to the IMA group by removing and reconfiguring the IMA configuration on the ATM interface.

CSCsb11124

The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.

Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.

Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

CSCsb01043

Symptoms: When a Turbo ACL classification table grows beyond a certain size, a memory allocation failure may occur or the router may crash.

If the router runs Cisco IOS Release 12.3, memory corruption may occur, causing the router to crash. If the router runs Cisco IOS Release 12.2S, an error message similar to the following may appear during a Turbo ACL compilation, the compilation will fail, and a recompilation is forced:

%SYS-2-CHUNKBADELESIZE: Chunk element size is more than 64k for TACL Block
-Process= "TurboACL", ipl= 0, pid= 82

These symptoms do not occur because of an out-of-memory condition.

Conditions: This symptom is observed on a Cisco router that is configured for Turbo ACL. The Cisco 10000 series is not affected.

Workaround: Monitor the output of the show access-lists compiled command and force the Turbo ACL tables to be cleared if a table is at risk of growing large enough to trigger the symptoms.

The tables that have significant sizes are the first and third tables shown next to "L1:" and the first table shown next to "L2:". When the number after the slash for one of these tables is greater than 16384 for the "L1" tables or greater than 32768 for the "L2" table, the table is already too large and the symptom may occur at any moment.

When the number is in the range from 10924 to 16384 inclusive for the "L1" tables or the range from 21846 to 32768 inclusive for the "L2" tables, the table size will be too large on the next expansion. An expansion occurs when the number to the left of the slash reaches 90 percent of the value to the right of the slash. When the value to the left of the slash approaches 90 percent of the value to the right, enter the no access-list compiled command followed by the access-list compiled command to disable and re-enable Turbo ACL. Doing so causes the tables to be cleared and therefore delays the expansion. This workaround may be impractical when there is a high rate of incoming packets and when entries are added frequently to the tables.

Alternative Workaround: Disable Turbo ACL by entering the no access-list compiled command.

Note that neither of these workarounds is supported on a Cisco 7304 that is configured with an NSE-100: there is no workaround for this platform.

CSCsb03192

Symptoms: When you change the NHRP mapping configuration, an incorrect NHRP cache entry and incorrect crypto socket entry may occur.

Conditions: This symptom is observed when you change the NHRP static mapping entry by entering the ip nhrp map command. The NHRP cache entry is not updated with the new mappings, causing the crypto socket entry to be incorrect.

Workaround: To change the NHRP static mapping configuration, remove the NHRP mapping entry by entering the no ip nhrp map command and then add the NHRP mapping entry by entering the ip nhrp map command.

CSCsb05381

Symptoms: MGCP BRI backhaul calls fail, and debugs for the call failure show the following information:

400 67 Voice call setup failed-Incoming-Outgoing call collision

//-1/xxxxxxxxxxxx/VTSP:():-1:-1:-1/vtsp_call_setup_request:

CALL_ERROR_INFORMATIONAL; Glare Occurred B-Channel=1, Call Id=9

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.4(1) but may also occur in Release 12.3 or Release 12.4T.

Workaround: There is no workaround.

CSCsb09190

Symptoms: A router is missing an entry in its label forwarding table, which can be seen in the output of the show tag-switching forwarding-table EXEC command for the missing entry and in the output of the show ip cef detail EXEC command for the prefix.

Conditions: This symptom is observed on a Cisco router that is configured for Multiprotocol Label Switching (MPLS) and that learns its routes through iBGP from redundant route reflectors (RRs) when BGP labeling is not enabled.

Workaround: There is no workaround. However, when you enter the clear ip route EXEC command for the affected prefix, the prefix is reinstalled in the label forwarding table.

CSCsb28315

Symptoms: The "tunnel protection malloc" process may cause a memory leak in the Crypto IKMP process.

Conditions: This symptom is observed on a Cisco platform that runs a crypto image and that functions as a spoke when the interface that connects to the hub flaps and receives a new IP address after the flap.

Workaround: There is no workaround.

CSCsb37645

Symptoms: A router may crash during a basic H.323 call with carrier ID routing.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(3.3).

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCeh54596

Symptoms: A router that is configured as an SSH client may hang.

Conditions: This symptom is observed when you attempt to make a connection to an SSH server by entering the ssh -l userid ip-addr command.

Workaround: There is no workaround.

Wide-Area Networking

CSCea75722

Symptoms: A Cisco IOS voice gateway may fail to receive a call from the public switched telephone network (PSTN) on its PRI port.

Conditions: This symptom is observed on a Cisco 2651XM that runs Cisco IOS Release 12.2(13)T3 or Release 12.3 and that functions as a voice gateway when it does not send a Q.931 Call Proceeding message upon receiving the call.

Workaround: There is no workaround.

CSCee85138

Symptoms: A SegV exception crash may occur on a Cisco router that is configured for voice calls.

Conditions: This symptom is observed on a Cisco 2600 series that runs Cisco IOS Release 12.3(6a) or Release 12.3(9) but may not be platform-dependent.

Workaround: There is no workaround.

CSCeg42148

Symptoms: Attempts to change a B-channel service state by entering the isdn service nfas-int number b_channel number {state {0 | 1 | 2} [hard | immediate | soft]} command appear to succeed but the service state does not change.

Conditions: This symptom is observed when a voice application uses a B-channel. The output of the show isdn service detail command shows a locale of ISDN_NEAR_END_APP.

Workaround: There is no workaround.

CSCeh11771

Symptoms: On a leased line (non-dialup) serial connection that is configured for PPP encapsulation, the line protocol may not come back up when the connection is reset. The PPP LCP remains in the closed state, even though the link is up physically.

Conditions: This symptom is observed when an active PPP session is reset and when the underlying link is not simultaneously reset, that is, when PPP goes down but when the link does not go down physically. This situation would occur, for example, when a PPP session is terminated because of keepalive failures.

Workaround: There is no workaround.

CSCeh11994

Symptoms: A reply of an LNS to a LAC may be delayed.

Conditions: This symptom is observed on a Cisco router that is configured as an LNS that has several tunnels to different LACs.

Workaround: There is no workaround.

CSCeh25440

Symptoms: InvARP packets on multiple MFR bundle interfaces may be dropped, causing traffic to fail after you have reloaded microcode onto a line card that processes a high load of traffic over many PVCs on MFR interfaces.

Conditions: This symptom is observed on a Cisco 12000 series that runs Cisco IOS Release 12.0(31)S when 42 MFR bundles are configured over 336 full T1s and when egress MQC is configured on the 42 MFR bundle interfaces. However, the symptom is not platform- and release-specific.

Workaround: There is no workaround.

CSCeh48987

Symptoms: The CEF-Dialer feature fails to add an adjacency for a Virtual-Access1 CEF interface.

Conditions: This symptom is observed during a test on a Cisco router that runs Cisco IOS interim Release 12.3(14.10).

Workaround: There is no workaround.

CSCeh56780

Symptoms: A router may crash when you enter the no interface atm command.

Conditions: This symptom is observed on a Cisco router while PPPoE sessions come up.

Workaround: First enter the shutdown command on the interface before you enter the no interface atm command.

CSCei19546

Symptoms: The output of the show ppp mppe {serial | virtual-access} [number] command does not show the current connection information.

Conditions: This symptom is observed when you check the MPPE negotiation status.

Workaround: There is no workaround.

CSCsa55747

Symptoms: The RADIUS L2TP-specific disconnect code value for the Ascend-Disconnect-Cause RADIUS attribute (195) is incorrectly generated as 607 instead of 605.

Conditions: This symptom is observed when an L2TP tunnel setup failure occurs between a LAC and an LNS.

Workaround: There is no workaround.

CSCsa66756

Symptoms: The B channel on an NFAS "none" group member may hang with its channel state set to PROPOSED, which you can see in the output of the show isdn service command.

Conditions: This symptom is observed when the first activity on an NFAS "none" member is an outgoing call. After the first incoming or outgoing call, the symptom no longer occurs.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(15b)

Cisco IOS Release 12.3(15b) is a rebuild release for Cisco IOS Release 12.3(15). The caveats in this section are resolved in Cisco IOS Release 12.3(15b) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCeh65692

Symptoms: Spurious memory access errors and tracebacks may be generated on a Cisco AS5800.

Condition: This symptom is observed on a Cisco AS5800 that processes TCPclear calls.

Workaround: There is no workaround.

CSCei61732

Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.

Cisco has made free software available that includes the additional integrity checks for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.

Miscellaneous

CSCsa97663

Symptoms: An ATM interface is unexpectedly removed from an IMA group even though the ATM interface is still in the up/up state, causing T1 links to be disconnected.

Conditions: This symptom is observed on a Cisco 2600 series when you change the Cisco IOS software from Release 12.2(13)T8 to Release 12.3(12b).

Workaround: Re-add the ATM interface to the IMA group by removing and reconfiguring the IMA configuration on the ATM interface.

CSCsb37645

Symptoms: A router may crash during a basic H.323 call with carrier ID routing.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(3.3).

Workaround: There is no workaround.

Wide-Area Networking

CSCsa55747

Symptoms: The RADIUS L2TP-specific disconnect code value for the Ascend-Disconnect-Cause RADIUS attribute (195) is incorrectly generated as 607 instead of 605.

Conditions: This symptom is observed when an L2TP tunnel setup failure occurs between a LAC and an LNS.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(15a)

Cisco IOS Release 12.3(15a) is a rebuild release for Cisco IOS Release 12.3(15). The caveats in this section are resolved in Cisco IOS Release 12.3(15a) but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsa78812

Symptoms: Login authentication fails without prompting for a password when an invalid user name is entered.

Conditions: This symptom has been observed when the "local" method is used for authentication and is followed by either "enable" or RADIUS/TACACS+ groups with servers that do not respond.

Workaround: If the login authentication method list is configured with "local" as one of the methods, it should be either the last method or should be followed by RADIUS/TACACS+ with servers that respond to the authentication request. Avoid configuring "enable" after "local".

CSCsb27960

Symptoms: When the local method is used at the beginning of a PPP authentication method list and when a user does not exist in the local database, failover to the next method in the method list does not occur. This situation prevents users that are listed in the database of a RADIUS or TACACS+ server from being authenticated.

Conditions: This symptom is observed on a Cisco router that is configured for AAA.

Workaround: Temporarily remove the local method from the beginning of the method list.

Interfaces and Bridging

CSCsa94002

Symptoms: A Cisco 7500 series router may experience an unexpected Versatile Interface Processor (VIP) restart.

Conditions: This symptom occurs when a Fast Ethernet interface installed in the VIP is configured for 802.1q trunking, there is a QoS service policy applied to one of the subinterfaces, and an untagged frame (i.e., on the native VLAN) needs to be sent from the router.

Workaround: Disable QoS on all 802.1q subinterfaces or do not configure a native VLAN.

IP Routing Protocols

CSCeh47763

Symptoms: A Cisco router may erroneously send ACK packets in response to RST packets for non-local TCP sessions. This can cause high CPU utilization on the router.

Conditions: This symptom occurs when using Port Address Translation (PAT).

Workaround: Use the clear ip nat translation * command.

CSCin65241

Symptoms: IS-IS redistribute commands are not synchronized to the standby RP. The routes that depend on these commands fail after a switchover.

Conditions: This symptom is observed on a Cisco 7500 series but is platform-independent.

Workaround: There is no workaround.

ISO CLNS

CSCsa72878

Symptoms: A Cisco router running IS-IS routing for CLNS might not populate the router's IS-IS database or routing table for a directly connected ES neighbor even if the CLNS adjacency comes up correctly.

Conditions: This symptom has been observed on routers with IS-IS configured for CLNS routing.

Workaround: Enter the clear isis command.

CSCsa90719

Symptoms: A router running Cisco IOS software reloads unexpectedly when the no passive-interface command is issued under the router isis configuration.

Conditions: This symptom has been observed when the interface is configured to run IS-IS and is later changed to a passive interface.

Workaround: Disable IS-IS on the interface before changing it to passive by using the no ip router isis interface command.

Miscellaneous

CSCec32603

Symptoms: If the ima-group command and the interface atm 0/ima group-number command were configured and saved, the ima-group command cannot be properly removed from the ATM interface after the router reloads. The router rejects the no ima-group command with the console message "config in process please re-enter command". If an attempt is made to remove the mode atm [aim] command from the E1 controller and unconfigure the IMA interface, the router crashes.

Conditions: This symptom has been observed when an IMA group is created using the ATM interface from the WIC slot with AIM-ATM.

Workaround: Configure a valid IP address under the ATM interface from the WIC.

CSCee41831

Symptoms: A SegV exception may occur on a router when you enter the write memory or copy running-config startup-config command.

Conditions: This symptom is observed on a Cisco 1700 series and Cisco 2600 series when you enter the write memory or copy running-config startup-config command and when the NVRAM is corrupted.

Workaround: Erase the NVRAM and then enter the write memory or copy running-config startup-config command.

CSCeg17954

Symptoms: Data MDT message drops are seen at the socket level.

Conditions: This symptom has been observed when a large number of data MDTs are signaled at the same time.

Workaround: There is no workaround.

CSCeh58163

Symptoms: Late collisions are seen on the Ethernet 0 interface of a WIC-1ENET even though it is configured as full duplex. The following messages are displayed:

Mar 30 13:43:27: %PQUICC_ETHER-5-LATECOLL: Unit 0, late collision error
Mar 30 13:45:41: %PQUICC_ETHER-5-LATECOLL: Unit 0, late collision error
Mar 30 13:46:18: %PQUICC_ETHER-5-LATECOLL: Unit 0, late collision error
Mar 30 13:51:55: %PQUICC_ETHER-5-LATECOLL: Unit 0, late collision error
Mar 30 13:57:40: %PQUICC_ETHER-5-LATECOLL: Unit 0, late collision error

Conditions: The symptom has been seen only after a router is reloaded with a cable disconnected.

Workaround: Enter a shutdown command followed by a no shutdown command or enter a clear interface command.

CSCei05553

Symptoms: A Modular QoS CLI (MQC) CoS marking disappears after you reload a router and QoS does not work.

Conditions: This symptom is observed on a Cisco 1721 that runs Cisco IOS Release 12.3(14)T4 and that is configured with MQC class-based weighted fair queueing (CBWFQ). The policy map is configured with a class using CoS marking via the set cos command. After the router has reloaded, the CoS marking is still present in the configuration but does not appear in the output of the show policy-map interface command.

Workaround: Remove and re-apply the service policy on the main interface.

CSCei08458

Symptoms: The FIB may be disabled or the output interface may be stuck on an A3 ATM port adapter.

Conditions: This symptom is observed on a Cisco 7500 series that is configured for dLFIoATM.

Workaround: Reload the microcode or perform an OIR to recover the A3 ATM port adapter.

CSCsa63913

Symptoms: Dial-out fails on Cisco NM-16AM(-V2) and Cisco NM-30DM modems when a WIC-AM is also in the router.

Conditions: This symptom has been observed on a Cisco 3800 series router with a WIC-AM installed.

Workaround: Remove the WIC-AM temporarily.

CSCsa64278

Symptoms: The "CallID not found" error message is generated several times, followed by a call failure.

Conditions: This symptom is observed on a Cisco AS5300 that is configured for Tcl IVR.

Workaround: There is no workaround.

CSCsa82172

Symptoms: Calls are unsuccessful to a Cisco MGCP Gateway.

Conditions: Under high call volume, the Cisco MGCP trunking gateway sends 400 <TransID> Call Setup Failed in response to a CRCX.

Workaround: There is no workaround.

CSCsb01043

Symptoms: When a Turbo ACL classification table grows beyond a certain size, a memory allocation failure may occur or the router may crash.

If the router runs Cisco IOS Release 12.3, memory corruption may occur, causing the router to crash. If the router runs Cisco IOS Release 12.2S, an error message similar to the following may appear during a Turbo ACL compilation, the compilation will fail, and a recompilation is forced:

%SYS-2-CHUNKBADELESIZE: Chunk element size is more than 64k for TACL Block
-Process= "TurboACL", ipl= 0, pid= 82

These symptoms do not occur because of an out-of-memory condition.

Conditions: This symptom is observed on a Cisco router that is configured for Turbo ACL. The Cisco 10000 series is not affected.

Workaround: Monitor the output of the show access-lists compiled command and force the Turbo ACL tables to be cleared if a table is at risk of growing large enough to trigger the symptoms.

The tables that have significant sizes are the first and third tables shown next to "L1:" and the first table shown next to "L2:". When the number after the slash for one of these tables is greater than 16384 for the "L1" tables or greater than 32768 for the "L2" table, the table is already too large and the symptom may occur at any moment.

When the number is in the range from 10924 to 16384 inclusive for the "L1" tables or the range from 21846 to 32768 inclusive for the "L2" tables, the table size will be too large on the next expansion. An expansion occurs when the number to the left of the slash reaches 90 percent of the value to the right of the slash. When the value to the left of the slash approaches 90 percent of the value to the right, enter the no access-list compiled command followed by the access-list compiled command to disable and re-enable Turbo ACL. Doing so causes the tables to be cleared and therefore delays the expansion. This workaround may be impractical when there is a high rate of incoming packets and when entries are added frequently to the tables.

Alternative Workaround: Disable Turbo ACL by entering the no access-list compiled command.

Note that neither of these workarounds is supported on a Cisco 7304 that is configured with an NSE-100: there is no workaround for this platform.

CSCsb09190

Symptoms: A router is missing an entry in its label forwarding table, which can be seen in the output of the show tag-switching forwarding-table EXEC command for the missing entry and in the output of the show ip cef detail EXEC command for the prefix.

Conditions: This symptom is observed on a Cisco router that is configured for Multiprotocol Label Switching (MPLS) and that learns its routes through iBGP from redundant route reflectors (RRs) when BGP labeling is not enabled.

Workaround: There is no workaround. However, when you enter the clear ip route EXEC command for the affected prefix, the prefix is reinstalled in the label forwarding table.

TCP/IP Host-Mode Services

CSCeh54596

Symptoms: A router that is configured as an SSH client may hang.

Conditions: This symptom is observed when you attempt to make a connection to an SSH server by entering the ssh -l userid ip-addr command.

Workaround: There is no workaround.

Wide-Area Networking

CSCeh11994

Symptoms: A reply of an LNS to a LAC may be delayed.

Conditions: This symptom is observed on a Cisco router that is configured as an LNS that has several tunnels to different LACs.

Workaround: There is no workaround.

CSCeh48987

Symptoms: The CEF-Dialer feature fails to add an adjacency for a Virtual-Access1 CEF interface.

Conditions: This symptom is observed during a test on a Cisco router that runs Cisco IOS interim Release 12.3(14.10).

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.3(15)

This section describes possibly unexpected behavior by Cisco IOS Release 12.3(15). All the caveats listed in this section are resolved in Cisco IOS Release 12.3(15). This section describes severity 1 and 2 caveats and select severity 3 caveats.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Access Server

CSCeb41363

Symptoms: Handset calls may intermittently be reported with values in RADIUS accounting attribute 77, 197, and 255.

Conditions: This symptom is observed on a Cisco AS5800.

Workaround: There is no workaround.

Basic System Services

CSCds33629

Symptoms: Closing an existing Telnet session may cause a router to crash.

Conditions: This symptom is platform-independent.

Workaround: There is no workaround.

CSCed44414

Symptoms: When the slave RSP crashes, a QAERROR is observed in the master console, resulting in a cbus complex. The cbus complex will reload all the VIPs in the router.

Conditions: This symptom happens when the slave crashes in a period when there is a large number of packets going towards the RSP. A large number of packets go to the RSP when CEF switching is configured or when routing protocol updates are numerous.

Workaround: There is no workaround.

CSCed71593

Symptoms: When the radius-server retransmit 1 command is enabled on a NAS, the number of retransmit counts for a transaction with MS-IAS is more than the expected value.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS interim Release 12.3(7.4).

Workaround: There is no workaround.

CSCef84254

Symptoms: When the ATM Software Segmentation and Reassembly (SAR) feature is enabled, OAM drops may occur, which may cause PVCs to go down.

Conditions: This symptom is observed on a Cisco 2600 series and Cisco MC3810 that have ATM PVCs that are configured for any type of ATM QoS (VBR-nrt, UBR, UBR+, and so on) and that have VCs that function at less than the line rate.

Workaround: Configure a VC (with any QoS type) to function at the line rate.

Possible Alternate Workaround: Remove the OAM configuration.

CSCeg41120

Symptoms: The configuration of the snmp-server host command overrides an existing entry.

Conditions: This symptom is observed when the snmp-server host command is used in conjunction with port numbers. When you configure multiple host entries with the same host address but with different port numbers, the existing entries are overridden.

Workaround: Do not configure multiple host entries with the same host address but with different port numbers.

CSCeg41734

Symptoms: The console of a router may stop responding and the router may stop forwarding traffic.

Conditions: This symptom is observed on a Cisco 7206VXR that runs Cisco IOS Release 12.3(6b) and that is configured with an NPE-G1 when the native Gigabit Ethernet interfaces of the NPE-G1 are used. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCeg52893

Symptoms: Several tty lines may become stuck in the "Carrier Dropped" modem state. You can verify this situation by entering the show line line-number EXEC command for an individual line. However, when you enter the show line EXEC command (that is, you do not enter a value for the line-number argument), the output shows that the same tty lines are active (that is, they are in the "*" state):

......
I   2/47 Digital modem - DialIn - - -   7   0   0/0   - Idle
I   2/48 Digital modem - DialIn - - -   7   0   0/0   - Idle
*   2/49 Digital modem - DialIn - - -   5   0   0/0   - Carrier Dropped
I   2/50 Digital modem - DialIn - - -   7   0   0/0   - Idle
I   2/51 Digital modem - DialIn - - -  13   0   0/0   - Idle
I   2/52 Digital modem - DialIn - - -  10   0   0/0   - Idle
......

In addition, neither the output of the show users EXEC command nor the output of the show caller EXEC command shows a user or caller name, or they show an incorrect user or caller name. The output of the show caller EXEC command does show that the service is "TTY."

Conditions: These symptoms are observed on a Cisco AS5400 that is configured for modem dialin with PPP and EXEC connectivity and for login authentication via a TACACS+ server.

Workaround: To clear the stuck line, enter the clear port slot/port EXEC command.

CSCeg64124

Symptoms: The operation result of an IP SLA jitter probe shows a high packet MIA that is equal to the jitter's number of packets minus one. In the responder router, the responder debug message shows many error packets.

Conditions: This symptom is observed when multiple jitter probes (either from the same router or from different routers) are configured to send packets to the same destination IP address and the same destination port number and when the responder is turned off for a short time and turned on again.

Workaround: To prevent the symptom from occurring, configure the jitter probe to use a unique destination port number.

Alternate Workaround: If the symptom has occurred, turn off the responder by entering the no rtr responder global configuration command, wait until all jitter probes report "No connection," and then turn on the responder by entering the rtr responder global configuration command.

CSCeh04755

Symptoms: When you reload a router by entering the reload command, the router may unexpectedly enter the ROMmon mode and generate the following error message:

%SYS-5-RELOAD: Reload requested by console.
Reload Reason:Reload command.
monitor: command "boot" aborted due to user interrupt
rommon 1 >

Conditions: This symptom is observed only on a Cisco 7200 that is configured with an NPE-G1 and on a Cisco UBR7246VXR that is configured with a UBR-NPE-G1.

Workaround: Enter the confreg 0x2002 command.

CSCsa53912

Symptoms: You cannot log on when a TACACS+ server is used for authentication. You get a message that authentication fails and you are asked again to enter your user name.

Conditions: This symptom is observed when you make a Telnet connection to a router that is configured for TACACS+ after you have entered your user name and your TACACS password.

Workaround: Configure the TACACS+ single connection option by entering the tacacs-server host host-name single-connection command.

IBM Connectivity

CSCeg78046

Symptoms: A router that is configured for BSTUN and BIP may generate an "%ALIGN-3-SPURIOUS" memory access error message.

Conditions: This symptom is observed when you change the BSTUN BIP configuration on an interface that is processing traffic.

Workaround: Shut down the interface that is configured for BSTUN and BIP before you make any configuration changes.

CSCeh18295

Symptoms: DLSw circuits do not connect.

Conditions: This symptom is observed when DLSw Ethernet redundancy is configured via the dlsw transparent switch-support command.

Workaround: Recycle DLSw on the master router.

Further Problem Description: The output of the show dlsw transparent cache command shows the NEGATIVE state for the circuits on the master router although no actual circuits exist on either the master router or the slave router.

CSCsa45750

Symptoms: DLSw circuits are established over the same peer connection when there are multiple remote peer connections to the same remote MAC address.

Conditions: This symptom is observed when DLSw load-balancing is configured and when there are multiple peers that have the dlsw icanreach mac-address mac-addr command enabled with the same remote MAC address for the mac-addr argument.

Workaround: Bounce the DLSw peer connection either by entering the dlsw disable command or by removing and reconfiguring the DLSw remote peer statement.

Further Problem Description: You can verify that the symptom occurs when the output of the show dlsw reachability command does not show the remote peer with the MAC address displayed as UNCONFIRMED or FOUND.

Interfaces and Bridging

CSCef01220

Symptoms: A Versatile Interface Processor (VIP) with a PA-MC-8TE1 port adapter may report its memory size as unknown even though the VIP appears to function normally, and Distributed Multicast Fast Switching (DMFS) may fail to function properly.

Conditions: This symptom is observed on a Cisco 7500 series when any of the following conditions are present:

The mode of the controller of the PA-MC-8TE1 port adapter is not set to T1 or E1 and you insert or remove another VIP with any port adapter via an OIR.

Irrespective of whether or not the mode of the controller of the PA-MC-8TE1 port adapter is set to T1 or E1, you insert or remove a standby RSP via an OIR.

Workaround: Enter the card type {t1 | e1} slot [bay] command on the PA-MC-8TE1+ port adapter and ensure that none of the controllers on this port adapter are shut down.

CSCef23253

Symptoms: When you activate a serial interface on a PA-MC-8TE1+ port adapter that is installed in a VIP, dCEF may be disabled on the slot in which the PA is installed (in this example, in slot 3) and the following error message is generated:

%FIB-3-FIBDISABLE: Fatal error, slot 3: IPC Failure: timeout

The output of the show controller vip 3 logging command may time out, indicating problems with IPC.

The failure may cause additional error messages or may cause the VIP to reset, affecting all port adapters that are installed in the VIP.

Conditions: This symptom is observed on a Cisco 7500 series with a faulty PA-MC-8TE1+ port adapter that is installed in a VIP.

Workaround: There is no workaround. The fix for this caveat eases the detection of a faulty port adapter (see below).

Further Problem Description: The fix for this caveat will detect and shut down a faulty port adapter so that the VIP and the other port adapters in the VIP are not affected. The error message that is added by the fix is the following:

%VIP2 R5K-1-MSG: slot3 PA BAD - disabling the PA in bay 1

This message indicates that the PA-MC-8TE1+ in bay 1 is faulty and must be replaced.

CSCeg17576

Symptoms: Traffic loss may occur when you enter the ip multicast-routing and ip pim commands on an Ethernet interface that is already configured for Xconnect.

Conditions: This symptom is observed only on a Cisco 7200 series and Cisco 7500 series.

Workaround: To enable Xconnect traffic to resume, unconfigure and reconfigure the Xconnect statement on the Ethernet interface.

CSCeg73645

Symptoms: A Versatile Interface Processor 2-50 (VIP2-50) crashes because of a Cybus error with DMA receive errors.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.1 and that is configured with a PA-2FE that is installed in a VIP2-50. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCeh10624

Symptoms: A Cisco 7206VXR may reload unexpectedly because of a bus error.

Conditions: This symptom is observed on a Cisco 7206VXR that runs Cisco IOS Release 12.3(10a) and that is configured with an NPE-G1 and a couple of PA-MC-8TE1+ port adapters. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCeh17935

Symptoms: When you perform an OIR of an ATM port adapter, tracebacks are generated.

Conditions: This symptom is observed on a Cisco 7200 series when the ATM port adapter is up and has a VC configured.

Workaround: There is no workaround.

CSCeh43864

Symptoms: The line protocol on the POS interface of a PA-POS-OC3 port adapter flaps continuously.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS interim Release 12.3(14.10) but may also occur in other releases.

Workaround: There is no workaround.

CSCin67809

Symptoms: CEF, dCEF, and fast-switching counters are not accurate on outbound serial E1 or T1 interfaces.

Conditions: This symptom is observed on a Cisco 7200 series when CEF, dCEF, and fast-switching are enabled on a serial E1 or T1 interface.

Workaround: There is no workaround.

CSCin86455

Symptoms: Auto-provisioning may be disabled on a Cisco 7200 series that is configured with a PA-A3 port adapter.

Conditions: This symptom is observed when a VC class that is configured for create on-demand is attached to the main ATM interface and then the create on-demand configuration is removed and re-applied to the VC class.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the ATM interface of the PA-A3 port adapter.

CSCin86673

Symptoms: A VC may become stuck and stop transmitting traffic.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a PA-A3 or PA-A6 port adapter when there is a high traffic load and when the QoS class of the VC is changed.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface that contains the affected VC.

CSCsa46510

Symptoms: When you enter the microcode reload command, an error message similar to the following and a traceback may be generated:

RSP-3-RESTART: interface Serial3/0/1/4:0, not transmitting -Traceback= 404436B4 4044DE10

Conditions: This symptom is observed on a Cisco 7500 that is configured with an E1, T1, E3, or T3 port adapter.

Workaround: There is no workaround.

CSCsa83897

Symptoms: A channelized T3 port adapter cannot detect C-bit errors and does not shut down after continuous C-bit errors.

Conditions: This symptom is observed on a Cisco 7200 series that is configured with a channelized T3 port adapter.

Workaround: There is no workaround.

CSCsa83907

Symptoms: Layer-1 alarm handling does not meet the ANSI T1.231 standard on a PA-A3-T3 interface. The PA-A3-T3 port adapter does not provide a soaking time to declare and clear near-end failures such as LOS, LOF, and AIS. Also, PA-A3-T3 interfaces do not properly handle P-bit and C-bit errors and do not bring down the controller when the threshold is reached for such errors.

Conditions: These symptoms are observed on a Cisco 7200 series that is configured with a PA-A3-T3 port adapter.

Workaround: There is no workaround.

IP Routing Protocols

CSCef60452

Symptoms: A router may stop receiving multicast traffic.

Conditions: This symptom is observed rarely during convergence when a router receives a Join message on an RPF interface and when a downstream router converges faster than the first router that receives the Join message.

In this situation, the router does not populate the RPF interface into the OIL (that is, the OIL remains null) because the old SP-tree has already been pruned by the downstream router. When the RPF interface of the router changes to the new path later, it does not trigger a Join message toward the multicast source until the router receives a next periodic Join message from the downstream router and populates the OIL. As a result, multicast traffic stops temporarily but no longer than the periodic Join message interval.

Workaround: There is no workaround.

CSCef60659

A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).

These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:

1. Attacks that use ICMP "hard" error messages

2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks

3. Attacks that use ICMP "source quench" messages

Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.

Multiple Cisco products are affected by the attacks described in this Internet draft.

Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.

The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.cpni.gov.uk/docs/re-20050412-00303.pdf.
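As an added illustration that is not part of Cisco's advisory or of any IOS code, the following Python classifier maps ICMPv4 error messages onto the three attack classes listed above and extracts the TCP connection that the error quotes, so a defender can drop errors that do not match a connection the host actually has. The packet builder, all addresses and ports, and the "known connections" filter are constructed for this example and are not Cisco's fix.

```python
import struct

ICMP_UNREACH, ICMP_SOURCE_QUENCH = 3, 4                    # ICMPv4 types
UNREACH_CLASSES = {2: "hard-error", 3: "hard-error", 4: "pmtud"}  # codes 2/3: hard errors, 4: frag needed + DF

def ip4(s):
    return bytes(int(x) for x in s.split("."))

def parse_ipv4(buf):
    """Return (src, dst, protocol, header length) of a raw IPv4 header."""
    src, dst = (".".join(str(b) for b in buf[i:i + 4]) for i in (12, 16))
    return src, dst, buf[9], (buf[0] & 0x0F) * 4

def build_icmp_error(itype, code, src, dst, conn, seq, mtu=0):
    """Construct an IPv4/ICMP error datagram quoting a TCP segment (constructed test input, not a capture)."""
    isrc, sport, idst, dport = conn
    inner = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0]) + ip4(isrc) + ip4(idst)
    inner += struct.pack("!HHI", sport, dport, seq)        # first 8 bytes of the TCP header
    icmp = bytes([itype, code, 0, 0]) + struct.pack("!HH", 0, mtu) + inner
    outer = bytes([0x45, 0]) + struct.pack("!H", 20 + len(icmp))
    outer += bytes([0, 0, 0, 0, 64, 1, 0, 0]) + ip4(src) + ip4(dst)
    return outer + icmp

def classify_icmp(packet):
    """Map an ICMP error to one of the advisory's attack classes, or None if it is not one of them."""
    src, _, proto, ihl = parse_ipv4(packet)
    if proto != 1:
        return None
    icmp = packet[ihl:]
    itype, code = icmp[0], icmp[1]
    if itype == ICMP_SOURCE_QUENCH:
        kind = "source-quench"
    elif itype == ICMP_UNREACH and code in UNREACH_CLASSES:
        kind = UNREACH_CLASSES[code]
    else:
        return None
    # An ICMP error quotes the offending datagram: its IP header plus 8 bytes of its payload
    isrc, idst, iproto, iihl = parse_ipv4(icmp[8:])
    if iproto != 6:
        return None                                        # only TCP sessions are in scope
    sport, dport, seq = struct.unpack("!HHI", icmp[8 + iihl:8 + iihl + 8])
    msg = {"class": kind, "from": src, "conn": (isrc, sport, idst, dport), "seq": seq}
    if kind == "pmtud":
        msg["mtu"] = struct.unpack("!H", icmp[6:8])[0]
    return msg

def is_suspect(msg, known_conns):
    """Defender check (constructed here): an error quoting a connection this host does not have is forged or stale."""
    return msg is not None and msg["conn"] not in known_conns
```

The quoted 4-tuple is the first thing a receiving TCP can verify; an error whose quoted connection does not exist locally should be ignored rather than acted upon.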

CSCef85199

Symptoms: A router may crash when there is a continuous flow of traffic and the entire mroute table is cleared, either via the clear ip mroute * command or by unconfiguring multicast.

Conditions: This symptom is observed during a test on a Cisco router that is configured with a Network Service Engine 100 (NSE-100) when there is a continuous flow of traffic and the entire mroute table is cleared via the clear ip mroute * command or by unconfiguring multicast. The crash was seen only on a Cisco router with an NSE-100.

Workaround: There is no workaround.

CSCef93215

Symptoms: A router that is configured for OSPF may reload une