Table Of Contents
Caveats for Cisco IOS Release 12.3T
Resolved Caveats—Cisco IOS Release 12.3(14)T7
Resolved Caveats—Cisco IOS Release 12.3(14)T6
Resolved Caveats—Cisco IOS Release 12.3(14)T5
Resolved Caveats—Cisco IOS Release 12.3(14)T4
Resolved Caveats—Cisco IOS Release 12.3(14)T3
Resolved Caveats—Cisco IOS Release 12.3(14)T2
Resolved Caveats—Cisco IOS Release 12.3(14)T1
Open Caveats—Cisco IOS Release 12.3(14)T
Resolved Caveats—Cisco IOS Release 12.3(14)T
Resolved Caveats—Cisco IOS Release 12.3(11)T12
Resolved Caveats—Cisco IOS Release 12.3(11)T11
Resolved Caveats—Cisco IOS Release 12.3(11)T10
Resolved Caveats—Cisco IOS Release 12.3(11)T9
Resolved Caveats—Cisco IOS Release 12.3(11)T8
Resolved Caveats—Cisco IOS Release 12.3(11)T7
Resolved Caveats—Cisco IOS Release 12.3(11)T6
Resolved Caveats—Cisco IOS Release 12.3(11)T5
Resolved Caveats—Cisco IOS Release 12.3(11)T4
Resolved Caveats—Cisco IOS Release 12.3(11)T3
Resolved Caveats—Cisco IOS Release 12.3(11)T2
Resolved Caveats—Cisco IOS Release 12.3(11)T
Resolved Caveats—Cisco IOS Release 12.3(8)T11
Resolved Caveats—Cisco IOS Release 12.3(8)T10
Resolved Caveats—Cisco IOS Release 12.3(8)T9
Resolved Caveats—Cisco IOS Release 12.3(8)T8
Resolved Caveats—Cisco IOS Release 12.3(8)T7
Resolved Caveats—Cisco IOS Release 12.3(8)T6
Resolved Caveats—Cisco IOS Release 12.3(8)T5
Resolved Caveats—Cisco IOS Release 12.3(8)T4
Resolved Caveats—Cisco IOS Release 12.3(8)T3
Resolved Caveats—Cisco IOS Release 12.3(8)T1
Resolved Caveats—Cisco IOS Release 12.3(8)T
Resolved Caveats—Cisco IOS Release 12.3(7)T12
Resolved Caveats—Cisco IOS Release 12.3(7)T11
Resolved Caveats—Cisco IOS Release 12.3(7)T10
Resolved Caveats—Cisco IOS Release 12.3(7)T9
Resolved Caveats—Cisco IOS Release 12.3(7)T8
Resolved Caveats—Cisco IOS Release 12.3(7)T7
Resolved Caveats—Cisco IOS Release 12.3(7)T6
Resolved Caveats—Cisco IOS Release 12.3(7)T4
Resolved Caveats—Cisco IOS Release 12.3(7)T3
Resolved Caveats—Cisco IOS Release 12.3(7)T2
Resolved Caveats—Cisco IOS Release 12.3(7)T1
Resolved Caveats—Cisco IOS Release 12.3(7)T
Resolved Caveats—Cisco IOS Release 12.3(4)T11
Resolved Caveats—Cisco IOS Release 12.3(4)T10
Resolved Caveats—Cisco IOS Release 12.3(4)T9
Resolved Caveats—Cisco IOS Release 12.3(4)T8
Resolved Caveats—Cisco IOS Release 12.3(4)T7
Resolved Caveats—Cisco IOS Release 12.3(4)T6
Resolved Caveats—Cisco IOS Release 12.3(4)T4
Resolved Caveats—Cisco IOS Release 12.3(4)T3
Resolved Caveats—Cisco IOS Release 12.3(4)T2
Resolved Caveats—Cisco IOS Release 12.3(4)T1
Resolved Caveats—Cisco IOS Release 12.3(4)T
Resolved Caveats—Cisco IOS Release 12.3(2)T9
Resolved Caveats—Cisco IOS Release 12.3(2)T8
Resolved Caveats—Cisco IOS Release 12.3(2)T7
Resolved Caveats—Cisco IOS Release 12.3(2)T6
Resolved Caveats—Cisco IOS Release 12.3(2)T5
Resolved Caveats—Cisco IOS Release 12.3(2)T4
Resolved Caveats—Cisco IOS Release 12.3(2)T3
Resolved Caveats—Cisco IOS Release 12.3(2)T2
Resolved Caveats—Cisco IOS Release 12.3(2)T1
Resolved Caveats—Cisco IOS Release 12.3(2)T
Obtaining Documentation, Obtaining Support, and Security Guidelines
Caveats for Cisco IOS Release 12.3T
September 24, 2008
Cisco IOS Release 12.3(14)T7
Text Part Number: OL-4748-06 Rev. J1
This document lists severity 1 and 2 caveats and select severity 3 caveats for Cisco IOS Release 12.3T, up to and including Release 12.3(14)T7. Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in this section.
Because Cisco IOS Release 12.3T is based on Cisco IOS Release 12.3, many caveats that apply to Cisco IOS Release 12.3 also apply to Cisco IOS Release 12.3T. For information on severity 1 and 2 caveats in Cisco IOS Release 12.3, see the Caveats for Cisco IOS Release 12.3 document located on Cisco.com.
How to Use This Document
This document describes open and resolved severity 1 and 2 caveats and select severity 3 caveats:
• The "Open Caveats" section lists open caveats that apply to the current release and may apply to previous releases.
• The "Resolved Caveats" sections list caveats resolved in a particular release, but open in previous releases.
Within the sections the caveats are sorted by technology in alphabetical order. For example, AppleTalk caveats are listed separately from, and before, IP caveats. The caveats are also sorted alphanumerically by caveat number.
The Dictionary of Internetworking Terms and Acronyms contains definitions of acronyms that are not defined in this document:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.htm
If You Need More Information
Cisco IOS software documentation can be found on the web through Cisco.com. For information on Cisco.com, see the "Obtaining Documentation, Obtaining Support, and Security Guidelines" section.
For more information on caveats and features in Cisco IOS Release 12.3T, refer to the following sources:
• Dictionary of Internetworking Terms and Acronyms—The Dictionary of Internetworking Terms and Acronyms contains definitions of acronyms that are not defined in this caveats document.
• Bug Toolkit—If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Service & Support: Software Center > Cisco IOS Software > BUG TOOLKIT. Another option is to go to http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl. (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)
• Release Notes for Cisco IOS Release 12.3T—These release notes describe new features and significant software components for Cisco IOS software Release 12.3T.
• Deferral Advisories and Software Advisories for Cisco IOS Software—Deferral Advisories and Software Advisories for Cisco IOS Software provides information about caveats that are related to deferred software images for Cisco IOS releases. If you have an account on Cisco.com, you can access Deferral Advisories and Software Advisories for Cisco IOS Software at http://www.cisco.com/public/sw-center/sw-ios-advisories.shtml.
• What's New for IOS—What's New for IOS lists recently posted Cisco IOS software releases and software releases that have been removed from Cisco.com. If you have an account on Cisco.com, you can access What's New for IOS at http://www.cisco.com/public/sw-center/sw-ios.shtml or by logging into Cisco.com and selecting Technical Support > Software Center > Products and Downloads > Cisco IOS Software.
Note
Release notes are modified only on an as-needed basis. The maintenance release number and the revision date represent the last time the release notes were modified to include new or updated information. For example, release notes are modified whenever any of the following items change: software or hardware features, feature sets, memory requirements, software deferrals for the platform, microcode or modem code, or related documents.
The most recent release notes when this caveats document was published were Release Notes for Cisco IOS Release 12.3T, for Cisco IOS Release 12.3(14)T on April 17, 2007.
Resolved Caveats—Cisco IOS Release 12.3(14)T7
Cisco IOS Release 12.3(14)T7 is a rebuild release for Cisco IOS Release 12.3(14)T. The caveats in this section are resolved in Cisco IOS Release 12.3(14)T7 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
• Symptoms—A description of what is observed when the caveat occurs.
• Conditions—The conditions under which the caveat has been known to occur.
• Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCek27271
Symptoms: The IP SLA test packets returned by the IP SLA responder for the UDP jitter operation have a ToS value of 0 instead of the value configured for the operation. Because of this, two IP SLA UDP jitter operations between the same source and responder routers that differ only in their ToS configuration will report the same round-trip time even though the expected values are different.
Conditions: This symptom has been observed on routers configured with an IP SLA User Datagram Protocol (UDP) jitter operation that uses microsecond precision and has a ToS value configured.
Workaround: There is no workaround.
Interfaces and Bridging
•
CSCei68284
Symptoms: POS interfaces may remain in the up/down state after the router has been reloaded.
Conditions: This symptom is observed on a Cisco Catalyst 6500 series, Cisco 7500 series, and Cisco 7600 series.
Workaround: Reload the FlexWAN or VIP in which the POS port adapter is installed.
IP Routing Protocols
•
CSCek10384
Symptoms: A Cisco 7200 router that is performing NAT could drop IPSec packets.
Conditions: This symptom is observed on a Cisco 7200 router that is performing NAT functionality for IPSec transit packets. The router will NAT and forward the Inside to Outside IPSec (ESP) packets, but might drop the return IPSec packets from Outside to Inside.
Workaround: Disable NAT for IPSec.
Miscellaneous
•
CSCeh08363
Symptoms: Bidirectional DTR does not function. The output of the show dialer command shows the incorrect dialer type.
Conditions: This symptom is observed on a Cisco 3660 that runs Cisco IOS interim Release 12.3(12.9)T.
Workaround: There is no workaround.
•
CSCeh30975
Symptoms: The FXSLS voice port is stuck in an on-hook state, and the digital signal processor (DSP) is not released.
Condition: This symptom occurs when the FXSLS user stays offhook at the end of the call after Cisco IOS software sends a Howler tone to the FXSLS port.
Workaround: There is no workaround.
•
CSCej87817
Symptoms: Policing does not drop any packets after the packets are sent or received at a rate that is much higher than the committed information rate (CIR).
Conditions: This symptom is observed on a Cisco 7500 series router but is not platform dependent.
Workaround: There is no workaround.
•
CSCsa63173
Symptoms: CEF may not be updated with a new path label that is received from the BGP peer.
If a router configured for BGP IPv4+labels multipath receives a BGP update that only changes the MPLS label for a non-bestpath multipath, the router fails to update the forwarding plane. This results in dropping or mis-branding the traffic.
Conditions: In an IPv4+labels multipath setup, if a label is changed for the non-bestpath multipath and that is the only change in the new update received from the neighbor, the new label will not be programmed in forwarding, hence there will be label inconsistency between the BGP and the forwarding tables.
Workaround: There is no workaround.
•
CSCsa86572
Symptoms: A large configuration in NVRAM on a primary or secondary RSP may become corrupted and the router may generate relevant warning messages during the execution of a copy system:running-config nvram: startup-config command.
When you erase NVRAM by entering the erase nvram command and then enter the copy system:running-config nvram: startup-config command, the router may crash.
Conditions: This symptom is observed on a Cisco 7500 series but is platform-independent.
Workaround: If the configuration file is significantly large, place a copy of the configuration file on a flash card or disk with ample space and enter the boot config slot0:startup-config command to force the startup configuration file to be read from the flash card.
When you enter the copy system:running-config nvram: startup-config command, the current running configuration is saved to the flash card or disk and the configuration is auto-synchronized to the corresponding flash card on the secondary RSP.
Caution: Do not remove the flash card while the boot config slot0:startup-config command is being executed.
•
CSCsb52900
Symptoms: An inconsistency may occur in the outlabel information that is used by BGP and MPLS forwarding.
Conditions: This symptom is observed when there are two route reflectors (RRs) that advertise the same route and when one of the routes is the best path. The symptom occurs when the following conditions are present:
– The PE router that is the source restarts, causing the prefix to be readvertised with a new label.
– The RR that forms the non-best path delays the withdrawal and readvertisement of the prefix, for example, because the RR has a heavy load.
This situation causes BGP to function with the new label but MPLS forwarding to function with the old label.
Workaround: Enter the clear ip route network command for the affected prefix.
•
CSCsb76671
Symptoms: Intermittent one-way audio (PSTN hears dead air) occurs on inbound ISDN calls through a Cisco VoIP AS5850 gateway.
Conditions: This symptom has been observed to occur with inbound ISDN calls with outbound SIP calls towards a Cisco MeetingPlace server. Numerous calls that are transferred via SIP REFER contribute to the gateway getting into this state.
Workaround: There is no workaround to prevent the gateway from getting into this state. Once in this state, reloading the gateway will help clear this condition for a while.
•
CSCsc12098
Symptoms: The fix for busyout slot on the Cisco AS5400 platform causes build issues.
Conditions: This symptom is observed on a Cisco AS5400 platform.
Workaround: There is no workaround.
•
CSCsc20149
Symptoms: When you enter the show voice call status command five to six times in quick succession, the CPU use of a Cisco AS5850 reaches 99 percent. The Cisco AS5850 thereafter becomes very unstable in accepting incoming calls. This situation can be highly service-impacting under stress conditions.
Conditions: This symptom is observed on a Cisco AS5850 that is running a special image of Cisco IOS Release 12.3(11)T6 and occurs only when there are more than 900 H.323 voice calls.
Workaround: Do not enter the show voice call status command in a stress situation.
•
CSCsc40236
Symptoms: Incorrect outgoing labels are installed for BGP-IPv4 Multipath prefixes.
Conditions: This symptom has been observed anytime that a label changes from a BGP-IPv4 Multipath peer.
Workaround: Clearing the BGP neighbor should allow the correct labels to be installed.
•
CSCsc80670
Symptoms: The on-board FastEthernet 0/0 results in state "FastEthernet0/0 is up, line protocol is down" after a reload, power-up or a shutdown and no shutdown operation. This is verified when the FastEthernet 0/0 is connected to Telsey and Pirelli Media Converters in series.
This symptom is not present if the Cisco 1718 and Cisco 2950 routers are connected directly, without any media converters in between. This symptom may not be present using a media converter from other vendors.
Conditions: This symptom has been observed connecting the on-board port of a Cisco 17xx router running Cisco IOS Release 12.3(11)T to Telsey and Pirelli Media Converters in series, like:
1718(fa0/0)--Telsey MC ----------- Pirelli MC--(fa 0/1)2950
This symptom has also been observed with Cisco IOS Release 12.4(5), which is the latest available image for this platform.
Workaround: Replace the media converter with one from another vendor.
•
CSCsc94359
Symptoms: The BGP table and CEF forwarding table may have mismatched labels for prefixes that are learned from a remote PE router.
Conditions: This symptom is observed on a Cisco router that functions as a PE router when an eBGP session flap or route flap occurs on the remote PE router. A new label for the prefix is learnt from the remote PE router, but forwarding may not be updated properly.
Workaround: There is no workaround. When the symptom has occurred, and to correct the situation, enter the clear ip route vrf vrf-name network command on the PE router that has mismatched labels.
•
CSCsd30244
Symptoms: The router crashes on busyout of a CT3 card.
Conditions: This symptom has been observed only after the router is booted with no T1 configuration on the T3 controller.
Workaround: There is no workaround.
•
CSCsd39519
Symptoms: The Media Gateway Control Protocol (MGCP) gateway hangs when getting voice calls from either the IP or the PSTN side in which a leg of the call is on a BRI Voice Interface Card (VIC). The gateway stops responding and does not process any traffic. The only way to bring the router back is to power-cycle it.
Conditions: This problem can be seen for every call over a BRI VIC/WIC if the router is running Cisco IOS Release 12.4(4)T1 or later releases, but it is not seen when the router is running Cisco IOS Release 12.4(4)T.
Workaround: For an MGCP gateway with BRI interfaces, do not use a Cisco IOS release later than Cisco IOS Release 12.4(4)T.
•
CSCsd40334
Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile IPv6. IPv6 is not enabled by default in Cisco IOS.
Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and which version of Cisco IOS is currently in use.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
•
CSCsd58220
Symptoms: The callee's phone rings continuously even after the caller goes on-hook.
Conditions: When the caller goes on-hook, the gateway receives idle and does not recognize the idle. The call does not get disconnected and the callee keeps hearing the ringing tone continuously.
Workaround: The callee has to pick up the phone for the call to be dropped.
•
CSCsd58381
Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. This vulnerability does not affect the IPv6 Type 2 Routing header, which is used in Mobile IPv6. IPv6 is not enabled by default in Cisco IOS.
Cisco has made free software available to address this vulnerability for affected customers.
There are workarounds available to mitigate the effects of the vulnerability. The workaround depends on whether Mobile IPv6 is used and which version of Cisco IOS is currently in use.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
Wide-Area Networking
•
CSCeg77994
Symptoms: A LAC does not send an Accounting-Start RADIUS record to a RADIUS server for a user session.
Conditions: This symptom is observed on a Cisco platform that functions as a LAC and that runs Cisco IOS Release 12.3(14)T1 when a switchover occurs from one LNS to another LNS while the user session is brought up.
Workaround: There is no workaround.
•
CSCei00766
Symptoms: A router may crash when the encapsulation is set to PPP and removed repeatedly.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3 or Release 12.4 and that is configured for PPP Link Control Protocol (LCP).
Workaround: There is no workaround.
•
CSCsc17673
Symptoms: Using the show caller full or show caller interface Virtual-Access XX full commands on a PPPoE client interface causes the router to unexpectedly reload.
Conditions: This symptom has been observed on routers using Cisco IOS Release 12.4(3.3) and later versions.
Workaround: Avoid using those commands.
•
CSCsc66612
Symptoms: A Cisco router configured for Virtual Private Dialup Network (VPDN) may unexpectedly reload with Bus Error.
Conditions: This symptom was observed on a Cisco 7200VXR series router equipped with an NPE-G1 processor card running Cisco IOS Release 12.3(14)T3.
Workaround: There is no workaround.
Further Problem Description: The crash was preceded by "SYS-2-INPUT_GETBUF: Bad getbuffer" error messages.
Resolved Caveats—Cisco IOS Release 12.3(14)T6
Cisco IOS Release 12.3(14)T6 is a rebuild release for Cisco IOS Release 12.3(14)T. The caveats in this section are resolved in Cisco IOS Release 12.3(14)T6 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
• Symptoms—A description of what is observed when the caveat occurs.
• Conditions—The conditions under which the caveat has been known to occur.
• Workaround—Solutions, if available, to counteract the caveat.
IP Routing Protocols
•
CSCeh95427
Symptoms: Ping/Telnet may fail across a Network Address Translation (NAT) box when static NAT configuration is on.
Conditions: This symptom is observed with Cisco IOS Releases 12.4(3) and 12.4(4)T.
Workaround: There is no workaround.
•
CSCei93982
Symptoms: A router that is running Cisco IOS may crash unexpectedly.
Conditions: NAT must be enabled for this symptom to occur. The problem is seen when an application uses two well-known ports: one for source and the other for destination. The outgoing translation is created, but on the return trip, using the previous source port as the destination, NAT may use the incorrect algorithm.
For example, if a PPTP session is initiated to the well-known port 1723 from source port 21 (FTP), then the outgoing packet will create an FTP translation (NAT looks at the source information when going from inside to outside). When the packet is returned, NAT again looks at the source information to determine what kind of packet this is. In this case the source port will be 1723, and NAT will assume this is a PPTP packet. NAT will then try to perform PPTP NAT operations on a data structure that it built for an FTP packet, which may lead to a crash.
Workaround: There is no workaround.
•
CSCsb54823
Symptoms: One router (R2) may begin sending updates to another router (R1) before R2 has received the BGP prefix list from R1.
R1 does apply its inbound BGP prefix list so routes are denied if they need to be. However, R2 sends routes to R1 which are denied by R1.
Conditions: This symptom is observed when both routers have negotiated a BGP outbound route filter (ORF) and when R1 sends its BGP prefix list to R2.
Workaround: There is no workaround.
•
CSCsb61487
Symptoms: A (*,G) prune is not processed on a non-Designated Router (DR), causing a link that is shut down on a DR router to continue to receive multicast packets.
Conditions: This symptom is observed in a configuration with a DR router that has a link (link A) to a PIM neighbor and a backup router that has a link (link B) to another PIM neighbor. The symptom occurs when you shut down link A and bring up link B. The OIL of the DR router is Null on (S,G) but on its PIM neighbor, the OIL on (S, G) still points to the interface that is connected to the DR router, that is, to link A. The OIL on the PIM should be pruned immediately, but it takes three minutes before this occurs. This situation causes the DR router to continue to receive multicast packets until the OIL on the PIM is finally pruned.
Workaround: There is no workaround.
Miscellaneous
•
CSCef48325
Symptoms: WRED counters do not function on distributed platforms such as a Cisco 7500 series and a Cisco 7600 series.
Conditions: This symptom is observed on a distributed Cisco platform that runs Cisco IOS Release 12.0(26)S3, 12.0(29)S, 12.2(25)S, 12.3(10), or 12.3(11)T and that has dWRED configured.
Workaround: There is no workaround.
•
CSCef67842
Symptoms: The router may not be able to detect busy and congestion on the cptone Japan voice-port configuration.
Conditions: This symptom is observed on Cisco 2600, Cisco 3660, and Cisco 3640 routers when the cptone command is configured for Japan.
Workaround: There is no workaround.
•
CSCeg70465
Symptoms: There is no QoS classification at a main interface when packets are switched from a GRE tunnel that also has a QoS policy enabled.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3T or Release 12.4 when a QoS policy is enabled on both the GRE tunnel and the main interface in the output direction. The symptom may also occur in other releases.
Workaround: Move the complete QoS configuration to the QoS policy on the main interface (that is, use a hierarchical policy).
•
CSCeh35324
Symptoms: Weighted Random Early Detection (WRED) does not match packets based on any marking done.
Conditions: This symptom has been observed when qos pre-classification (the qos pre-classify command) is turned on.
Workaround: Remove the qos pre-classify command.
•
CSCeh56312
Symptoms: Packets are not shaped when traffic shaping is configured on a tunnel interface.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(27)SBA but may also occur in other releases.
Workaround: Configure class-based shaping. If this is not an option, there is no workaround.
•
CSCeh88604
Symptoms: One or more VIP slot controllers reset.
Conditions: This symptom is observed on a Cisco 7500 series when the ip nbar protocol-discovery command is enabled. The symptom may not be platform-dependent and may also occur on other platforms in a similar configuration.
Workaround: Disable protocol discovery by entering the no ip nbar protocol-discovery command.
•
CSCei05553
Symptoms: A Modular QoS CLI (MQC) CoS marking disappears after you reload a router and QoS does not work.
Conditions: This symptom is observed on a Cisco router when the policy map is configured with a class using CoS marking via the set cos command. After the router has reloaded, the CoS marking is still present in the configuration but does not appear in the output of the show policy-map interface command.
Workaround: Remove and re-apply the service policy on the main interface.
•
CSCei33351
Symptoms: A router that is configured for QoS crashes because of a bus error.
Conditions: This symptom is observed when you bring up a session that has a policy map attached in both directions.
Workaround: There is no workaround.
•
CSCei62952
Symptoms: A Cisco device that is running Cisco IOS software may drop traffic because the routing table and the CEF forwarding table are inconsistent.
Conditions: This problem is exposed when the routing table is reloaded by clearing the routing table or on a box that supports hardware forwarding resetting the forwarding complex, for example, PXF. This is a rare situation due to the prefix distribution and timing required to expose the condition.
Workaround: There is no workaround.
•
CSCei82163
Symptoms: A Cisco AS5400 might not release all voice resources for an MGCP call after it is disconnected.
Conditions: This symptom is observed on both the Cisco AS5400 and Cisco AS5850 platforms but is not platform dependent. The symptom is associated with the simultaneous disconnection of a large number of calls.
Workaround: There is no workaround.
•
CSCej13460
Symptoms: The packets are not switched correctly using the Fast Switching with IPSec tunnel protection feature.
Condition: This symptom has been observed in Cisco IOS Release 12.4(1b) when tunnel protection IPSec is configured and the tunnel source interface has Fast-switching (but not CEF) configured.
Workaround: Use CEF switching.
•
CSCej20505
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
– Session Initiation Protocol (SIP)
– Media Gateway Control Protocol (MGCP)
– Signaling protocols H.323, H.254
– Real-time Transport Protocol (RTP)
– Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCej42804
Symptoms: A Cisco Gateway that is running Session Initiation Protocol (SIP) calls might run out of processor memory due to hung SIP calls.
Conditions: Active and hung calls can be seen using the show sip-ua calls command. The following specific scenario will result in a hung call: 1) The gateway initiates an INVITE. 2) The gateway receives a 100/180 response. 3) The gateway sends a CANCEL. 4) The gateway receives the 200ok for the CANCEL. 5) The gateway receives an invalid final response for the INVITE (or no final response) and drops the message.
Each hung call will use a little more memory, and eventually the gateway will run out of memory.
Workaround: Downgrade to Cisco IOS Release 12.3(14)T3, Release 12.3(11)T6, Release 12.4(2)T1, or Release 12.4(1a).
•
CSCin79691
Symptoms: QoS information disappears from a FlexWAN module or VIP that is configured with a distributed MFR interface.
Conditions: This symptom is observed after the FlexWAN module or VIP resets or after the interface flaps.
Workaround: Remove the service policy from the interface and reapply it to the interface.
•
CSCin86923
Symptoms: A PVC is unexpectedly removed from an IMA interface when one or more IMA links go down.
Conditions: This symptom is observed on a Cisco router when the bandwidth that is configured for the PVC cannot be supported after one or more IMA links go down.
Workaround: Reconfigure the PVC with a bandwidth that can be supplied by the remaining IMA links.
•
CSCin91381
Symptoms: A VIP that has a dMLFR configuration may crash when you enter the microcode reload global configuration command.
Conditions: This symptom is observed on a Cisco 7500 series when traffic flows through the VIP.
Workaround: There is no workaround.
•
CSCin97815
Symptoms: When performing the show policy-map interface MFR command, the counters do not increment.
The counters in show policy-map interface MFR do not increment for any type/class of service. Even the class-default shows 0 packets. The counters in the show frame-relay pvc command show the packets correctly.
Conditions: A map-class is configured under an MFR (FRF.16) bundle (sub-interface). This map-class consists of both an input and output service-policy.
Workaround: There is no workaround.
•
CSCsa65035
Symptoms: The committed information rate (CIR) of policers is calculated incorrectly.
Conditions: This symptom is observed when Frame Relay Traffic Shaping (FRTS) is applied using Modular QoS CLI (MQC) (that is, it is applied on the shaper in the parent service policy) and when the classes of the child policy include percentage-based policers.
Workaround: There is no workaround.
•
CSCsa68001
Symptoms: All incoming packets on a Frame Relay Link have the DE bit set.
Conditions: This symptom is observed on a Cisco 2811 that runs Cisco IOS Release 12.3 or Release 12.3(11)T2 under normal traffic conditions.
Workaround: There is no workaround. Note that the symptom does not occur on a Cisco 1760 that runs Cisco IOS Release 12.3(10).
•
CSCsa73120
Symptoms: A Cisco IPSec router may restart because of a bus error.
Conditions: This symptom is observed when you remove a crypto map entry that includes the dynamic keyword in its definition, as in the following example:
router#show running
...
crypto map map-name 5 ipsec-isakmp dynamic dyn-map
...
router(config)#no crypto map map-name 5
Workaround: Before you delete the crypto map entry that includes the dynamic keyword in its definition, manually configure all dynamic crypto maps that must be deleted to point to a nonexistent ACL, as in the following example:
router#show running
...
crypto dynamic-map dyn-map 5
...
router(config)#crypto dynamic-map dyn-map 5
router(config-crypto-map)#match address no-such-acl
•
CSCsa82945
Symptoms: A router crashes because of a bus error when ICMP or UDP packets that are larger than 1393 bytes are transmitted through an IPSec tunnel.
Conditions: This symptom is observed when a policy map and crypto map are applied to the tunnel interface.
Workaround: Remove the policy map.
•
CSCsb11124
The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not enabled the SGBP protocol are not affected by this vulnerability.
Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
Cisco has published a Security Advisory on this issue; it is available at http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml
•
CSCsb39237
Symptoms: When using a Cisco 3845 router with Cisco IOS Release 12.4 and entering the show ip inspect statistics command, the number for the half-open session keeps increasing, never decreasing. If it reaches the maximum, then no one can establish any new SSL sessions. It can cause a potential router crash.
Conditions: This symptom is observed on a Cisco 3845 router that is running Cisco IOS Release 12.4(1) but is not platform dependent. This has been seen when ICMP inspection is enabled with the ip inspect name name icmp command.
Workaround: Increase the half-open session limit with the ip inspect max-incomplete high command.
•
CSCsb42374
Symptoms: There are two symptoms:
1. When a policy is attached to the incoming interface, an aggregate control-plane policing policy will not classify traffic correctly.
2. When a control-plane policing policy is attached to the aggregate path, a similar policy attached to the host, transit or cef-exception paths will not classify traffic correctly.
Conditions: This symptom has been observed on a Cisco platform that runs Cisco IOS Release 12.3T or Release 12.4.
Workaround: Any existing interface policy would have to be removed for the aggregate control-plane policing policy to work. Any existing aggregate policing policy will have to be removed for the host/cef-exception/transit path control-plane policing policy to work.
•
CSCsb51663
Symptoms: The SNMP process hangs while a QoS MIB object is queried.
Conditions: This symptom is observed when the execution of a QoS show command is in the "More" state while the QoS MIB object is queried. The SNMP process resumes when the show command is finished. Depending on the SNMP configuration, different symptoms may occur while the SNMP process is waiting for the QoS show command to finish.
Workaround: Do not leave the show policy-map command or the show class-map command in the "More" state. Alternatively, before executing one of these commands, issue the exec command term len 0, and after the show command is complete, issue the exec command term len 24.
•
CSCsb54961
Symptoms: A Cisco gateway may fail to initiate a T.38 call to a third party gateway. When the third party gateway sends T.38 open logical channel to the Cisco gateway, no open logical channel acknowledgement is sent by the Cisco gateway. After waiting for 30 seconds for T.38 open logical channel acknowledgement, the third party gateway closes its T.38 open logical channel.
Conditions: This happens when T.38 fax relay calls are originated or terminated on a Cisco gateway that is running Cisco IOS Release 12.3(4)T and later releases.
Workaround: There is no workaround.
•
CSCsb67539
Symptoms: A Voice Gateway crashes when running under a heavy voice call load.
Conditions: This symptom is observed on a Voice Gateway that is running Cisco IOS Release 12.3(11)T6. The gateway is under heavy voice call load with access to media/application documents residing on local gateway flash, HTTP, and TFTP servers.
Workaround: The following is not quite a workaround:
call threshold global cpu-5sec low value high value
For example:
call threshold global cpu-5sec low 50 high 70
This command can ease the CPU load on the gateway, reducing the probability of a crash.
•
CSCsb72138
Symptoms: A Foreign Exchange Station (FXS) port may lock up after having functioned fine for a long time.
Conditions: This symptom is observed on a Cisco 2821 that runs Cisco IOS Release 12.3(11)T5. This symptom typically occurs when fax lines are configured on the FXS port.
Workaround: There is no workaround.
•
CSCsb77885
Symptoms: IKE negotiation will fail. Any tunnel that requires IKE to successfully negotiate a security association will not work.
Conditions: This symptom occurs when authentication for IKE is configured as RSA encryption (authentication rsa-encr).
Workaround: There is no workaround.
•
CSCsc09246
Symptoms: The following commands, used for detecting memory leaks, would crash a router that uses external memory, such as the RPM-XF platforms:
show memory debug leaks
show memory debug leaks chunks
show memory debug leaks largest
show memory debug leaks summary
Conditions: This symptom has been observed on the RPM-XF cards using Cisco IOS interim release 12.4(4.6).
Workaround: There is no workaround.
•
CSCsc13844
Symptoms: After loading "flash:c2600-entservicesk9-mz.123-11.T7.bin", the E1 controller is missing from the snmpwalk command of IF-MIB.
Conditions: This symptom has been observed on a Cisco 2621XM.
Workaround: There is no workaround.
•
CSCsc15366
Symptoms: If a Media Gateway Control Protocol (MGCP) Create Connection (CRCX) request is received containing a request for a clear-channel codec, the Cisco 1760 router fails to find a matching codec, and the call fails.
Conditions: This symptom has been observed on a Cisco 1760 router.
Workaround: There is no workaround.
•
CSCsc20062
Symptoms: A Cisco IOS router configured with Cisco IOS IPS may reload after a new signature file (SDF) is loaded on the router.
Conditions: There are two ways to load a new signature file on the router. Conditions leading to the reload are different based on which method is used:
1. When using this method, no other conditions need to be met.
Execute the copy url ips-sdf command.
2. When using this method, the conditions necessary for a reload are when any global inspect parameters are configured in the Cisco IOS configuration.
a. Remove all configured ip ips sdf location commands.
b. Configure the ip ips sdf location url command.
c. Place the new signature file at the url argument.
d. Unconfigure ips from all interfaces.
e. Reconfigure ips on the appropriate interfaces.
Workaround: Use method 2 above to load the signature file with the following modifications.
a. Remove all configured ip ips sdf location commands.
b. Configure the ip ips sdf location url command.
c. Place the new signature file at the url argument.
d. Unconfigure ips from all interfaces.
e. Unconfigure all global inspect parameters.
f. Reconfigure ips on the appropriate interfaces.
g. Reconfigure the global inspect parameters.
•
CSCsc21674
Symptoms: PSTN is sending in an "*" and the router is reading it in as a "D". PSTN is also sending in a "#" and router is reading it in as an "*".
Conditions: This symptom has been observed on an MGCP T1-CAS gateway connected to Cisco CallManager doing MF and using Cisco IOS Release 12.3(8)T11, Release 12.3(11)T7, or Release 12.3(14)T4.
Workaround: There is no workaround.
•
CSCsc28333
Symptoms: The error message "Got WATCHDOG Interrupt from NM at slot x" is displayed, and CEM stops passing traffic.
Conditions: This symptom occurs when an adaptive clock is configured on the CEM.
Workaround: Disable adaptive clock or configure a different payload-size.
Further Problem Description: The problem is caused by a floating point exception that caused the firmware to crash.
•
CSCsc31082
Symptoms: When performing the show policy-map interface MFR command, the counters do not increment.
The counters in show policy-map interface MFR do not increment for any type/class of service. Even the class-default shows 0 packets. The counters in show frame-relay pvc show the packets correctly.
Conditions: A map-class is configured under an MFR (FRF.16) bundle (sub-interface). This map-class consists of both an input and output service-policy.
Workaround: There is no workaround.
•
CSCsc41913
Symptoms: A Cisco IOS gateway using Cisco IOS Release 12.3(8)T or later versions will use an ephemeral port to send a response to any SIP request. This may not work with port restricted NAT, which is expecting a response on the same connection as the one on which the request was sent and may drop the response.
Conditions: This symptom is observed on a Cisco IOS gateway with Cisco IOS Release 12.3(8)T or later releases and a port restricted NAT.
Workaround: There is no workaround.
•
CSCsc44237
This caveat consists of two symptoms, two conditions, and two workarounds:
Symptom 1: A switch or router that is configured with a PA-A3 ATM port adapter may eventually run out of memory. The leak occurs when the FlexWAN or VIP that contains the PA-A3 port adapter is removed from the switch or router and not re-inserted.
The output of the show processes memory command shows that the "ATM PA Helper" process does not have sufficient memory. The output of the show memory allocating-process totals command shows that the "Iterator" process holds the memory.
Symptom 2: A switch or router that has certain PIM configurations may eventually run out of memory.
The output of the show processes memory command shows that the "PIM process" does not have sufficient memory. The output of the show memory allocating-process totals command shows that the "Iterator" process holds the memory.
Condition 1: This symptom is observed on a Cisco Catalyst 6500 series, Cisco 7500 series, and Cisco 7600 series.
Condition 2: This symptom is observed on a Cisco 2811 and Cisco 3845 and occurs only in Cisco IOS Release 12.2(30)S, interim Release 12.4(2.10), and interim Release 12.4(2.10)T, or in any later releases.
Workaround 1: Either do not remove the PA-A3 ATM port adapter from the FlexWAN or VIP or re-insert the PA-A3 ATM port adapter promptly. The memory leak stops immediately when you re-insert the PA-A3 ATM port adapter.
Workaround 2: When the ip multicast-routing command is configured, enable at least one interface for PIM. When the ip multicast-routing vrf vrf-name command is configured, enter the ip vrf forwarding vrf-name command on at least one interface that has PIM enabled.
•
CSCsc51183
Symptoms: A Cisco AS5850 may restart because of a software forced crash preceded by the following error:
%SYS-6-STACKLOW: Stack for process VTSP running low, 0/12000
Conditions: This symptom has been observed on Cisco IOS Release 12.3(11)T.
Workaround: There is no workaround.
•
CSCsc54584
Symptoms: A standard ingress ACL for transit traffic does not function on an interface that is configured for MFR.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(11)T8 and that has an MFR bundle that is configured on a PA-MC-8TE1 port adapter. The symptom may also occur in other releases.
Workaround: There is no workaround.
Protocol Translation
•
CSCei15942
Symptoms: You may not be able to download a complete file from an FTP during a V.120 session.
Conditions: This symptom is observed on a Cisco AS5400 and Cisco AS5850 that runs Cisco IOS Release 12.2(15)ZK6 or Release 12.3(11)T5. The symptom could also occur in other releases such as Release 12.3 or Release 12.4.
Workaround: This problem can be circumvented by disabling the negotiation of multilink on the client adapter or the router. Alternatively, configuring ppp multilink queue depth fifo 10 on the Virtual-Template interface should allow for a successful FTP download.
Wide-Area Networking
•
CSCeg88174
Symptoms: Drops occur in a class in which the throughput does not oversubscribe the allocated bandwidth for the class.
Conditions: This symptom is observed when multilink Frame Relay is configured along with generic traffic shaping or Frame Relay traffic shaping and when several class maps are configured.
When one class map starts dropping packets because the throughput is greater than the allocated bandwidth (which is normal behavior), drops may also occur in another class map even though this class map is not oversubscribed. The root cause of this symptom is that the bundle is oversubscribed and tx rings are building up, causing excessive misordering that the receiver cannot handle.
Workaround: Configure a fancy queue on the bundle interface through which the traffic is sent.
•
CSCei11919
Symptoms: A dialed circuit that carries a PPP connection over a tunnel between an LNS and a LAC is not dropped when the tunnel is reset.
Conditions: This symptom is observed when you enter the clear vpdn all command, when the LNS reloads, when the IP link between the LNS and LAC is disrupted, or when any other event occurs that causes the tunnel to be reset.
Workaround: There is no workaround.
•
CSCej45061
Symptoms: Attempts to remove a PRI group fail.
Conditions: This symptom is observed when an NFAS group has group number 0 and when you attempt to remove a FAS PRI group.
Workaround: Shut down the NFAS group before you remove the FAS PRI group.
•
CSCej73049
Symptoms: AAA method may fail on calls in the Cisco IOS 12.3(11)T releases.
Conditions: This symptom was observed on a Cisco AS5850 that was running Cisco IOS Release 12.3(11)T8 but is not platform dependent.
Workaround: There is no workaround.
•
CSCsb89292
Symptoms: ISDN NFAS failover issues are observed in Cisco IOS Release 12.3(11)T7. If the primary NFAS d-channel is bounced, the switch sees some of the b-channels in "remote busy" (RMB).
Conditions: This symptom only happens when the primary NFAS d-channel is bounced.
Workaround: There is no workaround.
•
CSCsc49637
Symptoms: If a PPPoE client session is timed out (e.g. due to a network outage), and a restart of the session is subsequently unsuccessful (e.g. because network outage persists or the PPPoE server has not timed out the prior session) and if the user then manually clears the session, then the router will no longer be able to bring up this session until a reload is performed.
Conditions: This symptom has been observed when the PPPoE session is unexpectedly interrupted with Cisco IOS Release 12.3(8)T8 or Release 12.3(11)T5. The following feature must also be configured:
pppoe-client dial-pool-number 1 dial-on-demand
Workaround: Use the following procedure:
1. Reload.
2. Do not configure the DDR feature for the PPPoE session. This problem is limited to PPPoE client sessions using the DDR feature.
Resolved Caveats—Cisco IOS Release 12.3(14)T5
Cisco IOS Release 12.3(14)T5 is a rebuild release for Cisco IOS Release 12.3(14)T. The caveats in this section are resolved in Cisco IOS Release 12.3(14)T5 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCed09685
Symptoms: When command accounting is enabled, Cisco IOS routers will send the full text of each command to the ACS server. Though this information is sent to the server encrypted, the server will decrypt the packet and log these commands to the logfile in plain text. Thus sensitive information like passwords will be visible in the server's log files.
Conditions: This problem happens only with command accounting enabled.
Workaround: Disable command accounting.
•
CSCeh64791
Symptoms: A memory leak may occur when you delete a RADIUS server group.
Conditions: This symptom is observed when the server is configured with a key.
Workaround: There is no workaround.
•
CSCeh65692
Symptoms: Spurious memory access errors and tracebacks may be generated on a Cisco AS5800.
Condition: This symptom is observed on a Cisco AS5800 that processes TCPclear calls.
Workaround: There is no workaround.
•
CSCin90842
Symptoms: Memory allocations fail on the gateway though there is enough free memory. If this failure happens in ISDN, the gateway crashes subsequently.
Conditions: This symptom has been observed when the H323 aaa accounting command is enabled.
Workaround: There is no workaround.
Further Problem Description: Memory allocations for a block of 3k bytes fail with memory fragmentation as the cause. When this failure occurs, there is approximately 20MB of free memory on a gateway with 220MB of processor memory.
IP Routing Protocols
•
CSCin95836
The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can result in a restart of the device or possible remote code execution.
NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.
NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE) and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability affects all three methods of operation.
NHRP is not enabled by default for Cisco IOS.
This vulnerability is addressed by Cisco bug IDs CSCin95836 for non-12.2 mainline releases and CSCsi23231 for 12.2 mainline releases.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml.
•
CSCsb32141
Symptoms: A router that is configured for Resource Reservation Protocol (RSVP) generates the following error messages on the console and then crashes:
%LINK-0-REENTER: Fatal reentrancy, level=3, intfc=FastEthernet0/1
-Process= "RSVP", ipl= 3, pid= 251
%SYS-6-STACKLOW: Stack for process RSVP running low, 0/24000
Conditions: This symptom is observed when the ip rsvp bandwidth and service-policy output commands are configured on the same interface and when the policy map for the service policy is configured with the fair-queue command.
Workaround:
Option 1: Enter the ip rsvp resource-provider none command on the interface.
Option 2: Configure the ip rsvp bandwidth value command such that value is equal to the value displayed in the "Available Bandwidth" line of output in the show interface interface display plus the value shown in the "allocated" column of the show ip rsvp int display.
Miscellaneous
•
CSCed94829
Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange) messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group (OUSPG) "PROTOS" Test Suite for IPSec and can be repeatedly exploited to produce a denial of service.
Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20051114-ipsec.shtml.
•
CSCee32365
Symptoms: When a single bundle link associated with a Multilink Frame Relay (MFR) interface is brought up, LMI exchanges over the MFR interfaces may not happen.
Conditions: This symptom is observed on a Cisco 7500 series that is configured for MFR.
Workaround: There is no workaround.
•
CSCeg27836
Symptoms: Under some circumstances when eBGP flaps on the PE, packets from another VRF are forwarded to an incorrect interface.
Conditions: This symptom occurs when eBGP flaps on the PE.
Workaround: There is no workaround.
•
CSCeh01182
Symptoms: A Cisco voice gateway may drop a voice or fax relay call during CNG tone detection.
Conditions: This symptom is observed on a Cisco voice gateway that is configured with a VXML application script on the incoming POTS dial peer and that receives a fax CNG tone.
Workaround: There is no workaround. However, this is the limitation on voice gateways that use VXML applications: such platforms only support T.37.
Further Problem Description: The fix for this caveat includes support for T.38 on voice gateways that use VXML applications.
•
CSCeh08689
Symptoms: When CRTP is enabled on a PPP over Frame Relay PVC via a policy-map configuration, the service policy on the PVC does not function properly because packets are not placed in the priority queue. The output of the show policy-map interface command does not show a class counter.
Conditions: This symptom is observed when you attach a policy map with CRTP on a virtual-template interface and then attach a policy map with a priority feature on the Frame relay PVC. Note that the symptom does not occur for a PPP over ATM PVC or PPP over Ethernet configuration.
Workaround: There is no workaround.
•
CSCeh09198
Symptoms: A Cisco gateway that has the garbage detector (a tool that is used for debugging memory leaks) enabled may hang indefinitely.
Conditions: This symptom is observed when you enter the garbage detector-related show memory debug leaks command or show memory debug incremental leaks command.
Workaround: There is no workaround.
•
CSCeh14446
Symptoms: The maintenance mode on a Cisco AS5850 that is configured for RPR+ may not function.
Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.3(11)T but is release- and platform-independent.
Workaround: There is no workaround.
•
CSCeh20048
Symptoms: When you enter the show crypto session command, tracebacks and %SYS-3-BADLIST_DESTROY error messages may be generated.
Conditions: This symptom is observed on a Cisco router that is configured for IPSec and multiple crypto tunnels.
Workaround: There is no workaround.
•
CSCeh40161
Symptoms: When a branch router attempts to access the Internet via HTTP or TCP, the HTTP or TCP session times out unexpectedly.
Conditions: This symptom is observed when the router at the headquarters has a Cisco IOS Firewall and resets the HTTP or TCP connection.
Workaround: Configure a GRE+IPSec connection between the branch router and the router at the headquarters.
Alternate Workaround: Disable the Cisco IOS Firewall on the router at the headquarters.
•
CSCeh47169
Symptoms: A Cisco router that contains the fix for CSCef84400 may experience a reload due to memory corruption in I/O memory when using telnet, reverse telnet, rsh, or other vty-based applications such as accessing service-modules.
Conditions: This symptom is observed on a Cisco 2851, Cisco 3745, and Cisco 3845.
Workaround: There is no workaround.
•
CSCeh61467
This caveat consists of two symptoms, two conditions, and two workarounds:
Symptom 1: After you have disabled MVPN on a VRF interface, the CPU use for the PIM process increases to 99 or 100 percent and remains at that level.
Condition 1: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SB, Release 12.2SX, or a release that is based on these releases.
Workaround 1: Before you disable MVPN on the VRF interface, enable and then disable multicast routing by entering the ip multicast-routing vrf vrf-name global configuration command followed by the no ip multicast-routing vrf vrf-name global configuration command.
Symptom 2: A router that functions under stress and that is configured with a VRF interface may crash when an MDT group is removed from a remote PE router.
Condition 2: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SB, Release 12.2SX, or a release that is based on these releases, and occurs only when there are frequent link flaps or other multicast topology changes that affect the VRF interface.
Workaround 2: There is no workaround.
•
CSCeh73049
Symptoms: A vulnerability exists within the Cisco IOS Authentication, Authorization, and Accounting (AAA) command authorization feature, where command authorization checks are not performed on commands executed from the Tool Command Language (TCL) exec shell. This may allow authenticated users to bypass command authorization checks in some configurations resulting in unauthorized privilege escalation.
Conditions: Devices that are not running AAA command authorization feature, or do not support TCL functionality are not affected by this vulnerability.
This vulnerability is present in all versions of Cisco IOS that support the tclsh command.
Workaround: This advisory with appropriate workarounds is posted at
http://www.cisco.com/warp/public/707/cisco-response-20060125-aaatcl.shtml
•
CSCei02275
Symptoms: A Cisco router may reload when removing a Frame Relay map from a dial interface.
Conditions: This symptom occurs when a dial (ISDN) interface is configured for Frame Relay encapsulation with a map that includes IP Header Compression.
Workaround: There is no workaround.
•
CSCei08458
Symptoms: The FIB may be disabled or the output interface may be stuck on an A3 ATM port adapter.
Conditions: This symptom is observed on a Cisco 7500 series that is configured for dLFIoATM.
Workaround: Reload the microcode or perform an OIR to recover the A3 ATM port adapter.
•
CSCei42842
Symptoms: A Cisco 2851 may crash at the tsp_search_voice_port function.
Conditions: This symptom is observed when the no ccm-manager mgcp command is entered very rapidly, for example, via an automated script.
Workaround: There is no workaround.
•
CSCei46509
Symptoms: No more than 930 H.323 terminating calls can be brought up on a Cisco 5850 because socket allocation failures occur.
Conditions: This symptom is observed on a Cisco 5850 that functions as a TGW in RPR+ mode when H.323 slow start is enabled and when H.245 tunneling is disabled. Note that the symptom does not occur when H.245 tunneling is enabled or when the Cisco 5850 functions as an OGW.
Workaround: Configure H.245 tunneling and fast start by entering the following commands:
Router(config)# voice service voip
Router(conf-voi-serv)#h323
Router(conf-serv-h323)#no h245 tunnel disable
•
CSCei51322
Symptoms: A router that is configured for IPSec may reload because of a stack or program counter corruption.
Conditions: This symptom is observed on a Cisco router that uses a certificate with a very long subject name of several hundred bytes when the distinguished name (DN) is used as an ISAKMP identity. The symptom does not occur for shorter subject names (for example, 290 characters). In most environments, a subject name of 80 characters or less is common.
Workaround: Use certificates with a shorter subject name.
•
CSCei61814
Symptoms: A Fast Ethernet (FE) interface on a Cisco AS5850 may reset unexpectedly.
Conditions: This symptom is observed when you attempt to program the FE controller for multicast or broadcast traffic such as OSPF, EIGRP, RIP, or PIM.
Workaround: There is no workaround.
•
CSCei75294
Symptoms: A Cisco AS5850 that functions in RPR+ mode reloads unexpectedly because for each call an MGCP application holds an increasing amount of memory that is not freed up.
Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.3(11)T7. The symptom could also occur in Release 12.4 or Release 12.4T.
Workaround: There is no workaround.
•
CSCsa53334
The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These include:
–
Fragmented IP packets may be used to evade signature inspection.
–
IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service.
There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml.
•
CSCsa57147
Symptoms: A disconnect event is not thrown or caught on a Cisco AS5400.
Conditions: This symptom is observed when the platform functions under a heavy load with a large number of calls that are disconnected from the gateway during VXML page execution. The disconnect event may not be thrown or get caught by the catch blocks of the root document.
Workaround: There is no workaround.
•
CSCsa60223
Symptoms: After a call is made between H.323 and SIP on the IPIPGW, executing the show call active voice command does not reflect the call leg information.
Conditions: This symptom occurs when doing SIP-H323 calls.
Workaround: There is no workaround.
•
CSCsa61115
Symptoms: After upgrading from Cisco IOS Release 12.3 mainline to Cisco IOS Release 12.3T, some information is not getting passed along correctly that is causing failures, for example third party Message Waiting Indication (MWI).
Conditions: This problem is seen when routers are upgraded to Cisco IOS 12.3T when QSIG signaling is used.
Workaround: Downgrade all routers involved to a version prior to Cisco IOS 12.3(4)T.
•
CSCsa70040
Symptoms: A router does not attempt to autoinstall a software configuration via a Frame Relay WAN segment when it receives a response to a DHCP request on an Ethernet LAN, even though the DHCP server does not support autoinstall via TFTP.
Conditions: This symptom is observed when a software configuration is replaced on a failed remote router or installed on a new remote router. The router is connected to an existing Ethernet LAN and a Frame Relay WAN segment. You would expect that the router autoinstalls over the Frame Relay WAN segment because it is supposed to download the configuration from a central TFTP server. However, this does not occur.
When the router has a response to its DHCP request on the Ethernet LAN, it attempts to autoinstall over DHCP. Although the DHCP server does not support autoinstall over DHCP, the router does not attempt to autoinstall over the Frame Relay WAN segment.
Workaround: Prevent the DHCP server from responding to the router request or ensure that someone is physically present to disconnect the Ethernet LAN link from the router to force the router to autoinstall over the Frame Relay WAN segment. When the router has autoinstalled over the Frame Relay WAN segment, the router should be reconnected to the Ethernet LAN.
•
CSCsa73842
Symptoms: An IP phone line is not released for some calls between Cisco CallManagers.
Conditions: This symptom is observed when calls between the Cisco CallManagers are made via a Cisco Multiservice IP-to-IP Gateway (IPIPGW) that is configured for H.323.
Workaround: There is no workaround.
•
CSCsa74930
Symptoms: A Cisco 3825 or Cisco 3845 may display the following error message and traffic may be interrupted:
%SBETH-3-ERRINT: GigabitEthernet0/0, error interrupt, mac_status = 0x0000000000840000
Conditions: This symptom is observed when multiple users that are connected to a downstream switch attempt to log into network resources across a WAN that traverses the router. The symptom is most likely to occur when AppleTalk is configured over a Gigabit Ethernet connection.
Workaround: There is no workaround.
•
CSCsa86291
Symptoms: Packets that enter on an interface that has the ssg direction downlink command enabled are not translated even though the ip nat inside is enabled.
Conditions: This symptom is observed on a Cisco router that is configured for SSG with the TP, TT, or TX type of service and that runs Cisco IOS Release 12.3(11)T4 or Release 12.3(14)T. The symptom may also occur in Release 12.3 but does not occur in Release 12.3(11)T3.
Note that when you disable the ssg direction downlink command on the interface, NAT works fine.
Workaround: There is no workaround.
•
CSCsa86390
Symptoms: A Cisco router shows an ALIGN-3-TRACE traceback and DSPDUMP in the log, and the spurious access counter in the output of the show align command is not zero.
Conditions: This symptom occurs when the error message is observed during stress calls.
Workaround: There is no workaround.
•
CSCsa86555
Symptoms: The User Adaptation Layer for a Digital Private Network Signaling System (DPNSS) path does not come up.
Conditions: This symptom is observed on a Cisco 2800 series and Cisco 3800 series that function as a gateway and that run Cisco IOS Release 12.3(14)T or Release 12.4. The DPNSS path is configured on a VWIC-2MFT-E1-DI Multiflex Voice/WAN interface card that is installed in an NM-HDV2 network module.
Workaround: There is no workaround.
•
CSCsa87811
Symptoms: A memory leak occurs on an originating gateway.
Conditions: This symptom is observed when Fast Start is enabled, when a call fails after the call proceeding has been received from a primary or alternate endpoint, and when the call falls back to the next alternate endpoint.
Workaround: There is no workaround.
Further Problem Description: The fast-start elements that are received in the call proceeding are freed only once for each call instead of being freed for each endpoint that is tried (assuming that the call falls back to alternate endpoints). This situation causes the memory leak.
•
CSCsa97663
Symptoms: An ATM interface is unexpectedly removed from an IMA group even though the ATM interface is still in the up/up state, causing T1 links to be disconnected.
Conditions: This symptom is observed on a Cisco 2600 series when you change the Cisco IOS software from Release 12.2(13)T8 to Release 12.3(12b).
Workaround: Re-add the ATM interface to the IMA group by removing and reconfiguring the IMA configuration on the ATM interface.
•
CSCsb09190
Symptoms: A router misses an entry in its label forwarding table, which is shown in the output of the show tag-switching forwarding-table EXEC command for the missing entry and in the output of the show ip cef detail EXEC command for the prefix.
Conditions: This symptom is observed on a Cisco router that is configured for Multiprotocol Label Switching (MPLS) and that learns its routes through iBGP from redundant route reflectors (RRs) when BGP labeling is not enabled.
Workaround: There is no workaround. However, when you enter the clear ip route EXEC command for the affected prefix, the prefix is reinstalled in the label forwarding table.
•
CSCsb10341
Symptoms: A Cisco 2651XM may not drop unicast Ethernet frames that are not destined for its MAC address.
Conditions: This symptom is observed on a Cisco 3800 series that runs Cisco IOS Release 12.3(11)T5 or an earlier release or Release 12.3(14)T1 or an earlier release and that has subinterfaces that are configured for HSRP.
Workaround: Enter the standby use-bia command on the main interface.
•
CSCsb33129
Symptoms: A router may reload unexpectedly when the SSG queue for RADIUS requests that are in the waiting state becomes too large.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3(14)T1 or Release 12.4(1a) and that is configured for SSG. When there is a large number of RADIUS requests or a connectivity problem between SSG and the RADIUS server, the SSG queue for RADIUS requests that are in the waiting state may become too large.
Workaround: There is no workaround.
•
CSCsb34344
Symptoms: A Fast Ethernet (FE) interface on a Cisco AS5400 may reset unexpectedly.
Conditions: This symptom is observed when you attempt to program the FE controller for multicast or broadcast traffic such as OSPF, EIGRP, RIP, or PIM.
Workaround: There is no workaround.
•
CSCsb37645
Symptoms: A router may crash during a basic H.323 call with carrier ID routing.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(3.3).
Workaround: There is no workaround.
•
CSCsb42859
Symptoms: A router may reload unexpectedly when the stack for VTSP runs low in memory.
Conditions: This symptom is observed on a Cisco router that functions as a voice gateway.
Workaround: There is no workaround.
•
CSCsb50143
Symptoms: You cannot create a maximum session number for a DSPfarm profile conference.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(11)T or Release 12.4(1a) when time slot 1 through 24 of the PRI group are configured before you attempt to create a maximum session number. The symptom occurs on an NM-HDV2 that has a PVDM2-64 installed.
Workaround: First configure a maximum session number for the DSPfarm profile conference, then configure time slot 1 through 24 of the PRI group.
Do not reload the gateway or enter the shutdown command for the DSPfarm profile after everything is properly configured because otherwise the PRI group would grasp all the DSP resources again.
•
CSCsb65056
Symptoms: A PPP connection may stay active after the idle timer reaches zero. This might affect other services that rely on the disconnect.
Conditions: This symptom was observed in an SSG setup in which the host object was disconnected but the PPP connection stayed up, leading to an incorrect redirect.
Workaround: There is no workaround.
Further Problem Description: The symptom was troubleshot with the debug ssg events command, by following the host idle-timeout and user idle-timeout values in the output for the related virtual access interface.
•
CSCsb90264
Symptoms: Cisco AS5400 and AS5350 T1 CAS calls fail with "no users answer," and a traceback is seen at vtsp_tsp_call_setup_ind, along with the following error:
%SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
Conditions: This problem is seen when making CAS calls in Cisco AS5400 and AS5350 platforms.
Workaround: There is no workaround.
Wide-Area Networking
•
CSCee85138
Symptoms: A SegV exception crash may occur on a Cisco router that is configured for voice calls.
Conditions: This symptom is observed on a Cisco 2600 series that runs Cisco IOS Release 12.3(6a) or Release 12.3(9) but may not be platform-dependent.
Workaround: There is no workaround.
•
CSCeg03958
Symptoms: A router may crash while performing an SNMP walk on VPDN-related MIB Objects. SNMP get and set operations function fine.
Conditions: This symptom is observed on a Cisco router that is configured with MLP interfaces.
Workaround: Reload the router and do not perform an SNMP walk. Instead use get operations.
•
CSCei21549
Symptoms: A Cisco 5850 reloads when an RLM group is unconfigured.
Conditions: This symptom is observed when you enter the no isdn rlm-group number command and when there are more than 31 NFAS members in the same NFAS group.
Workaround: Shut the primary interface, remove the NFAS members of the same NFAS group, and unconfigure the RLM group.
•
CSCsa55747
Symptoms: The RADIUS L2TP-specific disconnect code value for the Ascend-Disconnect-Cause RADIUS attribute (195) is incorrectly generated as 607 instead of 605.
Conditions: This symptom is observed when an L2TP tunnel setup failure occurs between a LAC and an LNS.
Workaround: There is no workaround.
•
CSCsa66756
Symptoms: The B channel on an NFAS "none" group member may hang with its channel state set to PROPOSED, which you can see in the output of the show isdn service command.
Conditions: This symptom is observed when the first activity on an NFAS "none" member is an outgoing call. After the first incoming or outgoing call, the symptom no longer occurs.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(14)T4
Cisco IOS Release 12.3(14)T4 is a rebuild release for Cisco IOS Release 12.3(14)T. The caveats in this section are resolved in Cisco IOS Release 12.3(14)T4 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCei61732
Cisco IOS may permit arbitrary code execution after exploitation of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software, as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco has made free software available that includes the additional integrity checks for affected customers.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml.
•
CSCsb27960
Symptoms: When the local method is used at the beginning of a PPP authentication method list and when a user does not exist in the local database, failover to the next method in the method list does not occur. This situation prevents users that are listed in the database of a RADIUS or TACACS+ server from being authenticated.
Conditions: This symptom is observed on a Cisco router that is configured for AAA.
Workaround: Temporarily remove the local method from the beginning of the method list.
Interfaces and Bridging
•
CSCef44950
Symptoms: ISDN is not properly established.
Conditions: This symptom is observed on a Cisco 7500 series that has distributed switching enabled via the ip cef distributed command.
Workaround: Disable distributed switching.
IP Routing Protocols
•
CSCef60452
Symptoms: A router may stop receiving multicast traffic.
Conditions: This symptom is observed rarely during convergence when a router receives a Join message on an RPF interface and when a downstream router converges faster than the first router that receives the Join message.
In this situation, the router does not populate the RPF interface into the OIL (that is, the OIL remains null) because the old SP-tree has already been pruned by the downstream router. When the RPF interface of the router changes to the new path later, it does not trigger a Join message toward the multicast source until the router receives a next periodic Join message from the downstream router and populates the OIL. As a result, multicast traffic stops temporarily but no longer than the periodic Join message interval.
Workaround: There is no workaround.
•
CSCef80861
Symptoms: When a switchport is detected at boot time, the IP subsystem initializes all ports that do not have an explicit IP configuration to the shutdown state. This can be seen when a router with an L2 switchport is started with no (IP) configuration on those ports.
Conditions: On a Layer 2 (L2), or switched, port, an IP address is not meaningful, and therefore shutting it down is inappropriate.
Workaround: If an explicit no ip address configuration is put onto each switchport, IP will not place the ports into shutdown state.
Further Problem Description: IP should ignore L2 ports, as they don't exist at the same layer as IP.
The proper behavior, when not disabled by IP, is for switchports with no configuration to come up (i.e. no shutdown) and handle L2 traffic. In the presence of VLAN switching, they will default to being members of the native VLAN, i.e. VLAN 1.
A potential security implication is that if ports are connected with attached remote devices, these remote devices will now see traffic that was previously (implicitly) blocked from reaching them.
•
CSCeh15639
Symptoms: A Cisco router may crash when it is reloaded with PIM traffic on the network.
Conditions: This symptom is observed on a Cisco 7200 series router with multicast enabled but is not platform dependent. Bootup is the most likely place where this will happen, but the router may crash anytime if an interface flap happens at the right time while receiving PIM traffic.
Workaround: There is no workaround.
•
CSCeh33504
Symptoms: A router terminates 102,000 VPNv4 routes but route reflectors (RRs) report only a subset of the total.
Conditions: This symptom is observed on a Cisco MGX RPM-XF that runs Cisco IOS Release 12.3(11)T4 when 204 routes are configured per VRF over 496 VPNs (one VPN has about 1000 routes). However, Cisco MGX RPM-PRs that function as RRs show that only 76245 routes are terminated on the Cisco MGX RPM-XF. The symptom is platform-independent and may also occur in other releases.
Workaround: There is no workaround.
•
CSCeh47763
Symptoms: A Cisco router may erroneously send ACK packets in response to RST packets for non-local TCP sessions. This can cause high CPU utilization on the router.
Conditions: This symptom occurs when using Port Address Translation (PAT).
Workaround: Use the clear ip nat translation * command.
•
CSCei06089
Symptoms: Conditional advertisement of the default route via a route map does not work when you enter the neighbor default-originate command.
Conditions: This symptom is observed on a Cisco router that is configured for BGP.
Workaround: Disable the route map entirely. If this is not an option, there is no workaround.
•
CSCei21133
Symptoms: A router reloads because of a watchdog timeout when you perform an snmpwalk.
Conditions: This symptom is observed on a Cisco 7200 series but may be platform-independent. The traceback stack decode points to an EIGRP function although EIGRP is not configured on the router.
Possible Workaround: Configure a dummy EIGRP router process, for example one for which the network covers only a loopback interface, so that the snmpwalk does not cause the router to crash.
•
CSCei26899
Symptoms: When you reset a BGP peer, some prefixes are missing.
Conditions: This symptom is observed on a Cisco MGX8850 RPM-XF that runs Cisco IOS Release 12.3(11)T. However, the symptom is platform-independent and may also occur in other releases.
Workaround: There is no workaround.
•
CSCsa61842
Symptoms: A Cisco router may reload unexpectedly with a bus error exception.
Conditions: This symptom has been observed on a router with Network Address Translation (NAT) enabled.
Workaround: There is no workaround.
•
CSCsa65155
Symptoms: IS-IS may not update redistributed BGP network changes.
Conditions: This symptom is observed when the network network-number command is enabled to introduce connected networks into a BGP topology and when, afterwards, BGP is redistributed into IS-IS. The symptom occurs after one of the interfaces that forms a network connection goes down and comes up again; the network re-enters the BGP topology but is no longer redistributed into IS-IS.
Workaround: There is no workaround.
•
CSCsa86914
Symptoms: RFC3550 states the following:
"For applications in which the RTP and RTCP destination port numbers are specified via explicit, separate parameters (using a signaling protocol or other means), the application MAY disregard the restrictions that the port numbers be even/odd and consecutive although the use of an even/odd port pair is still encouraged. The RTP and RTCP port numbers MUST NOT be the same since RTP relies on the port numbers to demultiplex the RTP data and RTCP control streams."
The Cisco IOS NAT SIP ALG gateways comply with the snippet from the RFC above. The Cisco IOS NAT SIP ALG gateways currently select the next available port+1 for SIP fixup in the NAT translations. The NAT gateway does not check for even and odd pair for RTP and RTCP port numbers. As a result, some issues can arise with SIP User Agents that are strictly following the encouraged even and odd pair for RTP and RTCP port numbers.
The Cisco IOS NAT SIP ALG gateways need a configurable parameter to enable even and odd pair port numbering for RTP and RTCP port numbers with SIP fixup or the gateways need to change to always follow the encouraged behavior of even and odd pair port numbering for RTP and RTCP port numbers with SIP fixup.
Conditions: This symptom has been observed when an application is supplied with an odd number for use as the RTP port.
Workaround: There is no workaround.
•
CSCsa87473
Symptoms: A BGP speaker may fail to send all of its prefixes to a neighbor if the neighbor sends a refresh request to the BGP speaker at the same time that the BGP speaker is generating updates to the neighbor. This situation causes the neighbor to miss some prefixes from its BGP table.
Conditions: This symptom may occur between any pair of BGP speakers.
A common scenario is that a VPNv4 PE router is reloaded and then fails to learn all prefixes from its route reflector (RR). In this configuration, the symptom occurs when the processing of a VRF configuration causes the PE router to automatically generate a route-refresh request to the RR, while the RR is still generating updates to the PE.
Workaround: There is no workaround.
•
CSCsa94774
Symptoms: When you enter the traceroute command from an IP address that is different from the address in the NAT default configuration, the incoming PAT sends the reply packets to the NAT default address that is defined in the NAT default configuration and not to the original source address from which the traceroute command was entered. Note that the outside PAT works fine.
Conditions: This symptom is platform-independent. NAT overload traffic and other TCP traffic are not affected.
Workaround: There is no workaround.
•
CSCsb07372
Symptoms: NAT H.323 does not create an entry in the NAT translation table even though debugging shows that NAT processes the packet correctly. This situation causes one-way voice for the called party, preventing them from hearing the calling party.
Conditions: This symptom is observed only when ICMP error messages are processed by NAT.
Workaround: There is no workaround.
•
CSCsb13988
Symptoms: A router that is configured for NAT may crash because of a bus error.
Conditions: This symptom is observed on a Cisco 7206VXR that runs Cisco IOS Release 12.3(9a) but is not platform-specific. The crash occurs while NAT attempts to translate an IP address in an H.323 RAS message that does not contain an IP address.
Workaround: Disable H.323 RAS in NAT by entering the no ip nat service ras command. If you must use H.323 RAS in NAT, there is no workaround.
•
CSCsb25662
Symptoms: When an IP phone that is located at a central site leaves a conference, a one-way voice condition occurs for the remaining two phones in the conference.
Conditions: This symptom is observed in a Hub-and-Spoke configuration in which both sites perform NAT when a voice conference is created by an IP phone that is located at a central site with two IP phones that are located at a remote site. NAT is configured on the hub and at the remote site, SCCP is the voice signaling protocol, and the conference occurs between the hub and the remote site.
Workaround: Enter the clear ip nat translation * command.
Miscellaneous
•
CSCee17241
Symptoms: When the redundancy mode is changed from classic-split to RPR-plus through the command line interface (CLI), the peer Route Switch Controller (RSC) goes to the initial configuration setup dialogue.
Conditions: This symptom has been observed on a Cisco AS5850 universal gateway.
Workaround: Load the configurations with RPR-plus configured onto the startup configurations of both RSCs. The symptom will not be seen.
•
CSCee41831
Symptoms: A SegV exception may occur on a router when you enter the write memory or copy running-config startup-config command.
Conditions: This symptom is observed on a Cisco 1700 series and Cisco 2600 series when you enter the write memory or copy running-config startup-config command and when the NVRAM is corrupted.
Workaround: Erase the NVRAM and then enter the write memory or copy running-config startup-config command.
•
CSCee42932
Symptoms: Resuming a call that was placed on hold fails on a Cisco CallManager.
Conditions: This symptom is observed when a Cisco CallManager that runs version 4.0 and that is not configured for Message Transport Protocol (MTP) is connected via an IPIPGW to another Cisco CallManager that runs version 4.0 and that is not configured for MTP.
The symptom occurs on the second Cisco CallManager because the IPIPGW sends an incorrect ICT version for the first Cisco CallManager to the second Cisco CallManager and because the IPIPGW drops the non-standard fields in the callproc, alert, and connect messages from the second Cisco CallManager to the first Cisco CallManager.
Workaround: Configure MTP.
•
CSCef28975
Symptoms: A router that functions as an H.323 gateway crashes.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3T when authentication is enabled.
Workaround: Enter the no memory lite command.
•
CSCef29090
Symptoms: TCPClear sessions on a Cisco AS5850 may have throughput issues and slow response time.
Conditions: This symptom was observed on a Cisco AS5850 with TCPclear sessions.
Workaround: There is no workaround.
•
CSCef81634
Symptoms: When you bring up and tear down SSG sessions quickly, a router may crash because of a bus error exception.
Conditions: This symptom is observed on a Cisco router that is configured for SSG when you use a tool that initializes the interface and quickly brings sessions back up while the old sessions are still being cleared.
Workaround: There is no workaround.
•
CSCef84174
Symptoms: PPP forwarding may fail between two virtual access interfaces.
Conditions: This symptom is observed on a Cisco AS5850 but is not platform dependent.
Workaround: Disable PPP multilink on the asynchronous interfaces.
•
CSCeg53478
Symptoms: A Cisco 831 may display the following message on the console:
pktFlowLink() logic error, pMatch and pEmptySlot
Conditions: This symptom is observed very rarely after the router has been up for a long time. The functionalities of the router are not affected.
Workaround: There is no workaround.
•
CSCeg82392
Symptoms: A Cisco CallManager uses different versions of the G.729 codec when setting up Message Transfer Protocol (MTP) calls across intercluster trunks. The Cisco CallManager should set up the call legs with the same versions of the G.729 codec.
Conditions: This symptom is observed when a Cisco 3700 series that runs Cisco IOS Release 12.3(11)T2 connects to a Cisco CallManager that runs version 4.1.
Workaround: There is no workaround.
•
CSCeg82614
Symptoms: A memory leak may occur in the "CCH323_CT" and "VTSP" processes.
Conditions: This symptom is observed on a Cisco 3660 that is configured for AAA.
Workaround: There is no workaround.
•
CSCeh35457
Symptoms: A policy map may be removed from an ATM PVC range configuration without a check for an exact match of the policy map name. This situation may cause the wrong policy map to be removed from the ATM PVC range configuration.
Conditions: This symptom is observed when you enter the no service-policy output policy-map-name command on a subinterface that is administratively shut down. Any policy map that is attached to this subinterface may be deleted, regardless of whether or not the name of the policy map that is removed matches with the name of the policy map that should be removed. The symptom occurs only in a PVC range configuration on ATM subinterfaces.
Workaround: There is no workaround.
•
CSCeh43717
Symptoms: A Cisco 3745 reloads when you enable the H.323 proxy.
Conditions: A reload may be seen if the OGW is trying to tunnel QSIG APDUs or other UUIEs.
Workaround: Disable proxy mode.
•
CSCeh76239
Symptoms: Web Cache Communication Protocol (WCCP) may fail.
Conditions: This symptom is observed on a router that is configured with IPSec, CBAC (that is, the ip inspect command is enabled), and NAT. One specific scenario in which WCCP fails is when a single interface is configured to terminate one or more IPSec tunnels and has the ip nat outside source command, ip inspect out command, and ip wccp web-cache redirect out command enabled.
Workaround: When the ip inspect out command is enabled on the WCCP-redirected interface but the ip inspect in command is not configured on the client interface, configure a WCCP redirect list that excludes the address of the WCCP-redirected interface.
•
CSCeh78411
Symptoms: If a spoke cannot complete IKE phase I because of a bad certificate, the failed IKE sessions may not be deleted on an IPSec/IKE responder. Such failed sessions may accumulate, eventually causing router instability. These failed sessions can be seen in the output of the show crypto isakmp sa | i MM command:
172.18.95.21 10.253.34.80 MM_KEY_EXCH 898 0 ACTIVE
172.18.95.21 10.253.34.80 MM_KEY_EXCH 896 0 ACTIVE
172.18.95.21 10.253.34.80 MM_KEY_EXCH 895 0 ACTIVE
172.18.95.21 10.253.34.80 MM_KEY_EXCH 894 0 ACTIVE
172.18.95.21 10.253.34.80 MM_KEY_EXCH 893 0 ACTIVE
...
Conditions: These symptoms are observed when RSA signatures are used as the authentication method.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the interface that is used for the IKE sessions or re-apply the crypto map to this interface.
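A monitoring check for the CSCeh78411 symptom, given here as an added example that is not part of the Cisco release notes: it parses captured show crypto isakmp sa output in the row layout quoted above and reports address pairs that hold several sessions in MM_KEY_EXCH. The header row, the 192.0.2.10 and 198.51.100.7 rows, the function names and the threshold of 3 are assumptions made for the example.

```python
"""Flag address pairs that accumulate IKE sessions stuck in MM_KEY_EXCH."""
import re
from collections import defaultdict

# One data row in the layout quoted in the caveat: two IPv4 addresses,
# state, conn-id, slot, status. The caveat shows values only, so the two
# addresses are kept as an ordered pair without assuming which is the peer.
ROW = re.compile(
    r"^\s*(?P<addr1>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<addr2>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+(?P<slot>\d+)\s+"
    r"(?P<status>\S+)\s*$"
)

# Constructed capture: the five MM_KEY_EXCH rows are the ones quoted in the
# caveat; the header, the QM_IDLE row and the single MM_KEY_EXCH row for
# another address are constructed for this example.
SAMPLE_OUTPUT = """\
dst             src             state          conn-id slot status
172.18.95.21    10.253.34.80    MM_KEY_EXCH        898    0 ACTIVE
172.18.95.21    10.253.34.80    MM_KEY_EXCH        896    0 ACTIVE
172.18.95.21    10.253.34.80    MM_KEY_EXCH        895    0 ACTIVE
172.18.95.21    10.253.34.80    MM_KEY_EXCH        894    0 ACTIVE
172.18.95.21    10.253.34.80    MM_KEY_EXCH        893    0 ACTIVE
172.18.95.21    192.0.2.10      QM_IDLE            412    0 ACTIVE
172.18.95.21    198.51.100.7    MM_KEY_EXCH        899    0 ACTIVE
...
"""


def parse_rows(text):
    """Return one dict per data row; headers, blanks and '...' are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match is None:
            continue
        row = match.groupdict()
        row["conn_id"] = int(row["conn_id"])
        row["slot"] = int(row["slot"])
        rows.append(row)
    return rows


def stuck_main_mode(text, threshold=3):
    """Map (addr1, addr2) -> sorted conn-ids for pairs at or over threshold.

    A single MM_KEY_EXCH row is a normal transient during IKE phase 1, so
    only pairs holding `threshold` or more such rows are reported.
    """
    by_pair = defaultdict(list)
    for row in parse_rows(text):
        if row["state"] == "MM_KEY_EXCH":
            by_pair[(row["addr1"], row["addr2"])].append(row["conn_id"])
    return {
        pair: sorted(ids)
        for pair, ids in by_pair.items()
        if len(ids) >= threshold
    }


if __name__ == "__main__":
    for (addr1, addr2), ids in stuck_main_mode(SAMPLE_OUTPUT).items():
        print(f"{addr1} / {addr2}: {len(ids)} sessions in MM_KEY_EXCH, conn-ids {ids}")
```

Running the check on successive captures and comparing the conn-id lists shows whether the same sessions persist, which distinguishes accumulation from a burst of new negotiations.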
•
CSCeh95801
Symptoms: The domain name does not appear in the accounting records.
Conditions: This symptom is observed when EzVPN clients use digital certifications that are terminated on a Cisco router and when RADIUS accounting is enabled.
Workaround: Use the accounting information that is available such as the Group-ID.
•
CSCeh96861
Symptoms: One-way audio or no audio may occur during a call that is made through a Cisco AS5400.
Conditions: This symptom is observed when the Cisco AS5400 functions as a terminating gateway and is connected to a Cisco 3600 series or Cisco 3800 series that functions as an originating gateway. All platforms run Cisco IOS Release 12.3(14)T. The symptom may also occur in later releases.
Workaround: Enter the playout-delay nominal 200 command on the voice port that is used for the call.
•
CSCei23159
Symptoms: The HSRP feature does not work on the L3 switchport on NM-16/36ESW for the Cisco 2800 series and Cisco 3700 series routers. HSRP works correctly on the VLAN interface and onboard L3 interfaces.
Conditions: This symptom has been observed on the Cisco 2800 series and Cisco 3700 series routers.
Workaround: Use either of the following workarounds as necessary:
1. Use the MAC address of the physical interface for the HSRP virtual MAC address. However, this could not be applied in the customer's design.
or
2. Enable the standby use-bia command under the Routed Interface as in the following example:
interface FastEthernet1/0
no switchport
ip address 10.116.216.2 255.255.255.0
standby use-bia
standby 2 ip 10.116.216.1
standby 2 preempt
end
•
CSCei36482
Symptoms: The output of the show resource user iosprocess brief command shows the resource owner (RO) and its usage by resource user (RU) but only for the first RU. Starting from the second RU, the ROs are displayed incorrectly, that is, only the buffer RO is shown. Other RO information such as CPU use is not displayed.
Conditions: This symptom is observed on a Cisco router that has the Embedded Resource Manager (ERM) enabled.
Workaround: Do not enter the show resource user iosprocess brief command. Rather, enter the show resource owner command as in the following example: show resource owner cpu user iosprocess. The output of this command shows the CPU use for the RO for all RUs in the "iosprocess" Resource User Type (RUT). Note that the symptom does not impact the functionality of the ERM or the router.
•
CSCei37299
Symptoms: A VPN hub router may reload when you enter the clear crypto session remote ip-address command.
Conditions: This symptom is observed after a remote peer disconnects ungracefully (that is, the peer is suddenly powered-off or the LAN cable is disconnected) and immediately reconnects to the VPN hub router with a different public address.
Workaround: Do not enter the clear crypto session remote ip-address command. Rather, enter the clear crypto sa command.
•
CSCei41674
Symptoms: A router may generate "SYS-2-LINKED: Bad enqueue" error messages.
Conditions: This symptom is observed when both the following conditions are present:
–
The router generates traffic such as routing updates that are encrypted via IPSec and the traffic (packets) is process-switched after encryption.
–
The router is configured with a hardware crypto accelerator.
A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CCSCeg43855. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.
Workaround: There is no workaround.
Further Problem Description: When the error message is generated, a crash may also occur in the following configuration in which hub-and-spoke GRE tunnels are configured for IPSec and EIGRP: When the spokes have a primary hub and a backup hub (that is, a GRE tunnel to each) and when a switchover from the primary hub to the backup hub occurs multiple times, the spoke may crash. This particular situation is observed on a Cisco 1841 and Cisco 3825.
A workaround for this particular situation is to prevent multiple hub switchovers from occurring or to refrain from configuring GRE tunnels with IPSec and EIGRP.
•
CSCei44586
Symptoms: The wrong IKE SA is deleted when the SA deletion is triggered by the idle timer.
Conditions: This symptom has been observed when the clients are behind a firewall or NAT device and their public address is set by Port Address Translation (PAT) to the same IP address as their LAN IP address.
Workaround: Use NAT instead of PAT.
•
CSCei50425
Symptoms: A Cisco 7200 series or Cisco 7301 that is equipped with a VAM, VAM2 or VAM2+ accelerator may refuse a valid RSA key and generate an error message such as the following:
% Error in generating keys: did not validate % Key pair import failed.
Conditions: This symptom is observed under rare circumstances when a valid RSA key is composed of unusually short or long prime numbers and coefficient.
When the VAM is deactivated during the importation of the RSA key, the router accepts the key but when the VAM, VAM2, or VAM2+ is inserted into the chassis, the router miscomputes the signature payload of the IKE/ISAKMP exchanges.
Workaround: Create a new RSA key.
Further Problem Description: The result of the wrong operation can be seen on the other side of the connection by activating the debug crypto engine and debug crypto isakmp commands. The following messages are related to the failure:
crypto_engine: public key verify
crypto_engine: public key verify, got error no available resources
ISAKMP:(0:2:HW:2): signature invalid!
•
CSCin86954
Symptoms: A spurious memory access is generated after you have entered the show running-config command.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(13) when a range of PVCs is configured on an interface or subinterface.
Workaround: There is no workaround.
•
CSCin89043
Symptoms: A VIP may pause indefinitely or quality of service (QoS) may not work as expected on an interface that is configured for distributed MLP (dMLP).
Conditions: This symptom is observed on a Cisco 7500 series when the VIP processes dMLP and LFI traffic.
Possible Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
•
CSCsa44556
Symptoms: When you remove and re-enter the zone circuit-id command, the command may not take effect.
Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper.
Workaround: Reload the gatekeeper after you have made the configuration changes.
•
CSCsa44852
Symptoms: A virtual-access interface flaps continuously.
Conditions: This symptom is observed on a Cisco 3745 router that functions in a PPPoA environment during normal working conditions.
Workaround: Disable keepalives on the dialer interface on the remote router.
•
CSCsa56901
Symptoms: Cisco Fax Relay calls both to and from computer-based fax devices fail. Calls to and from traditional fax machines work fine. Calls to and from computer-based fax devices via the PSTN instead of via a Cisco Fax Relay network work fine too.
Conditions: This symptom is observed on a Cisco 3700 series that is configured for Cisco Fax Relay and VoIP.
Workaround: There is no workaround.
•
CSCsa61523
Symptoms: The following error message is generated on a Cisco 7200 series that has Multilink PPP (MLP) configured on serial interfaces of a PA-MC-STM-1 port adapter:
%SYS-2-BADSHARE: Bad refcount in datagram_done, ptr=3, count=0
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(11)T3 only when MLP is configured on the serial interfaces. The symptom may also occur in Release 12.3 or 12.4.
Workaround: Unconfigure MLP on the serial interfaces.
•
CSCsa66255
Symptoms: IP data traffic does not pass via MLP.
Conditions: This symptom is observed on a Cisco 3825 that runs the c3825-advsecurityk9-mz image of Cisco IOS Release 12.3(11)T3 when STAC compression on an AIM-COMPR4 fails.
Workaround: There is no workaround.
•
CSCsa68228
Symptoms: A Cisco router may crash when you enter the dialplan-pattern command.
Conditions: This symptom is observed on a Cisco router that is configured with a high number of ephone-dns when you enter the dialplan-pattern command.
Workaround: There is no workaround.
•
CSCsa68978
Symptoms: Memory allocation (malloc) failures may occur on a Cisco router that functions as a gatekeeper and that runs an H.323 stack.
Conditions: This symptom is observed on the gatekeeper when gateways attempt to register a list of terminal aliases that consists of user names and H.323 IDs with the gatekeeper. The gatekeeper attempts to authenticate each terminal alias by allocating memory and sending an authentication request to the AAA server for each entry. Because the gatekeeper does not free the allocated memory when it receives a response from the AAA server, a memory allocation failure occurs eventually.
Workaround: There is no workaround.
•
CSCsa69020
Symptoms: The default port 1720 on an H.323 gatekeeper is used for H.225 messaging. This fix allows users to configure the H.225 listen port in the range from 1 to 65535.
Conditions: This symptom is observed on an H.323 gatekeeper.
Workaround: There is no workaround.
•
CSCsa71310
Symptoms: An E1 controller on an MGCP trunking gateway reports Loss of Frames (LOF).
Conditions: This symptom is observed when you configure a Cisco 3660 as an MGCP trunking gateway.
Workaround: There is no workaround.
•
CSCsa71612
Symptoms: When you make 21 calls and place one call on hold, the callee at the PSTN side does not hear the MoH.
Conditions: This symptom is observed on a Cisco 2621XM and Cisco 3745 that run an IP voice image of Cisco IOS Release 12.3(7)T4 and that are configured with an NM-HD-2VE, a VWIC-1MFT-T1 or VWIC-2MFT-T1, codec complexity flex, and multicast MoH.
Workaround: Add another NM-HD-2VE and configure codec complexity medium.
•
CSCsa89621
Symptoms: The firewall performance of an NPE-G1 is below expectations, causing high CPU use.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(14)T1 and that is configured with an NPE-G1.
Workaround: There is no workaround.
•
CSCsa98462
Symptoms: A Cisco router may display the following error messages and then reload because of a bus error:
HDLC32_RX_ISR_ERR: no particles available!
HDLC32_RX_ISR_ERR: no particles available!
HDLC32_RX_ISR_ERR: no particles available!
HDLC32_RX_ISR_ERR: no particles available!
%SYS-2-BADSHARE: Bad refcount in retparticle, ptr=64689BC0, count=0
-Traceback= 0x6100C244 0x604B9F4C 0x60955894 0x60959690 0x60AFCE14 0x60AFF7E4
%ALIGN-1-FATAL: Illegal access to a low address
addr=0x0, pc=0x609560C0 , ra=0x609596BC , sp=0x6476BBF8
%ALIGN-1-FATAL: Illegal access to a low address
addr=0x0, pc=0x609560C0 , ra=0x609596BC , sp=0x6476BBF8
TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x609560C0
-Traceback= 0x609560C0 0x609596BC 0x60AFCE14 0x60AFF7E4
Conditions: This symptom is observed on a Cisco router when you enter the channel group command to create a serial interface on an NM-HD or NM-HDV2 network module or on an onboard controller of an Integrated Services Router (ISR) such as a Cisco 2800 series or Cisco 3800 series.
Workaround: There is no workaround.
•
CSCsb01043
Symptoms: When a Turbo ACL classification table grows beyond a certain size, a memory allocation failure may occur or the router may crash.
If the router runs Cisco IOS Release 12.3, memory corruption may occur, causing the router to crash. If the router runs Cisco IOS Release 12.2S, an error message similar to the following may appear during a Turbo ACL compilation, the compilation will fail, and a recompilation is forced:
%SYS-2-CHUNKBADELESIZE: Chunk element size is more than 64k for TACL Block -Process= "TurboACL", ipl= 0, pid= 82
These symptoms do not occur because of an out-of-memory condition.
Conditions: This symptom is observed on a Cisco router that is configured for Turbo ACL. The Cisco 10000 series is not affected.
Workaround: Monitor the output of the show access-lists compiled command and force the Turbo ACL tables to be cleared if a table is at risk of growing large enough to trigger the symptoms.
The tables that have significant sizes are the first and third tables shown next to "L1:" and the first table shown next to "L2:". When the number after the slash for one of these tables is greater than 16384 for the "L1" tables or greater than 32768 for the "L2" table, the table is already too large and the symptom may occur at any moment.
When the number is in the range from 10924 to 16384 inclusive for the "L1" tables or the range from 21846 to 32768 inclusive for the "L2" tables, the table size will be too large on the next expansion. An expansion occurs when the number to the left of the slash reaches 90 percent of the value to the right of the slash. When the value to the left of the slash approaches 90 percent of the value to the right, enter the no access-list compiled command followed by the access-list compiled command to disable and re-enable Turbo ACL. Doing so causes the tables to be cleared and, therefore, delays the expansion. This workaround may be impractical when there is a high rate of incoming packets and when entries are added frequently to the tables.
Alternative Workaround: Disable Turbo ACL by entering the no access-list compiled command.
Note that neither of these workarounds is supported on a Cisco 7304 that is configured with an NSE-100: there is no workaround for this platform.
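The table-size check that the CSCsb01043 workaround describes, written out as an added example (not Cisco code): it applies the thresholds above to the used/size pairs on the "L1:" and "L2:" lines. The sample text is constructed and reduced to those two lines, the 80 percent early-warning margin is an assumption, and real show access-lists compiled output may be laid out differently.

```python
import re

# Limits quoted in the CSCsb01043 workaround, per lookup level:
# (smallest size that becomes too large on the next expansion, largest safe size).
LIMITS = {"L1": (10924, 16384), "L2": (21846, 32768)}
# Tables that matter, by position on the line: first and third for L1, first for L2.
WATCHED = {"L1": (1, 3), "L2": (1,)}

LEVEL_LINE = re.compile(r"^\s*(L1|L2):(.*)$")
PAIR = re.compile(r"(\d+)\s*/\s*(\d+)")

# Constructed sample, reduced to the two lines the workaround refers to.
SAMPLE_OUTPUT = """\
L1: 9500/10924 120/256 3000/16384 40/64
L2: 30100/49152 10/16
"""


def classify(level, used, size, warn_percent=80):
    """Return OK, WATCH, CLEAR_NOW or OVERSIZE for one used/size pair.

    warn_percent is an assumed early-warning margin below the 90 percent
    fill level at which the workaround says an expansion occurs.
    """
    low, high = LIMITS[level]
    if size > high:
        return "OVERSIZE"      # already too large: the symptom may occur
    if size < low:
        return "OK"            # the next expansion still fits under the limit
    # size is within [low, high]: the next expansion would be too large
    if used * 100 >= warn_percent * size:
        return "CLEAR_NOW"     # disable and re-enable Turbo ACL before it expands
    return "WATCH"


def check_turbo_acl(output, warn_percent=80):
    """Classify the watched tables found on the L1:/L2: lines of the output.

    Returns tuples of (level, table position, used, size, status).
    """
    findings = []
    for line in output.splitlines():
        match = LEVEL_LINE.match(line)
        if not match:
            continue
        level, rest = match.groups()
        pairs = [(int(u), int(s)) for u, s in PAIR.findall(rest)]
        for position in WATCHED[level]:
            if position > len(pairs):
                # The line is shorter than expected; report it, do not guess.
                findings.append((level, position, None, None, "MISSING"))
                continue
            used, size = pairs[position - 1]
            status = classify(level, used, size, warn_percent)
            findings.append((level, position, used, size, status))
    return findings


if __name__ == "__main__":
    for level, position, used, size, status in check_turbo_acl(SAMPLE_OUTPUT):
        print(f"{level} table {position}: {used}/{size} -> {status}")
```
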
•
CSCsb06330
Symptoms: A router may crash when you make basic IPIPGW fax calls.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(11)T6.
Workaround: There is no workaround.
•
CSCsb12405
Symptoms: A fax call that is made over a VoIP MGCP link may fail when both the originating and terminating gateways have the mgcp fax t38 gateway force command enabled.
Conditions: This symptom is observed on Cisco routers that run Cisco IOS Release 12.4 or interim Release 12.4(2.2)T.
Workaround: There is no workaround.
•
CSCsb16321
Symptoms: The logging buffer is full with strange messages such as "readreadread."
Conditions: This symptom is observed on a Cisco router with a 4-wire DSL WIC module that has the logging buffered debugging command enabled when an invalid message is accepted via the debug port TCP 1666.
Workaround: Configure buffer logging to the informational level or lower by entering the logging buffered informational command.
Access to the debug port can be blocked by deploying an interface access list that blocks access to the debug port TCP 1666 for traffic that is destined for any of the IP addresses of the router.
For information about deploying access lists, see the "Transit Access Control Lists: Filtering at Your Edge" document: http://www.cisco.com/warp/public/707/tacl.html
For further information about deploying access lists, see the "Protecting Your Core: Infrastructure Protection Access Control Lists" document: http://www.cisco.com/warp/public/707/iacl.html
For information about using control plane policing to block access to the debug port, see the "Deploying Control Plane Policing White Paper": http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper09186a0080211f39.shtml
Note that the symptom does not impact other applications and services.
•
CSCsb24007
Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:
–
Session Initiation Protocol (SIP)
–
Media Gateway Control Protocol (MGCP)
–
Signaling protocols H.323, H.254
–
Real-time Transport Protocol (RTP)
–
Facsimile reception
Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
•
CSCsb27436
Symptoms: A Cisco platform that is configured for SSG may reload unexpectedly because of a bus error, and generate a crashinfo file that shows the following error message:
%ALIGN-1-FATAL: Corrupted program counter
Conditions: This symptom is observed when the no host overlap command is enabled and when users connect and disconnect.
Workaround: Remove the no host overlap command. If this is not an option, there is no workaround.
•
CSCsb40194
Symptoms: A Cisco 7301 that is configured for SSG may reload unexpectedly because of a bus error.
Conditions: This symptom is observed when a user with an active session logs in again. The symptom may be platform-independent.
Workaround: There is no workaround.
•
CSCsb46264
Symptoms: When a dialer interface is configured as an endpoint for an IPSec+GRE tunnel, tracebacks with bad refcount may be generated.
Conditions: This symptom is observed on a Cisco 837 when router-generated packets such as routing updates are being switched.
Workaround: There is no workaround.
Wide-Area Networking
•
CSCea75722
Symptoms: A Cisco IOS voice gateway may fail to receive a call from the public switched telephone network (PSTN) on its PRI port.
Conditions: This symptom is observed on a Cisco 2651XM that runs Cisco IOS Release 12.2(13)T3 or Release 12.3 and that functions as a voice gateway when it does not send a Q.931 Call Proceeding message upon receiving the call.
Workaround: There is no workaround.
•
CSCeg20283
Symptoms: E1R2 SS7 calls fail to come up when more than one call is made with the following ISDN error:
ISDN Se1/6:15 SC **ERROR**: call_connect: call_id not found, rejecting call
ISDN **ERROR**: Module-CCPRI Function-CCPCC_CallConnected Error-Unknown
event received in message from L3 or Host: 4F
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3(11)T.
Workaround: There is no workaround.
•
CSCeg22171
Symptoms: Calls fail to connect when they are switched from the primary D channel to the backup D channel.
Conditions: This symptom is observed when you either unplug the cable or shut down the controller of the primary D channel.
Workaround: There is no workaround.
•
CSCeg22533
Symptoms: A signal-only call fails when an INVALID message is generated because a B-channel IDB is not found.
Conditions: This symptom is observed when ISDN PRI QSIG Voice Signaling is configured.
Workaround: There is no workaround.
•
CSCeg42148
Symptoms: Attempts to change a B-channel service state by entering the isdn service nfas-int number b_channel number {state {0 | 1 | 2} [hard | immediate | soft]} command appear to succeed but the service state does not change.
Conditions: This symptom is observed when a voice application uses a B-channel. The output of the show isdn service detail command shows a locale of ISDN_NEAR_END_APP.
Workaround: There is no workaround.
•
CSCeg43033
Symptoms: A Cisco 7200 series periodically shows incorrect adjacencies for the loopback address. The output of the show ip cef events ip-prefix command shows the following:
<ip-prefix>/32, version 8177, epoch 0, attached, connected
0 packets, 0 bytes
tag information set
local tag: implicit-null
via Loopback0, 0 dependencies
valid discard adjacency
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(9b) and that is configured for PPP and CEF. However, the symptom may be platform-independent.
Workaround: There is no workaround.
•
CSCeg82698
Symptoms: PPTP tunnels do not come up.
Conditions: This symptom is observed when VPDN is configured.
Workaround: There is no workaround.
•
CSCeh11771
Symptoms: On a leased line (non-dialup) serial connection that is configured for PPP encapsulation, the line protocol may not come back up when the connection is reset. The PPP LCP remains in the closed state, even though the link is up physically.
Conditions: This symptom is observed when an active PPP session is reset and when the underlying link is not simultaneously reset, that is, when PPP goes down but when the link does not go down physically. This situation would occur, for example, when a PPP session is terminated because of keepalive failures.
Workaround: There is no workaround.
•
CSCeh33185
Symptoms: A POS interface on a VIP4-80 that is configured for PPP goes down and remains down.
Conditions: This symptom is observed on a Cisco 7513 that runs Cisco IOS Release 12.0S only when PPP receives an LCP PROTOCOL REJECT message for PAP or CHAP. The symptom may also occur in other releases.
Workaround: Enter the shutdown command followed by the no shutdown command on the affected POS interface.
•
CSCeh48987
Symptoms: The CEF-Dialer feature fails to add an adjacency for a Virtual-Access1 CEF interface.
Conditions: This symptom is observed during a test on a Cisco router that runs Cisco IOS interim Release 12.3(14.10).
Workaround: There is no workaround.
•
CSCeh59311
Symptoms: None of the digits in INFO messages are passed to an ISDN switch.
Conditions: This symptom is observed on a Cisco 1760 that runs Cisco IOS Release 12.3(11) or Release 12.3(11)T4 when overlap is configured and when the setup acknowledgement arrives late from the terminating switch after some of the INFO messages have already been received from the OGW. The symptom may be platform-independent.
Workaround: There is no workaround.
•
CSCei16649
Symptoms: The output of the show pppoe session or show vpdn session command does not show PPPoEoA session details.
Conditions: This symptom is observed for a point-to-point ATM interface.
Workaround: There is no workaround.
•
CSCsa78067
Symptoms: A Cisco 5400HPX may crash when conditional debugging runs.
Conditions: This symptom is observed on a Cisco 5400HPX that runs Cisco IOS Release 12.3(11)T3 when ISDN globally unique identifier (GUID) is configured.
Workaround: There is no workaround.
•
CSCsa81268
Symptoms: A Cisco AS5850 may reload with a software forced crash.
Conditions: This symptom occurs when configuring the isdn ie oli interface configuration command.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.3(14)T3
Cisco IOS Release 12.3(14)T3 is a rebuild release for Cisco IOS Release 12.3(14)T. The caveats in this section are resolved in Cisco IOS Release 12.3(14)T3 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCds33629
Symptoms: Closing an existing Telnet session may cause a router to crash.
Conditions: This symptom is platform-independent.
Workaround: There is no workaround.
•
CSCeh04755
Symptoms: When you reload a router by entering the reload command, the router may unexpectedly enter the ROMmon mode and generate the following error message:
%SYS-5-RELOAD: Reload requested by console. Reload Reason:Reload command.
monitor: command "boot" aborted due to user interrupt
rommon 1 >
Conditions: This symptom is observed only on a Cisco 7200 that is configured with an NPE-G1, and on UBR7246VXR with UBR-NPE-G1.
Workaround: Enter the confreg 0x2002 command.
•
CSCsa58890
Symptoms: No "Accounting On" message is sent at boot up when an ADSL interface is used; however, this message is sent when a FastEthernet card is used.
Conditions: This symptom has been observed when the aaa accounting system default start-stop group ssg-proxy command is configured on the router.
Workaround: There is no workaround.
•
CSCsb03401
Symptoms: You cannot open a specific port on a Cisco IOS IP SLA responder.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(14)T1 or Release 12.4 when you attempt to open a specific port on the responder instead of using normal control protocol.
Workaround: Use normal control protocol.
Interfaces and Bridging
•
CSCeh17935
Symptoms: When you perform an Online Insertion and Removal (OIR) of an ATM port adapter, tracebacks are generated.
Conditions: This symptom is observed on a Cisco 7200 series when the ATM port adapter is up and has a VC configured.
Workaround: There is no workaround.
Further Problem Description: Tracebacks are seen on a Cisco 7200 platform when the ATM PA is removed and replaced online while traffic is still passing through the ATM interface and the interface is oversubscribed.
•
CSCei08289
Symptoms: The transmit rate is higher than the configured committed information rate (CIR), causing the network to drop frames.
Conditions: This symptom is observed only when traffic is process-switched and when software payload compression and header compression are configured.
Workaround: Enable either CEF or fast-switching. If process-switching must be used, add a compression adaptor and configure FRF9 data compression instead of packet-by-packet payload compression. You can enable FRF9 data compression in the following ways:
–
On a point-to-point interface, enter the following command in interface configuration mode:
frame-relay payload-compression frf9 stac
–
On a multipoint interface, enter the following command in interface configuration mode:
frame-relay map ip ip-address dlci payload-compression frf9 stac
Further Problem Description: We do not recommend process-switching in combination with software payload compression because it is not possible to provide latency guarantees.
IP Routing Protocols
•
CSCef21601
Symptoms: Calls may not complete because ResvConfirm messages are dropped. You can enter the debug ip rsvp messages command to track RSVP messages as they traverse routers.
Conditions: This symptom is observed when RSVP is configured for call admission control in a network with routers that do not have RSVP and a proxy ARP enabled. The symptom occurs because the RSVP-capable hop that sends the ResvConfirm messages uses the next RSVP-capable hop as the next IP hop for the packets and does not have the MAC address that is needed to encapsulate the IP packets for this next IP hop.
Workaround: Configure a static ARP entry that enables the router to properly encapsulate the packet by entering the arp ip-address hardware-address arpa command. The ip-address argument is the address of the next hop (that is visible via the RSVP debugs) for the ResvConfirm messages and the hardware-address argument is the MAC address of the interface of the next IP hop through which the ResvConfirm messages should be routed.
•
CSCsa54937
Symptoms: An LNS with a VRF configuration does not send an echo reply when it receives a ping to loopback interface 0.
Conditions: This symptom is observed on a Cisco 7200 series that is configured with an NPE-300, a Cisco 7200 series that is configured with an NPE-400, and a Cisco 7400 series.
Workaround: Wait about 20 minutes to enable the LNS to send an echo reply or enter the clear arp-cache command.
•
CSCsa55555
Symptoms: A router may reload because of a bus error when the NAT MIB is polled via SNMP.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(11)T2.
Workaround: There is no workaround.
•
CSCsa98059
Symptoms: Suboptimal routing occurs in an OSPF configuration or a routing loop occurs between two border routers that redistribute BGP into OSPF.
Conditions: These symptoms are observed when at least two border routers are connected via eBGP to another autonomous system, receive the same prefix over these connections, and redistribute the prefix into OSPF. Under certain conditions, for example when the eBGP session from the preferred BGP exit point to the eBGP peer flaps, the second router in the local autonomous system becomes the preferred path and redistributes the eBGP route into OSPF. When the eBGP session with the first router comes back up, the LSA should be flushed but this does not occur. This situation may create routing problems on other OSPF routers or, when BGP has a higher administrative distance than OSPF, routing loops between both border routers.
Workaround: There is no workaround.
Miscellaneous
•
CSCed66010
Symptoms: The endpoint max-calls h323id gatekeeper configuration command works only in one direction.
Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper and that runs Cisco IOS Release 12.3(5b) but may also occur in Release 12.3 T. When the limit that is defined in the endpoint max-calls h323id gatekeeper configuration command is reached, calls are only restricted via an ARJ message when they are originated at the endpoint that is defined in the endpoint max-calls h323id gatekeeper configuration command. Calls that are originated at any other gateway and that are terminated at the gateway that is defined in the endpoint max-calls h323id gatekeeper configuration command are not rejected by the gatekeeper via an ARJ message as they should be.
Workaround: There is no workaround.
•
CSCef97768
Symptoms: A PCMCIA flash card that is installed in either slot 0 or slot 1 of a Cisco 3620 may become read-only.
Conditions: This symptom is observed occasionally on a Cisco 3620 that runs Cisco IOS Release 12.3(6b).
Workaround: There is no workaround.
•
CSCeg14231
Symptoms: Various commands that include the virtual access keywords do not work as expected. For example, the show policy-map interface virtual-access2.1 produces no output even when there is policy map data associated with interface virtual-access2.1.
Conditions: This symptom is observed only on certain commands and only when these commands specify a virtual access interface.
Workaround: There is no workaround. However, the symptom is not service-affecting.
•
CSCeg15065
Symptoms: After a DSP restarts, RTP packets are not sent from the DSP to a trunk connection.
Conditions: This symptom is observed on a Cisco 7200 VXR router that runs Cisco IOS Release 12.3(10a) or Release 12.3(11)T when the connection trunk command is enabled.
Workaround: There is no workaround. To re-enable the DSP to send RTP packets, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the voice port that is associated with the DSP.
•
CSCeg43855
Symptoms: An encrypting router may send traffic that is locally originated (such as keepalive packets or routing update packets) out of order after the packets have been encrypted. Because of the anti-replay check failure, these packets are dropped on the receiving router.
Conditions: This symptom is observed when a multipoint GRE (mGRE) and IPSec tunnel is built between two routers.
Workaround: Turn off packet authentication for the configured IPSec transform.
Further Problem Description: On a Cisco 7200 series that functions as the receiving router, you can observe the symptom in the output of the show crypto ipsec sa detail or show pas isa interface command.
•
CSCeg50651
Symptoms: When a router has the moh-live dn-number out-call command enabled with 1234 for the dn-number argument and 9876 for the out-call argument, the outcall to an FXO port does not occur. Only when the router is manually placed into SRST mode does the outcall occur.
Conditions: This symptom is observed on a Cisco 2800 series that is configured as a MGCP gateway.
Workaround: Place the gateway into SRST mode, force the outcall to the live feed, then place the router back into MGCP mode.
Further Problem Description: This caveat is an enhancement to the MOH Live-Feed Support feature. The fix for this caveat ensures that MoH works in any configuration, not only when the router functions in SRST mode.
•
CSCeg52468
Symptoms: A Cisco router intermittently stops encrypting and forwarding packets, and the following error messages are generated:
%VPN_HW-1-PACKET_ERROR slot 0 Packet Encryption/Decryption error, Output Authentication error (0x20000000)
or
%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Invalid Packet
Conditions: This symptom is observed under rare circumstances on a Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series that are configured with an AIM-VPN-BPII, AIM-VPN/EPII, or AIM-VPN/HPII Virtual Private Network (VPN) encryption and hardware advanced integration module (AIM). The symptom occurs after an IPSec SA rekeying.
Workaround: Use the appropriate AIM-VPN-BPII-Plus or AIM-VPN/EPII-Plus or AIM-VPN/HPII-Plus AIM.
Further Problem Description: HSP firmware version 2.3.1 was committed through CSCeg15422 to address the most common conditions that could result in PCI NULL writes that cause memory corruption. The fix for this caveat (CSCeg52468) implements HSP firmware version 2.3.2 to address additional conditions that could result in PCI NULL writes.
•
CSCeg78036
Symptoms: The following tracebacks may be generated when VFR handles fragmented packets:
%SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 0 data 6472EE80 chunkmagic 0 chunk_freemagic 6484FA7C -Process= "IP Input", ipl= 4, pid= 60
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS interim Release 12.3(12.11)T1. The symptom may also occur on a Cisco 2651XM.
Workaround: Disable virtual-reassembly using the "no ip virtual-reassembly" command.
•
CSCeg89017
Symptoms: MGCP calls fail with a fast busy signal. When you enter the debug mgcp packet command, the output indicates that the 400 Voice Call Setup failed.
Conditions: This symptom is observed when MGCP PRI backhaul is configured on a Cisco 2800 series that is configured with PVDM2 DSPs. Calls fail only after the router is reloaded. The symptom may also occur on a Cisco 3800 series that functions in the same configuration.
Workaround: Enter the following sequence of commands:
1.
Enter the ccm-manager config server ip-address command followed by the ccm-manager config command.
2.
Enter the shutdown command on the voice port or on the T1 controller.
3.
Enter the no mgcp command followed by the mgcp command.
4.
Enter the no ccm-manager config command followed by the ccm-manager config command, assuming that you have the TFTP server defined.
5.
After you reload the router, enter the write erase command, add the configuration, and save the configuration.
•
CSCeh14272
Symptoms: Prioritized encrypted traffic is dropped.
Conditions: This symptom is observed when the Low Latency Queuing (LLQ) for IPSec Encryption Engines feature is enabled.
Workaround: Disable QOS preclassification on the crypto map.
•
CSCeh17689
Symptoms: Poor voice quality may be experienced as the default impedance selection may not yield the best ERL.
Conditions: This symptom has been observed when using the default impedance selection on a Cisco 2800 router.
Workaround: Use the test voice port [slot] /[subunit]/[port] inject-tone local sweep [sweep step] [high amplitude] [low amplitude] command to manually calibrate the best ERL.
•
CSCeh21613
Symptoms: When multicast is configured as part of a dial-peer configuration and you enter the shutdown command quickly followed by the no shutdown command on a voice port that is part of the dial-peer configuration, the router may generate tracebacks and may crash.
Conditions: This symptom is observed on a Cisco 1760 that runs Cisco IOS Release 12.3(11)T4.
Workaround: There is no workaround.
•
CSCeh25446
Symptoms: The following error message may be generated when a Cisco AS5850 voice gateway boots:
Could not enable MAC
This situation may prevent line cards from booting up and pings over the Fast Ethernet and Gigabit Ethernet interfaces may fail.
Conditions: This symptom is observed on a Cisco AS5850 voice gateway that runs Cisco IOS Release 12.3T.
Workaround: There is no workaround.
•
CSCeh32576
Symptoms: Configuring an AUX port through a non-slotted notation such as "interface async 1" may not be possible on a Cisco 1841 and a Cisco 2801.
Conditions: This symptom is observed on a Cisco 1841 and Cisco 2801 that run Cisco IOS interim Release 12.3(11.9)T or a later release.
Workaround: Configure the AUX port through the slotted notation such as "interface async 0/0/0".
•
CSCeh35823
Symptoms: When a router detects "invalid identity" failures while decrypting IPsec packets, a memory leak occurs for the packet memory that is associated with these failed packets.
Conditions: This symptom is observed only when an "invalid identity" error occurs, which is an uncommon error that indicates that the originating router does not send packets according to what was originally negotiated. However, if there is another error that causes a "bad" decryption, the packet could be invalid and may also cause the symptom to occur.
Workaround: There is no workaround.
•
CSCeh40183
Symptoms: A router reloads unexpectedly when the show policy interface EXEC command is entered.
Conditions: This symptom is observed on a Cisco router when two users are connected to the router and simultaneously enter the show policy interface EXEC command.
Workaround: Ensure that only one user at a time enters the command.
•
CSCeh42620
Symptoms: Authentication, Authorization, and Accounting (AAA) for IKE fails with the following message when trying to begin session accounting:
ISAKMP AAA: Unable to allocate AAA User ID: no peer
Conditions: This error occurs when IKE accounting is configured in a site-to-site IPSec VPN. It will not occur when IKE accounting is configured in conjunction with mode configuration, XAUTH or EZVPN.
Workaround: There is no workaround.
•
CSCeh42852
Symptoms: A T.37 fax fails on a Cisco 2800 series because of clocking problems with a BRI. The fax that is sent or received via the BRI may be incomplete with cut pages or a part lost. About 40 to 50 percent of the faxes fail.
Conditions: This symptom is observed in the following topology:
A fax is sent from a fax machine via the PSTN to a BRI on a Cisco 2800 series. The Cisco 2800 series connects via an IP interface to an SMTP mail server.
Workaround: There is no workaround. Note that a fax that is sent via FXS instead of via a BRI goes through fine.
•
CSCeh49462
Symptoms: Tracebacks are generated on a Cisco AS5850 that is configured for analog and digital bulk calls.
Conditions: This symptom is observed on a Cisco AS5850 that is configured with ERSCs and that functions under stress.
Workaround: There is no workaround. However, the symptom does not impact service because the calls are processed by the Cisco AS5850.
•
CSCeh60700
Symptoms: A router that is configured for GRE+IPSec tunnel protection and VRF drops packets that are larger than the size of the MTU of the tunnel interface. The router should fragment the packets.
Conditions: This symptom is observed on a Cisco 2600 series when the size of a (cleartext) packet is larger than 1434 bytes (which is the Ethernet MTU minus the IPSec overhead). However, the symptom is platform-independent and occurs with both software encryption and onboard hardware encryption engines.
Workaround: On the tunnel interface that is configured for GRE+IPsec tunnel protection and VRF, configure an MTU size that is smaller than the MTU size of the physical interface of the tunnel source minus the IPSec overhead, as in the following example:
interface tunnel0
ip mtu 1400
(This example assumes that the physical interface of the tunnel source is an Ethernet interface with an MTU of 1500 bytes.)
•
CSCeh62596
Symptoms: Performing Telnet results in the session pausing indefinitely after accepting 13 characters or carriage returns.
Conditions: This symptom is observed when a Telnet session runs through an ATM PVC that uses PPPoA. A Telnet session through Fast Ethernet works fine.
Workaround: Avoid using a Telnet session through an ATM PVC that uses PPPoA. Use Fast Ethernet for Telnet sessions if possible.
•
CSCeh62694
Symptoms: Before you start a BACD script, you cannot log out all agents from an ephone hunt group and activate the Do Not Disturb (DND) feature.
Conditions: This symptom is observed on a Cisco gateway that has an ephone hunt group configured.
Workaround: There is no workaround.
•
CSCeh65386
Symptoms: If a crypto map has RRI enabled and is applied to more than one interface, removing the map from one interface removes all active routes that are associated with other instances of this crypto map. In particular, this situation affects dialup termination and VPN connectivity on the same physical router. When you use a virtual template, the disconnection of one virtual-access interface that is spawned from the virtual template causes all routes for all other virtual-access interfaces to be removed.
Not all IKE and IPSec SAs on active connections are impacted, and when IPSec is rekeyed, routes are restored on the active interfaces.
Conditions: These symptoms are observed on a Cisco router under the following conditions:
–
The same crypto map is applied to multiple interfaces.
–
RRI is configured on the crypto map.
–
VPN and dialup are configured on the same physical router.
–
There are active IPSec SAs and routes.
Workaround: Do not remove a crypto map from an interface when there are active connections on other interfaces that use the same crypto map. First clear all SAs from the crypto map and then remove the interface.
•
CSCeh72180
Symptoms: A router may unexpectedly reload and generate the following error message:
TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x60FB1F70
Conditions: This symptom is observed on a Cisco 7200 series when one interface is configured for IP Header Compression (IPHC) and when another interface has a crypto map that includes the qos pre-classify command. However, the symptom is platform-independent.
Workaround: There is no workaround.
•
CSCei01321
Symptoms: You cannot bring up a serial interface of a channelized E1 or T1 port. The interface remains in the down/down state.
Conditions: This symptom is observed on a Cisco 3600 series.
Workaround: There is no workaround.
•
CSCei22930
Symptoms: After an upgrade to Cisco IOS Release 12.3(11)T5 so that QoS could be configured on an IMA group in an ATM interface, the following error messages were generated:
%SYS-3-INVMEMINT: Invalid memory action (free) at interrupt level
-Traceback= 611D46E8 6002160C 61D4EF90 602C329C 602C6574 602C6D40 61D52170
61D54F2C 61D553E8 61D55784 61D6FF84 61D550EC 61D5516C 604818FC 6047E89C
6047E9C8
%SYS-3-INVMEMINT: Invalid memory action (malloc) at interrupt level
-Traceback= 611D46E8 600177F4 6145DCB4 6145DDFC 6146B8E8 6146E174 616AB8B0
616ABB58 6205C598 62066DE0 6205C640 61D557F0 61D6FF84 61D550EC 61D5516C
604818FC
%SYS-2-MALLOCFAIL: Memory allocation of 19 bytes failed from 0x6145DCAC,
alignment 0
Pool: Processor Free: 139749528 Cause: Interrupt level allocation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "<interrupt level>", ipl= 1, pid= 3
-Traceback= 611D46E8 60012958 6001822C 6145DCB4 6145DDFC 6146B8E8 6146E174
616AB8B0 616ABB58 6205C598 62066DE0 6205C640 61D557F0 61D6FF84 61D550EC
61D5516C
Conditions: This symptom has been observed on a Cisco 3745 router with the c3745-adventerprisek9-mz.123-11.T5 image installed and when configuring QoS on an IMA group in an ATM interface.
Workaround: There is no workaround.
•
CSCin77189
Symptoms: When a voice call is made via the G726r16 or G726r24 codec via a Cisco Multiservice IP-to-IP Gateway (IPIPGW) using H.323-to-SIP interworking, the following symptoms may occur:
–
The originating party does not hear the ringback tone.
–
Both the originating and terminating party do not hear voice because the voice path was not established.
Conditions: This symptom is observed when H.323 is configured to use a static payload type for the G726r16 or G726r24 codec and when SIP is configured to use a dynamic payload type for the G726r16 or G726r24 codec. This situation causes a mismatch of payload type for the G726r16 or G726r24 codec.
Workaround: There is no workaround.
•
CSCin85528
Symptoms: A router crashes during a conference call.
Conditions: This symptom is observed on a Cisco 3700 series that is configured with a DSP Farm.
Workaround: There is no workaround.
•
CSCin87258
Symptoms: A Cisco router that is configured for SSG may reload when you configure a local service profile.
Conditions: This symptom is observed when the local service profile is configured with more than 150 service network entries.
Workaround: There is no workaround.
•
CSCin91843
Symptoms: Auto-logon services do not automatically log on when you connect via a Service Selection Gateway (SSG).
Conditions: This symptom is observed when the user profile that is downloaded via the Access-Accept response from a RADIUS server contains a netmask (RADIUS attribute 9) that is smaller than 32 bits and when the SSG functions in PBHK mode.
Workaround: Increase the netmask bits in such a way that the bitwise AND (&) operation between the netmask and the SSG PBHK source IP address results in an SSG PBHK source IP address without any alteration.
•
CSCsa52821
Symptoms: When AAA accounting is configured for an EZ-VPN server, the EZ-VPN server may stop sending periodic updates for an idle client. When the symptom occurs, the output of the show aaa sessions command shows that the user name is not available for the idle client. The user name appears to be lost.
Conditions: This symptom is observed on a Cisco 7200 series that functions as an EZ-VPN server and that runs Cisco IOS Release 12.3(8)T or a later release. The symptom may not be release-specific.
Workaround: Add an IPSec idle time of a shorter duration than the IPSec lifetime to enable idle clients to send stop records.
•
CSCsa59549
Symptoms: A Cisco 2800 series that is configured for encryption, CBAC, and IPS crashes and reloads during the inspect process.
Conditions: This symptom is observed on a Cisco 2800 series that runs Cisco IOS 12.3T when it functions under a heavy load of mixed application traffic and IP telephony traffic.
Workaround: There is no workaround.
•
CSCsa63019
Symptoms: A security gateway may crash when ISAKMP accounting is enabled at aggressive time intervals such as 1-minute updates.
Conditions: This symptom is observed when ISAKMP accounting is enabled at very frequent update intervals together with ISAKMP NAT-T.
Workaround: Use ISAKMP accounting timers with a longer duration.
•
CSCsa64885
Symptoms: A router that is configured for SSG intermittently resets itself and generates a spurious memory access.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3T with a prepaid or proxy service that has an idle or session timeout configured in the service profile.
Workaround: There is no workaround.
•
CSCsa71793
Symptoms: A Cisco 7200 series may reload because of a bus error when you enter a show atm command that accesses deleted VC structures.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.3(12a).
Workaround: There is no workaround.
•
CSCsa72951
Symptoms: A DSMP-3-DSP_TIMEOUT error message may be generated when you place a fax call via a VoIP gateway.
Conditions: This symptom is observed when the fax call is torn down and the gateway attempts to obtain call statistic information from the DSP. The DSMP state in this case is S_DSMP_COLLECTING_STATS as displayed in the error message. The timeout occurs only when MGCP PRI-backhaul mode is enabled. The symptom does not occur in standalone mode.
The timeout itself does not impact the call for which it occurs because the timeout occurs at the end of the call while the call is being torn down and cleaned up. However, on some network modules, specifically, the 549 and 5421 DSP-based modules such as the NM-HDV and AIM network modules, when the timeout occurs, a DSP recovery mechanism is triggered and may impact other active calls on other channels on the same DSP as the one that reports the timeout. For this problem, caveat CSCsb14481 has been opened.
Although the timeout may occur on a 5510-based DSP network module such as the NM-HDV2 network module, the DSP itself does not appear to be reset so no impact to other active calls is observed.
To verify which DSP is currently in use on a gateway, enter the show voice dsp EXEC command.
Workaround: When MGCP PRI-backhaul is configured in a Cisco CallManager environment, you can disable Fax Relay on a gateway to prevent timeouts from occurring by entering the no ccm-manager fax protocol cisco global configuration command on the gateway.
Alternate Workaround: To prevent timeouts from occurring, configure the gateway to function in standalone mode.
•
CSCsa73438
Symptoms: When SSG functions in RADIUS proxy mode, SSG sends the RADIUS Framed IP Netmask Attribute value that it receives from a RADIUS server as the Framed IP Address Attribute value towards a GGSN or CSG downlink RADIUS client.
Conditions: This symptom is observed when the RADIUS Framed IP Netmask Attribute value is less than a 32-bit mask.
Workaround: Avoid using the RADIUS Framed IP Netmask Attribute or use a 32-bit mask value for it.
•
CSCsa85839
Symptoms: A Cisco Aironet AIR-AP1131AG-E-K9-P access point may not function because it does not receive power.
Conditions: This symptom is observed when an EtherSwitch NM-16ESW-PWR network module or EtherSwitch NMD-36ESW-PWR network module does not detect and supply power to the AIR-AP1131AG-E-K9-P access point.
Workaround: Use a power injector or external power supply.
•
CSCsa86918
Symptoms: A clicking sound is heard after each .wav audio file is played from a VoiceXML (VXML) document.
Conditions: This symptom occurs in Cisco IOS Release 12.3(14)T on a Cisco AS5400. The problem only occurs when there are multiple .wav files in a single VXML document that are concatenated together to play to the caller. A VXML document containing a single .wav file does not experience the problem.
Workaround: There is no workaround.
•
CSCsa94162
Symptoms: A DHCP client router has an old static route and a new static route concurrently. The output of the debug dhcp detail on the DHCP client router shows that the old static route is removed but that the routing table still contains the old static route. Also, the old static route is not removed after the static configuration is deleted.
Conditions: This symptom is observed when a DHCP server renews the DHCP address and the DHCP gateway.
Workaround: There is no workaround.
•
CSCsa96494
Symptoms: A call from an originating gateway (OGW) that is configured for SIP via an IPIPGW to a terminating gateway (TGW) that is configured for H.323 may fail when certain codecs are configured on the IPIPGW and H.323 TGW.
Conditions: This symptom is observed under either one of the following conditions:
–
The SIP OGW is configured for g.711u, the IPIPGW for g.711u for both connections, and the H.323 TGW for g.729r8. In this configuration, the SIP OGW continues to use g.711u as the negotiated codec and discards the g.729r8 codec that is sent by the H.323 TGW via OLC.
–
The SIP OGW is configured for g.729r8, the IPIPGW for g.729r8 for both connections, and the H.323 TGW for g.711u. In this configuration, the SIP OGW continues to use g.729r8 as the negotiated codec and discards the g.711u codec that is sent by the H.323 TGW via OLC.
Workaround: There is no workaround.
•
CSCsa99597
Symptoms: Reload is caused by memory corruption.
Conditions: This symptom has been observed when the router is a Cisco IPSec gateway which implements XAUTH. One example of this situation is a Cisco EZVPN server.
Workaround: There is no workaround.
Further Problem Description: The problem occurs if the username given to XAUTH is exactly 7, 19 or 43 characters long (given a default configuration). The exact lengths that trigger the symptom may vary depending on the memory lite configuration.
•
CSCsb04965
A vulnerability exists in certain Cisco IOS software release trains running on the Cisco IAD2400 series, Cisco 1900 series Mobile Wireless Edge Routers and Cisco VG224 Analog Phone Gateways. Vulnerable versions may contain a default hard-coded Simple Network Management Protocol (SNMP) community string when SNMP is enabled on the device. The default community string is a result of inadvertently identifying these devices as supporting Data Over Cable Service Interface Specification (DOCSIS) compliant interfaces. The consequence of this error is that an additional read-write community string may be enabled if the device is configured for SNMP management, allowing a knowledgeable attacker the potential to gain privileged access to the device.
Cisco is making free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20060920-docsis.shtml.
•
CSCsb06649
Symptoms: A Cisco 3725 that is configured as an H.323 gateway does not provide three beeps for a tone-on-hold. Instead, it generates the no-circuit tone.
Conditions: This symptom is observed on a Cisco 3725 that runs Cisco IOS Release 12.3(14)T2 and that is not configured for Music on Hold.
Workaround: There is no workaround. Note that the symptom does not occur in Release 12.3(11)T5.
•
CSCsb08192
Symptoms: A Cisco 3800 series may not drop unicast Ethernet frames that are not destined for its MAC address.
Conditions: This symptom is observed on a Cisco 3800 series that runs Cisco IOS Release 12.3(11)T5 or an earlier release or Release 12.3(14)T1 or an earlier release and that has subinterfaces that are configured for HSRP.
Workaround: Enter the standby use-bia command on the main interface.
•
CSCsb08428
Symptoms: A router may crash when a VPN tunnel is established.
Conditions: This symptom is observed on a Cisco router when an interface has both IPSec and the ip verify unicast reachable-via command enabled and when a hardware encryption engine is used for IPSec.
Workaround: Remove the ip verify unicast reachable-via command from the interface.
•
CSCsb14481
Symptoms: Active voice and fax calls may stop unexpectedly on a gateway, that is, either the call may drop or two-way audio may stop.
Conditions: This symptom is observed when a DSP recovery algorithm on the gateway is started in response to a DSMP-3-DSP_TIMEOUT error condition. The timeout may occur on one of the channels of the DSP, but the reset algorithm impacts other calls on other channels that are active on the same DSP.
Network modules with 549 and 5421 DSPs such as the NM-HDV and AIM-VOICE network modules are reset when this timeout occurs, causing other active voice and fax calls on other channels of the same DSP to be reset. Network modules that use 5510 DSPs such as the NM-HDV2 network module do not seem to be reset when this timeout occurs during statistics collection.
To verify which DSP is currently in use on a gateway, enter the show voice dsp EXEC command.
Workaround: Disable the DSP recovery algorithm by entering the test dsp recovery disable command. However, use this command with caution because disabling the auto-recovery mechanism prevents voice and fax calls from functioning properly when a DSP enters a valid non-responding state.
Further Problem Description: The fix for this caveat suppresses the resetting of the DSP when the timeout occurs under a statistics collection state as shown in the sample output below where the state is equal to S_DSMP_COLLECTING_STATS:
%DSMP-3-DSP_TIMEOUT: DSP timeout on DSP 1/5:4: event 0x6, DSMP timed out,
while waiting for statistics from the DSP. DSMP State =
S_DSMP_COLLECTING_STATS
The timeout may occur when an internal software error causes some invalid statistics to be polled, leading to the timeout. As an example, see caveat CSCsa72951.
Wide-Area Networking
•
CSCeg55098
Symptoms: As soon as the ISDN switch deactivates layer 2, the router immediately activates layer 2.
Conditions: This problem is seen in Cisco IOS Release 12.3(11)T2. It was not seen in Cisco IOS Release 12.3(11)T.
In the ISDN q921 debugs, the following can be seen:
Dec 10 13:48:17.558: ISDN BR0 Q921: User RX <- DISCp sapi=0 tei=65
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
....
Dec 10 13:48:17.562: ISDN BR0 Q921: User TX -> UAf sapi=0 tei=65
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
In 6 milliseconds, the router activated the layer 2. (This was not the case in Cisco IOS Release 12.3(11)T.)
Workaround: There is no workaround. However, to get rid of the consecutive line up/down messages, the following can be configured on the interface level as a temporary workaround:
conf t
int bri x
no logging event link-status
•
CSCeh06916
Symptoms: A Cisco router crashes when PVCs are deleted while the show pppoe session or show vpdn command is entered.
Conditions: This symptom is observed on a Cisco 10000 series that is configured for PPP over Ethernet (PPPoE) when there are two concurrent Telnet sessions. PVCs are deleted via one Telnet session while the show pppoe session or show vpdn command is entered via the other Telnet session. The symptom is platform-independent.
Workaround: Do not delete PVCs via one session and enter the show pppoe session or show vpdn command via another session at the same time.
•
CSCeh18018
Symptoms: The asynchronous resources on a NAS may remain active after a VPDN setup because the LAC does not close the L2TP session on receipt of the L2TP Call Disconnect Notification (CDN) from the LNS.
Conditions: This symptom is observed on a NAS that is configured with digital modems when the L2TP session is abnormally aborted, for example, when the L2TP session is aborted before the LNS sends an LCP termination request to the dialin user.
Workaround: Manually free the asynchronous resources on the NAS by entering the clear line line-number command or ask the remote dialin user to disconnect the modem.
•
CSCeh62257
Symptoms: PPP does not establish new sessions.
Conditions: This symptom is observed on a Cisco router that is configured with full virtual-access interfaces when a PPP leak occurs.
Workaround: Reload the router and configure virtual-access subinterfaces instead of full virtual-access interfaces.
•
CSCin86951
Symptoms: An LNS router crashes on establishing a large number of PPPoA L2TP sessions.
Conditions: This symptom is observed only when you establish sessions at a high rate. When you attempt to establish 8000 sessions, the router crashes shortly after 5000 sessions are established.
Workaround: Establish sessions at a low rate.
Resolved Caveats—Cisco IOS Release 12.3(14)T2
Cisco IOS Release 12.3(14)T2 is a rebuild release for Cisco IOS Release 12.3(14)T. The caveats in this section are resolved in Cisco IOS Release 12.3(14)T2 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCeg52924
Symptoms: When T+ accounting or authorization is configured, many CPU cycles are consumed. The messages are not sent out, and the box is unusable.
Conditions: When T+ accounting/authentication/authorization is enabled with a faulty server, the server sends back unsolicited data when the socket is being set up. This symptom is observed on any Cisco IOS 12.3 release.
Workaround: Disable T+.
•
CSCeg62206
Symptoms: High CPU utilization may occur during the TPLUS process on a platform.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3(6c) and that is configured for TACACS.
Workaround: There is no workaround.
•
CSCeg64124
Symptoms: The operation result of an IP SLA jitter probe shows a high packet MIA that is equal to the jitter's number of packets minus one. In the responder router, the responder debug message shows many error packets.
Conditions: This symptom is observed when multiple jitter probes (either from the same router or from different routers) are configured to send packets to the same destination IP address and the same destination port number and when the responder is turned off for a short time and turned on again.
Workaround: To prevent the symptom from occurring, configure the jitter probe to use a unique destination port number.
Alternate Workaround: If the symptom has occurred, turn off the responder by entering the no rtr responder global configuration command, wait until all jitter probes report "No connection," and then turn on the responder by entering the rtr responder global configuration command.
IP Routing Protocols
•
CSCef11304
Symptoms: When performing an snmpwalk on an OSPF-MIB that supports the ospfExtLsdbTable, a router can crash. In other instances, alignment errors are observed when you enter the show alignment command.
Conditions: These symptoms are observed on a Cisco platform that runs Open Shortest Path First (OSPF) and supports the ospfExtLsdbTable in OSPF-MIB.
Workaround: There is no workaround.
•
CSCeg07725
Symptoms: A router may continue to redistribute an eBGP route into EIGRP after the eBGP route is deleted or EIGRP may not redistribute an eBGP route after the eBGP route has been installed.
Conditions: This symptom is observed on a Cisco router that runs Cisco 12.0S, 12.2S, or 12.(18)SXD1 and that redistributes eBGP routes into EIGRP when the router functions in a multihoming environment.
The symptom occurs in a configuration with two PE routers that advertise routes via eBGP and a border router that is configured with a higher local preference than the PE routers when the eBGP route of the primary path is withdrawn and the route of the secondary path is installed.
Workaround: If a route is still redistributed into EIGRP after the eBGP route is deleted, clear the BGP peer from which the eBGP route used to be learned so EIGRP stops advertising the route.
If a route is not redistributed into EIGRP after an eBGP route is installed, clear the route so EIGRP starts advertising it. Another workaround is to enter the bgp redistribute-internal command to cause EIGRP to redistribute iBGP routes and to prevent EIGRP from failing to redistribute an updated BGP route.
•
CSCeg19442
Symptoms: A router that is configured with the OSPF routing protocol may reload.
Conditions: This symptom is observed when the OSPF process is simultaneously deconfigured via one session and configured via another session.
Workaround: There is no workaround. Cisco strongly discourages configuring a router via two different but simultaneous sessions.
•
CSCeg35811
Symptoms: A platform (that is, a switch or a router) may crash when you enter the ip routing command followed by the configure memory command and the no ip routing command multiple times. Multiple tracebacks may also be generated.
Conditions: The symptom is observed on a Cisco platform that functions as the master in a stacked environment and that is configured for OSPF. The symptom is more likely to occur when the platform functions under a heavy traffic load.
Workaround: Do not enter the ip routing command followed by the configure memory command and the no ip routing command multiple times.
•
CSCeg41363
Symptoms: On a PE router with a parallel path to a destination where one path is over the OSPF sham-link and the other path is over the backdoor link, traffic is not getting load balanced. Only a backdoor connection is being used to forward the traffic.
Conditions: This symptom occurs on a PE router where traffic is not getting load balanced.
Workaround: Configure the OSPF metric in such a way that the sham-link path and the backdoor path do not have the same cost.
•
CSCeg52889
Symptoms: TE tunnels do not come up.
Conditions: This symptom is observed when a new loopback interface is created with an IP address on an MPLS TE head router that is configured with MPLS TE tunnels and when you reload the router. The symptom occurs because of a change in router ID.
Workaround: Shut down the newly created loopback interface, save the configuration, and reload the router.
•
CSCeg72254
Symptoms: A router reloads when you clear NAT entries from the NAT table.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(7)T7 only when Stateful Network Address Translation (SNAT) is configured on the router.
Workaround: There is no workaround.
•
CSCeg89682
Symptoms: Tracebacks may occur when you enter an ipv6 prefix-list command and BGP is not enabled or when you enter an ipv6 prefix-list command after you have entered the no router bgp as-number global configuration command.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(13) or Release 12.3(14)T.
Workaround: First enter the router bgp as-number global configuration command before you enter an ipv6 prefix-list command.
•
CSCeh07809
Symptoms: When BGP nexthop information for a prefix changes because of topology changes, BGP properly updates its path information and IP routing table entry but CEF may not update the corresponding CEF entry, causing a stale entry. This inconsistency between BGP and CEF may cause a connectivity problem.
Conditions: This symptom is observed when the nexthop information changes to an existing prefix entry in the BGP routing table. Typically, this occurs when the interface through which the prefix is learned goes down.
Workaround: Flush out the stale CEF entry by entering the clear ip bgp command or withdraw and readvertise the prefix by the source router, which enables the affected router to refresh the CEF entry.
Miscellaneous
•
CSCef59507
Symptoms: A failed LDP session may still show up in the output of the show mpls ldp neighbors command as well as the new working session after the neighborship is re-established. The display of two sessions, one not working and one working to the same neighbor, may mislead the MPLS network operator.
Conditions: This symptom may occur after an LDP session has gone down and is then re-established.
Workaround: There is no workaround.
•
CSCef72756
Symptoms: A Cisco IP Phone connected behind a Cisco router on an interface configured for Authentication Proxy may not get access to network resources because it cannot perform HTTP/FTP/Telnet-based authentication.
Conditions: This symptom has been observed on a Cisco IP Phone connected behind a Cisco router on an interface configured for Authentication Proxy.
Workaround: Add the Cisco IP Phone source IP as a deny entry in the Authentication Proxy Intercept ACL so that the IP phone bypasses authentication. Also make sure that the interface ACL has a permit for the IP phone.
•
CSCeg06220
Symptoms: An EZVPN tunnel does not come up and becomes stuck in the "VALID_CFG" state even though the tunnel is configured to come up automatically.
Conditions: This symptom is observed on a router that is rebooted with EZVPN enabled on an interface.
Workaround: Unconfigure and reconfigure EZVPN on the interface.
•
CSCeg15000
Symptoms: Modem relay over TCCS works fine when you save the configuration and reload the router. However, a modem call goes into pass-through mode when you enter the shutdown voice-port configuration command followed by the no shutdown voice-port configuration command on the trunked voice port.
Conditions: This symptom is observed on a Cisco 3700 series that functions as a voice gateway.
Workaround: After the router has booted, do not enter the shutdown voice-port configuration command followed by the no shutdown voice-port configuration command on the trunked voice port.
•
CSCeg20412
Symptoms: A router may not properly detect supervisory tones.
Conditions: This symptom is observed on a Cisco 3640 and Cisco 3660 and may also occur on other routers.
Workaround: There is no workaround.
•
CSCeg38778
Symptoms: An invalid packet causes Cisco IP Communicator to lose audio for the first 6 seconds.
Conditions: This symptom is observed on a Cisco router that is configured for the G.729 codec when the router sends a single G.711ulaw packet while it terminates an H.323 Voice over IP (VoIP) call.
Workaround: There is no workaround.
•
CSCeg39560
Symptoms: After a router is rebooted, a tunnel interface does not acquire the IP address of the async serial interface that is the tunnel source.
Conditions: This symptom is observed on a Cisco 2600 series that runs Cisco IOS Release 12.3(8)T3.
Workaround: Enter the tunnel source interface-type interface-number command on the tunnel interface.
•
CSCeg54615
Symptoms: There may be a large latency in responding to EAPoUDP events from a host, causing the idle timer to expire and network access for users to be delayed.
Conditions: This symptom is observed on a Cisco router that is configured for Network Admission Control (NAC).
Workaround: There is no workaround.
•
CSCeg55584
Symptoms: A Cisco router that is configured for PPPoE may stop forwarding packets that need to be fragmented.
Conditions: This symptom is observed after a link flap occurs on the dialer interface or after you enter the clear interface command on the dialer interface.
To re-enable the affected packets to be forwarded, enter the no ip cef command followed by the ip cef command.
Possible Workaround: Enter the ip tcp adjust-mss 1400 command to force the maximum segment size (MSS) of the TCP SYN packets to be small enough to prevent the router from fragmenting the packets.
•
CSCeg62088
Symptoms: A Cisco voice gateway may reload unexpectedly because of a bus error, pointing to an invalid address.
Conditions: This symptom is observed on a Cisco AS5350 and Cisco AS5400 that run Cisco IOS interim Release 12.3(12.5).
Workaround: There is no workaround.
•
CSCeg63430
Symptoms: One-way voice occurs when an IP phone transfers a call back to the PSTN via a Cisco AS5850 after having received the call from the PSTN via the same Cisco AS5400. The caller at the PSTN side hears the transferee at the (other) PSTN side, but not the other way around.
Conditions: This symptom is observed when the Cisco AS5850, which runs Cisco IOS Release 12.3T, connects to the PSTN via a PRI in the following topology:
Caller--Phone--PSTN--PRI--AS5850--CCM--IP Phone Transfer--CCM--AS5850--PRI--PSTN--Transferee
Workaround: Enable MTP or the Cisco CallManager.
Further Problem Description: Although the symptom is not observed in Cisco IOS Release 12.3, the fix is included in Cisco IOS Release 12.3 as a precaution.
•
CSCeg64669
Symptoms: A Cisco AS5850 reloads when it fetches a TDM connection object for a TDM hairpinned call while handing over peer resources to the standby RSC.
Conditions: This symptom is observed when you enter the redundancy handover peer-resource command and when the Cisco AS5850 functions in the extra-load state.
Workaround: Clear all existing calls that use peer resources and mark the calls as busyout before you enter the redundancy handover peer-resource command.
•
CSCeg64679
Symptoms: A Cisco AS5850 reloads when you enter the redundancy handover peer-resources command to hand over the peer resources to the other RSC.
Conditions: This symptom is observed when the RSC that hands over the peer resources is in the "ACTIVE_EXTRALOAD" mode and when an SNMP trap is sent to obtain the card status.
Workaround: There is no workaround.
•
CSCeg76294
Symptoms: A gateway that has a higher IP address in comparison with its peer may fail to open a TCP connection for a logical channel.
Conditions: This symptom is observed during fast start when a glare condition occurs while both gateways indicate to each other (in facility or other H.225 messages) that the H.245 control channel should be opened.
Workaround: There is no workaround.
•
CSCeg84558
Symptoms: A Cisco 3745 reloads because of a bus error. Just before the crash, the following error messages are generated:
%SYS-3-BAD_RESET: Questionable reset of process 149 on tty123
%SYS-3-HARIKARI: Process Exec top-level routine exited
Conditions: This symptom is observed on a Cisco 3745 that runs Cisco IOS Release 12.2(26) or Release 12.3(12) and that has an NM-2CE1T1-PRI network module that is configured for ISDN dial-in.
Workaround: There is no workaround.
•
CSCeg87604
Symptoms: The sockets associated with the TLS connections to the SRST gateway are not getting cleared when the switch link is down for the phones.
Conditions: When the Ethernet connectivity between the ephone and the SRST router goes down, the sockets are not cleared. This happens when the ephone is not in the fall-back mode.
Workaround: There is no workaround.
•
CSCeh06736
Symptoms: When IP header compression is enabled on a PPPoATM or PPPoFR interface, compressed packets are not correctly classified by any QoS policy that has been applied to the supporting ATM or Frame Relay PVC.
Conditions: This symptom is observed when CRTP is enabled on the virtual-template interface via the service policy command or ip rtp header-compression command and when the IP RTP Priority feature is enabled in the PVC policy.
Workaround: There is no workaround.
•
CSCeh10646
Symptoms: A router may unexpectedly reload because of a bus error at an address that falls just short of the I/O memory range such as address 0x4E7FD5B8, whereas the iomem address starts at 0x4E800000.
Conditions: This symptom is observed when the router has some of the following security feature commands enabled on one or more interfaces:
ip nbar protocol-discovery
ip virtual-reassembly
ip access-group in
ip access-group out
ip inspect in
ip inspect out
ip ips in
ip ips out
auto discovery qos
crypto map
Workaround: Remove the ip access-group out command.
•
CSCeh17995
Symptoms: When you enter the following commands on the Fast Ethernet port of an NM-16ESW network module, the router may crash:
ip dhcp client hostname
no switchport mode
switchport mode
Conditions: This symptom is observed on a Cisco 2800 series and Cisco 3800 series in which an NM-16ESW network module is installed.
Workaround: Do not enter IP commands in switchport mode.
•
CSCeh19106
Symptoms: A Service Selection Gateway (SSG) that is deployed in a GPRS access environment and that is configured for L2TP tunnel service with an extended autodomain may reload when duplicate GPRS PDP context create requests are sent.
Conditions: This symptom is observed when the PDP context create requests contain the static addressing, that is, the IP address of the MS instead of all zeros in the end user address field.
Workaround: There is no workaround. Note that for corporate access through a GPRS access-based solution using SSG, generally dynamic addressing is used. With dynamic addressing, the end-user address field is sent with all zeros and the corporate network provides the address, and the symptom does not occur.
•
CSCeh21680
Symptoms: A Cisco 2800 series or Cisco 3800 series may crash when you configure the interface of an NM-16ESW.
Conditions: This symptom is observed when you enter the ip rsvp bandwidth command on FE port 1/10 of the NM-16ESW and then you enter the no switchport mode command followed by the switchport mode command.
Workaround: Do not enter IP commands in switchport mode.
•
CSCeh24075
Symptoms: Packets that are larger than 4400 bytes or packets that require fragmentation may be dropped when they traverse an xDSL WIC.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(6)T or a later release when a sweep ping is performed from one peer to another and when the WIC is a WIC-1ADSL, WIC-1ADSL-DG, WIC-1ADSL-I-DG, WIC-SHDSL, or WIC-SHDSL-V2.
Workaround: Avoid fragmentation on the DSL link or enter the ip mtu bytes command to change the maximum MTU to 4400 on the DSL interface.
•
CSCeh24202
Symptoms: A Cisco 2800 series that is configured for software or hardware encryption and CBAC may reload.
Conditions: This symptom is observed when IPSec SAs and CBAC sessions are established and when the traffic is blocked by an ACL on the outgoing WAN interface of a neighboring crypto router. When you send encrypted traffic from the neighboring crypto router to another router via the Cisco 2800 series, the Cisco 2800 series reloads.
Workaround: Permit the encrypted traffic on the outgoing interface of the neighboring crypto router.
•
CSCeh24815
Symptoms: High CPU utilization occurs on a Cisco AS5850.
Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.3(11)T3 when dCEF is not applied to packets because of a slow start configuration.
Workaround: Remove the slow start configuration.
•
CSCeh25105
Symptoms: A Cisco router crashed when the name of the EEM TCL Policy is longer than 12 characters.
Conditions: This symptom is observed on a Cisco IOS software image if the user names an EEM TCL Policy with more than 12 characters.
Workaround: Name the EEM TCL Policy with no more than 12 characters.
•
CSCeh25459
Symptoms: A call fails when the codec is changed from G.729 to G.711ulaw during the call.
Conditions: This symptom is observed when fax pass-through is configured and when the following events occur:
- The initial codec for the call is negotiated as G.729.
- A reinvite message with a codec change to G.711ulaw is sent to the gateway.
- The gateway accepts the change with a 200 OK message but continues to send the call with codec G.729 in the RTP stream.
Workaround: Remove the fax pass-through configuration.
•
CSCeh30146
Symptoms: The WIC-DSU-T1-V2 card can get stuck and will not be able to detect any alarms, loopback events, etc.
Conditions: When this symptom occurs, the DSU-T1-V2 may still be able to pass traffic.
Workaround: Bring the card up again by issuing the clear service-module serial slot|port command.
•
CSCeh33913
Symptoms: NAT-PT stops working after a reload.
Conditions: This symptom occurs when the v6v4 static NAT configuration exists, and NAT-PT fails to install ARP entries due to the system not being yet fully initialized.
Workaround: Remove and then reconfigure the mapping.
•
CSCeh35411
Symptoms: A 4-port OC-12 POS Engine 2 line card may crash repeatedly when the Cisco 12000 series in which the line card is installed comes up after a software-forced crash has occurred on the router.
Conditions: This symptom is observed on a Cisco 12000 series that runs the c12kprp-p-mz image of a Cisco IOS interim release for Release 12.0(31)S, that is configured with two RPS, and that is configured for SSO. The symptom is more likely to occur when the ipv6 unicast-routing command is enabled.
Workaround: To diminish the chance that the symptom occurs, disable the ipv6 unicast-routing command.
•
CSCeh41997
Symptoms: EEM Tcl policies leak a significant amount of memory every time they run.
Conditions: This symptom occurs because the memory model that is currently implemented in Cisco IOS software that supports Tcl assumes a single threaded model in which global memory is not released when the Tcl script completes.
Workaround: There is no workaround.
•
CSCeh45653
Symptoms: Embedded Event Manager (EEM) does not pass the configured session CLI username in applet callbacks. If a customer is using TACACS authentication, EEM applets will not correctly interact with the CLI library.
EEM action CLI can cause a router to crash due to the TTY output buffers not being null terminated.
Conditions: If customers are using TACACS authentication, this symptom occurs upon triggering of the EEM applets that interact with the CLI through the Action "action <label> cli ...".
Workaround: See the following:
1) Disable TACACS authentication, or
2) Configure an EEM script to perform the same EEM actions upon the triggering of an event.
3) If a crash occurs using action CLI in an EEM applet, refer to workaround #2 above.
•
CSCeh50570
Symptoms: A Cisco platform reloads when you bring up bulk asynchronous and digital SS7/VPDN calls.
Conditions: This symptom is observed on a Cisco AS5850.
Workaround: There is no workaround.
•
CSCsa45066
Symptoms: A memory leak may occur in the SDP library on an IPIPGW.
Conditions: This symptom is observed when a fax call is made between a platform that is configured for SIP and a platform that is configured for T.38 H.323.
Workaround: There is no workaround.
•
CSCsa49566
Symptoms: An error message similar to the following may be logged in a router:
*Dec 20 16:29:37.899: %FIB-2-IF_NUMBER_ILLEGAL: Attempt to create CEF interface
for unknown if with illegal if_number: 0
followed by a traceback.
Conditions: This symptom occurs when the router creates virtual interfaces such as Loopback or Virtual.
Workaround: There is no workaround.
•
CSCsa53127
Symptoms: A bargeinable prompt aborts right after it starts playing, almost as if it is being barged in to.
Conditions: This symptom is observed in the following scenario with an application that requests DTMF input using two to four digits with an asterisk as the termination character:
- You let the prompt play (that is, you do not barge in).
- You enter "123*". The next prompt is a VXML Transfer element containing three .wav files (1.wav, 2.wav, and 3.wav).
- This prompt is bargeinable, but you do not barge in. You hear a brief "burp", but not the three .wav files.
- The final prompt is non-bargeinable TTS "Test Passed", which you hear just fine.
Workaround: Make the .wav files non-bargeinable.
•
CSCsa55375
Symptoms: A high error rate may occur on a WIC-1DSU-T1-V2. Because of the large number of errors, the interface of the WIC-1DSU-T1-V2 may not come up.
Conditions: These symptoms are observed on a WIC-1-DSU-T1-V2 that is installed in a Cisco router.
Possible Workaround: The symptoms may clear when you replace the in-house cabling with cat.5 cables.
•
CSCsa59667
Symptoms: An AIM that is installed in a Cisco 2851 or Cisco 3845 may time out when it receives non-multiples of a 64-bit public key from a third-party vendor router. This situation causes the router to crash rather than verifying the key.
The Cisco 2851 crashes because of a memory corruption. The Cisco 3845 crashes because of an "ALIGN-1-FATAL" bus error.
Conditions: This symptom is observed on a Cisco 2851 and Cisco 3845 that run Cisco IOS Release 12.3(11)T3.
Workaround: Ensure that the AIM receives multiples of the 64-bit public key.
Alternate Workaround: Disable the AIM hardware encryption by entering the no crypto engine aim 0 command. Doing so causes onboard encryption to occur.
•
CSCsa62681
Symptoms: SIP messages from Cisco IOS gateways fail to reach the remote endpoint. This is seen for UDP transport only.
Conditions: This symptom happens when interworking with a third-party SIP device, which sends responses to SIP Requests to the source port of the request packet instead of sending them to the header port (5060). This is in violation of the RFC 3261 rules for UDP (unreliable transports).
Workaround: There is no workaround.
•
CSCsa65656
Symptoms: SSG uses a duplicate Acct-session-id (attribute 44) in a RADIUS accounting packet.
Conditions: This symptom is observed for post-paid users.
Workaround: There is no workaround.
•
CSCsa68004
Symptoms: Service Selection Gateway (SSG) does not update tariff switch information to the users when the user logs in exactly at tariff switching time.
Conditions: This symptom is observed for postpaid users only.
Workaround: There is no workaround.
•
CSCsa68768
Symptoms: After fallback occurs from CCM to secure a Survivable Remote Site Telephony (SRST) gateway (GW), during full-consult transfer from a secure to nonsecure IP phone and then back to a secure IP phone, which are all in single line mode, one-way voice is heard. There is a loud noise on the other side.
Conditions: This symptom happens only when the transfer-system is full-consult, and there is a nonsecure to secure call transfer.
Workaround: Use IP phone with dual line.
•
CSCsa71596
Symptoms: The prompt file that is stored on an HTTP file server and that is invoked by a VXML document is not heard by a caller.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS interim Release 12.3(12.12)T5 when a VXML document attempts to retrieve and render a wav file that is stored on an HTTP file server.
Workaround: There is no workaround.
•
CSCsa78779
Symptoms: A memory leak may occur in the processor memory pool of a router that runs encrypted traffic with an SA-VAM2.
Conditions: This symptom is observed when the SA-VAM2 encrypts traffic and when underlying "no buffer" conditions exist in the I/O particle pools for the encrypted packets.
Workaround: There is no workaround.
•
CSCuk56412
Symptoms: An ATM interface of a PA-A3 ATM port adaptor may stop transmitting traffic, the output of the show interface atm slot/port command may show that output drops increment, and the connectivity may stop entirely.
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS interim Release 12.3(12.7).
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.
Alternate Workaround: Enter the clear interface atm slot/port command on the affected interface.
Wide-Area Networking
•
CSCef58201
Symptoms: The CEF-Dialer feature fails to add an adjacency for a virtual-access1 CEF interface because the IP route is installed after the feature attempts to add the adjacency.
Conditions: This symptom is observed during a test on a Cisco router that runs Cisco IOS Release 12.3 or interim Release 12.3(10.3)T.
Workaround: Configure a static host entry for the neighbor in the routing table, pointing to the Dialer interface:
ip route prefix mask 255.255.255.255 Dialer1
For the prefix mask argument, enter the IP address of the neighbor.
•
CSCeh32353
Symptoms: An LNS intermittently routes packets to an incorrect interface in the process-switching path, preventing some applications from working properly. These applications, such as ARP, CBAC, and NAT, depend on the first packet to go to process-switching for their initialization operation. Consequently, this situation may affect user connectivity to the Internet.
Conditions: This symptom is observed when the next-hop ISP router is connected via static routes and when there is no ARP entry on the LNS.
Workaround: There is no workaround.
•
CSCsa78148
Symptoms: A Cisco router that functions as an L2TP Network Server (LNS) may drop sessions when multilink is enabled and negotiated on a forwarded inbound VPDN session.
Conditions: This symptom is observed when LCP renegotiation of proxy negotiations is disabled (which is the default) and when the multilink Endpoint Discriminator option that is advertised by the LAC does not match the Endpoint Discriminator on the LNS.
Workaround: Enable the LNS to renegotiate LCP when necessary by entering the lcp renegotiation on-mismatch VPDN group configuration command.
Alternate Workaround: Avoid the need to renegotiate by entering the ppp chap hostname or ppp multilink endpoint command to configure matching Endpoint Discriminators on the LAC and LNS.
Warning: Technically, the current behavior of the Cisco IOS software is correct. An LNS should not accept the results of a LAC proxy negotiation when the LAC negotiates values that do not accurately represent the LNS. A platform must be configured to either enable the LNS to renegotiate when necessary, or (if it is desired to avoid such renegotiations, which may be necessary to get around problematic client implementations) enable the LAC to negotiate adequately as a substitute for the LNS.
The fix for CSCsa78148 deliberately introduces the behavior that a mismatched multilink Endpoint Discriminator is ignored when the LNS is configured to terminate connections on mismatched conditions. This behavior is introduced to prevent the termination of a connection for a condition that is harmless for the majority of VPDN users. From a technical standpoint, this behavior is improper because it means that the VPDN clients have an invalid notion of the identity of the peer. This situation may pose problems for clients who have more than one multilink-capable link active at a time because the invalid Endpoint Discriminators may prevent links from being properly bundled at the client end. In such circumstances, enabling LCP renegotiation or ensuring that the LAC and LNS agree on negotiation parameters is the only valid option.
Resolved Caveats—Cisco IOS Release 12.3(14)T1
Cisco IOS Release 12.3(14)T1 is a rebuild release for Cisco IOS Release 12.3(14)T. The caveats in this section are resolved in Cisco IOS Release 12.3(14)T1 but may be open in previous Cisco IOS releases.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Miscellaneous
•
CSCsa81379
NetFlow Feature Acceleration has been deprecated and removed from Cisco IOS. The global command ip flow-cache feature-accelerate will no longer be recognized in any IOS configuration.
If your router configuration does not currently contain the command ip flow-cache feature-accelerate, this change does not affect you.
The removal of NetFlow Feature Acceleration does not affect any other aspects of NetFlow operation, for example Access-list processing. The features are separate and distinct.
Cisco Express Forwarding (CEF) supersedes the deprecated NetFlow Feature Acceleration.
Additionally, the following MIB objects and OIDs have been deprecated and removed from the NetFlow MIB (CISCO-NETFLOW-MIB):
cnfFeatureAcceleration 1.3.6.1.4.1.9.9.99999.1.3
cnfFeatureAccelerationEnable 1.3.6.1.4.1.9.9.99999.1.3.1
cnfFeatureAvailableSlot 1.3.6.1.4.1.9.9.99999.1.3.2
cnfFeatureActiveSlot 1.3.6.1.4.1.9.9.99999.1.3.3
cnfFeatureTable 1.3.6.1.4.1.9.9.99999.1.3.4
cnfFeatureEntry 1.3.6.1.4.1.9.9.99999.1.3.4.1
cnfFeatureType 1.3.6.1.4.1.9.9.99999.1.3.4.1.1
cnfFeatureSlot 1.3.6.1.4.1.9.9.99999.1.3.4.1.2
cnfFeatureActive 1.3.6.1.4.1.9.9.99999.1.3.4.1.3
cnfFeatureAttaches 1.3.6.1.4.1.9.9.99999.1.3.4.1.4
cnfFeatureDetaches 1.3.6.1.4.1.9.9.99999.1.3.4.1.5
cnfFeatureConfigChanges 1.3.6.1.4.1.9.9.99999.1.3.4.1.6
Open Caveats—Cisco IOS Release 12.3(14)T
This section describes possibly unexpected behavior by Cisco IOS Release 12.3(14)T. All the caveats listed in this section are open in Cisco IOS Release 12.3(14)T. This section describes severity 1 and 2 caveats and select severity 3 caveats.
The following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Basic System Services
•
CSCeg09005
Symptoms: A NAS may reload after functioning for a couple of days in a high-call capacity scenario.
Conditions: This symptom is observed when the NAS is configured for AAA and connects to a RADIUS server.
Workaround: There is no workaround.
•
CSCeg24855
Symptoms: A platform reloads after you enter the aaa route download 2 command.
Conditions: This symptom is observed on a Cisco AS5400 that runs Cisco IOS Release 12.3(11)T2.
Workaround: There is no workaround.
•
CSCeh01791
Symptoms: The performance on a Cisco router that has the ip nat outside command enabled may be degraded.
Conditions: This symptom is observed on a Cisco 7200 series when you upgrade the router from Cisco IOS Release 12.3(4)T or a later 12.3T release.
Workaround: There is no workaround.
•
CSCeh02841
Symptoms: A Cisco router hangs and the console connectivity disappears. When you break the hanging process and enable the router to enter ROMmon, a stack dump is generated.
Conditions: This symptom is observed on a Cisco 7206 that runs Cisco IOS Release 12.3(8)T4 and that is configured for SSG to access gateway services for an ISP that provides ADSL services.
Workaround: There is no workaround.
•
CSCeh20434
Symptoms: A router crashes when an RTR probe is configured.
Conditions: This symptom is observed when the RTR and the fallback system process are not synchronized. For each RTR probe, the fallback system creates a cache entry and keeps it for cache timeout. During the cache timeout, the fallback system process sends an event to RTR and frees the entry, but RTR sends an event after the cache entry is deleted.
Workaround: There is no workaround. Note that caveat CSCeg89043 fixes the problem from the fallback system process side but not the above-mentioned symptom.
•
CSCsa64024
Symptoms: A Cisco AS5350 may crash because of a software bus error.
Conditions: This symptom is observed on a Cisco AS5350 that runs Cisco IOS Release 12.3(7)T7.
Workaround: There is no workaround.
•
CSCsa66299
Symptoms: A router that is configured for AAA reloads because of a software-forced crash.
Conditions: This symptom is observed on a Cisco 7301 that runs Cisco IOS Release 12.3(11)T3 and that is configured for SSG when SSG has a client with an extensible authentication protocol-subscriber identity module (EAP-SIM).
Workaround: There is no workaround.
EXEC and Configuration Parser
•
CSCin22321
Symptoms: If the netConfigSet and hostConfigSet variables of the OLD-CISCO-SYS-MIB MIB are set, the corresponding commands may not be executed, and the following error messages and tracebacks may be generated:
%SYS-4-SNMP_NETCONFIGSET: SNMP netConfigSet request.
Loading configuration from 10.10.10.10
%SYS-3-TIMERNEG: Cannot start timer (0x545E1928) with negative offset (-1).
-Process= "SNMP ENGINE", ipl= 6, pid= 143
-Traceback= 502308BC 5022E3F8 50233358 501B0A24 501B298C 501C3618 501C3800 50259C00 50255290 5024F444 502574BC 502576FC 5017C4F4 508EBE04 508EBBBC 508D4D8C
%PARSER-4-BADCFG: Unexpected end of configuration file.
Conditions: This symptom is platform independent.
Workaround: There is no workaround.
Interfaces and Bridging
•
CSCef01100
Symptoms: A router that is configured for VLANs may generate a traceback during the "gext_next_swidb_from_vlan_bucket" process.
Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.3(8)T1 but may be platform-independent.
Workaround: There is no workaround.
•
CSCef44950
Symptoms: ISDN is not properly established.
Conditions: This symptom is observed on a Cisco 7500 series that has distributed switching enabled via the ip cef distributed command.
Workaround: Disable distributed switching.
•
CSCeh17935
Symptoms: When you perform an OIR of an ATM port adapter, tracebacks are generated.
Conditions: This symptom is observed on a Cisco 7200 series when the ATM port adapter is up and has a VC configured.
Workaround: There is no workaround.
•
CSCsa46510
Symptoms: When you enter the microcode reload command, an error message similar to the following and a traceback may be generated:
RSP-3-RESTART: interface Serial3/0/1/4:0, not transmitting
-Traceback= 404436B4 4044DE10
Conditions: This symptom is observed on a Cisco 7500 that is configured with an E1, T1, E3, or T3 port adapter.
Workaround: There is no workaround.
IP Routing Protocols
•
CSCec85835
Symptoms: When RSVP and IP Header Compression are configured on an interface, the show ip rsvp installed detail command shows a compression factor of 0, and some of the flow is being treated as non-conformant.
Conditions: This occurs when using RSVP and header compression on fast or CEF switched interfaces.
Workaround: Enter the ip rsvp flow-assist command on the outbound interface of the flow.
•
CSCee94934
Symptoms: A router crashes after processing an H.323 or skinny VoIP call.
Conditions: This symptom is observed on a Cisco router that is configured to translate H.323 and skinny IP packets using Network Address Translation (NAT).
Workaround: There is no workaround.
•
CSCef21601
Symptoms: Calls may not complete because ResvConfirm messages are dropped. You can enter the debug ip rsvp messages command to track RSVP messages as they traverse routers.
Conditions: This symptom is observed when RSVP is configured for call admission control in a network with routers that do not have RSVP and a proxy ARP enabled. The symptom occurs because the RSVP-capable hop that sends the ResvConfirm messages uses the next RSVP-capable hop as the next IP hop for the packets and does not have the MAC address that is needed to encapsulate the IP packets for this next IP hop.
Workaround: Configure a static ARP entry that enables the router to properly encapsulate the packet by entering the arp ip-address hardware-address arpa command. The ip-address argument is the address of the next hop (that is visible via the RSVP debugs) for the ResvConfirm messages and the hardware-address argument is the MAC address of the interface of the next IP hop through which the ResvConfirm messages should be routed.
•
CSCeg51291
Symptoms: A VRF ping fails to reach an OSPF neighbor interface.
Conditions: This symptom is observed when the platform on which the ping originates and the OSPF neighbor interface are connected via an OSPF sham link that is used for interconnecting traffic between two VPN sites.
Workaround: There is no workaround.
•
CSCeg72254
Symptoms: A router reloads when you clear NAT entries from the NAT table.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(7)T7 only when Stateful Network Address Translation (SNAT) is configured on the router.
Workaround: There is no workaround.
•
CSCeg73618
Symptoms: A router may reload because of a bus error exception. The crashinfo file shows an address error (a load or instruction fetch) and a spurious memory access.
Conditions: These symptoms are observed on a Cisco router that performs NAT on H.323 voice traffic.
Workaround: There is no workaround.
•
CSCeh22169
Symptoms: After the active HSRP router in a redundant network reloads, a Stateful NAT (SNAT) inconsistency occurs when the router that reloaded becomes active again after the preemption delay. This situation causes a TCP connectivity timeout.
Conditions: This symptom is observed in a configuration with SNAT failover and occurs only after the active HSRP router is reloaded (or crashes) and later becomes active once again.
Workaround: There is no workaround.
•
CSCsa54937
Symptoms: An LNS with a VRF configuration does not send an echo reply when it receives a ping to loopback interface 0.
Conditions: This symptom is observed on a Cisco 7200 series that is configured with an NPE-300, a Cisco 7200 series that is configured with an NPE-400, and a Cisco 7400 series.
Workaround: Wait about 20 minutes to enable the LNS to send an echo reply or enter the clear arp-cache command.
•
CSCsa55555
Symptoms: A router may reload because of a bus error when the NAT MIB is polled via SNMP.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(11)T2.
Workaround: None.
ISO CLNS
•
CSCed36743
Symptoms: A memory leak may occur on a router that has the Multi-Topology IS-IS for IPv6 feature enabled and the router may reload.
Conditions: This symptom is platform-independent and release-independent.
Workaround: Disable the Multi-Topology IS-IS for IPv6 feature.
Miscellaneous
•
CSCeb37966
Symptoms: A Cisco 12000 series may reload when you enable Fast Reroute (FRR) on the headend of a tunnel.
Conditions: This symptom is observed when the tunnel carries Any Transport over Multiprotocol Label Switching (AToM) traffic.
Workaround: There is no workaround.
•
CSCec70525
Symptoms: The SRC address and destination address for an RTP stream are the same for all calls between gateways, preventing load-balancing from functioning properly.
Conditions: This symptom is observed when RTP traffic is configured to be load-balanced among multiple links. In this situation, the SRC address or destination address should change, but neither is changed.
Workaround: Use multilink PPP.
First Alternate Workaround: Use PBR based on DSCP values that are set in the dial peer.
Second Alternate Workaround: Enter the source interface interface-name command to change the SRC address of the RTP streams.
•
CSCee27522
Symptoms: Incoming or outgoing voice calls may encounter no-way audio on some specific channels.
Conditions: This symptom is observed on a Cisco 2600 series that functions as a PRI voice gateway and that uses DSPs of an ATM AIM to place the voice calls.
Workaround: Reboot the voice gateway.
•
CSCee42932
Symptoms: Resuming a call that was placed on hold fails on a Cisco CallManager.
Conditions: This symptom is observed when a Cisco CallManager that runs version 4.0 and that is not configured for Message Transport Protocol (MTP) is connected via an IPIPGW to another Cisco CallManager that runs version 4.0 and that is not configured for MTP.
The symptom occurs on the second Cisco CallManager because the IPIPGW sends an incorrect ICT version for the first Cisco CallManager to the second Cisco CallManager and because the IPIPGW drops the non-standard fields in the callproc, alert, and connect messages from the second Cisco CallManager to the first Cisco CallManager.
Workaround: Configure MTP.
•
CSCee61505
Symptoms: An SS7 link-state goes into the "PROCESSOR_OUTAGE" state and the link does not recover.
Conditions: This symptom is observed on a link between two gateways when there are active calls in a configuration with multiple OPCs and when a switchover occurs.
Workaround: There is no workaround. Reload the gateways to bring the link back in service.
•
CSCee91324
Symptoms: When the codec complexity is changed from flex mode to medium or high complexity mode, a maximum of six signaling channels can be assigned on each DSP in high-complexity mode or a maximum of eight signaling channels can be assigned on each DSP in medium-complexity mode.
If more than six signaling channels are assigned in flex mode and you change to high-complexity mode, the signaling channels beyond six are not reassigned to another DSP after the codec complexity change.
If more than eight signaling channels are assigned in flex mode and you change to medium-complexity mode, the signaling channels beyond eight are not reassigned to another DSP after the codec complexity change.
Conditions: This symptom is observed on a Cisco router that supports flexible DSPs.
Workaround: Use flex mode instead of medium or high complexity mode.
Alternate Workaround: Reload the router after the codec complexity change to enable the signaling channels to be assigned correctly.
•
CSCee96499
Symptoms: A voice call fails on a router that is configured with an NM-HDV or NM-2VE network module.
Conditions: This symptom is observed when some of the dialed digits become lost in the call setup phase when FXS or FXO-melcas is configured over an E1 line.
Workaround: When you pick up the phone, wait for two seconds before you start dialing.
•
CSCef05018
Symptoms: Disconnecting and reconnecting a Gigabit Ethernet cable on an RPM-XF may cause the TCP/IP connection to be lost on the VISM.
Conditions: This symptom is observed on an RPM-XF that runs Cisco IOS Release 12.2(11)YP or Release 12.3T.
Workaround: There is no workaround.
•
CSCef08263
Symptoms: The legacy command syntax to configure an authentication proxy may not function.
Conditions: This symptom is observed when an authentication proxy is configured along with Network Admission Control (NAC).
Workaround: Use the new command syntax to configure an authentication proxy.
•
CSCef28439
Symptoms: Traffic does not flow after a switchover in RPR+ mode.
Conditions: This symptom is observed on a Cisco router when distributed LFI over ATM (dLFIoA), QoS, and RPR+ are configured.
Workaround: There is no workaround.
•
CSCef28975
Symptoms: A router that functions as an H.323 gateway crashes.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3T when authentication is enabled.
Workaround: Enter the no memory lite command.
•
CSCef32838
Symptoms: The "its-CISCO.2.0.1.0.tcl" CCM Express IVR script assumes that a called number is busy when there is another active call connected via the IVR script on the same trunk. As a result, the IVR script plays the "en_dest_busy.au" busy message instead of the "en_welcome.au" welcome message.
Conditions: This symptom is observed for T1 CAS calls only.
Workaround: There is no workaround.
•
CSCef67682
Reception of certain IPv6 fragments with carefully crafted illegal contents may cause a router running Cisco IOS to reload if it has IPv6 configured. This applies to all versions of Cisco IOS that include support for IPv6.
The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0
 ipv6 traffic-filter nofragments in
!
ipv6 access-list nofragments
 deny ipv6 any <my address1> undetermined-transport
 deny ipv6 any <my address2> fragments
 permit ipv6 any any
This must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.
This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround.
We recommend that customers upgrade to the fixed IOS release. All IOS releases listed in IPv6 Routing Header Vulnerability Advisory at /en/US/products/products_security_advisory09186a00807cb0fd.shtml contain fixes for this issue.
•
CSCef72135
Symptoms: A memory leak may occur in the IP RIB update process of a router.
Conditions: This symptom is observed on a Cisco 3745 that runs Cisco IOS Release 12.3(8)T.
Workaround: There is no workaround.
•
CSCef73519
Symptoms: A standby RP may reboot when you enable or disable the ip rtp header-compression command on the active RP.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(7)T4.
Workaround: There is no workaround.
•
CSCef96035
Symptoms: All IPSec sessions may be dropped from a Cisco 7200 series and the router generates the following error messages continuously:
%VPN_HW-1-ERROR: slot: 2 - ENOSPACE tx cmd 2 ring. Head 83, Tail 82, Used 255, buf 0
IPSECcard: an error coming back 0x1510
Other symptoms that may occur during this time include the following:
–
High CPU utilization during the "Crypto Delete Manager" process.
–
An I/O memory allocation failure during the "Crypto Delete Manager" process.
Conditions: This symptom is observed on a Cisco 7200 series that is equipped with two VPN acceleration modules (SA-VAMs) that are configured for VRF-aware IPSec.
Workaround: There is no workaround. To temporarily clear the symptoms, reload the router.
•
CSCeg00531
Symptoms: A router crashes when you remove an ATM subinterface.
Conditions: This symptom is observed when the subinterface is configured with a LANE client that is configured for Multiprotocol over ATM (MPOA).
Workaround: There is no workaround.
•
CSCeg03088
Symptoms: IP inspection for SIP traffic fails.
Conditions: This symptom is observed when there is an access control list applied on an inside interface.
Workaround: There is no workaround.
•
CSCeg06220
Symptoms: An EZVPN tunnel does not come up and becomes stuck in the "VALID_CFG" state even though the tunnel is configured to come up automatically.
Conditions: This symptom is observed on a router that is rebooted with EZVPN enabled on an interface.
Workaround: Unconfigure and reconfigure EZVPN on the interface.
•
CSCeg15000
Symptoms: Modem relay over TCCS works fine when you save the configuration and reload the router. However, a modem call goes into pass-through mode when you enter the shutdown voice-port configuration command followed by the no shutdown voice-port configuration command on the trunked voice port.
Conditions: This symptom is observed on a Cisco 3700 series that functions as a voice gateway.
Workaround: After the router has booted, do not enter the shutdown voice-port configuration command followed by the no shutdown voice-port configuration command on the trunked voice port.
•
CSCeg15200
Symptoms: When you send traffic via a VIP on a Cisco 7500 series, the VIP crashes because of memory corruption.
Conditions: This symptom is observed when the Cisco 7500 series is configured for dLFI over a leased line.
Workaround: There is no workaround.
•
CSCeg23176
Symptoms: A Cisco RPM-XF is reset by the PXM because of an SCM poll timeout. A PCI information file is generated in the bootflash memory just before the Cisco RPM-XF resets.
Conditions: This symptom is observed when a PCI error interrupt occurs along with SDRAM parity errors that are continuously serviced.
Workaround: There is no workaround.
•
CSCeg23765
Symptoms: All IPSec sessions may be dropped from a Cisco 7200 series and the router generates the following error messages continuously:
%VPN_HW-1-ERROR: slot: 2 - ENOSPACE tx cmd 2 ring. Head 83, Tail 82, Used 255, buf 0
IPSECcard: an error coming back 0x1510
Other symptoms that may occur during this time include the following:
–
High CPU utilization during the "Crypto Delete Manager" process.
–
An I/O memory allocation failure during the "Crypto Delete Manager" process.
Conditions: This symptom is observed on a Cisco 7200 series that is equipped with two VPN acceleration modules 2 (SA-VAM2s).
Workaround: There is no workaround. To temporarily clear the symptoms, reload the router.
•
CSCeg24938
Symptoms: A Cisco RPM-XF resets when you enter the clear ip mroute * command repeatedly.
Conditions: This symptom is observed when the Cisco RPM-XF is configured for low speed.
Workaround: There is no workaround.
•
CSCeg27043
Symptoms: PIM neighbors continue to flap after you have reloaded microcode.
Conditions: This symptom is observed on a Cisco MGX 8850 series RPM-XF that runs Cisco IOS Release 12.3T.
Workaround: Enter the clear ip mroute * command to clear the symptoms.
•
CSCeg30639
Symptoms: A router may show a warning message similar to the following:
%SYS-6-STACKLOW: Stack for level Network interfaces running low, 0/9000
Conditions: This symptom is observed on a router that is configured for Cisco IOS Firewall.
Workaround: Configure a reduced maximum fragment, maximum reassembly, and timeout value in the ipv6 virtual-reassembly command, as in the following example:
ipv6 virtual-reassembly max-fragments 2 max-reassemblies 5 timeout 1
•
CSCeg32948
Symptoms: A ping from a home agent (HA) to a mobile access router (MR) fails when CEF is enabled on the foreign agent (FA).
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3T when the MR or the mobile node (MN) roams to another interface on the same FA.
Workaround: There is no workaround.
•
CSCeg38778
Symptoms: An invalid packet causes Cisco IP Communicator to lose audio for the first 6 seconds.
Conditions: This symptom is observed on a Cisco router that is configured for the G.729 codec when the router sends a single G.711ulaw packet while it terminates an H.323 Voice over IP (VoIP) call.
Workaround: There is no workaround.
•
CSCeg39560
Symptoms: After a router is rebooted, a tunnel interface does not acquire the IP address of the async serial interface that is the tunnel source.
Conditions: This symptom is observed on a Cisco 2600 series that runs Cisco IOS Release 12.3(8)T3.
Workaround: Enter the tunnel source interface-type interface-number command on the tunnel interface.
•
CSCeg49448
Symptoms: A Cisco 3745 may display the following error message:
%C542-1-NO_RING_DESCRIPTORS: No more ring descriptors on Foreign Exchange Station 3/0/0. Msg id=00, Len=36
Conditions: This symptom is observed on a Cisco 3745 that functions as a VoIP dial peer and that is configured with FXS ports that function in connection trunk mode and that are not configured for VAD.
Workaround: Configure VAD and reload the router.
•
CSCeg50651
Symptoms: When a router has the moh-live dn-number out-call command enabled with 1234 for the dn-number argument and 9876 for the out-call argument, the outcall to an FXO port does not occur. Only when the router is manually placed into SRST mode does the outcall occur.
Conditions: This symptom is observed on a Cisco 2800 series that is configured as a MGCP gateway.
Workaround: Place the gateway into SRST mode, force the outcall to the live feed, then place the router back into MGCP mode.
Further Problem Description: This caveat is an enhancement to the MOH Live-Feed Support feature. The fix for this caveat ensures that MoH works in any configuration, not only when the router functions in SRST mode.
•
CSCeg53478
Symptoms: A Cisco 831 may display the following message on the console:
pktFlowLink() logic error, pMatch and pEmptySlot
Conditions: This symptom is observed very rarely after the router has been up for a long time. The functionalities of the router are not affected.
Workaround: There is no workaround.
•
CSCeg54615
Symptoms: There may be a large latency in responding to EAPoUDP events from a host, causing the idle timer to expire and network access for users to be delayed.
Conditions: This symptom is observed on a Cisco router that is configured for Network Admission Control (NAC).
Workaround: There is no workaround.
•
CSCeg56162
Symptoms: A VIP on a Cisco 7500 series may crash.
Conditions: This symptom is observed on a Cisco 7500 series that is configured for dLFIoFR when traffic is sent through the VIP.
Workaround: There is no workaround.
•
CSCeg63036
Symptoms: An MPLS LSC fails to set up a cross connection between an XTagATM interface on an RPM and an XTagATM interface on an AXSME service module.
Conditions: This symptom is observed on a Cisco MGX 8850 that functions as an MPLS LSC but may be platform-independent.
Workaround: There is no workaround.
•
CSCeg64786
Symptoms: A router reloads when you remove the ip address dhcp command.
Conditions: This symptom is observed when the interface on which the ip address dhcp command is configured is also configured to perform an IETF DDNS update.
Workaround: Do not update the IETF DDNS.
•
CSCeg67264
Symptoms: A Cisco 7500 series may crash when you enter the clear virtual-access command on a peer router.
Conditions: This symptom is observed on a Cisco 7500 series that is configured for dLFIoATM and that is connected to a Cisco 7200 series that functions as a peer router to the Cisco 7500 series.
Workaround: There is no workaround.
•
CSCeg69312
Symptoms: The output of the show voice call summary command does not show the correct codec for a fax call.
Conditions: This symptom is observed on a Cisco router when the fax protocol t38 and the modem passthrough dial-peer configuration commands are enabled. The output of the show voice call summary command should show "14400" rather than "7200". However, the fax call goes through fine.
Workaround: There is no workaround.
•
CSCeg72075
Symptoms: There is no voice path.
Conditions: This symptom is observed when a call is hunted from one FXS POTS dial peer to another FXS POTS dial peer because there is no answer.
Workaround: There is no workaround.
•
CSCeg76309
Symptoms: A Cisco router that is configured for Cisco CallManager Express (CME) crashes intermittently during a period of two to three weeks with a "TclEvalByteCodeFromObj" SegV exception.
Conditions: This symptom is observed under normal operation when the router functions without a high CPU load.
Workaround: There is no workaround.
•
CSCeg78036
Symptoms: The following tracebacks may be generated when VFR handles fragmented packets:
%SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 0 data 6472EE80
chunkmagic 0 chunk_freemagic 6484FA7C
-Process= "IP Input", ipl= 4, pid= 60
Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS interim Release 12.3(12.11)T1. The symptom may also occur on a Cisco 2651XM.
Workaround: There is no workaround.
•
CSCeg78445
Symptoms: A Cisco router intermittently stops encrypting and forwarding packets, and the following error messages are generated:
%VPN_HW-1-ERROR: slot: 0 - ENOSPACE tx cmd 2 ring. Head 235, Tail 234, Used 255, buf 0
IPSECcard: an error coming back 0x1510
%CRYPTO-3-CONNID_ALLOC_FAIL: Crypto engine failed to allocate a connection ID for negotiation from 10.0.0.1 to 10.0.0.2
%SYS-2-MALLOCFAIL: Memory allocation of 20000 bytes failed from 0x60021B4C, alignment 0
Pool: Processor Free: 6093876 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "Crypto IKMP", ipl= 0, pid= 169 -Traceback= hex numbers
Conditions: This symptom is observed on a Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series that are configured with an AIM-VPN-BPII, AIM-VPN-BPII-PLUS, AIM-VPN/EPII, AIM-VPN/EPII-PLUS, AIM-VPN/HPII or AIM-VPN/HPII-PLUS Virtual Private Network (VPN) encryption and hardware advanced integration module (AIM).
Workaround: There is no workaround.
•
CSCeg79590
Symptoms: No IPS alerts are generated.
Conditions: This symptom is observed when an IPS rule is configured with ACL logging. The symptom occurs because ACL logging functions at process context only. For any IPS rule with ACL logging in the following configuration, the packets are not processed in fast path or CEF path:
access-list 100 permit any 192.168.1.0 0.0.0.255 log
ip ips name test list 100
Workaround: Do not configure ACL logging. Instead, for example, enter the following command:
access-list 100 permit any 192.168.1.0 0.0.0.255
•
CSCeg80092
Symptoms: Path MTU discovery fails.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.3(12.12)T5 and that is configured for PPP, HDLC, and miscellaneous features over a WAN tunnel that use IP as the transport protocol.
Workaround: There is no workaround.
•
CSCeg80794
Symptoms: A Cisco 3640 may hang when you configure PRI signaling.
Conditions: This symptom is observed inconsistently on a Cisco 3640 that runs Cisco IOS Release 12.3(11)T3.
Workaround: There is no workaround. Power-cycle the router to bring it back up.
•
CSCeg80858
Symptoms: When the buffered calling name functionality is enabled, calls from an ISDN gateway to a SIP device do not reflect correct screening and presentation indicators (as set in Octet3A by the originating switch) in the Remote-Party-Id header of an outgoing INVITE message. In addition, the gateway does not include the calling number in the Remote-Party-Id.
Conditions: This symptom is observed for calls that come from the PSTN via an ISDN gateway to a SIP device when the buffered calling name functionality is enabled so that the gateway has to wait for an ISDN FACILITY message for the calling name information before it can send an INVITE message.
Workaround: Disable the buffered calling name functionality.
•
CSCeg83188
Symptoms: Some calls may go as modem-passthrough rather than modem-relay.
Conditions: This symptom is observed on a Cisco gateway either when a DSP does not detect a CM tone or when an ANSam tone is not received correctly.
Workaround: There is no workaround.
•
CSCeg84512
Symptoms: End-to-end connectivity is broken in a basic EoMPLS configuration even though the VC on a PE router is in the UP state.
Conditions: This symptom is observed on a Cisco router that functions as a PE router in a configuration in which packets are sent from a CE router on one end, are processed correctly through the PE router, but fail to reach the CE router on the other end.
Workaround: Enter the shutdown command followed by the no shutdown command on the VC on the PE router.
•
CSCeg84573
Symptoms: Traffic, including cell-based MPLS traffic, may be affected (that is, traffic may be dropped, or its behavior may be modified) after you have modified a QoS policy map that is already attached to an interface by way of adding a new class or deleting an existing class.
Additionally, when a cell-based interface is affected by the above-mentioned symptom, traffic on other switch subinterfaces may also be affected even though the same policy map is not applied to these subinterfaces.
Conditions: These symptoms are observed when the following conditions are present:
–
A policy map "p" is configured with more than one class.
–
A particular class "y" is removed from "p" explicitly through the no class y command or implicitly by removing all the class-map actions under class "y".
–
For all classes under "p", including the "class-default" that is configured for "police" and that follows class "y" prior to its removal, the matching traffic is treated with the "exceed" action.
Workaround: To prevent the symptoms from occurring, enter the shutdown command on the interface before you modify the policy map. Enter the no shutdown command after you have modified the policy map.
Alternate Workaround: When the symptom has occurred and the interface is already affected, enter the shutdown command followed by the no shutdown command on all affected subinterfaces.
•
CSCeg85117
Symptoms: The transfer rate of data through a modem may be slightly less than the expected value of 1200 bytes/sec. The rate varies from 974 bytes/sec to 1122 bytes/sec.
Conditions: This symptom is observed when the modem sends the data over an AAL2 trunk of a Cisco router that runs Cisco IOS interim Release 12.3(12.12)T1.
Workaround: There is no workaround.
•
CSCeg86251
Symptoms: The CISCO-CDP-MIB is missing.
Conditions: This symptom is observed only on a Cisco 831.
Workaround: There is no workaround.
•
CSCeg86900
Symptoms: A Cisco 831 may run out of memory and reload.
Conditions: This symptom is observed on a Cisco 831 that is configured for DMVPN and other security features such as Cisco IOS firewall, NAT, and CBAC.
Workaround: There is no workaround.
•
CSCeg90657
Symptoms: Fragmented DNS packets fail.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.3(12.12)T1 when inside static NAT is configured.
Workaround: There is no workaround.
•
CSCeh02746
Symptoms: You cannot turn off the comfort noise that is generated by a DSP by entering the no comfort-noise voice-port configuration command.
Conditions: This symptom is observed on a Cisco router that functions as a voice gateway and that is configured with a network module or DSP module that uses 5510 DSPs such as an NM-HD-2V, NM-HDV2, and PVDM.
Workaround: There is no workaround.
•
CSCeh02842
Symptoms: In a point-to-point connection setup, the ATM interface on a Cisco 3660 may become stuck, causing packets to be dropped.
Conditions: This symptom is observed under unique test conditions with a Cisco 3660 that runs Cisco IOS interim Release 12.3(12.4)T1. The symptom is not reproducible with a manual configuration.
Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected ATM interface or recreate the PVC.
•
CSCeh06736
Symptoms: When IP header compression is enabled on a PPPoATM or PPPoFR interface, compressed packets are not correctly classified by any QoS policy that has been applied to the supporting ATM or Frame Relay PVC.
Conditions: This symptom is observed when CRTP is enabled on the virtual-template interface via the service policy command or ip rtp header-compression command and when the IP RTP Priority feature is enabled in the PVC policy.
Workaround: There is no workaround.
•
CSCeh08363
Symptoms: Bidirectional DTR does not function. The output of the show dialer command shows the incorrect dialer type.
Conditions: This symptom is observed on a Cisco 3660 that runs Cisco IOS interim Release 12.3(12.9)T.
Workaround: There is no workaround.
•
CSCeh09198
Symptoms: A Cisco gateway that has the garbage detector (a tool that is used for debugging memory leaks) enabled may hang indefinitely.
Conditions: This symptom is observed when you enter the garbage detector-related show memory debug leaks command or show memory debug incremental leaks command.
Workaround: There is no workaround.
•
CSCeh09820
Symptoms: The output of the show call active fax brief command shows output even when a fax call over a connection trunk is switched back to voice mode. In addition, the output of the show call history fax brief command shows no call leg even when the last fax call is successful and the output may not be updated for a second call and subsequent calls. However, there is no impact on the success of the calls.
Conditions: This symptom is observed on a Cisco 3700 series that is configured for VoIP and fax.
Workaround: There is no workaround.
•
CSCeh10646
Symptoms: A router may unexpectedly reload because of a bus error at an address that falls just short of the I/O memory range such as address 0x4E7FD5B8, whereas the iomem address starts at 0x4E800000.
Conditions: This symptom is observed when the router has some of the following security feature commands enabled on one or more interfaces:
ip nbar protocol-discovery
ip virtual-reassembly
ip access-group in
ip access-group out
ip inspect in
ip inspect out
ip ips in
ip ips out
auto discovery qos
crypto map
Workaround: Remove the ip access-group out command.
•
CSCeh14446
Symptoms: The maintenance mode on a Cisco AS5850 that is configured for RPR+ may not function.
Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.3(11)T.
Workaround: There is no workaround.
•
CSCeh15949
Symptoms: An extended access list does not function when it is applied to an interface even though the access list is configured correctly.
Conditions: This symptom is observed on a Cisco MGX 8850 RPM-XF that runs Cisco IOS Release 12.3(7)T3.
Workaround: Use an external device to filter the traffic. Apply the filter at another location in the network to accommodate your needs. If this is not possible, call Cisco TAC and reference this caveat with DDTS ID CSCeh15949.
Further Problem Description: An example of this caveat is shown below.
When a router attempts to access the Fast Ethernet interface of the RPM-XF, the router is able to access the RPM-XF even though its Fast Ethernet interface has an access list applied to it.
Topology:
RPM-XF-(FE)-------(FE)--Router
ip: 10.10.10.2 .1
Router_RPM09_XF#show running-config
Building configuration...
Current configuration : 1190 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_RPM09_XF
!
boot-start-marker
boot system x:rpmxf-p12-mz.123-7.T3
boot system bootflash:rpmxf-p12-mz.123-7.T3
boot-end-marker
interface FastEthernet2/0
ip address 10.10.10.2 255.255.255.252
ip access-group 101 in
duplex auto
speed auto
access-list 101 deny tcp any host 10.10.10.2 eq telnet
access-list 101 permit ip any any
Router_RPM09_XF#show ip access-list 101
Extended IP access list 101 (Compiled)
10 deny tcp any host 10.10.10.2 eq telnet
20 permit ip any any (96 matches)
Router_RPM09_XF#
The information below shows that the access list does not function:
Router#telnet 10.10.10.2
Trying 10.10.10.2 ... Open
•
CSCeh16214
Symptoms: A router reloads when you connect a third-party USB card reader.
Conditions: This symptom is observed when you connect a third-party USB card reader to the USB ports of a Cisco 2851 and Cisco 3845. It does not matter whether or not there is a compact flash card in the USB card reader.
Workaround: There is no workaround.
•
CSCeh17995
Symptoms: When you enter the following commands on the Fast Ethernet port of an NM-16ESW network module, the router may crash:
ip dhcp client hostname
no switchport mode
switchport mode
Conditions: This symptom is observed on a Cisco 2800 series and Cisco 3800 series in which an NM-16ESW network module is installed.
Workaround: Do not enter IP commands in switchport mode.
•
CSCeh18650
Symptoms: The DHCP interface address is not switched when you enter the ip dhcp smart-relay command.
Conditions: This symptom is observed on a Cisco platform that has the VRF-aware DHCP feature enabled.
Workaround: There is no workaround.
•
CSCeh19106
Symptoms: A Service Selection Gateway (SSG) that is deployed in a GPRS access environment and that is configured for L2TP tunnel service with an extended autodomain may reload when duplicate GPRS PDP context create requests are sent.
Conditions: This symptom is observed when the PDP context create requests contain static addressing, that is, the IP address of the MS instead of all zeros in the end user address field.
Workaround: There is no workaround. Note that for corporate access through a GPRS access-based solution using SSG, generally dynamic addressing is used. With dynamic addressing, the end-user address field is sent with all zeros and the corporate network provides the address, and the symptom does not occur.
•
CSCeh21290
Symptoms: When MLP is configured and when the policy map of a CE router does not have a real-time class map configured in its output policy map, TCP packets are policed incorrectly. This situation may affect the traffic throughput.
Conditions: This symptom is observed on a Cisco MGX RPM-XF that functions as a PE router and that runs Cisco IOS Release 12.3(11)T3 or releases later than Release 12.3(2)T6. The symptom occurs when TCP packets are sent via class-b data with 73 bytes of payload from a CE router to a PE router.
When the output policy map of the CE router does not have a real-time class map configured, the PE router shows that the 73-byte packet requires three ATM cells instead of just two ATM cells.
When the output policy map of the CE router does have a real-time class map configured, the PE router shows that the 73-byte packet requires two ATM cells, as it should be.
Workaround: There is no workaround.
•
CSCeh21680
Symptoms: A Cisco 2800 series or Cisco 3800 series may crash when you configure the interface of an NM-16ESW.
Conditions: This symptom is observed when you enter the ip rsvp bandwidth command on FE port 1/10 of the NM-16ESW and then you enter the no switchport mode command followed by the switchport mode command.
Workaround: Do not enter IP commands in switchport mode.
•
CSCeh22476
Symptoms: A Cisco MGX RPM-XF resets because a PCI retry counter expires.
Conditions: This symptom is observed when a Galileo PCI interrupt is asserted on SAR command timeouts.
Workaround: There is no workaround.
•
CSCeh22616
Symptoms: The output queue of a Fast Ethernet back card of a Cisco MGX RPM-XF may be stuck at 40/40.
Conditions: This symptom is observed when the Cisco MGX RPM-XF runs Cisco IOS Release 12.3(2)XZ and when the interface of the Fast Ethernet back card is configured in half-duplex mode and is connected to a hub. This symptom may also occur in Release 12.3T.
Workaround: Clear the affected interface of the Fast Ethernet back card by entering the clear interface fastethernet slot/port command.
•
CSCeh24075
Symptoms: Packets that are larger than 4400 bytes or packets that require fragmentation may be dropped when they traverse an xDSL WIC.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(6)T or a later release when a sweep ping is performed from one peer to another and when the WIC is a WIC-1ADSL, WIC-1ADSL-DG, WIC-1ADSL-I-DG, WIC-SHDSL, or WIC-SHDSL-V2.
Workaround: Avoid fragmentation on the DSL link or enter the ip mtu bytes command to change the maximum MTU to 4400 on the DSL interface.
•
CSCeh24202
Symptoms: A Cisco 2800 series that is configured for software or hardware encryption and CBAC may reload.
Conditions: This symptom is observed when IPSec SAs and CBAC sessions are established and when the traffic is blocked by an ACL on the outgoing WAN interface of a neighboring crypto router. When you send encrypted traffic from the neighboring crypto router to another router via the Cisco 2800 series, the Cisco 2800 series reloads.
Workaround: Permit the encrypted traffic on the outgoing interface of the neighboring crypto router.
•
CSCeh25009
Symptoms: When an input policy is defined on a Cisco 7500 series, counters do not increment.
Conditions: This symptom is observed when dLFIoFR QoS is configured in the egress path on the router.
Workaround: There is no workaround.
•
CSCeh25459
Symptoms: A call fails when the codec is changed from G.729 to G.711ulaw during the call.
Conditions: This symptom is observed when fax pass-through is configured and when the following events occur:
–
The initial codec for the call is negotiated as G.729.
–
A reinvite message with a codec change to G.711ulaw is sent to the gateway.
–
The gateway accepts the change with a 200 OK message but continues to send the call with codec G.729 in the RTP stream.
Workaround: Remove the fax pass-through configuration.
•
CSCeh26757
Symptoms: The IPSec idle timer does not delete an inactive IKE SA.
Conditions: This symptom is observed when the timer expires. IPSec SAs are properly deleted but the IKE SA is left up.
Workaround: There is no workaround.
•
CSCeh28729
Symptoms: An H.323 modem call is dropped rather than processed via modem pass-through.
Conditions: This symptom is observed when modem relay is configured on both the originating gateway (OGW) and the terminating gateway (TGW), when the OGW is configured for high complexity, and when the TGW is configured with a modem card in which an NM-HDV network module is installed.
The expected behavior is that the modem call passes as a modem pass-through call because modem relay is not supported on a modem card.
Workaround: There is no workaround.
•
CSCeh30001
Symptoms: E1R2 SS7 calls fail and a traceback is generated on a Cisco AS5400.
Conditions: This symptom is observed on a Cisco AS5400 when you bring up more than one E1R2 SS7 call. However, when you bring up only a single call, the call is successful and stable for the call duration.
Workaround: There is no workaround.
•
CSCeh30818
Symptoms: A traceback is generated when multicast traffic is flowing.
Conditions: This symptom is observed when PIM is enabled on multiple interfaces and when the counters are cleared.
Workaround: There is no workaround.
•
CSCeh31934
Symptoms: There is no hornbook tone from a second ephone in a hunt group when the ringing of the first ephone in the hunt group times out and the call is forwarded to the second ephone.
Conditions: This symptom is observed when a TCL IVR application is configured on an incoming POTS dial peer.
Workaround: There is no workaround.
•
CSCeh32315
Symptoms: The IPSec Path Maximum Transmission Unit (PMTU) is not updated correctly when the IP MTU of the underlying physical interface is changed. When the IP MTU of the physical interface is changed to a smaller size, fragmentation may occur.
Conditions: These symptoms are observed when you configure a crypto map on tunnel interfaces that use the IP address of the physical interface as the tunnel source.
Workaround: There is no workaround. However, when the IP MTU of the physical interface is not changed, IPSec traffic should not be negatively affected.
•
CSCeh32430
Symptoms: A router may crash when a certificate server is removed while the certificate storage is inaccessible.
Conditions: This symptom is observed under the following conditions:
–
A Cisco IOS Certificate Server is busy processing a CLI such as the clock set command that was entered via a Telnet or console session.
–
The CLI prompt has not returned.
–
In another Telnet or console session, the Cisco IOS Certificate Server is removed by entering the no crypto pki server server-label command.
Workaround: Do not remove the Cisco IOS Certificate Server via one Telnet or console session while the Cisco IOS Certificate Server is busy processing a CLI in another Telnet or console session.
•
CSCeh32576
Symptoms: Configuring an AUX port through a non-slotted notation such as "interface async 1" may not be possible on a Cisco 1841 and a Cisco 2801.
Conditions: This symptom is observed on a Cisco 1841 and Cisco 2801 that run Cisco IOS interim Release 12.3(11.9)T or a later release.
Workaround: Configure the AUX port through the slotted notation such as "interface async 0/0/0".
•
CSCeh33519
Symptoms: A gateway attempts to register with a gatekeeper more than once but fails, and the following error message and tracebacks are generated:
CCH323-2-GTWY_REGSTR_FAILED: Gateway egsin-3845-vw@cisco.com failed to register with Gatekeeper egsj-3745-gk even after 2 retries
Conditions: This symptom is observed on a Cisco router that functions as an H.323 gateway when you manually shut down the interface through which the gatekeeper is reachable.
Workaround: There is no workaround.
•
CSCeh36391
Symptoms: The line protocol on a serial link stays down and input CRC errors are generated.
Conditions: This symptom is observed when a T1 WIC is connected to a 56K DSU WIC via a switch and mux, when the switch provides the clock, and when the network-clock-select command is enabled on the T1 WIC side to route the clock to the TDM backplane.
Workaround: There is no workaround.
•
CSCeh37340
Symptoms: Accounting does not start after a tunnel goes down and comes back up again.
Conditions: This symptom is observed when multiple clients are connected to a head-end router through a platform that is configured for NAT.
The tunnel interface should be down when clients try to re-key an IPSec SA and accounting should fail. After the permitted number of re-key attempts, the IKE SA and peer structures should be eliminated. However, when the tunnel interface goes up and IKE negotiation starts again, accounting should also start again.
Workaround: There is no workaround.
•
CSCeh41997
Symptoms: EEM Tcl policies leak a significant amount of memory every time they run.
Conditions: This symptom occurs because the memory model that is currently implemented in Cisco IOS software that supports Tcl assumes a single threaded model in which global memory is not released when the Tcl script completes.
Workaround: There is no workaround.
•
CSCeh42080
Symptoms: In a test in which an ACL is triggered by EzVPN, a tunnel does not come up for interesting traffic.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS interim Release 12.3(12.12)T5.
Workaround: There is no workaround.
•
CSCeh42852
Symptoms: A T.37 fax fails on a Cisco 2800 series because of clocking problems with a BRI. The fax that is sent or received via the BRI may be incomplete with cut pages or a part lost. About 40 to 50 percent of the faxes fail.
Conditions: This symptom is observed in the following topology:
A fax is sent from a fax machine via the PSTN to a BRI on a Cisco 2800 series. The Cisco 2800 series connects via an IP interface to an SMTP mail server.
Workaround: There is no workaround. Note that a fax that is sent via FXS instead of via a BRI goes through fine.
•
CSCeh43717
Symptoms: A Cisco 3745 reloads when you enable the proxy.
Conditions: This symptom is observed on a Cisco 3745 that functions as a gatekeeper.
Workaround: Disable the proxy mode.
•
CSCeh43768
Symptoms: A crypto tunnel is in the DOWN state after a Cisco 7200 series crashes because of a valid freeblock memory corruption.
Conditions: This symptom is observed when you change the Cisco IOS software image on the Cisco 7200 series from Release 12.3(8)T4 to Release 12.3(8)T7.
Workaround: There is no workaround.
•
CSCeh43773
Symptoms: Labeled packets drop when a crypto map is applied on an egress interface.
Conditions: This symptom is observed when the egress interface is configured for MPLS.
Workaround: There is no workaround.
Further Problem Description: While generating labeled packets from the router on which the crypto map is applied, the output of the debug ip packet access-list-number command shows the following information:
IP: tableid=1, s=10.1.1.1 (local), d=10.1.2.1 (GigabitEthernet0/2),routed via FIB
IP: s=10.1.1.1 (local), d=10.1.2.1 (GigabitEthernet0/2), len 100,sending
IP: s=10.1.1.1 (local), d=10.1.2.1 (GigabitEthernet0/2), len 100,output crypto map check failed.
•
CSCeh44066
Symptoms: A packet is dropped because of a CEF encapsulation failure.
Conditions: This symptom is observed when the packet passes through a GRE tunnel interface.
Workaround: Turn off CEF switching on the GRE tunnel interface.
•
CSCeh46004
Symptoms: A SAR ucode reload is not recorded.
Conditions: This symptom is observed on a Cisco MGX RPM-XF when you enter a command that causes a reload of the SAR microcode.
Workaround: Check the log for references to the SAR ucode reload.
•
CSCin68433
Symptoms: A VIP may crash at "ct3sw_rx_interrupt" when dMLFR is configured on the RSP.
Conditions: This symptom is observed on a Cisco 7500 series that is configured with a channelized T3 port adapter.
Workaround: There is no workaround.
•
CSCin79522
Symptoms: A Cisco router that runs Cisco IOS Release 12.3T may reload when the ATM interfaces are swapped.
Conditions: This symptom is observed when an ATM IMA port adaptor is removed and a PA-A3 port adaptor is inserted in the same slot and when there is at least one PVC configured that has the inarp enabled.
Workaround: There is no workaround.
•
CSCin82582
Symptoms: After you have reloaded a Cisco 3745 that is configured with ATM AIM cards and that has a startup configuration that includes BERT functionality, a software-forced reload may occur on the router and the router does not come up.
Conditions: The symptom is observed on a Cisco 3745 that runs Cisco IOS interim Release 12.3(12.12)T1 when the codecs that are included in the startup configuration are LLCC. The software-forced reload does not occur after you have reloaded the router with the default configuration, that is, when codec information is not included and when ATM AIM cards are not configured. The router crashes only when all the voice ports are initialized and ATM AIM cards are in use.
Workaround: There is no workaround.
•
CSCin83380
Symptoms: Routers generate tracebacks during a test with call setup and random call failures.
Conditions: This symptom is observed on Cisco 7xxx routers when E1R2 signaling is configured and when line signaling is used for the analog service.
Workaround: There is no workaround.
•
CSCin84542
Symptoms: A VWIC multiflex trunk controller that has the alarm trigger-blue command enabled may not come up.
Conditions: This symptom is observed when you boot a Cisco 3745 that runs Cisco IOS Release 12.3(7)T6.
Workaround: Enter the shutdown command followed by the no shutdown command on the affected controller after the router has booted.
•
CSCin87258
Symptoms: A Cisco router that is configured for SSG may reload when you configure a local service profile.
Conditions: This symptom is observed when the local service profile is configured with more than 150 service network entries.
Workaround: There is no workaround.
•
CSCin87746
Symptoms: A TDM connect failure occurs and tracebacks are generated, causing voice call failures.
Conditions: This symptom is observed when Voice over IP (VoIP) is configured on a Cisco 7200 series and a Cisco 7500 series, when the signaling is E1 R2 analog with medium complexity, when you change the framing from CRC4 to non-CRC4 on the E1 controllers, and when you enter the shutdown controller configuration command followed by the no shutdown controller configuration command on the E1 controllers of both the Cisco 7200 series and the Cisco 7500 series.
Workaround: There is no workaround.
•
CSCin87783
Symptoms: The PRI voice-call path confirmation may fail and a %DSMP-3-DSP_TIMEOUT message may be generated.
Conditions: This symptom is observed on a Cisco 3660 while PRI voice calls are made.
Workaround: There is no workaround.
•
CSCin89146
Symptoms: The G.728 codec calls fail on a SIP call leg of an IPIPGW.
Conditions: This symptom is observed when the G.728 codec is configured on the SIP leg and when a "ptime" translation error occurs.
Workaround: There is no workaround.
•
CSCin89236
Symptoms: Though an active call disconnects, the SCCP connection is not torn down.
Conditions: This symptom is observed on a Cisco platform that functions as an IPIPGW only after you reload the router and test transcoding for the first time. The SCCP connection exists for a long duration or until you enter the no sccp command.
Workaround: Enter the no sccp command to tear down the SCCP connection.
•
CSCin89831
Symptoms: A "Diagnostic Minor Error" may occur on a Multiprocessor WAN (MWAN) application module and processor 6 ("complex 0") may fail to come up on the MWAM application module. This situation causes only four processors to be up and one processor to remain inaccessible.
Conditions: This symptom is observed when the MWAN application module runs a GGSN image.
Workaround: There is no workaround.
•
CSCsa42585
Symptoms: A Cisco IOS IPv6 firewall may crash and generate the following error message:
%ALIGN-1-FATAL: Illegal access to a low address
Conditions: This symptom is observed when you enter the clear ipv6 inspect all command while many TCP sessions are being created.
Workaround: Prevent so many TCP sessions from being created: limit the session creation rate to 200 sessions per minute by lowering the onemin threshold for the IPv6 firewall via the ipv6 inspect onemin high 200 command.
•
CSCsa44556
Symptoms: When you remove and re-enter the zone circuit-id command, the command may not take effect.
Conditions: This symptom is observed on a Cisco platform that functions as a gatekeeper.
Workaround: Reload the gatekeeper after you have made the configuration changes.
•
CSCsa45066
Symptoms: A memory leak may occur in the SDP library on an IPIPGW.
Conditions: This symptom is observed when a fax call is made between a platform that is configured for SIP and a platform that is configured for T.38 H.323.
Workaround: There is no workaround.
•
CSCsa50971
Symptoms: A Cisco platform may unexpectedly reload while attempting to resequence an access list.
Conditions: This symptom is observed when you delete a few ACEs and then immediately enter the ip access-list resequence access-list-name starting-sequence-number increment command.
Workaround: There is no workaround.
•
CSCsa52821
Symptoms: When AAA accounting is configured for an EZ-VPN server, the EZ-VPN server may stop sending periodic updates for an idle client. When the symptom occurs, the output of the show aaa sessions command shows that the user name is not available for the idle client. The user name appears to be lost.
Conditions: This symptom is observed on a Cisco 7200 series that functions as an EZ-VPN server and that runs Cisco IOS Release 12.3(8)T or a later release. The symptom may not be release-specific.
Workaround: Add an IPSec idle time of a shorter duration than the IPSec lifetime to enable idle clients to send stop records.
•
CSCsa53127
Symptoms: A bargeinable prompt aborts right after it starts playing, almost as if it is being barged in to.
Conditions: This symptom is observed in the following scenario with an application that requests DTMF input using two to four digits with an asterisk as the termination character:
–
You let the prompt play (that is, you do not barge in).
–
You enter "123*". The next prompt is a VXML Transfer element containing three .wav files (1.wav, 2.wav, and 3.wav).
–
This prompt is bargeinable, but you do not barge in. You hear a brief "burp", but not the three .wav files.
–
The final prompt is non-bargeinable TTS "Test Passed", which you hear just fine.
Workaround: Make the .wav files non-bargeinable.
•
CSCsa55375
Symptoms: A high error rate may occur on a WIC-1DSU-T1-V2. Because of the large number of errors, the interface of the WIC-1DSU-T1-V2 may not come up.
Conditions: These symptoms are observed on a WIC-1-DSU-T1-V2 that is installed in a Cisco router.
Possible Workaround: The symptoms may clear when you replace the in-house cabling with cat.5 cables.
•
CSCsa57147
Symptoms: A disconnect event is not thrown or caught on a Cisco AS5400.
Conditions: This symptom is observed when the platform functions under a heavy load with a large number of calls that are disconnected from the gateway during VXML page execution. The disconnect event may not be thrown or get caught by the catch blocks of the root document.
Workaround: There is no workaround.
•
CSCsa57841
Symptoms: A Cisco 837 may report a memory leak in the I/O pool caused by a buffer leak in the VeryBig buffer pool.
Conditions: This symptom is observed on a Cisco 837 that runs Cisco IOS Release 12.3(11)T2, that is configured for IPSec, and that receives SNMP polls from a server.
Workaround: Stop the SNMP polls that check the operational status (via the ifOperStatus object) and administrative status (via the ifAdminStatus object) of the interfaces on the router. Alternatively, temporarily disable SNMP on the router.
•
CSCsa57869
Symptoms: When a voice call is made, a spurious memory access may occur on a Cisco AS5400 or the Cisco AS5400 may reload unexpectedly because of a bus error.
Conditions: These symptoms are observed in the following Cisco IOS software releases:
–
The spurious memory access is observed on a Cisco AS5400 that runs interim Release 12.3(12.12)T2 during an eight-hour stress test.
–
The unexpected reload is observed on a Cisco AS5400 that runs interim Release 12.3(12.5).
Workaround: Enter the no voice-fastpath enable command to prevent the symptoms from occurring.
•
CSCsa59315
Symptoms: SSG subscribers that are connected on a downlink VRF are not able to access SSG open garden services.
Conditions: This symptom is observed when downstream traffic from the open garden service to the subscriber is routed using the global routing table and is dropped when it appears to be unroutable.
Workaround: Add a route to the subscriber IP address in the global routing table.
Alternate Workaround: Do not bind the interface to the open garden service as an uplink interface and enable VRF-based NAT to translate the subscriber IP address to a global IP address.
•
CSCsa59549
Symptoms: A Cisco 2800 series that is configured for encryption, CBAC, and IPS crashes and reloads during the inspect process.
Conditions: This symptom is observed on a Cisco 2800 series that runs Cisco IOS interim Release 12.3(12.12)T2 when it functions under a heavy load of mixed application traffic and IP telephony traffic.
Workaround: There is no workaround.
•
CSCsa59667
Symptoms: An AIM that is installed in a Cisco 2851 or Cisco 3845 may time out when it receives non-multiples of a 64-bits public key from a third-party vendor router. This situation causes the router to crash rather than verifying the key.
The Cisco 2851 crashes because of a memory corruption. The Cisco 3845 crashes because of an "ALIGN-1-FATAL" bus error.
Conditions: This symptom is observed on a Cisco 2851 and Cisco 3845 that run Cisco IOS Release 12.3(11)T3.
Workaround: Ensure that the AIM receives multiples of the 64-bits public key.
Alternate Workaround: Disable the AIM hardware encryption by entering the no crypto engine aim 0 command. Doing so causes onboard encryption to occur.
•
CSCsa60934
Symptoms: A Cisco router on which URL filtering is used may reload because of memory corruption.
Conditions: This symptom is observed on a Cisco 1700 series that runs Cisco IOS Release 12.3(7)XR3 or interim Release 12.3(7.11)T.
Workaround: There is no workaround.
•
CSCsa63019
Symptoms: A security gateway may crash when ISAKMP accounting is enabled at aggressive time intervals such as 1-minute updates.
Conditions: This symptom is observed when ISAKMP accounting is enabled at very frequent update intervals together with ISAKMP NAT-T.
Workaround: Use ISAKMP accounting timers with a longer duration.
•
CSCsa64885
Symptoms: A router that is configured for SSG intermittently resets itself and generates a spurious memory access.
Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3T with a prepaid or proxy service that has an idle or session timeout configured in the service profile.
Workaround: There is no workaround.
•
CSCsa65656
Symptoms: SSG uses a duplicate Acct-session-id (attribute 44) in a RADIUS accounting packet.
Conditions: This symptom is observed for post-paid users.
Workaround: There is no workaround.
•
CSCsa66255
Symptoms: IP data traffic does not pass via MLP.
Conditions: This symptom is observed on a Cisco 3825 that runs the c3825-advsecurityk9-mz image of Cisco IOS Release 12.3(11)T3 when STAC compression on an AIM-COMPR4 fails.
Workaround: There is no workaround.
•
CSCsa66702
Symptoms: A Cisco 3660 may reload when an IP phone is placed on hold.
Conditions: This symptom is observed on a Cisco 3660 that runs Cisco IOS Release 12.3(11)T4.
Workaround: There is no workaround.
•
CSCsa67469
Symptoms: When calls are made from an IP phone to the PSTN and when the PSTN side transfers the call to another PSTN number, one-way audio occurs. The IP phone caller can hear the new PSTN callee, but the PSTN callee cannot hear the IP phone caller.
There is no pattern to the number of calls that fail, but eventually the router to which the IP phone is connected has high CPU utilization and crashes.
Conditions: This symptom is observed on a Cisco 2600XM that runs Cisco IOS Release 12.2(15)ZJ or Release 12.3(11)T2.
Workaround: There is no workaround.
•
CSCsa69625
Symptoms: A severe memory leak occurs when accounting is enabled on a gatekeeper. When all memory has been consumed, the following error message is generated:
%AAA-3-ACCT_IOMEM_LOW: AAA ACCT process suspended: low I/O memory
After this message has been generated, you cannot enter any CLI command and calls fail. You must reload the router to recover the lost memory.
Conditions: This symptom is observed on a Cisco router that functions as a terminating gatekeeper and that is placed between a VoIP call generator and an originating gatekeeper that is also connected to a VoIP call generator. The symptom occurs after the following events have occurred:
–
You configure gatekeeper-based accounting.
–
You make interzone calls by using the VoIP call generator.
–
You make calls at a rate of two calls per second for more than an hour, after which the memory is fully consumed.
Workaround: There is no workaround.
•
CSCsa70038
Symptoms: When calls come in from the PSTN while you manually shut down a BRI of a VIC2-BRI, the Cisco gateway activates ISDN layer 1. This is improper behavior.
Conditions: This symptom is observed on a Cisco gatekeeper that runs Cisco IOS Release 12.3(4)T6 or Release 12.3(11)T3, but could also occur in other releases.
Workaround: There is no workaround.
•
CSCsa70040
Symptoms: A router does not attempt to autoinstall a software configuration via a Frame Relay WAN segment when it receives a response to a DHCP request on an Ethernet LAN, even though the DHCP server does not support autoinstall via TFTP.
Conditions: This symptom is observed when a software configuration is replaced on a failed remote router or installed on a new remote router. The router is connected to an existing Ethernet LAN and a Frame Relay WAN segment. You would expect the router to autoinstall over the Frame Relay WAN segment because it is supposed to download the configuration from a central TFTP server. However, this does not occur.
When the router has a response to its DHCP request on the Ethernet LAN, it attempts to autoinstall over DHCP. Although the DHCP server does not support autoinstall over DHCP, the router does not attempt to autoinstall over the Frame Relay WAN segment.
Workaround: Prevent the DHCP server from responding to the router's request or ensure that someone is physically present to disconnect the Ethernet LAN link from the router to force the router to autoinstall over the Frame Relay WAN segment. When the router has autoinstalled over the Frame Relay WAN segment, the router should be reconnected to the Ethernet LAN.
•
CSCsa71055
Symptoms: Pings from a PE router to the Ethernet interface of a CE router fail.
Conditions: This symptom is observed on a Cisco MGX RPM-XF that functions as a PE router and that runs Cisco IOS Release 12.3(2)XZ. The symptom could also occur in Release 12.3T.
Workaround: Clear the IP route.
•
CSCsa71310
Symptoms: An E1 controller on an MGCP trunking gateway reports Loss of Frames (LOF).
Conditions: This symptom is observed when you configure a Cisco 3660 as an MGCP trunking gateway.
Workaround: There is no workaround.
•
CSCsa71410
Symptoms: A Cisco AS5400 gateway crashes and reboots at random.
Conditions: This symptom is observed on a Cisco AS5400 that runs Cisco IOS Release 12.3(11)T4 when you run a load test with a Customer Voice Portal (CVP) configuration for one to two hours and then stop the load test and place a single call using an IP phone.
Workaround: There is no workaround.
•
CSCsa71596
Symptoms: The prompt file that is stored on an HTTP file server and that is invoked by a VXML document is not heard by a caller.
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS interim Release 12.3(12.12)T5 when a VXML document attempts to retrieve and render a wav file that is stored on an HTTP file server.
Workaround: There is no workaround.
•
CSCsa71612
Symptoms: When you make 21 calls and place one call on hold, the callee at the PSTN side does not hear the MoH.
Conditions: This symptom is observed on a Cisco 2621XM and Cisco 3745 that run an IP voice image of Cisco IOS Release 12.3(7)T4 and that are configured with an NM-HD-2VE, a VWIC-1MFT-T1 or VWIC-2MFT-T1, codec complexity flex, and multicast MoH.
Workaround: Add another NM-HD-2VE and configure codec complexity medium.
•
CSCsa72114
Symptoms: When you enter the crypto ipsec client ezvpn command, the platform may crash because of memory corruption and error messages similar to the following may be generated:
validblock_diagnose, code = 10
current memory block, bp = 0x655B127C, memorypool type is Processor data check, ptr = 0x655B12A4
next memory block, bp = 0x655B13C4, memorypool type is Processor data check, ptr = 0x655B13EC
previous memory block, bp = 0x655B10CC, memorypool type is Processor data check, ptr = 0x655B10F4
Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.3(11)T3.
Workaround: There is no workaround.
•
CSCsa73120
Symptoms: A Cisco 7301 may restart because of a bus error.
Conditions: This symptom is observed on a Cisco 7301 that runs Cisco IOS Release 12.3(8)T5 and that is configured for IPSec.
Workaround: There is no workaround.
•
CSCsa73438
Symptoms: When SSG functions in RADIUS proxy mode, SSG sends the RADIUS Framed IP Netmask Attribute value that it receives from a RADIUS server as the Framed IP Address Attribute value towards a GGSN or CSG downlink RADIUS client.
Conditions: This symptom is observed when the RADIUS Framed IP Netmask Attribute value is less than a 32-bit mask.
Workaround: Avoid using the RADIUS Framed IP Netmask Attribute or use a 32-bit mask value for it.
•
CSCsa73842
Symptoms: An IP phone line is not released for some calls between Cisco CallManagers.
Conditions: This symptom is observed when calls between the Cisco CallManagers are made via a Cisco Multiservice IP-to-IP Gateway (IPIPGW) that is configured for H.323.
Workaround: There is no workaround.
•
CSCsa74386
Symptoms: A router may crash because of an unexpected exception to CPUvector 1200.
Conditions: This symptom is observed on a low-end Cisco router such as a Cisco 2650 series that runs Cisco IOS Release 12.3(11)T3 when a basic QoS configuration such as CBWFQ is applied to a legacy dialer interface and when traffic is flowing through this interface.
Workaround: Remove the output service policy from the dialer interface before any traffic goes through the ISDN backup interface.
•
CSCsa74911
Symptoms: A Cisco 3745 may display the following error message:
%C542-1-NO_RING_DESCRIPTORS: No more ring descriptors on Foreign Exchange Station 3/0/0. Msg id=00, Len=36
Conditions: This symptom is observed on a Cisco 3745 that functions as a VoIP dial peer and that is configured with FXS ports that function in connection trunk mode and that are not configured for VAD.
Workaround: Configure VAD and reload the router.
Further Problem Description: The above-mentioned information comes from the Release-note enclosure for caveat CSCeg49448. This caveat, CSCsa74911, documents (and corrects) a flaw within the DSP firmware that is observed only in conjunction with the occurrence of caveat CSCeg49448.
•
CSCsa74930
Symptoms: A Cisco 3825 may display the following error message and traffic is interrupted:
%SBETH-3-ERRINT: GigabitEthernet0/0, error interrupt, mac_status = 0x0000000000840000
Conditions: This symptom is observed when multiple users that are connected to a downstream switch attempt to log into network resources across a WAN (traversing the router).
Workaround: There is no workaround.
•
CSCsa75758
Symptoms: DMVPN sessions fail.
Conditions: This symptom is observed when a Cisco 7200 series that is configured as a DMVPN hub runs out of memory.
Workaround: There is no workaround.
•
CSCsa76035
Symptoms: The line protocol goes down on an NM-1T3/E3 network module when 2 MB of traffic flows through the NM-1T3/E3 network module.
Conditions: This symptom is observed on a Cisco 3725 router that runs Cisco IOS Release 12.3(11)T3 and that functions as a PE

