Cisco IOS Software Releases 12.4 T

Cross-Platform Release Notes for Cisco IOS Release 12.4 T, Part 5: Caveats for 12.4(11)T through 12.4(24)T2


Caveats for Cisco IOS Release 12.4T


November 2, 2009

Cisco IOS Release 12.4(24)T2

Text Part Number OL-8003-09 Rev. I0

This document lists severity 1 and 2 caveats and select severity 3 caveats for Cisco IOS Release 12.4T, up to and including Cisco IOS Release 12.4(24)T2. Caveats describe unexpected behavior or defects in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.

Because Cisco IOS Release 12.4T is based on Cisco IOS Release 12.4, many caveats that apply to Cisco IOS Release 12.4 will also apply to Cisco IOS Release 12.4T. For information on severity 1 and severity 2 caveats in Cisco IOS Release 12.4, see the Caveats for Cisco IOS Release 12.4 document located on Cisco.com.

To improve this document, we would appreciate your comments. If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically at http://www.cisco.com/feedback/ or contact caveats-doc@cisco.com. For more information, see the "Obtaining Documentation and Submitting a Service Request" section.

Contents

How to Use This Document

If You Need More Information

Resolved Caveats—Cisco IOS Release 12.4(24)T2

Resolved Caveats—Cisco IOS Release 12.4(24)T1

Open Caveats—Cisco IOS Release 12.4(24)T

Resolved Caveats—Cisco IOS Release 12.4(24)T

Resolved Caveats—Cisco IOS Release 12.4(22)T3

Resolved Caveats—Cisco IOS Release 12.4(22)T2

Resolved Caveats—Cisco IOS Release 12.4(22)T1

Resolved Caveats—Cisco IOS Release 12.4(22)T

Resolved Caveats—Cisco IOS Release 12.4(20)T4

Resolved Caveats—Cisco IOS Release 12.4(20)T3

Resolved Caveats—Cisco IOS Release 12.4(20)T2

Resolved Caveats—Cisco IOS Release 12.4(20)T1

Resolved Caveats—Cisco IOS Release 12.4(20)T

Resolved Caveats—Cisco IOS Release 12.4(15)T11

Resolved Caveats—Cisco IOS Release 12.4(15)T10

Resolved Caveats—Cisco IOS Release 12.4(15)T9

Resolved Caveats—Cisco IOS Release 12.4(15)T8

Resolved Caveats—Cisco IOS Release 12.4(15)T7

Resolved Caveats—Cisco IOS Release 12.4(15)T6

Resolved Caveats—Cisco IOS Release 12.4(15)T5

Resolved Caveats—Cisco IOS Release 12.4(15)T4

Resolved Caveats—Cisco IOS Release 12.4(15)T3

Resolved Caveats—Cisco IOS Release 12.4(15)T2

Resolved Caveats—Cisco IOS Release 12.4(15)T1

Resolved Caveats—Cisco IOS Release 12.4(15)T

Resolved Caveats—Cisco IOS Release 12.4(11)T4

Resolved Caveats—Cisco IOS Release 12.4(11)T3

Resolved Caveats—Cisco IOS Release 12.4(11)T2

Resolved Caveats—Cisco IOS Release 12.4(11)T1

Resolved Caveats—Cisco IOS Release 12.4(11)T

Resolved Caveats—Cisco IOS Release 12.4(9)T7

Resolved Caveats—Cisco IOS Release 12.4(9)T6

Resolved Caveats—Cisco IOS Release 12.4(9)T5

Resolved Caveats—Cisco IOS Release 12.4(9)T4

Resolved Caveats—Cisco IOS Release 12.4(9)T3

Resolved Caveats—Cisco IOS Release 12.4(9)T2

Resolved Caveats—Cisco IOS Release 12.4(9)T1

Resolved Caveats—Cisco IOS Release 12.4(9)T

Resolved Caveats—Cisco IOS Release 12.4(6)T11

Resolved Caveats—Cisco IOS Release 12.4(6)T10

Resolved Caveats—Cisco IOS Release 12.4(6)T9

Resolved Caveats—Cisco IOS Release 12.4(6)T8

Resolved Caveats—Cisco IOS Release 12.4(6)T7

Resolved Caveats—Cisco IOS Release 12.4(6)T6

Resolved Caveats—Cisco IOS Release 12.4(6)T5

Resolved Caveats—Cisco IOS Release 12.4(6)T4

Resolved Caveats—Cisco IOS Release 12.4(6)T3

Resolved Caveats—Cisco IOS Release 12.4(6)T2

Resolved Caveats—Cisco IOS Release 12.4(6)T1

Resolved Caveats—Cisco IOS Release 12.4(6)T

Resolved Caveats—Cisco IOS Release 12.4(4)T8

Resolved Caveats—Cisco IOS Release 12.4(4)T7

Resolved Caveats—Cisco IOS Release 12.4(4)T6

Resolved Caveats—Cisco IOS Release 12.4(4)T5

Resolved Caveats—Cisco IOS Release 12.4(4)T4

Resolved Caveats—Cisco IOS Release 12.4(4)T3

Resolved Caveats—Cisco IOS Release 12.4(4)T2

Resolved Caveats—Cisco IOS Release 12.4(4)T1

Resolved Caveats—Cisco IOS Release 12.4(4)T

Resolved Caveats—Cisco IOS Release 12.4(2)T6

Resolved Caveats—Cisco IOS Release 12.4(2)T5

Resolved Caveats—Cisco IOS Release 12.4(2)T4

Resolved Caveats—Cisco IOS Release 12.4(2)T3

Resolved Caveats—Cisco IOS Release 12.4(2)T2

Resolved Caveats—Cisco IOS Release 12.4(2)T1

Resolved Caveats—Cisco IOS Release 12.4(2)T

Obtaining Documentation and Submitting a Service Request

How to Use This Document

This document describes open and resolved severity 1 and 2 caveats and select severity 3 caveats:

The "Open Caveats" section lists open caveats that apply to the current release and may apply to previous releases.

The "Resolved Caveats" sections list caveats resolved in a particular release, but open in previous releases.

Within the sections, the caveats are sorted alphanumerically by caveat number. The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

If You Need More Information

Cisco IOS software documentation can be found on the web through Cisco.com. For information on Cisco.com, see the "Obtaining Documentation and Submitting a Service Request" section.

For more information on caveats and features in Cisco IOS Release 12.4T, refer to the following sources:

Bug Toolkit—If you have an account on Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Products and Services: Cisco IOS Software: Cisco IOS Software Releases 12.2: Troubleshooting: Bug Toolkit. Another option is to go to:

http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl

(If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)

Release Notes for Cisco IOS Release 12.4T—These release notes describe new features and significant software components for Cisco IOS software Release 12.4T.

Deferral Advisories and Software Advisories for Cisco IOS Software—Deferral Advisories and Software Advisories for Cisco IOS Software provides information about caveats that are related to deferred software images for Cisco IOS releases. If you have an account on Cisco.com, you can access Deferral Advisories and Software Advisories for Cisco IOS Software at http://www.cisco.com/public/sw-center/sw-ios-advisories.shtml.

What's New for IOS—What's New for IOS lists recently posted Cisco IOS software releases and software releases that have been removed from Cisco.com. If you have an account on Cisco.com, you can access What's New for IOS at http://www.cisco.com/public/sw-center/index.shtml.


Note: Release notes are modified only on an as-needed basis. The maintenance release number and the revision date represent the last time the release notes were modified to include new or updated information. For example, release notes are modified whenever any of the following items change: software or hardware features, feature sets, memory requirements, software deferrals for the platform, microcode or modem code, or related documents.


The most recent release notes when this caveats document was published were Release Notes for Cisco IOS Release 12.4T, for Cisco IOS Release 12.4(24)T, published on October 30, 2009.

Resolved Caveats—Cisco IOS Release 12.4(24)T2

Cisco IOS Release 12.4(24)T2 is a rebuild release for Cisco IOS Release 12.4(24)T. The caveats in this section are resolved in Cisco IOS Release 12.4(24)T2 but may be open in previous Cisco IOS releases.

CSCej33698

Symptoms: A router that is running Cisco IOS software may mistakenly fail a CRC check on files in NVRAM.

Conditions: This symptom has been observed with large files, such as large startup configurations.

Workaround: There is no workaround.

CSCsc62963

Symptoms: The interface MTU is not user configurable. When you attempt to configure "interface level command mtu", the following message is printed:

% Interface {Interface Name} does not support user settable mtu.

Conditions: The symptom is observed with a 2-Port FE on a Cisco 7200 series router.

Workaround: There is no workaround.

Further Problem Description: The Cisco.com document entitled "MPLS MTU Command Changes" further discusses this enhancement.

CSCsg00102

Symptoms: SSLVPN service stops accepting any new SSLVPN connections.

Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed.

This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.

CSCsl15443

Symptoms: Console port can lock up after 10-15 minutes. Telnet sessions fail.

Conditions: Occurs when terminal server is connected to router's console port.

Workaround: There is no workaround.

CSCsl52962

Symptoms: The RP crashes due to a watchdog timeout of the uRPF stats process.

Conditions: The symptom is observed when issuing the interface range port-channel <number> - <number> command.

Workaround: There is no workaround.

CSCso05336

Symptoms: A Cisco 1811 router reloads when trying to connect to irc.freenode.net during the first 36 hours following a reload.

Conditions: The symptom is observed only in the first 36 hours following a reload.

Workaround: Do not connect to irc.freenode.net the first 36 hours following a reload.

CSCso97304

Symptoms: Configuring and unconfiguring hierarchical QoS may cause memory leak on a Cisco router.

Conditions: This symptom occurs on a Cisco router that is running Cisco IOS Release 12.4(15)T4.

Workaround: There is no workaround.

CSCsq42671

Symptoms: LiveRcd softkey label is shown as "???" instead of localized string.

Conditions: The symptom is observed with Cisco IOS Release 12.4(15)XZ with Japanese locale.

Workaround: There is no workaround.

CSCsq58289

Symptoms: The connected interface prefix that is redistributed to OSPF is not seen as a Type 5 LSA in the OSPF database.

Conditions: The symptom is observed with the prefix that is initially covered by a "network ..." statement under router ospf ... and later removed by doing no router ospf ... instead of no network ....

Workaround: Perform a shut then no shut on the interface with the prefix that is not being redistributed.

CSCsq83006

Symptoms: When some port-channels go down at the same time on a router, it can cause EIGRP SIA errors.

Conditions: The symptom occurs with four routers in a full mesh that are connected via port-channels. Additionally, it occurs with more than five routers that are connected via a partial mesh of port-channels.

Workaround: Use the port-channel interface settings below:

(config)# interface port-channel <port-channel interface number>

(config-if)# bandwidth <bandwidth value>

(config-if)# delay <delay value>

Further Problem Description: If a test is done with a physical interface, not a port-channel, this issue is not seen.

CSCsq99299

Symptoms: Router crashes during traceback generation with a bus error.

Conditions: When a CPUHOG occurs, a traceback is generated. In some cases, this may lead to a crash due to uninitialized internal data.

Workaround: There is no workaround.

CSCsr16147

Symptoms: Session is not getting disconnected when the locally configured timers expire.

Conditions: Occurs while testing an internal build of Cisco IOS Release 12.4(22)T on the Cisco 7200.

Workaround: There is no workaround.

CSCsr60092

Symptoms: One-way audio is observed after use of TCL [connection create] command.

Conditions: Occurs with TCL application playing media in incoming_leg and leg setup without bridging incoming leg [leg setup $dnis callInfo].

Workaround: There is no workaround.

CSCsr88705

Symptoms: Redistributed routes are not being advertised after a neighbor flap.

Conditions: This symptom is observed if BGP is redistributing local routes and if there are multiple neighbors in the same update-group and then a neighbor flaps. For the flapped neighbor, some redistributed routes are not being advertised.

Workaround: Undo and redo the redistribution.

CSCsr96084

Symptoms: A router crashes with the following error:

%SYS-6-STACKLOW: Stack for process NHRP running low, 0/6000

Conditions: The symptom is seen on routers that are running Dynamic Multipoint VPN (DMVPN) when a routing loop occurs while an NHRP resolution request is received by the router. If the routing loop leads to a tunnel recursion (where the route to the tunnel endpoint address points out of the tunnel itself) the crash may be seen.

Workaround: Use PBR for locally-generated traffic to force the GRE packet out of the physical interface which prevents the lookup that can lead to the recursion. For example (note: the interfaces and IPs will need to be changed to the appropriate values):

interface Tunnel97
 ...
 tunnel source POS6/0
 ...

interface POS6/0
 ip address 10.2.0.1 255.255.255.252

ip local policy route-map Force-GRE

ip access-list extended Force-GRE
 permit gre host 10.2.0.1 any

route-map Force-GRE permit 10
 match ip address Force-GRE
 set interface POS6/0
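An added example, not part of the Cisco release notes: a Python audit check for the tunnel-recursion condition described in CSCsr96084, run over a routing table exported as (prefix, next hop or interface) pairs. The route entries, the NBMA endpoint addresses and all function names are constructed for illustration; only Tunnel97 and POS6/0 come from the workaround example above.

```python
import ipaddress


def lookup(routes, addr):
    """Longest-prefix match: return (network, target) covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, target in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best


def resolve_egress(routes, addr, max_depth=8):
    """Follow next-hop addresses until an interface name is reached.

    Returns (interface or None, list of prefixes matched on the way).
    None means no route, or a next-hop chain longer than max_depth
    (which also covers next hops that resolve through each other).
    """
    path = []
    for _ in range(max_depth):
        hit = lookup(routes, addr)
        if hit is None:
            return None, path
        net, target = hit
        path.append(str(net))
        try:
            ipaddress.ip_address(target)
        except ValueError:
            return target, path      # not an IP address: treat as interface name
        addr = target                # recursive next hop: resolve it in turn
    return None, path


def find_tunnel_recursion(routes, tunnel_endpoints):
    """Report tunnel endpoints whose route points out of the tunnel itself."""
    findings = []
    for tunnel, endpoints in tunnel_endpoints.items():
        for endpoint in endpoints:
            egress, path = resolve_egress(routes, endpoint)
            if egress == tunnel:
                findings.append((tunnel, endpoint, path))
    return findings


# Constructed sample routing table (prefix, next hop or outgoing interface).
ROUTES = [
    ("10.2.0.0/30", "POS6/0"),          # connected physical link
    ("0.0.0.0/0", "10.2.0.2"),          # default route via the physical link
    ("192.0.2.0/24", "Tunnel97"),       # learned over the tunnel, covers an endpoint
    ("203.0.113.0/24", "172.16.97.2"),  # next hop that sits inside the tunnel subnet
    ("172.16.97.0/24", "Tunnel97"),     # tunnel subnet
]

# Constructed NBMA (tunnel endpoint) addresses of the peers reached over Tunnel97.
ENDPOINTS = {"Tunnel97": ["198.51.100.7", "192.0.2.10", "203.0.113.5"]}

if __name__ == "__main__":
    for tunnel, endpoint, path in find_tunnel_recursion(ROUTES, ENDPOINTS):
        print(f"{tunnel}: endpoint {endpoint} resolves via {' -> '.join(path)} "
              f"back into {tunnel} (recursive routing)")
```

Endpoints that resolve through the default route to POS6/0 are not reported; the two that resolve into Tunnel97, directly or through a next hop, are.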

CSCsu32452

Symptoms: Spurious memory access occurs.

Conditions: Occurs while attempting to unconfigure the EzVPN client configuration on an EzVPN client inbound interface.

Workaround: There is no workaround.

CSCsu92724

Symptoms: The following errors are logged:

%ISDN-4-ISDN_UNEXPECTED_EVENT: INVALID INPUT: Occurred at ../isdn/isdnif_modem.c:99

%SYS-2-QCOUNT: Bad dequeue 62D74734 count -1 -Process= "ISDN", ipl= 4, pid= 162 -Traceback= 0x6046769C 0x605B2E64 0x60158F0C 0x600B2204 0x600B2238 0x600B220C

Conditions: Occurs when ISDN is enabled.

Workaround: There is no workaround.

CSCsv17698

Symptoms: Packets may be incorrectly classified under child and parent classes.

Conditions: The symptom is observed when a two or three-level policy is configured/reconfigured coupled with the command clear counters. The symptom also occurs if a second level policy-map is detached and then re-attached to a grandparent policy. Some of the packets go through the intended parent (or grandparent) class and incorrectly go through the default class or no class at all of the child policy.

The issue is seen with a Cisco 7200 series router that is running Cisco IOS Release 12.4(20)T2, 12.4(22)T2 or 12.4(24)T.

Workaround: Reload the router. In some cases, unconfiguring and reconfiguring the policies will work.

CSCsv30540

Symptoms: The error message %SYS-2-CHUNKBOUNDSIB and traceback are seen.

Conditions: The symptoms are observed when the show running-config/write memory command is issued.

Workaround: There is no workaround.

CSCsv62323

Symptoms: The Fast Ethernet driver code may cause several errors. The observed symptoms of this issue include:

Cisco Unified Communications 500 series routers (UC520) may crash with an "Unexpected exception to CPU" error.

Cisco 1861 router may fail to establish L2TPv3 session with an error message:

%L2TP-3-ILLEGAL: _____:________: ERROR: unsupported transport protocol; defaulting to UDP if possible

Conditions: The symptoms are observed with the following hardware platforms: UC520, Cisco 880 series, Cisco VG202, Cisco VG204, IAD2435-8FXS and Cisco 1861 routers. In addition, the following conditions exist:

The UC520 must be configured with a BVI interface. For example:

interface BVI1
 ip address 192.168.0.1 255.255.255.0

The Cisco 1861 router is configured with L2TPv3. For example:

pseudowire-class l2tpv3
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.255
!
interface FastEthernet0
 no ip address
 xconnect 192.168.0.1 1 pw-class l2tpv3

Workaround: There is no workaround.

Further Problem Description: The issue is caused by an underlying driver vulnerability that exists in the UC520, Cisco 880 series, Cisco VG202, Cisco VG204, IAD2435-8FXS and Cisco 1861 routers. No other model of Cisco routers/switches are known to be affected by this issue. The symptoms can be triggered with specific TCP sequences.

CSCsv65867

Symptoms: NM-CEM-4SER modules installed in Cisco 3845 routers will not use network clock if one is available. Instead, they will use the local oscillator. This can be observed by using the show cem slot/port/0 command.

Conditions: This behavior is observed on a NM-CEM-4SER module installed in Cisco 3845 routers running Cisco IOS Release 12.4(20)T or later.

Workaround: Use adaptive clocking to improve clock accuracy.

CSCsw37279

Symptoms: When using PKI for identifying group members, a group member may fail to register with the key server if the certificate is not installed at the time that Group Domain of Interpretation (GDOI) is enabled.

Conditions: The symptom is observed when SCEP is used for certificate enrolment.

Workaround: Clear the current GDOI registration with the following command: clear crypto gdoi.

CSCsw52277

Symptoms: The previous primary crashes.

Conditions: Occurs when a fresh Key Server with higher priority comes up and election is triggered.

Workaround: There is no workaround.

CSCsw67252

Symptoms: When RTP-NTE and T.38 are both enabled, the re-invite for T.38 incorrectly includes Session Description Protocol (SDP) with RTP-NTE.

Conditions: Occurs when both RTP-NTE and T.38 are enabled.

Workaround: There is no workaround.

CSCsw84994

Symptoms: A Cisco 7301 router may experience a lot of CPU hogs due to the SSGTimeout process:

%SYS-3-CPUHOG: Task is running for (2008)msecs, more than (2000)msecs (116/59),process = SSGTimeout.

Conditions: The symptom is observed on a Cisco 7301 router that is running Cisco IOS Release 12.4(21).

Workaround: There is no workaround.

CSCsx05494

Symptoms: There is a rapid memory leak.

Conditions: The symptom is observed with a running configuration with Zone-based Firewall (ZBFW) and QOS setup.

Workaround: There is no workaround.

CSCsx10028

Symptoms: A core dump may fail to write or write very slowly (less than 10KB per second).

Conditions: The symptom is observed when the cause of the crash is processor memory corruption. When this occurs, the corrupted memory pool cannot be used to write the core dump so it will likely fail. (IO memory corruption crashes should not have this problem.)

Workaround: There is no workaround.

CSCsx29726

Symptoms: If fail-close is unconfigured when a GDOI crypto map is in fail-close mode (after an unsuccessful registration), the crypto map will drop all unencrypted traffic regardless of a subsequent successful registration.

Conditions: The symptom is observed when a GDOI crypto map is configured with fail-close and fail-close is then unconfigured while the crypto map is in fail-close mode.

Workaround: Remove and reapply the crypto map to the interface or the fail-close configuration.

CSCsx42261

Symptoms: Memory leak occurs with "CCSIP_SPI_CONTROL" process.

Conditions: The error is found on a Cisco 3825 running the c3845-spservicesk9-mz.124-20.T1.bin image and using Skinny Call Control Protocol.

Workaround: There is no workaround. Reload the router.

CSCsx55861

Symptoms: On a Cisco 880 router, the UUT crashes when the PVC comes up and when "auto qos voip" is configured.

Conditions: The symptom is observed when "auto qos voip" is configured under ATM and when the PVC is toggled (due to, for example, a shut/no shut of the ATM interface or a cable being pulled and then restored).

Workaround: There is no workaround.

CSCsx56837

Symptoms: Intermittent one-way audio occurs during a call.

Conditions: Calls through a Cisco IOS transcoding device may experience one-way audio when certain signaling RTP payload types are received.

Cisco IOS VoIP gateways utilize named signaling events (NSE) to signal certain transitions to other states for active calls. Modem passthrough is a feature by which two gateways can upspeed to g711 an active RTP session. This is signaled through the use of certain NSE packets between these devices.

Modem passthrough using NSE through a transcoding session is not supported. However, under some situations on a voice call (no modems on the call), it is possible that the modem detection algorithm on the DSP may falsely detect a modem signal. If this occurs, a NSE will be sent out if modem passthrough is configured on the VoIP gateway. If the transcoder session that is bridging the two calls between the VoIP gateways receives this NSE packet, all further processing of RTP packets will stop in that direction.

Workaround: Disable modem passthrough on the end VoIP gateways.

CSCsx67255

Symptoms: An outgoing call from an IP phone to PSTN through ISDN PRI fails on a channel due to a DSP allocation failure (not enough DSPs to support the call). Subsequent calls through that same channel continue to fail with "resource unavailable" cause value equal to 47 even after DSP resources have been made available to handle the call.

Conditions: The symptom occurs on a router running Cisco IOS Release 12.4(15)T8 or higher. The call must first fail with a legitimate DSP allocation error. Any call made through the same channel as the failed call will also fail.

DSP allocation failures on gateway can be checked through the use of the exec command show voice dsp group all. The last line of the show command output includes a counter for "DSP resource allocation failure".

This issue can be seen also in some cases upon bootup. When a gateway is reloaded, system resources will come up with slightly different timing. If, for example, a PRI interface comes up before the DSP resources have fully initialized, there may be a similar failure.

Workaround:

1. Reload the router to clear the channel. If a reload cannot be done, busy out the channel with the failed calls using the isdn busy b_channel command under the serial interface.

2. If this issue is due to oversubscription of the DSP resources, change the configuration to meet the DSP resources available on the gateway. Further information can be found with the CCO "DSP Calculator" at http://www.cisco.com/pcgi-bin/Support/DSP/cisco_prodsel.pl.

3. If the issue is related to timing issues upon reload, shutdown the voice-port in question before reloading the gateway. When the gateway comes back up, take the voice-port out of shutdown.

CSCsx68596

Symptoms: The system may display a %SYS-3-NOELEMENT message, similar to:

%SYS-3-NOELEMENT: data_enqueue:Ran out of buffer elements for enqueue -Process= "<interrupt level>", ipl= 6

after which system behavior can be unpredictable. If the interrupts are rapid enough, the system may become unresponsive (hang), use all available memory to create more buffer elements, or crash due to CSCsj60426.

Conditions: The message is caused by extremely rapid changes in flow control or modem control lead status on a console port.

Workaround: Eliminate the source of the rapid lead changes. As modem control and flow control are generally not supported on the console, these changes are usually due to misconfigured devices attached to the console.

CSCsx68730

Symptoms: Pseudowire switching configured between ASBR routers does not work and tracebacks are seen.

Conditions: Occurs when Cisco 7200 router is used as Autonomous System Border Router (ASBR) and pseudowire switching is configured.

Workaround: There is no workaround.

CSCsx70594

Symptoms: A router configured for SSL-VPN and with TE tunnels may truncate packets when sending traffic from SSLVPN over the TE tunnel. This does not affect all packets, as some transmit correctly. When the issue is seen, 14 bytes are missing from the tail of the data packet.

Conditions: The symptom is observed with SSL-VPN traffic that transmits over a TE tunnel.

Workaround: Disable hardware encryption.

CSCsx75353

Symptoms: High CPU usage is observed on a Cisco 2821 router. An increase of almost 10 percent in CPU utilization is observed with every voice call.

Conditions: This symptom is observed when an AIM compression card is present on the motherboard (specifically AIM-COMPR2-V2).

Workaround: Remove the AIM compression card from the motherboard.

CSCsx80629

Symptoms: Router with QoS configuration crashes after removing bandwidth from the policy-map.

Conditions: The symptom is observed when the policy-map is attached to the router interface.

Workaround: Remove the policy-map from the interface and then remove bandwidth from the policy-map.

CSCsx95906

Symptoms: Call fails when Nortel endpoint is at remote end.

Conditions: Nortel endpoint sends a long contact header field value, which exceeds the maximum limit of the Cisco device. This remote contact overwrites memory for the from header and results in a dialog mismatch from the new message generated by the gateway.

Workaround: There is no workaround.

CSCsx98284

Symptoms: A router may crash with a bus error and with a corrupted program counter:

%ALIGN-1-FATAL: Corrupted program counter pc=0x66988B14 , ra=0x66988AFC , sp=0x66A594D0

Conditions: The symptom is observed on a Cisco IOS Voice over IP (VOIP) gateway configured for IPIPGW (CUBE) as well as Cisco Unified Communications Manager (CUCM) controlled MTP on the same gateway. Under situations where a call loop is present (same call routing back-forth through the same gateway), the system may reload if an MTP is also present in the loop.

Workaround: Find and break the source of the call loop. Be careful of default destination-pattern/route-patterns that may kick in under some conditions.

Alternate workaround: Separate the MTP functionality from the gateway.

CSCsy03568

Symptoms: Spoke-to-spoke TCP applications fail over a GRE/IPSec tunnel on a hub and spoke scenario, when traffic flows through the hub.

Conditions: The symptom is observed with the following conditions:

GRE/IPSec configured with crypto maps.

Hub has "ip tcp adjust-mss" configured under the tunnel interface that is facing the spoke from where traffic is coming.

Workaround: Use tunnel protection instead of crypto maps.

Alternate workaround: Disable CEF globally on hub (this may impact performance, so should be used with care).

CSCsy05111

Symptoms: A router crashes after enabling and disabling NBAR on an interface if a class-map with match protocol is configured first ("match protocol rtp audio").

Conditions: The symptom is observed if the "match protocol rtp audio" statement is found in the class-map configuration. RTP uses a label heuristic which quickly reproduces the bug.

Workaround: Do a config/no-config on one interface while keeping NBAR configured on any other interface.

CSCsy05298

Symptoms: The IOSD-crash is seen and is affecting the main functionality.

Conditions: This symptom is observed when a large number of groups (i.e. 50) is configured. The IOSD-crash is seen when we give the show crypto gdoi command after applying the general configuration and after checking the ping between all the PIM neighbors.

Workaround: Use the show crypto gdoi group group-name command to display a specific group's information.

CSCsy06128

Symptoms: When a router is about to renew a certificate, the following syslog message is seen:

%PKI-6-CERTRENEWAUTO: Renewing the router certificate for trustpoint xxx

However, no certificate is received until a few hours later.

Conditions: The issue only happens on a Cisco 871 running Cisco IOS Release 12.4(15)T8 and 12.4(22)T1 or earlier releases. This issue is only seen with a very short certificate lifetime, such as 1 hour.

Workaround: Increase the certificate lifetime to a few days or more.

CSCsy07369

Symptoms: An invalid range of IP addresses is accepted at the CLI.

Conditions: The symptom is observed when the following command format is used: range ipaddress1 ipaddress2 where the range of the IP addresses is not seen in same network.

Workaround: Avoid entering wrong ipaddress2.

CSCsy09250

Symptoms: Router experiences a bus error crash.

Conditions: Occurs when the router is configured for network address translation (NAT). The problem appears to occur when NAT tries to process fragmented Skinny Call Control Protocol (SCCP) packets.

Workaround: Configure no ip nat service skinny tcp port 2000. This will only work for networks where SCCP traffic does not need to be processed by NAT. Double-check before configuring this command.

CSCsy10893

Symptoms: A router reloads occasionally after the command show buffers leak is repeatedly issued.

Conditions: The symptom is observed when issuing the show buffers leak command. It occurs only with certain patterns and scale of traffic and does not occur all the time.

Workaround: There is no workaround.

CSCsy16078

Symptoms: A GETVPN group member might reload when removing "crypto map" from the interface, if that crypto map also contains a dynamic-map set together with the GDOI set.

Conditions: The symptom only occurs when a dynamic-map set is added to a crypto map that is already applied to an interface and then the whole crypto map is removed, added and removed again. It is on the second removal that the reload occurs.

Workaround: Execute the command clear crypto gdoi before removing the crypto map from the interface.

CSCsy19463

Symptoms: A router crashes.

Conditions: The symptom is observed with an "nhrp" configuration in an mGRE tunnel interface configuration related to NHRP/DMVPN.

Workaround: There is no workaround.

CSCsy22826

Symptoms: The VG224 endpoint does not connect to the callback destination, once the callback destination is idle.

Conditions: The symptom is observed with a multi-node cluster and when a VG224 endpoint is registered with a node other than the first node in the cluster.

Workaround: Have VG224 endpoints registered with the first node.

Further Problem Description: The activation of the callback is successful. The failure is when the callback destination becomes idle again and the VG224 endpoint gets notified (ring). After the VG224 endpoint goes offhook, the system should automatically connect to the callback destination. This does not happen and VG224 endpoint gets silence.

CSCsy24266

Symptoms: A call from a night hunt forwarded to BACD dial by an extension to an ephone (call forwarding no answer) to voicemail goes to the night hunt number and not the last redirected number.

Conditions: The symptom is observed with Cisco IOS Release 12.4(22)T.

Workaround: There is no workaround.

CSCsy29533

Symptoms: A T38 fax relay call may fail.

Conditions: The symptom is observed with an MGCP controlled T38 fax relay call and when the gateway is configured for CA control T38. The output of the command debug voip vtsp all will give fax relay as "DISABLED".

Workaround: Use Cisco IOS Release 12.4(15)T7 or Release 12.4(22)T.

CSCsy29940

Symptoms: Unable to configure inspect for any protocol in self zone.

Conditions: Occurs when configuring class-map with match protocol and trying to attach to self-zone pair.

Workaround: The issue is not seen when match access-group is used.

CSCsy31552

Symptoms: A Cisco 1841 router equipped with xDSL WIC will suddenly stop forwarding packets. The packets will appear as output drops on the ATM interface statistics. Under the PVC level, there are no drops. The DSL line is not flapping but the ATM interface(s) report output drops.

Conditions: The symptom is observed when using a Cisco 1800 and 2800 series router equipped with the same ADSL-WIC module. The ATM interface(s) need to be bridge-group configured. The bridge-group is in forwarding mode.

Workaround: Reload the router.

CSCsy33068

Symptoms: A big SDP HTML template causes an abrupt termination of the SDP process.

Conditions: The HTTP post to the HTTP server in an IOS router is size-limited. The limit is set to 32KiB by default. In the SDP process, the transition from introduction page to the completion page involves an HTTP post. The post contains information including the SDP bootstrap configuration and the completion template together with the overhead of HTTP post communication. The size limit might be reached with moderate usage of HTML elements. The HTTP post in SDP is base-64 encoded. The total size limit of the SDP bootstrap and the completion template is roughly (32KiB - 2KiB(overhead)) * 3/4(base-64 encoding) = 22.5KB.

Workaround: Reduce the size of the HTML template, and abridge the configuration. The total size of the two cannot exceed ~22.5KB. Example of abridged configuration:

configure terminal => config t

Interface FastEthernet 1 => int Fa 1

CSCsy39667

Symptoms: On a PPP aggregator using dhcp-proxy-client functionality, in a situation where a PPP client session is torn down and then renegotiated within 5 seconds, the DHCP proxy client may send a DHCP RELEASE for the previous DHCP handle after the new DHCP handle (created as a result of new IPCP CONFREQ Address 0.0.0.0) has accepted the same IP address allocation from the offnet DHCP Server. This results in the offnet DHCP server having no record of the lease as it exists on the PPP aggregator which causes future addressing conflicts.

Conditions: The symptom is observed on a Cisco 7200 (NPE-400) and 7200 (NPE-G2) that is running Cisco IOS Release 12.4 T, or 12.2 SB.

Workaround:

1. Automated: Write a script to compare active leases on the PPP aggregator to active leases on DHCP server. If a lease is found to only exist on the PPP aggregator, use clear interface virtual-access to recover.

2. Manual: use the command clear interface virtual-access.

Further Problem Description: This issue occurs because the DHCP client holdtime is static at 5 seconds and there are no IOS hooks to tie PPP LCP session removal and IPAM to suppress stale DHCPRELEASES waiting in queue for HOLDTIME to expire.
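The automated workaround for CSCsy39667 can be sketched as follows. This is an added example, not Cisco code: it assumes both lease tables have already been exported to CSV with the hypothetical columns shown (ip, client_id, virtual_access), and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from typing import NamedTuple


class Lease(NamedTuple):
    ip: ipaddress.IPv4Address
    client_id: str


def _lease(row):
    """Normalize one CSV row into a comparable Lease."""
    return Lease(ipaddress.IPv4Address(row["ip"].strip()),
                 row["client_id"].strip().lower())


def load_server_leases(text):
    """Leases the DHCP server believes are active (columns: ip, client_id)."""
    return {_lease(r) for r in csv.DictReader(io.StringIO(text.strip()))}


def load_aggregator_leases(text):
    """Leases held on the PPP aggregator, mapped to their Virtual-Access number."""
    return {_lease(r): int(r["virtual_access"])
            for r in csv.DictReader(io.StringIO(text.strip()))}


def find_stale_sessions(aggregator, server):
    """Return (virtual_access, ip, reason) for leases the server does not back.

    Two cases matter: the server has no record of the address at all (the
    stale DHCPRELEASE removed it), or it has since handed the address to a
    different client (the conflict the caveat warns about).
    """
    server_owner = {lease.ip: lease.client_id for lease in server}
    findings = []
    for lease, va in sorted(aggregator.items()):
        owner = server_owner.get(lease.ip)
        if owner is None:
            findings.append((va, str(lease.ip), "no matching lease on DHCP server"))
        elif owner != lease.client_id:
            findings.append((va, str(lease.ip),
                             "address leased to " + owner + " on DHCP server"))
    return findings


def recovery_commands(findings):
    """Build the recovery command named in the workaround for each finding."""
    return ["clear interface virtual-access %d" % va for va, _ip, _why in findings]


# Constructed sample exports (not real device output).
AGGREGATOR_CSV = """
ip,client_id,virtual_access
10.10.0.5,user-a,3
10.10.0.6,user-b,4
10.10.0.7,user-c,5
"""

SERVER_CSV = """
ip,client_id
10.10.0.5,user-a
10.10.0.7,user-d
"""

if __name__ == "__main__":
    stale = find_stale_sessions(load_aggregator_leases(AGGREGATOR_CSV),
                                load_server_leases(SERVER_CSV))
    for va, ip, why in stale:
        print("Virtual-Access%d %s: %s" % (va, ip, why))
    for cmd in recovery_commands(stale):
        print(cmd)
```

Review the generated commands before applying them, since each one tears down a live subscriber session.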

CSCsy40745

Symptoms: After disabling SSH, an alternate SSH port is still enabled on the router.

Conditions: Occurs on routers that have been configured to use a port other than Port 22 for SSH.

Workaround: Do not configure alternate SSH ports.

CSCsy42401

Symptoms: User group class matching fails when NAT is turned on.

Conditions: The symptom is observed with IOS FW user group inter-operated with NAT.

Workaround: There is no workaround.

CSCsy43875

Symptoms: A system may crash due to "Watchdog Time Expired" errors during normal operation without generating a crashinfo file or error messages prior to the crash.

Conditions: The symptom is observed when any code tries to generate traceback via trace_caller. It is more likely to occur if BFD is configured.

Workaround: There is no workaround.

CSCsy45838

Symptoms: The show ip ospf border-router command may cause a router to crash.

Conditions: Occurs if the border table is recalculated in a significant way while the output is being printed on the console. The risk of a crash is reduced if you avoid using the auto-more feature and allow the entire output to display at once.

Workaround: There is no workaround.

CSCsy48838

Symptoms: A router may crash with the following (or similar) message:

%ALIGN-1-FATAL: Corrupted program counter

Conditions: The symptom is observed when IOS firewall/ip inspect on H323 traffic is configured ("ip inspect name MY_INSPECT h323").

Workaround: Do not inspect H323.

CSCsy49796

Symptoms: HTTP redirect intermittently uses IP address instead of FQDN, even though an FQDN is configured in the WebVPN gateway.

Conditions: The symptom is observed when the WebVPN gateway generates an HTTP redirect with an IP address when the HTTP Request from the client is not complete or split over multiple TCP packets.

Workaround: There is no workaround.

CSCsy52077

Symptoms: Call passing through a Cisco Unified Border Element (CUBE) is dropped after more than 1 hour.

Conditions: Occurs when there are multiple point-to-point calls going through CUBE at same time.

Workaround: There is no workaround.

CSCsy55821

Symptoms: With a VTI tunnel between a Cisco ASR 1000 and another device (non-ASR), the VPN peer of a Cisco ASR 1000 is reporting packets with an invalid SPI.

Conditions: The symptom is observed in the following scenario:

LAN-to-LAN VPN with VTIs.

One VPN end point is a Cisco ASR 1002 (RP1) that is running Cisco IOS Release 12.2(33)XNC.

The other VPN end point is a Cisco 7206VXR (NPE-G1) that is running Cisco IOS Release 12.4(15)T1 initially, then is upgraded to Cisco IOS Release 12.4(22)T and NPE-G2 plus VSA.

Workaround: There is no workaround.

Further Problem Description: At rekey, the Cisco ASR 1000 is sending delete-notify to the Cisco 7200 series router but still keeps using the old SA to encrypt, causing the drops.

CSCsy57750

Symptoms: IPIPGW reloads while making an RSVP-enabled voice call with media statistics configuration.

Conditions: The symptom is observed with Cisco IOS 12.4(24.6)T2 image.

Workaround: There is no workaround.

CSCsy58450

Symptoms: Zone based firewall drops packets that pass through a VPN tunnel (both forward and reverse traffic). The drops are usually seen for UDP traffic. The following traceback may be seen:

%SYS-3-INVMEMINT: Invalid memory action (free) at interrupt level

Conditions: Occurs when firewall is configured with crypto-map tunnels. Cisco IOS Release 12.4(20)T2 and 12.4(22)T and earlier releases are not affected.

Workaround: Change the UDP timeout to a reasonably larger value. The default value is 30 seconds, and changing it to something like 300 seconds has been found to make a difference. To do this:

1. Create an "inspect" parameter map with any name if it does not exist, then add the new UDP idle timeout.

parameter-map type inspect param-map-name

udp idle-time 300

2. Attach the parameter map to all the inspect actions.

policy-map type inspect policy-name

class type inspect class-name

inspect param-map-name

CSCsy69681

Symptoms: Policy-based routing (PBR) fails to resolve next-hop.

Conditions: Occurs when PBR is configured on a Cisco 871 to forward traffic to a DHCP-enabled interface.

Workaround: There is no workaround.

CSCsy71006

Symptoms: When the configured TEK lifetime is greater than 65000, the remaining TEK lifetime on the secondary KS shows zero.

Conditions: The symptom is observed with a GDOI keyserver and where the TEK lifetime is configured to be greater than 65000.

Workaround: Use a TEK lifetime of less than 65000.

CSCsy73123

Symptoms: Connected route on port-channel sub-interface is not removed when port-channel is down.

Conditions: Happens when using /22 subnet. Does not happen when using /24 subnet.

Workaround: There is no workaround.

CSCsy73981

Symptoms: Cisco AS5400 shows memory leak for DSMP, VTSP, and MGCP processes. Occurs about once a month.

Conditions: After some time, the memory leak symptoms are seen on the gateway, although normal operations are not affected. Eventually all memory is consumed, and the gateway hangs. Only a manual reboot can bring it back to service.

Workaround: There is no workaround.

CSCsy84474

Symptoms: In an H323 IP-to-IP Gateway (IPIPGW), during call setup when the OLC-ACK is received after the connect message, the call is not completed and the return OLC-ACK is not forwarded by the IPIPGW. The issue is sporadic and does not occur all the time.

Conditions: This has been observed on an IPIPGW running Cisco IOS Release 12.4(20)T1-ES, having an H323 on both sides of the gateway. This only happens when the connect message is received before OLC-ACK exchange between the parties is complete.

Workaround: There is no workaround.

CSCsy88640

Symptoms: There are two unrelated problems fixed by this bug:

Problem 1: A core dump may fail to write, with the following errors seen on the console:

current memory block, bp = 0x4B5400A0,

memorypool type is Exception

data check, ptr = 0x4B5400D0

bp->next(0x00000000) not in any mempool

bp_prev(0x00000000) not in any mempool

writing compressed ftp://10.0.0.1/testuncached_iomem_region.Z

[Failed]

writing compressed ftp://10.0.0.1/testiomem.Z

[Failed]

writing compressed ftp://10.0.0.1/test.Z

[Failed]

%No memory available

Problem 2: A nested crash might occur while generating a crashinfo. That means that this bug only helps the crashinfo to write properly. It does not fix the cause of the original crash, but will aid investigation.

Conditions: Problem 1: This is only seen for memory corruption crashes when "exception region-size" is configured to a value that is not divisible by 4.

Problem 2: BFD must be configured and sending hellos.

Workaround: Problem 1: The recommended setting for exception region-size is 262144 in newer images. In older images, where the maximum configurable value is 65536, use the maximum.

Problem 2: Disable BFD.

CSCsy90542

Symptoms: Multicast traffic is dropped at decrypting side.

Conditions: This symptom occurs when traffic ACL on the KS is of the type:

permit ip host address any

permit ip any host address

Workaround: There is no workaround.

CSCsy97820

Symptoms: False positives are seen in matching object groups with variable masks.

Conditions: The symptom is observed when non-matching traffic is sent.

Workaround: Do not use variable masks and non-contiguous masks, such as 255.0.255.255. Use only contiguous masks.
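One way to find object-group entries that fall under CSCsy97820 is to scan a saved configuration for masks that are not contiguous. This is an added example, not Cisco code; the configuration text is constructed, and a mask is accepted if it is contiguous either as a subnet mask or as a wildcard mask so that the check does not depend on which form is in use.

```python
import ipaddress
import re

GROUP = re.compile(r"^object-group network (\S+)")
ENTRY = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def is_contiguous(mask):
    """True if the mask's 1 bits form one unbroken run from either end."""
    m = int(ipaddress.IPv4Address(mask))
    inv = ~m & 0xFFFFFFFF
    as_netmask = (inv & (inv + 1)) == 0   # 1s first, then 0s (255.255.240.0)
    as_wildcard = (m & (m + 1)) == 0      # 0s first, then 1s (0.0.15.255)
    return as_netmask or as_wildcard


def audit_object_groups(config_text):
    """Return (line number, group, address, mask) for each non-contiguous mask.

    Only "address mask" entries inside an "object-group network" block are
    examined; host, range and description lines are ignored, and so are
    masks that appear elsewhere in the configuration.
    """
    findings = []
    group = None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        started = GROUP.match(line)
        if started:
            group = started.group(1)
            continue
        if not line.startswith(" "):
            group = None          # any unindented line ends the group block
            continue
        if group is None:
            continue
        entry = ENTRY.match(line)
        if not entry:
            continue
        try:
            contiguous = is_contiguous(entry.group(2))
        except ValueError:
            continue              # not a valid dotted quad, so not a mask
        if not contiguous:
            findings.append((lineno, group, entry.group(1), entry.group(2)))
    return findings


# Constructed sample configuration (group names and addresses are made up).
SAMPLE_CONFIG = """\
object-group network BRANCH-NETS
 description constructed sample
 host 192.0.2.10
 10.1.0.0 255.255.0.0
 10.0.5.0 255.0.255.255
 range 192.0.2.20 192.0.2.30
!
object-group network DC-NETS
 172.16.0.0 255.255.240.0
 172.16.1.1 255.255.0.255
interface FastEthernet0/0
 ip address 10.9.9.1 255.0.255.0
"""

if __name__ == "__main__":
    for lineno, group, addr, mask in audit_object_groups(SAMPLE_CONFIG):
        print("line %d: object-group %s entry %s %s uses a non-contiguous mask"
              % (lineno, group, addr, mask))
```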

CSCsz02000

Symptoms: Router reloads at "atm_update_bundle_counters".

Conditions: Occurs during normal operation.

Workaround: There is no workaround.

CSCsz03260

Symptoms: A gateway may take an exception when receiving an inbound H320 call when the call is placed via ISDN overlap sending.

Conditions: The symptom is observed with Cisco IOS Release 12.4(22)T1.

Workaround: There is no workaround.

CSCsz05181

Symptoms: A router may reload unexpectedly.

Conditions: The symptom is observed when the router has Bidirectional Forwarding Detection (BFD) configured and is actively sending keepalives. The crash has multiple possible triggers:

It can be triggered by certain show commands (show bootvar and show c7200 are known to cause the problem). The issue will not be seen on every invocation of the commands. It is a rare timing condition, so the probability of the crash increases as the commands are run more frequently.

It can also be triggered by large scale BFD deployments (hundreds of sessions on a single router).

Workaround: Unconfigure BFD.

CSCsz08955

Symptoms: This is a rarely occurring crash when ssg portmap and Transparent Auto Logon (TAL) are enabled together on a PPP session.

Conditions: There is a timing issue that leads to a crash when ssg portmap and TAL are enabled together and when the PPP connection is terminated at the same time.

Workaround: There is no workaround when both features are present in the configuration. It can be avoided when only one feature is present.

Further Problem Description: When a session is being re-authenticated because of TAL and the PPP session is terminated at that time and also if it so happens that the connection has been idle for a while, then, because of timing issues in data structures, a situation might arise that can lead to a router crash.

The solution will be available in the next release.

CSCsz13123

Symptoms: Frame-relay DLCI is not released from interface in a certain configuration sequence.

Conditions: The symptom is observed on a Cisco router that is running Cisco IOS 12.4T images.

Workaround: There is no workaround.

CSCsz14236

Symptoms: LLC stops forwarding I frames, but continues to respond to poll frames.

Conditions: The symptom is detected when the output from show llc shows that frames are queued up for transmission in the Tx Queue. If DLSw is transporting the LLC frames, the associated DLSw circuit will show that the link is in a max congestion state.

Workaround: There is no workaround.

CSCsz16277

Symptoms: A router crashes.

Conditions: The symptom is observed when many (10 or more) SSLVPN clients are connected and router is under load (CPU>30%).

Workaround: There is no workaround.

Further Problem Description: Before the crash, typically the IO memory gets depleted. This can be verified with the show memory statistics history command.

CSCsz20496

Symptoms: A Cisco VG224 voice gateway displays the wrong secondary dialtone to the customer if "cptone CN" is configured under the voice-port.

Conditions: The symptom is observed with Cisco IOS Releases 12.4(24)T, 12.4(20)T1, and 12.4(9)T7.

Workaround: Upgrade to the latest IOS version (see bug CSCsk28301) and change the dial_tone2 to make it same as the dialtone by using the command test voice tone cn 2nd_dialtone:

event manager applet setCNsecondDialtone

event syslog occurs 1 pattern ".*%SYS-5-RESTART: System restarted --.*"

action 1.0 syslog msg "Setting DIAL_TONE2 for cptone CN"

action 2.0 cli command "enable"

action 3.0 cli command "test voice tone CN 2nd_dialtone 1 450 0 -100 -100 -100 0 0 0 0xFFFF 0 0 0 0 0 0 0"

action 4.0 syslog msg "DIAL_TONE2 for cptone CN has been set"

Copy the script to the running-configuration and then save it to NVRAM. If the router reloads, the setting "test voice tone CN 2nd_dialtone 1 450 0 -100 -100 -100 0 0 0 0xFFFF 0 0 0 0 0 0 0" will automatically be re-asserted. If you want the command set immediately without a reload then cut and paste the command directly at the EXEC prompt.

CSCsz23976

Symptoms: A Cisco 7200 series router that is running Cisco IOS Release 12.4(15)T7 may experience an unexpected reset while forwarding traffic with a Cisco 7200 VSA.

Conditions: The symptom is observed on a Cisco 7200 series router running with a Cisco 7200 VSA installed on Cisco IOS 12.4(15)T code.

Workaround: There is no workaround.

CSCsz24327

Symptoms: The following command crashes the router:

demo-gm1(config)#int vlan 10

demo-gm1(config-if)#no ip igmp join-group group_address source src_addrs

Conditions: The problem happens when we do join and unjoin a particular source-group immediately. Also, the problem is seen only when the DNS server configured for IGMP SSM group to source mapping is not responding. If the DNS responds properly, the problem may not occur. Also, if DNS server is not present.

Workaround: Wait for 2 to 3 seconds after entering the igmp join-group command before unjoining the group. If the host has just booted, wait until the entire booting process is completed before unjoining the group.

CSCsz29320

Symptoms: A Cisco 3845 running Cisco IOS Release 12.4(20)T2 reloaded due to software-forced crash while experiencing the following error:

%SYS-6-STACKLOW: Stack for process MGCP Application running low, 0/12000

%Software-forced reload

Conditions: The crash suggests that the issue is just one of inefficient stack usage.

Workaround: There is no workaround.

CSCsz29542

Symptoms: In the current implementation, "cwmp agent" identifies the WAN uplink if it has "cwmp wan default" configured on it. The WAN uplink interface differs, based on the router type used as a CPE. For the Cisco 871 router, WAN interface is FastEthernet 4 and for a Cisco 2811 router it is Fast Ethernet 0/0. This creates a problem in an SP-Managed service environment for the provisioning of CPEs (bulk deployment) using the TR-69 protocol.

Conditions: The symptom is observed in an SP-Managed service environment for the provisioning of CPEs (bulk deployment) using the TR-69 protocol.

Workaround: There is no workaround.

CSCsz34920

Symptoms: Router continuously reboots.

Conditions: The symptom is observed when an NME-502 is installed in the router.

Workaround: Replace or take out the NME-502.

CSCsz35204

Symptoms: A Cisco 2821 router reloads sporadically, after enabling WebVPN using clientless web proxy method and extended access.

Conditions: The symptom is observed with a Cisco 1841 router and a Cisco 2800 series router that is running Cisco IOS Release 12.4(24)T under moderate to heavy traffic.

Workaround: There is no workaround.

CSCsz36002

Symptoms: GETVPN traffic stops. Upon entering show crypto engine accelerator statistic, you will see the "ppq full" counter going up.

Conditions: Occurs on a Cisco 3800 running Cisco IOS Release 12.4(22)T or 12.4(24)T.

Workaround: Either reload the router or enter the following sequence of commands:

configure terminal

no crypto engine accelerator

crypto engine accelerator

CSCsz39167

Symptoms: If a tunnel is configured over the 880-3G cellular interface, traffic forwarding stops when the packet size is greater than the tunnel MTU.

Conditions: The symptom is observed when a tunnel is configured over a cellular interface and running Cisco IOS Release 12.4(24)T.

Workaround: Disable "ip cef".

CSCsz45419

Symptoms: WORD option is not seen in some of the NTPv4 commands. Some NTP commands are not working properly.

Conditions: This happens on a Cisco router running an internal build of Cisco IOS Release 12.4T.

Workaround: There is no workaround.

CSCsz48914

Symptoms: Next Hop Resolution Protocol (NHRP) registration and tunnels are not up between first- and second-level hubs.

Conditions: Occurs in hierarchical topology.

Workaround: There is no workaround.

CSCsz50275

Symptoms: The firewall is configured to reset if an invalid command goes through the unit under test. But the reset action does not happen, and this functionality issue is observed for all inspected application traffic, such as IM, SIP, and P2P.

Conditions: This problem occurs both when Cisco Common Classification Policy Language (C3PL) is used, and when it is not used.

Workaround: There is no workaround.

CSCsz56169

Symptoms: A software-forced crash occurs after a show user command is performed.

Conditions: The crash occurs after the user performs a show user command and then presses the key for next page. It is observed on a Cisco 3845 that is running Cisco IOS Release 12.4(21a).

Workaround: Do not perform a show user command.

CSCsz56382

Symptoms: The Tunnel0 interface used on a DMVPN hub is reporting "Tunnel0 is reset, line protocol is down" or no traffic is passing through this interface anymore.

The IKE and IPSec SAs may still be up, but only the decaps counters will be seen increasing, not the encaps counters.

Conditions: This symptom is observed on Cisco 2821 routers that are running Cisco IOS Releases 12.4(9)T7 or 12.4(15)T9. Other platforms and releases may be affected.

Workaround: Shut down Tunnel0 and create interface Tunnel1 with the same configuration instead, if you cannot reload the router.

Otherwise reloading the router will resolve the issue. Do not configure another identical Tunnel interface in this case or you will run into CSCsl87438. If you reload the router at a later time, be sure to remove the duplicate Tunnel interface prior to the reboot.

CSCsz58785

Symptoms: When using the Cisco Service Selection Gateway (SSG) feature in Cisco IOS Release 12.4(22)T with TCP-Redirect and SSG Port Bundle Host Key (PBHK)/port-map, redirected packets may be dropped and not be forwarded to the Cisco Subscriber Edge Services Manager (SESM).

Conditions: Occurs on a router running Cisco IOS Release 12.4(22)T and configured for SSG and with "ssg port-map" and "ssg tcp-redirect" configured.

Workaround: There is no workaround known other than using an older IOS release or disabling port-bundle host key (PBHK).

CSCsz60659

Symptoms: The cooperative GDOI keyserver starts printing %GDOI-5-COOP_KS_REACH and/or %GDOI-5-COOP_KS_UNREACH syslog messages.

Conditions: The symptom is observed if two or more ISAKMP connection attempts fail, which might be normal in production networks.

Workaround: There is no workaround.

Further Problem Description: In fixed versions, the logic of the reachability test was changed to avoid this problem.

CSCsz62165

Symptoms: Router crashes when a number of simultaneous PPPoE flow controlled sessions are cleared.

Conditions: The symptom is observed when a series of seven or more routers are set up, and the sessions are brought up and down within 10 seconds.

Workaround: There is no workaround.

CSCsz70486

Symptoms: On a Cisco 7200 series router with a VPN Services Adapter (VSA) installed, the outbound interface Access Control List (ACL) is not checked if a crypto map is applied to the interface and Cisco Express Forwarding (CEF) is enabled globally.

Conditions:

Egress ACL configured on the interface.

A crypto map is applied to the same interface.

VSA is installed in the chassis.

CEF is enabled.

Workaround: Remove the VSA or the crypto map, or disable CEF.
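Because CSCsz70486 silently bypasses an egress filter, it is worth auditing saved configurations for the combination it describes. This is an added example, not Cisco code: the configuration text is constructed, CEF is treated as enabled unless a global "no ip cef" line is present, and VSA presence is passed in by the caller because it is a hardware fact that the interface configuration does not show.

```python
import re

IFACE = re.compile(r"^interface (\S+)")
ACL_OUT = re.compile(r"^\s+ip access-group (\S+) out\s*$")
CRYPTO_MAP = re.compile(r"^\s+crypto map (\S+)")


def cef_enabled(config_text):
    """Assumption: CEF is on unless a global 'no ip cef' line disables it."""
    return "no ip cef" not in [line.rstrip() for line in config_text.splitlines()]


def parse_interfaces(config_text):
    """Map interface name -> its outbound ACL and applied crypto map (or None)."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        header = IFACE.match(line)
        if header:
            current = interfaces.setdefault(
                header.group(1), {"acl_out": None, "crypto_map": None})
            continue
        if not line.startswith(" "):
            current = None        # global line, e.g. a crypto map definition
            continue
        if current is None:
            continue
        acl = ACL_OUT.match(line)
        cmap = CRYPTO_MAP.match(line)
        if acl:
            current["acl_out"] = acl.group(1)
        elif cmap:
            current["crypto_map"] = cmap.group(1)
    return interfaces


def unenforced_egress_acls(config_text, vsa_installed):
    """Return (interface, acl, crypto map) where all four conditions hold."""
    if not vsa_installed or not cef_enabled(config_text):
        return []
    return [(name, cfg["acl_out"], cfg["crypto_map"])
            for name, cfg in parse_interfaces(config_text).items()
            if cfg["acl_out"] and cfg["crypto_map"]]


# Constructed sample configuration (names and addresses are made up).
SAMPLE_CONFIG = """\
ip cef
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 110
!
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 ip access-group EGRESS-FILTER out
 crypto map VPN-MAP
!
interface GigabitEthernet0/2
 ip address 10.0.0.1 255.255.255.0
 ip access-group LAN-OUT out
!
interface GigabitEthernet0/3
 ip access-group MGMT-IN in
 crypto map VPN-MAP
"""

if __name__ == "__main__":
    for name, acl, cmap in unenforced_egress_acls(SAMPLE_CONFIG, vsa_installed=True):
        print("%s: outbound ACL %s may not be checked (crypto map %s, VSA, CEF)"
              % (name, acl, cmap))
```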

CSCsz71392

Symptoms: WCCP stops functioning when GDOI SA is accelerated by VSA.

Conditions: The symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.4(24)T with VSA (FPD 0.23). It is seen when ip wccp 61 redirect out and ip wccp 62 redirect in are applied to the inside interface, and traffic gets WCCP GRE redirected to WAE. When GDOI crypto-map (currently in inbound-only state) is applied to the outside interface, traffic is returned from WAE via WCCP and GRE gets dropped within UUT.

Workaround: Disabling VSA with no crypto engine slot 0 restores connectivity to normal.

CSCsz74629

Symptoms: There is a delay in the propagation of interface link down state. Link failure is detected with a huge delay once the other end of the link gets disconnected.

Conditions: The symptom is observed on a Cisco 1861 router that is running Cisco IOS Release 12.4(24)T.

Workaround: The default keepalive period is 10 seconds, and the periodic function that updates the link state runs on the order of the keepalive time, so it takes a long time to detect the link down state. If keepalive is set to 1 or 2 seconds, the time taken to detect link down is normal.

CSCsz76616

Symptoms: PPP negotiation does not occur.

Conditions: The symptom is observed on a Cisco 7200 router that is running Cisco IOS Release 12.4(22)T2.

Workaround: There is no workaround.

CSCsz79901

Symptoms: Firmware file download using the TR-069 Agent on a router fails.

Conditions: The symptom is observed when doing a firmware upgrade using the TR-069 Agent on a router and when the URL is given as "http://{ip address}/dir/filename.bin?{name}={value}". This issue is noticed only with the TR-069/CWMP Agent.

Workaround: Firmware download works if the URL is given as "http://{ip address}/dir/filename.bin".

CSCsz85919

Symptoms: A router reloads with a SegV exception.

Conditions: The symptom is observed with a router that is running Cisco IOS Release 12.4(20)T2 with both NAT and output ACLs configured. It occurs when the packet size changes due to NAT (this can happen with SIP/H.323 etc).

Workaround: There is no workaround.

CSCsz93207

Symptoms: In an EZVPN scenario, the traffic to the internet is not getting NATed.

Conditions: The symptom is observed in an EZVPN scenario with "identical addressing" and "split tunnel" configured.

Workaround: Use Cisco IOS Release 12.4(15)T3.

CSCsz96323

Symptoms: A Cisco 7301 router crashes with "protocol pptp" configured.

Conditions: The symptom is observed with a Cisco 7301 router when "protocol pptp" is configured.

Workaround: There is no workaround.

CSCta02089

Symptoms: There is a crash on a Cisco AS5400 due to CPU signal 10.

Conditions: The symptom is observed on a Cisco router due to expiration of freed receive_digit timer in SIP.

Workaround: There is no workaround.

CSCta02460

Symptoms: On a router that has a PRI trunk towards the PSTN, you may hear dead air when calling any ISDN device that returns cause code 0x8484 in a PROGRESS message that also contains a progress_ind with value 8.

Conditions: The symptom is seen when using the primary-4ess (PRI 4ESS) and primary-5ess (PRI 5ESS) switch type.

Workaround: There is no workaround.

Further Problem Description: The problem was discovered when a user attempted to call a cell phone on a wireless network that was switched off. The user did not have voicemail, and the wireless network played a message in the band to alert that the phone was off. It is this message that should be heard - but it is not, due to this bug.

The issue is due to an invalid cause value sent from the provider for an outgoing call to a mobile phone which is switched off. The cause value of 4 is not supported by PRI 4ESS switches. Hence ISDN will send a STATUS message reporting invalid information element contents and the provider disconnects the call.

CSCta04123

Symptoms: A router may crash with a "STACKLOW" message or memory corruption.

Conditions: The symptom is observed when the router is configured for IP inspect (only a basic IP inspect configuration is necessary).

Workaround: Disable IP inspect.

CSCta05809

Symptoms: A group member on a GETVPN network may stop passing encrypted traffic.

Conditions: A GETVPN group member (GM) may accept and process an old or duplicate rekey message from the designated key server (KS). If the rekey message includes a TEK which was previously used to encrypt data, but which has already expired, the GM may become unable to send and receive encrypted traffic.

Workaround: There is no workaround.

CSCta12296

Symptoms: Group member router crashes.

Conditions: Occurs when unicast re-keys are received frequently (TEK 300).

Workaround: There is no workaround.

CSCta16724

Symptoms: Users with level 15 privilege and a "view" cannot do a Secure Copy (SCP).

Conditions: The symptom is observed when a user with a "view" attempts to do an SCP.

Workaround: Remove view.

CSCta21892

Symptoms: VPN client with certificates will fail IKE negotiations and show the following messages:

Sev=Warning/2IKE/0xE300009B Failed to validate the payloads (MsgHandler:105)

Sev=Warning/2IKE/0xE300009B Failed to process MM Msg 6 (NavigatorMM:570

Conditions: The symptoms are observed with the following conditions:

VPN client connects to a router with certificates.

The router must be running Cisco IOS Release 12.4(24)T or later, or a version with the fix for CSCsv04325.

Workaround: Use a Cisco IOS Release prior to 12.4(24)T.

Further Problem Description: This issue is due to a change in Cisco IOS Release 12.4(24)T where the router will send the IKE phase 1 lifetime notification in MM6 (main mode 6th packet) and the client will reject it.

CSCta24037

Symptoms: A Cisco router may reload due to a bus error and show the following messages:

%ALIGN-1-FATAL: Illegal access to a low address 10:09:03 PDT Tue Sep 1 2009 addr=0x0, pc=0x4159DB10z , ra=0xFFFFB4DFz , sp=0x4F059900

%ALIGN-1-FATAL: Illegal access to a low address 10:09:03 PDT Tue Sep 1 2009 addr=0x0, pc=0x4159DB10z , ra=0xFFFFB4DFz , sp=0x4F059900

TLB (store) exception, CPU signal 10, PC = 0x415A2630

Conditions: The symptom is observed on a Cisco 2851 router that is running Cisco IOS Release 12.4(24)T1.

Workaround: There is no workaround.

CSCta27331

Symptoms: HSRP authentication applied to secondary addresses fails, generating the following syslog message:

%HSRP-4-BADAUTH: Bad authentication from 172.16.123.2, group 2, remote state Active

Conditions: The symptom is observed with HSRP authentication applied to secondary addresses. (HSRP authentication applied to primary addresses is unaffected.) It is seen with Cisco IOS Release 12.4(24)T and 12.2(33)SXI.

Workaround: Disable authentication on HSRP groups configured with secondary addresses.

CSCta28068

Symptoms: The Citrix server (XenApp 5.0) cannot be accessed through WebVPN when using IE. The following message is shown:

Cookies required

This web site uses cookies in order to provide you with access to your published resources. You must configure your browser to accept cookies. Contact your system administrator for assistance.

Conditions: The symptom is observed when using IE and XenApp 5.0.

Workaround: Use Firefox.

CSCta35393

Symptoms: CPE WAN Management Protocol (CWMP) agent on a Cisco Unified CallManager Express (CME) causes CPU to spike to 96%.

Conditions: The symptom is observed when configuring the CWMP agent and placing a phone call.

Workaround: Disable the CWMP agent.

CSCta39579

Symptoms: VPN routing/forwarding (VRF) Network Address Translation (NAT) is not translating UDP traffic at all. The inside local IP is still used after NAT. If the inside local IPs are not routable on the NAT outside side of the network, this breaks all applications relying on UDP. ICMP and TCP traffic are not impacted.

Conditions: Occurs when NAT is inside a VRF.

Workaround: Make sure the inside local is known on the NAT outside side of the network.

CSCta39763

Symptoms: A Cisco router may experience a memory leak in the "ISDN Call Tabl" process, as seen in the output below:

Router# show memory all totals

Allocator PC Summary for: Processor

Displayed first 2048 Allocator PCs only

PC Total Count Name

0x6010B9E8 9891336 513 ISDN Call Tabl

Conditions: This has been experienced on a Cisco 3845 router running Cisco IOS Release 12.4(22)T with ISDN configured.

Workaround: There is no workaround.

CSCta43033

Symptoms: Cisco Unified Border Element (CUBE) gives OLC reject during transfer despite correct codec negotiation. The cause code is 57.

Conditions: Occurs under reasonable load and with many call transfers (such as CVP or IPCC environment).

Workaround: There is no workaround.

CSCta45116

Symptoms: EAP-FAST authentication fails between router and client (PC or laptop running ADU).

Conditions: The symptom is observed when the wireless client is running "ADUv2.x" and the router is running with Cisco IOS Release 12.4(15)T8.

Workaround: Upgrade the wireless client ADU to version 3.x or 4.x.

CSCta45845

Symptoms: All show commands under crypto are showing blank outputs. For example, show crypto pki certificates shows a blank output, even though there may be some crypto certificates on the device.

Conditions: This happens only when using the web interface to an IOS device. The commands are:

certificates: Show certificates

counters: Show PKI Counters

crls: Show Certificate Revocation Lists

server: Show Certificate Server

session: Show PKI Session Data

timers: Show PKI Timers

token: Show PKI Token(s)

trustpoints: Show trustpoints

Workaround: There is no workaround.

Further Problem Description: CCA uses HTTP(s) service to get the output. Even when the certificate is shown using telnet/SSH, CCA GUI shows as unconfigured.

CSCta45976

Symptoms: A BFD session cannot be established to the peer if the same IP address is configured on the device in a different VRF.

Conditions: The symptom is observed when BFD sessions stay in a down state.

Workaround: Remove the locally-configured IP address.

CSCta46486

Symptoms: CPU hogging in IKE and a traceback are seen on a headend router terminating a large number of DVTIs.

Conditions: The symptom is observed with any kind of outage on the remote site, or when clearing a large number of tunnels, while the headend router is actively participating in routing and redistributing the routes learned via the tunnel to the central site.

Workaround: There is no workaround.

CSCta49840

Symptoms: GGSN may encounter a fatal error in VPDN/L2TP configurations.

Conditions: The symptom is observed in rare race conditions when physical connectivity on the interface to LNS is lost while there are active sessions and traffic.

Workaround: There is no workaround.

CSCta56762

Symptoms: A Cisco router acting as an IP SLA Responder may leak memory in the chunk manager.

Conditions: The symptom is seen when the router is responding to VoIP RTP probes.

Workaround: Stop the probes.

CSCta65793

Symptoms: Router crashes while configuring "no auto-summary" in EIGRP at startup.

Conditions: The symptom is observed on a Cisco 7200 series router that is running Cisco IOS 12.4M and 12.4T images.

Workaround: As the router processes the auto-summary command prior to any interfaces participating in EIGRP becoming fully established, the workaround is to defer configuring the auto-summary command until after interfaces have been fully enabled and are participating in EIGRP.

CSCta68917

Symptoms: Cisco IOS allows duplicate installation of the same SSL VPN Client (SVC) packages with different sequence numbers.

Conditions: Because of this defect, uninstallation of the SVC package causes an error when the same package has been installed more than once.

Workaround: Install a SVC package only once on the router with the required sequence number.

CSCta69118

Symptoms: The ping from CE1 to CE2 fails when VLAN xconnect is provisioned, even though the session is up.

Conditions: The symptom is observed with Cisco IOS Release 12.4(20)T4.

Workaround: There is no workaround.

CSCta75271

Symptoms: When we change a policy-map from a pure precedence policy (only match precedence classes) to a pure DSCP policy (only match DSCP classes), it causes a crash.

Conditions: When we remove the last precedence/DSCP class from a pure policy and replace it with DSCP/QoS_group, it causes a crash. Occurs in Cisco IOS Release 12.4(20)T and 12.4(24)T throttles.

Workaround: Remove the service-policy from the interface, then make the change to the policy-map and reapply the service-policy on the interface again.

CSCta75923

Symptoms: One-way voice may occur after a transfer through a CMM transcoder if the stream goes through an RTP-aware firewall such as an ASA. The transcoder in some transfer situations will reuse a previous SSRC, which causes a security violation.

Conditions: In a situation where there are 3 SSRCs in a single transfer, the outgoing stream from the transcoder will reuse the first SSRC in place of the third SSRC. This is against the RTP RFC, and some firewalls may drop the packet. Some gateways and endpoints may also not correctly process the packets, depending on the strictness of the RFC implemented.

Workaround: It was found that some endpoints, like the Cisco Unified IP Phone 7960, activated a transfer with only 2 SSRC changes. It was also found that a Cisco Unified IP Phone 7941 with firmware 8-3-2 had the problem, but the latest 8-4-X image did not. Some endpoints, such as an autoattendant, do not have the ability to change this behavior. The only other workaround is to use a different type of transcoder than the ACT CMM.

CSCta77678

Symptoms: The RTP timestamp on the RFC 2833 event is modified. IP phones are using RFC 2833 to transport the DTMF signals, which causes problems with the voicemail systems.

Conditions: This symptom occurs when RTP header compression is enabled.

Workaround: There is no workaround.

Further Problem Description: The problem disappears if cRTP is disabled. The issue is seen with Class-Based cRTP configured and also with other cRTP configuration types.

CSCta79634

Symptoms: System crash in L2TP. Following this, most of the L2TP setups fail.

Conditions: The symptom occurs at an L2TP control-plane event.

Workaround: Clear VPDN again or reload the router.

CSCta85026

Symptoms: CLI does not accept white spaces in the DHCP option 60 Vendor Class Identifier (VCI) ASCII string, and shows the following error message:

Router(dhcp-config)#option 60 ascii Cisco AP c1240

% Invalid input detected at '^' marker.

Router(dhcp-config)#

Conditions: The symptom is observed with Cisco IOS Release 12.4(24)T1 and later.

Workaround: There is no workaround.

CSCta91556

Symptoms: Packets are getting SSS switched on the LAC towards LNS.

Conditions: The symptom is observed when bringing up any PPPoE or PPPoA session.

Workaround: There is no workaround.

CSCta91735

Symptoms: Contact and Via ports are rewritten to 0.

Conditions: The symptom is observed under the following conditions:

INVITE is sent from outside to inside.

Contact and Via headers in the SIP packet have a different port than the one specified as the outside port in the configuration.

Workaround: There is no workaround.

CSCta96311

Symptoms: Decrypted IPSec packets are not forwarded to the IVRF.

Conditions: The symptom is observed with dual ISPs. It is seen when the primary default route is via a higher numbered interface and when crypto map is applied to both interfaces which go to the different ISPs.

Workaround: Use the command no ip route-cache cef on the ingress interface of the incoming IPSec packet.

CSCtb08032

Symptoms: Unknown unicast packets are forwarded after bridging configuration is removed.

Conditions: The symptom is observed after bridging is unconfigured on the L2 ports of the router.

Workaround: There is no workaround.

CSCtb13546

Symptoms: A Cisco IOS router crashes with a bus error.

Conditions: This symptom occurs when a Cisco IOS router is performing multihop VPDN (a.k.a. tunnel switching). The router may infrequently crash due to a bus error.

This crash is limited to cases where at least one of the following VPDN group commands is configured:

ip pmtu

ip tos reflect

Workaround: Disable the above-mentioned commands. However, the consequences of this on user traffic must be evaluated first.

CSCtb14400

Symptoms: Packets received from the virtual-access CE-facing interface are not CEF-switched into the MPLS cloud.

Conditions: The symptom is observed on a MPLS/VPN PE router.

Workaround: There is no workaround.

CSCtb16459

Symptoms: Unable to export traffic from interfaces (other than Ethernet) using RITE.

Conditions: The symptom occurs when trying to configure "interface integrated-service-engine 1/0" under "ip traffic-export profile test".

Workaround: There is no workaround.

CSCtb25549

Symptoms: Router crashes.

Conditions: The symptom is observed with the following sequence:

1. Use the command debug condition username.

2. Bring up a VPDN session.

3. Clear the VPDN tunnel on LAC.

4. Remove the conditional debug.

Workaround: There is no workaround.

CSCtb26396

Symptoms: HTTPS connections suddenly fail with the following error:

//-1//HTTPC:/httpc_ssl_connect: EXIT err = -3, hs_try_count=1
//394376//HTTPC:/httpc_process_ssl_connect_retry_timeout: SSL socket_connect failed fd(0)

Conditions: The symptom is observed with CVP Standalone deployment running with HTTPS and with Cisco IOS Release 12.4(22)T1 or Release 12.4(24)T1.

Workaround: Reload the gateway.

CSCtb26955

Symptoms: The following error message is seen:

%CRYPTO-4-GM_REGSTER_IF_DOWN: Can't start GDOI registration as interface FastEthernet1.2 is down

Problem: The interface is not actually down. The registration should go through.

Conditions:

1. Manually clear the rekey SA (clear cry isakmp connid).

2. Wait for the re-registration to start.

Workaround: Use the clear cry gdoi group command or remove and add the crypto map. The manual deleting of rekey SAs is not a valid option.

Further Problem Description: An incomplete check in the code interprets this as "the associated interface is down". The registration fails with the GM_REGSTER_IF_DOWN error message.

CSCtb34920

Symptoms: Calls may intermittently be dropped or disconnected.

The debug output for "debug isdn q931" will reveal that the gateway is sending a Q.931 INFORMATION message similar to the following:

ISDN Se0/2/1:23 Q931: TX -> INFORMATION pd = 8 callref = 0x80AE

The connected service provider switch may respond with a Q.931 STATUS message similar to the following:

ISDN Se0/2/1:23 Q931: RX <- STATUS pd = 8 callref = 0x00AE
Cause i = 0x81E17B - Message type not implemented
Call State i = 0x0A

The connected service provider switch may also respond with a Q.931 DISCONNECT message similar to the following:

ISDN Se0/2/1:23 Q931: RX <- DISCONNECT pd = 8 callref = 0x00AE
Cause i = 0x81E4 - Invalid information element contents

Conditions: This problem may occur when an ISDN PRI is configured to use "switch-type primary-4ess" or "switch-type primary-5ess."

This problem may occur when an IP phone user blind transfers a call to another destination (another IP phone, IVR, IPCC queue, etc). The transfer request triggers the Cisco Unified Communications Manager (CUCM) server to send an H.225 INFORMATION message with a Signal IE to the Cisco IOS H.323 gateway indicating to start/stop playing ringback tone toward the PSTN. The Cisco IOS H.323 gateway should generate the ringback tone, but it should NOT send the Q.931 INFORMATION message toward the connected service provider switch.

The 4ess spec indicates that the INFORMATION message is NOT supported per AT&T TR 41459 section 3.1.8. Also the Lucent AT&T 235-900-342 5ess spec does not even mention the INFORMATION message in section 4.2 which covers all other supported Q.931 message types.

Workaround: Another similar defect CSCsr38561 was previously opened for this same type of problem with "switch-type primary-ni" and has now been resolved.

If you are running a version of Cisco IOS that has the fix for CSCsr38561, it may be possible to reconfigure the Cisco IOS gateway user side of the PRI to use "switch-type primary-ni" even though the connected service provider switch may be provisioned for 4ess or 5ess. This should only be used as a temporary workaround because it could expose other interworking errors due to switch-type mismatch configuration.

CSCtb37673

Symptoms: Using a break action within a programmatic Embedded Event Manager applet causes the policy to exit.

Conditions: The symptom is observed when a break action is executed within a loop. For example:

action 001 foreach line $output "\n"
action 002 if $line eq ""
action 003 break
action 004 end
action 005 end
action 006 puts "Made it here"

After the break is executed, the policy aborts. The "Made it here" string is not printed.

Workaround: If possible, use "if ... goto" statements to get out of the loop without calling break. For example:

action 001 foreach line $output "\n"
action 002 if $line eq "" goto 004
action 003 end
action 004 puts "Made it here"

CSCtb43009

Symptoms: A Cisco 3845 router crashes when key server is removed from the list.

Conditions: The symptom is observed with the following configuration on a GM router:

conf t

crypto gdoi group GetvpnScale1

identity number 1111

no server address ipv4 10.10.1.4

When a unicast rekey is received, the router crashes.

Workaround: There is no workaround.

CSCtb46556

Symptoms: With a CJPA connected back-to-back to a Cisco 7200 series router with a NPE-G1 or NPE-G2, the NPE-G2 sometimes crashes when executing the command clear int range multilink 1 10 and the NPE-G1 gives spurious access for the same command.

Conditions: The symptoms are observed with a CJPA connected back-to-back to a Cisco 7200 series router with a NPE-G1 or NPE-G2 and when 14 multilinks are configured with two members each. Pagents are sending bi-directional traffic.

Workaround: Do not perform commands across all interfaces using interface range. Perform the commands one-by-one, manually.

CSCtb48852

Symptoms: Multilink Frame Relay (MFR) bundle in HW mode.

Conditions: Occurs when different PA members are added to MFR on a Cisco 7200 router.

Workaround: There is no workaround.

CSCtb57237

Symptoms: After a call is resumed from hold, the gateway sends a G.729 codec although a G.711 was negotiated in the H.245 messages.

Conditions: The symptom is observed with Cisco IOS Release 12.4(24)T1.

Workaround: There is no workaround.

CSCtb60330

Symptoms: SVTI tunnel flaps at phase 1 expiry when a DPD ACK is not received. The line protocol on the tunnel interface goes down.

Conditions: The symptom is observed with SVTI tunnels and when DPDs are enabled.

Workaround: Disable DPDs.

Alternate workaround: Use the no crypto isakmp keepalive command.

Further Problem Description: This may affect those scenarios where routing protocols like BGP are run over the tunnel. To diagnose this, the following debugs should be enabled on both sides:

debug crypto isakmp

debug crypto ipsec

debug crypto kmi

The following entry can be seen in debugs:

DPD sent to 10.1.1.1:500 & waiting: But IKE sa expired. Killing IPSec sas.

CSCtb65151

Symptoms: A device might crash with a bus error and the following error message:

%ALIGN-1-FATAL: Illegal access to a low address

Conditions: The symptom is observed on a device that is running Cisco IOS Release 12.4(24)T1. Other releases may be affected (those running with the Common Classification Engine). The condition seems to be temporary and after a while it goes away.

Workaround: There is no workaround.

CSCtb68229

Symptoms: The box crashes within "cns config notify code".

Conditions: This symptom is observed in the corner case when someone removes "cns config notify diff" from the config while adding other CLIs to the running config by using the method "config replace". The box can crash.

Workaround: Do not remove "cns config notify diff" using "config replace".

CSCtb71889

Symptoms: DNS A-answer from IPv4 DNS server (which is supposed to be forwarded to IPv6 side as AAAA-answer) is dropped on NAT-PT routers.

Conditions: The symptom is observed when DNS NAT-ALG is enabled.

Workaround: There is no workaround.

CSCtb78266

Symptoms: An incorrect NAS port ID is given when testing IDBless VLAN for PPPoE.

Conditions: The symptom occurs on a Cisco 7200 router that is running Cisco IOS Release 12.4(15)T10.

Workaround: There is no workaround.

CSCtb79211

Symptoms: A Cisco AS5400XM may process switch all traffic through interfaces. Other platforms may be affected.

Conditions: The symptom is observed if you are running Cisco IOS Release 12.4(20)T or later and the interface is configured for netflow with one of the following feature sets:

c5400-ik9s-mz

c5400-ik9su2-mz

c5400-jk9su2_ivs-mz

Workaround: Disable netflow.

CSCtb95275

Symptoms: Autocommands configured on VTY line or user-profile are not executing while logging through VTY.

Conditions: The symptom is observed if the privilege level is not configured in the user profile.

Workaround: Explicitly configure user privilege in the user profile.

CSCtb95801

Symptoms: In certain network setups, every five days the router hangs and the following error message is seen:

SYS-2-BADSHARE: Bad refcount in datagram_done

Conditions: The symptom is observed with Cisco IOS Release 12.4(24)T.

Workaround: There is no workaround.

CSCtb98080

Symptoms: When you attempt to browse to a WebVPN portal you only see a blank page. The router does not send the browser a certificate and the portal login page is not displayed. The command debug webvpn sdps logs the following error message:

WV-SDPS: Sev 4:sslvpn_tcp_read_notify(),line 1569:No to notify read: already queued[1] 004549:

Conditions: The symptom is observed when the SSLVPN process is waiting for an HTTP REQUEST from a client on the port configured using the http-redirect <port no> command but the process does not wake up. This can happen because of an unexpected IPC message to the SSLVPN process by another IOS process.

Workaround: Remove http-redirect from the WebVPN gateway and reload the device.

CSCtb98508

Symptoms: A Cisco router may experience a bus error crash.

Conditions: The symptom has been experienced on a Cisco 2851 router that is running Cisco IOS Release 12.4(20)T3 and when "callmonitor" is enabled.

Workaround: There is no workaround.

CSCtc04228

Symptoms: The command mgcp behavior g729-variants static-pt is the default and will show up in the configuration. This causes a problem when you save the configuration and downgrade to an earlier Cisco IOS Release where this behavior is not present. There, the command will now be enabled when it was not previously.

Conditions: Using an earlier version of a Cisco IOS Release will enable the command.

Workaround: After downgrading to a lower version where mgcp behavior g729-variants static-pt is not the default, configure no mgcp behavior g729-variants static-pt to remove the CLI.

CSCtc04351

Symptoms: The GM router might reload.

Conditions: The symptom is observed if the following conditions are met:

1. Many VRFs are configured on the same GM, each belonging to an individual GETVPN group.

2. All the VRFs are triggered to register with the KS at the same time.

3. While #2 is happening, do a clear cry gdoi on the GM.

Workaround: There is no workaround.

CSCtc13664

Symptoms: With an IPv6 Policy Based Routing (PBR) configuration, the route-map clause "set interface null0" may cause a router to crash.

Conditions: The symptom is observed with IPv6 PBR. The trigger traffic is traceroute packets (ping packets will not cause the crash).

Workaround: Configure "route-map" as [set interface loop0].

CSCtc36826

Symptoms: Unable to detect SIT and disconnect an FXO call.

Conditions: The symptom is observed on an FXO port configured with "supervisory sit us immediate-release" or "supervisory sit us".

Workaround: Configure "supervisory sit us all-tones".

Resolved Caveats—Cisco IOS Release 12.4(24)T1

Cisco IOS Release 12.4(24)T1 is a rebuild release for Cisco IOS Release 12.4(24)T. The caveats in this section are resolved in Cisco IOS Release 12.4(24)T1 but may be open in previous Cisco IOS releases.

CSCsd77560

Symptoms: SNMPv3 "auth" and "priv" users are lost across reload.

Conditions: Occurs after a reload.

Workaround: There is no workaround.

CSCsi43340

Symptoms: DSMP is not programming the DSP for supervisory tone while alerting tone is there, which leads to FXO disconnect supervision issue.

Conditions: Occurs on routers running Cisco IOS Release 12.3(14)T and later releases.

Workaround: Downgrade to Cisco IOS Release 12.3(11)T.

CSCsi69186

Symptoms: Interface is reported by Optimized Edge Routing (OER) as being an invalid interface for sending an active probe.

Conditions: Occurs on an Optimized Edge Routing (OER) border router with an external interface defined as a tunnel interface (mGRE).

Workaround: There is no workaround.

CSCsj17977

Symptoms: The GETVPN rekey fails. The following error message shows in the syslog:

%GDOI-3-GM_NO_IPSEC_FLOWS: IPSec FLOW limit possibly reached

The show crypto engine connections flow command will show that all flows are used. For hardware-accelerated platforms, use the show crypto eli command to see how many Phase IIs are supported.

Conditions: This problem is seen when the registration is not successful on a group member and then the flow IDs allocated for that incomplete registration are not cleaned up.

Workaround: Reload the router if all the flow IDs are leaked.

CSCsj37160

Symptoms: Cisco Express Forwarding (CEF) adjacency is going incomplete and local users are down. This may result in packet loss.

Conditions: When the Peak rate on the ATM PVP is changed and "atm route-bridge ip" is configured on sub-interface, then adjacency goes to "incomplete" state.

Config t
interface ATM1/0
atm pvp 11 3000 << change
sh ip cef vrf Internet det | incl com
Adj source: IP adj out of ATM1/0.44604, addr x.x.x.x (incomplete)

Workaround: Clear the adjacency or perform a shut/no shut on the ATM interface.

CSCsj93465

Symptoms: A PRE-3 may crash at the "pppatm_pas_fs" function.

Conditions: This symptom is observed on a Cisco 10000 series that runs the c10k3-p11-mz image of Cisco IOS Release 12.2(31)SB1 and that is configured for PPP. The symptom occurs after a write operation. The symptom may not be platform-specific.

Workaround: There is no workaround.

CSCsk43926

Symptoms: High CPU usage may occur in interrupt context on an RP, and spurious memory accesses may be generated when a route-map update is checked. You can verify this situation in the output of the show align command.

Conditions: This symptom is observed on a Cisco 7600 series that is configured for BGP.

Workaround: There is no workaround.

CSCsk45399

Symptoms: A device might crash when the QoS configuration is changed.

Conditions: This symptom is observed on a device that has a QoS configuration.

Workaround: There is no workaround.

CSCsk80396

Symptoms: Router crashes when jitter operation takes place.

Conditions: This crash is inconsistent and is seen while auto Ethernet operation is configured to carry on jitter operation on an interface configured with no ethernet cfm enable.

Workaround: There is no workaround.

CSCsl46159

Symptoms: When the cost-minimization feature is used in OER, prefixes are moved to minimize the cost, but it never reaches a stable point. In other words, prefixes are moved back and forth periodically.

Conditions: This symptom is observed only if OER cost-minimization is configured.

Workaround: There is no workaround.

CSCsm75818

Symptoms: Multicast data loss may be observed while changing the PIM mode of MDT-data groups in all core routers.

Conditions: The symptom is observed while changing the PIM mode of MDT-data groups from "Sparse" to "SSM" or "SSM" to "Sparse" in all core routers in a Multicast Virtual Private Network (MVPN).

Workaround: Using the command clear ip mroute MDT-data group will resolve the issue.

CSCsm92992

Symptoms: Brand new NVRAM chips will not have the magic numbers written for the primary, backup, and secondary backup NVRAM. This will cause error messages when trying to read/write to the NVRAM (see below).

Router# write erase
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm] 
[OK]
Erase of nvram: complete
Router# 
*Dec 17 23:08:52.319: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of
nvramwr
Building configuration... 
[OK] 
Bad configuration memory structure -- try rewriting
Bad configuration memory structure -- try rewriting 
Router# 
Router#
Router# wr 
Bad configuration memory structure -- try rewriting 
Bad configuration memory structure -- try rewriting 
Building configuration...
[OK] 
Bad configuration memory structure -- try rewriting 
Bad configuration memory structure -- try rewriting 
Router#

Workaround: Load an image older than Cisco IOS Release 12.4(20)T, which will write the magic numbers. Then load an image from Cisco IOS Release 12.4(20)T or a later release.

CSCso40618

Symptoms: A Cisco 871 router may crash with error %SYS-2-NOTQ with Process= "DNS Resolver" after loading an image.

Conditions: Firewall application inspection for IM protocols is configured. Protocol-info parameter-map is configured to resolve the IM server host names and is associated to IM protocols in firewall class-map.

Trigger: Issue is caused when router uses "parameter-map protocol-info" which has a list of IM server host names, to resolve list of IM servers.

Workaround: Do not associate the protocol-type parameter-map to IM protocol in firewall class-map.

CSCso90058

Symptoms: MSFC crashes with Red Zone memory corruption.

Conditions: This problem is seen when processing an Auto-RP packet and NAT is enabled.

Workaround: There is no workaround.

CSCsq40434

Symptoms: Router crashes issuing "authentication network-eap eap_methods" under SSID in console line, when no SSID was issued from VTY line.

Conditions: Occurs when using both console and VTY on a Cisco 3845 running Cisco IOS Release 12.4(19.18)T2 and the C3825-ADVSECURITYK9-M image.

Workaround: There is no workaround.

CSCsr27727

Symptoms: A Cisco Catalyst 6000 reports the following message and unexpectedly reloads:

%SYS-2-ASSERTION_FAILED: Assertion failed: "wccp_acl_item_valid(item,NULL)"

Conditions: This symptom is observed on a WS-C6509 that is running Cisco IOS Release 12.2(33)SXH2a.

A WCCP service is configured with a redirect-list referring to a simple ACL.

Workaround: Use an extended ACL as the WCCP redirect-list.

CSCsr41631

Symptoms: AnyConnect client is connecting to a Cisco ISR router that is running Cisco IOS Release 12.4(20)T with hardware encryption and CEF enabled. Client is unable to reach the inside interface IP address but can communicate with devices behind the router.

Conditions: This symptom is observed with Cisco IOS Release 12.4(20)T with hardware encryption and CEF enabled.

Workaround: Disable CEF globally and/or disable hardware encryption.

CSCsr51801

Symptoms: Some of the route-maps configured for BGP sessions (eBGP) are not permitting the prefixes upon a router reload.

Conditions: The symptom is observed when a large number of route-maps for a BGP session are configured and the router is reloaded.

Workaround: Issue the command clear ip bgp * soft.

CSCsr53059

Symptoms: A PPPoA session fails to come up after modifying the PVC.

Conditions: The symptom was seen while testing the feature PPP over ATM with Subscriber Service Switch.

Workaround: There is no workaround.

CSCsr62645

Symptoms: Software-forced reload occurs on Cisco 870 router.

Conditions: Encountered during extended VLAN testing.

Workaround: There is no workaround.

CSCsr65069

Symptoms: A router reports "%SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header" and reloads.

Conditions: This symptom is observed with Cisco routers that are running Cisco IOS Release 12.4T under an increased traffic load.

Workaround: There are no known workarounds.

Further Problem Description: This issue is related to a classification engine in Cisco IOS software. This engine is used by all features that require classification (for example, QoS, NetFlow).

CSCsr70963

Symptoms: A Cisco 10000 PRE will reload unexpectedly when a radius server which is marked as dead is removed from the configuration during authentication of sessions.

Conditions: The issue is seen when a RADIUS server is marked as dead. There are attempts to retry and access the server during its removal from the configuration.

Workaround: There is no workaround.

CSCsr94207

Symptoms: The following bus error crash occurs:

Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0xXXXXXX

Conditions: "ntp broadcast destination" must be configured. Just having an NTP peer configured is not enough to trigger this crash.

Workaround: There is no workaround.

CSCsu02975

Symptoms: Router crashes due to memory corruption.

Conditions: A WAN router crashes when a feature combination that includes Frame Relay, EIGRP, GRE, QoS, and multicast is configured on WAN aggregation and branches. The issue is seen only on PA-MC-2T3/E3-EC. The issue is seen only when both frame-relay fragment and service-policy are part of the map-class frame-relay configuration.

Workaround: Have either frame-relay fragment or service-policy as part of map-class frame-relay configurations.

CSCsu58763

Symptoms: Card crashed upon attaching the policy-map to the output interface.

Conditions: Occurs with all types of VCs (PVC/SVC) when the service policy is defined with the shape command.

Workaround: There is no workaround.

CSCsu65401

Symptoms: Commands run using the tclsh exec command fail with the error:

Command authorization failed.

Conditions: This occurs in Cisco IOS Release 12.4(20)T if the following is configured on the device:

aaa authorization commands 15 default group tacacs+

Workaround: The username being passed to the AAA server is an empty string. If there is a default profile on the AAA server that allows all commands to be run, then the tclsh exec commands will work. Otherwise there is no workaround.

CSCsu95080

Symptoms: A router remains in the init_process state when parsing the configuration.

Conditions: The symptom is observed when an IPv6 multicast group joins without MLD configured. When the groups unjoin, the system suspends.

Workaround: Configure MLD.

CSCsv28451

Symptoms: A Cisco 7600 PE router fails to redistribute a VRF prefix into BGP after the prefix or path to it flaps. The PE router will indicate the prefix being redistributed into BGP but the prefix will not get installed into the BGP table until the prefix is cleared:

PE2# 
PE2#sh ip route vrf foo 10.5.5.5

Routing Table: foo
Routing entry for 10.5.5.5/32
Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 10 
Redistributing via bgp 666 
Advertised by bgp 666 metric 10 match internal external 1 & 2
Last update from 10.45.45.2 on Ethernet1/0, 00:00:56 ago 
Routing Descriptor Blocks: 
* 10.45.45.2, from 10.5.5.5, 00:00:56 ago, via Ethernet1/0
Route metric is 20, traffic share count is 1 
PE2# 
PE2#sh ip bgp vpnv4 vrf foo 10.5.5.5 
% Network not in table PE2#

Conditions: The PE router redistributing the given prefix must have a sham-link configured for the given VRF and an alternate path to the prefix must exist once the primary (sham-link) is down.

Workaround: Use the following command: clear ip route vrf vrfname <prefix>.

Further Problem Description: This problem is seen only in Cisco IOS Release 12.2(33)SRB. Cisco IOS Releases 12.2(33)SRC/SRD, etc. are not affected.

CSCsv40340

Symptoms: A Cisco router may reload due to a bus error.

Conditions: This symptom is observed on a Cisco 3845 router that is running Cisco IOS Release 12.4(15)T7. The router is configured with NHRP.

Workaround: There is no workaround.

CSCsv66215

Symptoms: Problem with IPv6 when deactivating and then reactivating VPN routing/forwarding (VRF).

One symptom is a message "Can't activate address-family `ipv6'"

Another aspect is a reference to tableid 10000000 that is reserved and should not apply to VRF.

Conditions: Occurs when using VRFs. The problem only occurs if IPv6 routing is used and then fully removed. When IPv6 is removed from the system, the IPv6 RIB goes away. One way of reactivating the IPv6 RIB is indirectly to create some VRFs. In that case, it is possible that the tableid 10000000 be allocated to a VRF, in which case the problem occurs.

Workaround: The problem arises when the IPv6 RIB is allocated indirectly through VRF installation, and it occurs only on reactivation. There are thus a few ways to work around it:

Reboot the router.

Configure ipv6 unicast router or IPv6 on interfaces before entering VRF configuration.

CSCsv66513

Symptoms: When an external interface is shutdown (on a controlling border router) all the applications (controlled) on that interface do not go to DEFAULT state.

Conditions: The symptom is observed when PfR is enabled with applications that are configured to be controlled. It is seen when more than one application that is controlled (on same border router) exits.

Workaround: There is no workaround.

CSCsv66827

Symptoms: Clearing the SSH sessions from a VTY session may cause the router to crash.

Conditions: The symptom is observed when a Cisco 7300 series router is configured for SSH and then an SSH session is connected. If the SSH session is cleared every two seconds using a script, the symptom is observed.

Workaround: There is no workaround.

CSCsv68584

Symptoms: Router crashed when 100 PPPoE sessions are created with policy protocol L2TP.

Conditions: This symptom occurs while PPPoE sessions are created.

Workaround: There is no workaround.

CSCsv79584

Symptoms: A 0.0.0.0 binding with a 0 minute lease gets created and subsequently removed on the DHCP unnumbered relay.

Conditions: The DHCP client sends a DHCPINFORM with ciaddr set to its address, but giaddr is empty. The relay fills in giaddr with its IP address and the server replies to giaddr. Since the DHCPACK is in response to DHCPINFORM, the lease-time option is absent. The relay receives the DHCPACK and tries to process it normally, leading to the route addition.

Workaround: There is no workaround.

Further Problem Description: This behavior can indirectly have a negative impact on the system by triggering other applications to be called because the routing table change is triggered by such DHCP requests. Examining "debug ip routing" for 0.0.0.0/32 reveals 0.0.0.0/32 route flapping.
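The DHCPACK handling described in CSCsv79584, as an added example that is not Cisco code and not part of the release note: a model of a relay that derives a binding from every DHCPACK, beside a version that skips an ACK carrying no lease-time option (the reply to a DHCPINFORM, which per RFC 2131 also has yiaddr 0.0.0.0). The function names and the sample packets are assumptions constructed for this example.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 0, 51, 53, 255
DHCPACK = 5
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed header


def build_reply(msg_type, ciaddr, yiaddr, giaddr, lease=None):
    """Build a BOOTREPLY used only as constructed sample input."""
    hdr = struct.pack(BOOTP_FMT, 2, 1, 6, 0, 0x1234, 0, 0,
                      socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                      socket.inet_aton("0.0.0.0"), socket.inet_aton(giaddr),
                      b"\x00\x11\x22\x33\x44\x55", b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if lease is not None:
        opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_reply(pkt):
    """Return the address fields and the option map of a DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    msg = {"ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
           "giaddr": socket.inet_ntoa(f[10]), "options": {}}
    off = 240
    while off < len(pkt):
        code = pkt[off]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            off += 1
            continue
        if off + 2 > len(pkt) or off + 2 + pkt[off + 1] > len(pkt):
            raise ValueError("truncated option")
        length = pkt[off + 1]
        msg["options"][code] = pkt[off + 2:off + 2 + length]
        off += 2 + length
    return msg


def naive_binding(pkt):
    """Model of the symptom: every DHCPACK produces (address, lease)."""
    msg = parse_reply(pkt)
    if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    raw = msg["options"].get(OPT_LEASE_TIME, b"\x00\x00\x00\x00")
    return msg["yiaddr"], struct.unpack("!I", raw)[0]


def checked_binding(pkt):
    """Create a binding only for an ACK that actually grants a lease."""
    msg = parse_reply(pkt)
    if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    raw = msg["options"].get(OPT_LEASE_TIME)
    if raw is None or len(raw) != 4 or msg["yiaddr"] == "0.0.0.0":
        return None   # reply to DHCPINFORM: parameters only, nothing to bind
    return msg["yiaddr"], struct.unpack("!I", raw)[0]


# Constructed samples: ACK answering a DHCPINFORM, and ACK answering a DHCPREQUEST.
INFORM_ACK = build_reply(DHCPACK, "192.0.2.10", "0.0.0.0", "192.0.2.1")
REQUEST_ACK = build_reply(DHCPACK, "0.0.0.0", "192.0.2.10", "192.0.2.1", lease=3600)

if __name__ == "__main__":
    for name, pkt in (("INFORM_ACK", INFORM_ACK), ("REQUEST_ACK", REQUEST_ACK)):
        print(name, "naive:", naive_binding(pkt), "checked:", checked_binding(pkt))
```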

CSCsv81176

Symptoms: Router crashes with syslog CHUNKBADMAGIC.

Conditions: The symptom is observed with an ATM interface and NAT outside interface on a Cisco 3845 platform. It has been seen with a large number of flows from thousands of source addresses and with thousands of translated source addresses in a short period of time.

Workaround: Limit the number of source addresses available for NAT translation to less than 2000 or increase traffic slowly.

CSCsv81751

Symptoms: Cisco 7200 G2 router crashes when changing configuration of serial interfaces from PPP to SDLC and back to PPP, while running traffic.

Conditions: This is observed on a T3 link with 56 channel groups configured on a WAN aggregation device. All the serial interfaces have service-policy configured.

Workaround: Remove the service-policy before changing the encapsulation to SDLC.

CSCsv85530

Symptoms: When accounting is enabled for virtual private dial-up network (VPDN), there might be messages with termination cause "nas-error" and displaying impossible values in Acct-Input-Octets, Acct-Output-Octets, Acct-Input-Packets and Acct-Output-Packets.

This causes accounting to be unreliable.

Conditions: Occurs on a router that runs Cisco IOS Release 12.4T and is configured for PPTP/L2TP with accounting.

Workaround: There is no workaround.

CSCsv90106

Symptoms: A router may write a crashinfo that lacks the normal command logs, crash traceback, crash context, or memory dumps.

Conditions: This might be seen in a memory corruption crash depending on precisely how the memory was corrupted.

Workaround: There is no workaround.

CSCsv91602

Symptoms: Cisco 7201 with Gi0/3 experienced communication failure.

Conditions: This problem does not occur with Gi0/0 or Gi0/2.

Workaround: Perform a shut/no shut on the Gi0/3. The problem will occur again.

CSCsv91628

Symptoms: BGP prefixes are not exchanged between route reflectors.

Conditions: Occurs when route reflectors are present in different AS and they have MP-EBGP relationship between them.

Workaround: There is no workaround.

CSCsv96757

Symptoms: After random detect (WRED) is configured on the ATM interface of a Cisco 888 Integrated Services router and traffic is sent through the VLAN input interface to the ATM interface, the router displays a continuous malloc error. Additionally, the router crashes within 10-20 seconds after the traffic is stopped.

Conditions: The problem is only observed on Cisco 888 Integrated Services router when WRED is enabled on the ATM interface.

Workaround: Do not enable WRED on the ATM interface on the Cisco 888 Integrated Services router.

CSCsv97772

Symptoms: The System Activity (SYS ACT) LED may keep blinking even though there are no configurations or traffic.

Conditions: The symptom is observed on a Cisco 2800 series router with an NM-16A/S, which is connected to another device through a CAB-SS-X21MT. The problem is only seen on a couple random ports on a few random modules.

Workaround: Use RS-232 cables instead of X.21 cables.

CSCsw18636

Symptoms: High CPU utilization occurs after the device receives an ARP packet with protocol type as 0x1000.

Conditions: This problem occurs on Supervisor 32 running Cisco IOS Release 12.2(33)SXI. This problem may also occur on Supervisor 720. The problem is only seen when you have bridge-group CLI being used, which leads to ARP packets with protocol types as 0x1000 being bridged. The problem does not apply for IP ARP packets.

Workaround: Filter the ARP packet. The device configuration should have bridge-group creation first, followed by interface-specific bridge-group options.

CSCsw22791

Symptoms: The router may crash if Group Domain of Interpretation (GDOI) configurations are removed concurrently with the execution of the show crypto gdoi command (that is, they are running on different TTY sessions).

Conditions: The symptom is observed when the removal of the configurations and the execution of the show command are concurrent.

Workaround: Avoid removing the configuration and executing the show crypto gdoi command concurrently.

CSCsw23314

Symptoms: A router reloads when a manually keyed crypto map is removed from an interface after unconfiguring the tunnel source.

Conditions: The symptom is observed when the manually keyed crypto map is applied on the tunnel interface. The crash happens when the user cuts and pastes several "no" forms of the CLI in order to delete the tunnel source interface as well as removing the crypto from the tunnel and deleting the tunnel interface itself:

conf t 
int tunnel0
no ip addr x.x.x.x x.x.x.x 
no tunnel source e1/0
no tunnel dest y.y.y.y
no crypto map ! must be a manually keyed crypto map
exit 
no interface tunnel0

The issue occurs only on a Cisco 7200 series router with VSA, a Cisco ASR 1000, or a Cisco Catalyst 6000 Series Switch with VPNSPA.

Workaround: Enter the commands one at a time, waiting after removing the tunnel source. This will prevent the race condition from occurring, avoiding the crash.

CSCsw24611

Symptoms: A router configured with BGP and VPN import may crash.

Conditions: This is a hard-to-hit race condition. BGP imports a path from VRF-A to VRF-B. The following steps have to take place in exactly this order for the crash to occur:

1. The next-hop for the path has to become unreachable.

2. BGP has to re-evaluate the bestpath on the net in VRF-A and result in no-bestpath on the net (because there is no alternative path available).

3. RIB installation has to process the importing BGP net under VRF-B.

Step 3 will result in the crash. If, before step 3, the next-hop re-evaluation manages to process the net in VRF-B then it will clear the bestpath and there will be no crash. If, before step 3, the import code gets a chance to process the net it will clean-up the imported path from VRF-B and then there will be no crash.

Workaround: There is no workaround.

CSCsw24826

Symptoms: Cisco router may crash pointing to OSPF code because of low memory access.

Conditions: Crash is specific to the following scenario:

1. Neighbor router performs IETF NSF restart.

2. The software interface between the routers is removed from the configuration while the NSF restart is in progress and a grace LSA is present in the database of the helper router.

3. Helper router will crash 1 hour later during max-age procedure for grace LSA. Reason is that grace LSA is associated with interface, but that interface does not exist any more.

Workaround: If configuration changes need to be done during network changes, the following applies:

1. Shutdown OSPF interface

2. Check show ip ospf da. Can you see type-9?

NO => good, remove interface

YES => 'no shutdown' interface, wait for neighbor going FULL (type-9 will be flushed during sync)

3. Repeat Step 1.

CSCsw24966

Symptoms: SSL VPN client or AnyConnect client performance drops after a period of operation.

Conditions: Occurs when Cisco Express Forwarding (CEF) is enabled.

Workaround: Disable CEF if possible.

CSCsw29463

Symptoms: The router, which is configured as a hub in a Dynamic Multipoint VPN (DMVPN), may reload unexpectedly.

Conditions: The symptom is observed periodically in a scaled configuration when the router is connected to a live network and traffic is passing.

Workaround: There is no workaround.

CSCsw29842

Symptoms: A router may reload or crash at resource_owner_set_user_context while adding and removing MTU in the ATM main interface and subinterface.

Conditions: The symptom is observed when the command no mtu on the ATM subinterface modifies the minimum MTU size to zero.

Workaround: Set the MTU size of the subinterface to a default value or the value of the main interface's MTU instead of using no mtu.

Further Problem Description: The command no mtu on the ATM subinterface will modify the MTU size to zero. It should inherit the default value or value from the main interface if the main interface has an MTU value set. This issue does not affect any functionality of MTU.

CSCsw36397

Symptoms: VoIP RTP connections may dangle at TGW when a call failure occurs, due to a performance test.

Conditions: The symptom is observed during performance testing with many calls (more than 600) run for any duration above 5 minutes. The call failure occurs due to a network timeout issue from SIP server (acting as proxy server) causing hung VoIP connections at the TGW.

Workaround: There is no workaround.

Further Problem Description: The problem appears when the SIP server in the network delays responding to the messages sent from OGW and TGW due to network delays. The TGW is unable to clear the VoIP RTP sessions causing the hung RTP connections. If the calls run for more than an hour, the memory gets exhausted in the TGW causing it to crash.

CSCsw43211

Symptoms: The following errors are seen:

%IDMGR-3-INVALID_ID: bad id in id_to_ptr (bad id) (id: 0xFFFFFFFF) -Traceback= 
60476EBC 60477400 60491664 616C5834 616C7EEC 61AB72CC 61AC2E64 61AC2EBC 60FE4274 
60FDEFA4 60FD4180 60FD4874 60FD4BBC 60FD275C 60FD27A0 60FC8F74

Conditions: This has been seen on a Cisco 7200 after upgrading to Cisco IOS Release 12.2(33)SRC2.

Workaround: There is no workaround.

CSCsw49464

Symptoms: The router processes SSLVPN_PROCESS and pool manager may hold most of a Cisco 1811 router's memory, which may affect the router's capability to process SSLVPN traffic.

Conditions: This happens after many users log in to a router acting as an SSLVPN gateway.

Workaround: Disable the on-board crypto engine with the no crypto engine onboard 0 command.

CSCsw50811

Symptoms: When ipv6 mld static-group is configured on a non-DF interface, IPv6 Protocol Independent Multicast (PIM) topology table is not seen after doing shut/no shut on non-DF interface.

Conditions: This happens with a Cisco 7200 router that is running Cisco IOS Release 12.4(24)T.

Workaround: There is no workaround.

CSCsw52416

Symptoms: Dynamic NAT entries are not timing out properly.

Conditions: Occurs even after the timer has expired.

Workaround: There is no workaround.

CSCsw52932

Symptoms: Group members' rekey SAs that have the same IKE SA endpoints (source/destination addresses) are mistakenly deleted when one of the group members has to re-register.

Conditions: This occurs when one of the group members has to re-register.

Workaround: Have all the group members re-register at the same time (e.g. reapply the crypto map or use the clear crypto gdoi command).

CSCsw62997

Symptoms: Traceback is seen while configuring a policy in the virtual-template on LAC.

Conditions: The symptom is observed when the class-map under the policy has the following filter:

match vlan <vlan-id>

Workaround: There is no workaround.

CSCsw65929

Symptoms: A crash may occur upon disabling ccm-manager fallback.

Conditions: The symptom is observed when disabling and enabling MGCP application and ccm-manager fallback in quick succession.

Workaround: There is no workaround.

CSCsw65933

Symptoms: The CE does not learn the prefix from one of the PEs.

Conditions: The symptom is observed after configuring (on PE2):

router bgp 10 
address-family ipv4 vrf test1 
no neighbor <peer > route-map setsoo in
end

and then clearing using the following command: clear ip bgp peer vrf test1 soft out.

Workaround: Use the command clear ip bgp * soft on the PE after SOO is applied.

Alternate Workaround: On the CE, the command clear ip bgp * soft should not be applied within one minute after applying SOO route map to CE on UUT.

CSCsw66082

Symptoms: A router crash may be seen at ip_mcast_address_lookup when issuing the show ip igmp ssm-mapping multicast group on an SSM-mapping enabled router which makes use of DNS lookup for source list.

Conditions: The symptom is observed on a Cisco 7200 series router that is running Cisco IOS release 12.4(23.10)T.

Workaround: There is no workaround.

CSCsw66151

Symptoms: Dynamic Multipoint VPN (DMVPN) version 6 hub crashes.

Conditions: Occurs when traffic is passed from the router behind the spoke to another device.

Workaround: There is no workaround.

CSCsw68022

Symptoms: A router crashes after unconfiguring SCCP group using the following command: no sccp ccm group #.

Conditions: The symptom is observed when SCCP group is configured on the router, and DSPfarm profiles (conference and transcoding) are configured and active on the router. If the commands no sccp ccm group # and dspfarm profile <id> conference followed by shutdown are entered at the same time, the router crashes.

Workaround: Do not enter the commands no sccp ccm group # and dspfarm profile <id> conference followed by shutdown at the same time.

CSCsw68626

Symptoms: Router crashed after executing the no server name command.

Conditions: Occurs while removing the configured server name from an AAA server group on a Cisco 7200 router.

Workaround: There is no workaround.

CSCsw70204

Symptoms: WISPr attributes could cause memory leak in ProxyLogon situation.

Conditions: The symptom is observed when the subscriber logs on using WISPr attributes.

Workaround: There is no workaround.

CSCsw72132

Symptoms: The router crashes when bringing up large number of sessions.

Conditions: Occurs when 500 sessions have to be cleared.

Workaround: There is no workaround.

CSCsw77293

Symptoms: Upon unconfiguring "channel-group" in one controller, the ping fails in another controller.

Conditions: The symptom is observed when a controller is configured and then unconfigured with "channel-group".

Workaround: Configure "channel-group" again.

CSCsw78413

Symptoms: The BFD configuration may be lost from the interface/sub-interface upon a router reload or OIR of a physical module.

Conditions: The symptom is seen when BFD is configured on an interface in certain multi-slot chassis.

Workaround: Ethernet interfaces seem immune to this problem. Certain platforms, such as the Cisco 10000 series router, are also immune.

CSCsw78879

Symptoms: The secondary key server crashes when it sends a KEK rekey to the GMs soon after it takes over as the primary key server.

Conditions: The symptom is seen when the secondary key server switches to primary just before it is time to send the KEK rekeys to the group members. This problem can be seen in any co-operative key server environment.

Workaround: There is no workaround.

CSCsw78939

Symptoms: No new sessions can come up using VPDN after a few days.

Conditions: The root cause is that we leak and run out of SSM switch IDs.

Workaround: There is no workaround.

CSCsw79696

Symptoms: A call over the FXO loop-start cannot be established as the gateway's DSP detects a reverse-battery signal.

Conditions: The symptom is observed when the far-end is able to generate a reverse-battery signal when the called side is ringing. In addition, it is seen when "supervisory disconnect" is configured to either anytone or dualtone.

Workaround: There is no workaround.

CSCsw80640

Symptoms: A Cisco router may experience the following errors:

%SYS-2-SHARED: Attempt to return buffer with sharecount 0, ptr= 659594E0
-Process= "IP Input", ipl= 4, pid= 93,
-Traceback= 0x60C6C978 0x60373164 0x61556FC8 0x61558534 0x612D6A44 0x612D8368
0x612D8780 0x612D883C 0x612D8A84
%SYS-2-SHARED: Attempt to return buffer with sharecount 0, ptr= 6649466C
-Process= "IP Input", ipl= 4, pid= 93,
-Traceback= 0x60C6C978 0x60373164 0x61556FC8 0x61558534 0x612D6A44 0x612D8368
0x612D8780 0x612D883C 0x612D8A84

Conditions: This symptom is observed on a Cisco 2801 router that is running Cisco IOS Release 12.4(20)T. The errors appear to be triggered with the forwarding of UDP packets.

Workaround: There is no workaround. The problem does not appear to be service impacting.

CSCsw85293

Symptoms: The following CPUHOG messages are seen for Crypto ACL process:

%SYS-3-CPUHOG: Task is running for (xxxx)msecs, more than (2000)msecs (9/7),process = Crypto ACL.

Conditions: This has been seen on Cisco routers that are running Cisco IOS Release 12.4(15)T8 (other versions may be affected as well) with GETVPN configured.

Workaround: Reducing the size and complexity of the crypto ACLs will often stop these errors.

CSCsw90055

Symptoms: An FXO port with "supervisory disconnect tone" configured is unable to be released while receiving disconnect tone.

Conditions: The symptom is observed when FXO is handling a fax call which will disable the FXO port "supervisory disconnect tone" capability and cause the FXO to be unable to detect the disconnect tone.

Workaround: There is no workaround.

CSCsw92379

Symptoms: Many "IP ARP: Sticky ARP entry invalidated" syslog messages appear, and the RP reloads unexpectedly.

Conditions: This symptom is observed when a linecard is swapped while thousands of DHCP snooping bindings are present and the ip sticky-arp command is configured.

Workaround: Configure the no ip sticky-arp command.

CSCsw93187

Symptoms: Ingress MPLS EXP marking malfunctioning on Multilink Frame Relay (MFR) Interface.

Conditions: Occurs with MFR interface on Cisco 7200 router.

Workaround: There is no workaround.

CSCsw93682

Symptoms: The KS database becomes unreliable.

Conditions: The symptom is observed when clearing the GM database from KS and re-registering GMs with different criteria.

Workaround: There is no workaround.

CSCsw95670

Symptoms: With Ethernet over MPLS configured in VLAN interface, End-to-End connectivity is broken between CE routers.

Conditions: The issue is seen on router loaded with an internal build of 12.2(33)SR.

Workaround: There is no workaround.

CSCsw97262

Symptoms: The command analysis-module is not replicating packets routed from an IP Phone.

Conditions: The symptom is observed on an IP Phone communication set up via router to FXO. Ingress interface contains the analysis-module monitoring command.

Workaround: There is no workaround.

CSCsw97665

Symptoms: All WWW sites are allowed even though there is a matching local URL filter blocking policy configured, and the allow mode is set to off.

Conditions: The symptom is observed when the local URL filter blocking policy is configured and the allow mode is set to off. Also, global CEF switching path is turned on.

Workaround: There is no workaround.

CSCsw98414

Symptoms: The ip nat inside source ... match-in-vrf command is not working without the overload option.

Conditions: Occurs on a router running Cisco IOS Release 12.4(15)T8.

Workaround: There is no workaround.

CSCsw99846

Symptoms: With mLDP over a P2P tunnel, traffic drops in multiple cases.

Conditions: The traffic drops when there is a change in path set entries, which can happen when you perform a shut and no shut on the TE tunnel, toggle MPLS traffic-tunnel, or use the clear mpls traffic-eng auto-tunnel command.

Workaround: There is no workaround.

CSCsx06457

Symptoms: A router configured with BGP may generate IPRT-3-NDB_STATE_ERROR log messages. An additional symptom when bgp suppress-inactive is configured is that the router CPU usage may get close to 100%.

Conditions: When both BGP and an IGP are advertising the same prefix, the error condition may occur. When, in addition, bgp suppress-inactive is configured, high CPU usage by BGP may be seen.

Workaround: Removing the bgp suppress-inactive configuration should eliminate the high CPU problem. Removing either the BGP or IGP conflicting routes from the system should clear both symptoms.

CSCsx06534

Symptoms: Cisco IOS certificate server crashes while shadow certificate takes over after a manual reload.

Conditions: This seems to only happen under test conditions where the system clock is modified. There may be a rare instance where this could happen without the clock being modified.

Workaround: There is no workaround.

CSCsx07423

Symptoms: The router stays at 100% CPU usage after trying to establish an SSL session with an SSL server when this SSL server is not reachable.

Conditions: The symptom is observed with any applications on the router that use an SSL client to establish a secure session with the SSL server. At the same time, the secure server is not available for whatever reason.

Workaround: Make sure the SSL server is reachable by pinging it. Save the configuration as startup-config and reload the router.

CSCsx08292

Symptoms: When Service Policy is applied under the PVC, traffic flow across that interface stops.

Conditions: The ping failure starts only after service-policy configuration.

Workaround: There is no workaround.

CSCsx09110

Symptoms: Cisco voice gateway may be unable to establish an IPSec tunnel to a Cisco Call Manager (CCM).

Conditions: Occurs when the gateway is running Cisco IOS Release 12.4(23.15)T3 or later.

Workaround: There is no workaround.

CSCsx09343

Symptoms: PKI daemon is stuck in DNS resolution attempt for the hostname used in the CDP.

Conditions: The symptom is observed when using name resolution for automatic actions taken by the router during non-interactive sessions (CRL download using name in CDP URI). This issue has been seen to occur only on a Cisco Catalyst 6500 running Cisco IOS SXH software.

Workaround: There is no workaround.

CSCsx10140

Recent research (1) has shown that it is possible to remotely cause BGP sessions to reset by injecting invalid data, specifically AS_CONFED_SEQUENCE data, into the AS4_PATH attribute, which is provided to store 4-byte ASN paths. Since AS4_PATH is an optional transitive attribute, the invalid data will be transited through many intermediate ASes, which will not examine the content. For this bug to be triggered, an operator does not have to be actively using 4-byte AS support.

The root cause of this problem is the Cisco implementation of RFC 4893 (4-byte ASN support). This RFC states that AS_CONFED_SEQUENCE data in the AS4_PATH attribute is invalid. However, it does not explicitly state what to do if such invalid data is received, so the Cisco implementation of this RFC sends a BGP NOTIFICATION message to the peer and the BGP session is terminated.

RFC 4893 is in the process of getting updated to avoid this problem, and the fix for this bug implements the proposed change. The proposed change is as follows:

"To prevent the possible propagation of confederation path segments outside of a confederation, the path segment types AS_CONFED_SEQUENCE and AS_CONFED_SET [RFC5065] are declared invalid for the AS4_PATH attribute. A NEW BGP speaker MUST NOT send these path segment types in the AS4_PATH attribute of an UPDATE message. A NEW BGP speaker that receives these path segment types in the AS4_PATH attribute of an UPDATE message MUST discard these path segments, adjust the relevant attribute fields accordingly, and continue processing the UPDATE message."

The only affected version of Cisco IOS that supports RFC 4893 is 12.0(32)S12, released in December 2008.

(1) For more information please visit:

http://www.merit.edu/mail.archives/nanog/msg14345.html
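The discard-and-continue handling quoted in CSCsx10140, as an added example that is not Cisco code and not part of the release note: it parses one encoded AS4_PATH path attribute, drops AS_CONFED_SEQUENCE and AS_CONFED_SET segments, and rewrites the attribute length so that UPDATE processing can continue. The function names, the sample attribute, and the choice to return an empty result when no segment remains are assumptions of this example.

```python
import struct

# Path segment type codes (RFC 4271, RFC 5065).
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}

AS4_PATH = 17         # path attribute type code (RFC 4893)
FLAG_EXT_LEN = 0x10   # attribute flag: length field is two bytes


def parse_segments(value):
    """Split an AS4_PATH value into (segment_type, [4-byte ASNs]) tuples."""
    segments, off = [], 0
    while off < len(value):
        if len(value) - off < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[off], value[off + 1]
        off += 2
        end = off + 4 * count
        if end > len(value):
            raise ValueError("segment runs past end of attribute")
        segments.append((seg_type, list(struct.unpack("!%dI" % count, value[off:end]))))
        off = end
    return segments


def encode_segments(segments):
    """Inverse of parse_segments."""
    out = bytearray()
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)])
        out += struct.pack("!%dI" % len(asns), *asns)
    return bytes(out)


def sanitize_as4_path(attr):
    """Return (new_attr, dropped_segments) for one encoded AS4_PATH attribute.

    Confederation segments are discarded and the length field is adjusted.
    A structurally broken attribute still raises ValueError; what the caller
    does with that is outside this example.
    """
    if len(attr) < 3 or attr[1] != AS4_PATH:
        raise ValueError("not an AS4_PATH attribute")
    flags = attr[0]
    hdr_len = 4 if flags & FLAG_EXT_LEN else 3
    if len(attr) < hdr_len:
        raise ValueError("truncated attribute header")
    length = struct.unpack("!H", attr[2:4])[0] if hdr_len == 4 else attr[2]
    value = attr[hdr_len:]
    if length != len(value):
        raise ValueError("attribute length does not match value")

    segments = parse_segments(value)
    kept = [s for s in segments if s[0] not in CONFED_TYPES]
    dropped = [s for s in segments if s[0] in CONFED_TYPES]
    if not kept:
        # Assumption of this example: nothing valid remains, so the caller
        # omits the attribute instead of carrying an empty AS4_PATH.
        return b"", dropped

    new_value = encode_segments(kept)
    # The value only shrinks, so the original length encoding always fits.
    if hdr_len == 4:
        header = struct.pack("!BBH", flags, AS4_PATH, len(new_value))
    else:
        header = bytes([flags, AS4_PATH, len(new_value)])
    return header + new_value, dropped


# Constructed sample: optional transitive AS4_PATH (flags 0xC0) that carries a
# confederation segment in front of a normal AS_SEQUENCE.
SAMPLE_VALUE = encode_segments([(AS_CONFED_SEQUENCE, [65001, 65002]),
                                (AS_SEQUENCE, [196608, 70000])])
SAMPLE_ATTR = bytes([0xC0, AS4_PATH, len(SAMPLE_VALUE)]) + SAMPLE_VALUE

if __name__ == "__main__":
    cleaned, dropped = sanitize_as4_path(SAMPLE_ATTR)
    print("cleaned:", cleaned.hex(), "dropped:", dropped)
```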

CSCsx11776

Symptoms: Executing the commands show ip bgp version recent 1 or show ip bgp version 1 from EXEC mode may cause the device to crash.

Conditions: The symptom is observed in affected images that have support for BGP.

Workaround: Use AAA command authorization to prevent the use of these commands.

Further Problem Description: A note regarding BGP Looking Glasses for IPv4/IPv6, Traceroute & BGP Route Servers:

Per http://www.bgp4.as/looking-glasses, BGP Looking Glass servers are computers on the Internet running one of a variety of publicly available Looking Glass software implementations. A Looking Glass server (or LG server) is accessed remotely for the purpose of viewing routing info. Essentially, the server acts as a limited, read-only portal to routers of whatever organization is running the lg server. Typically, publicly accessible looking glass servers are run by ISPs or NOCs.

Public Looking Glass servers running an affected version of Cisco IOS are especially susceptible to this bug because they provide unauthenticated public access to Cisco IOS devices. Because of this, operators of BGP Looking Glass servers are encouraged to use AAA to prevent execution of the commands mentioned above that are known to crash Cisco IOS.

CSCsx15038

Symptoms: NVgen issue occurs with violate-action commands under policy-map class.

Conditions: When we configure violate-action commands with "police cir" and "exceed" under policy-map class, it is not reflected under show run output.

Workaround: Do not configure violate-action as a whole with the "police cir" and "exceed" commands. Configure them as individual commands.

CSCsx15358

Symptoms: A router may crash after receiving DNS TCP queries.

Conditions: The symptom is observed on a router with "ip dns server" configured.

Workaround: There is no workaround.

CSCsx15370

Symptoms: EIGRP commands may disappear from the interface configuration.

Conditions: The symptom is observed on Cisco routers that are running Cisco IOS Release 12.4T and following an interface flap.

Workaround: There is no workaround.

CSCsx19184

Symptoms: Router crash due to Address Error:

Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0xXXXXXXXX

Conditions: This has been seen on Cisco routers running 12.4T and 12.4 images with SIP traffic.

Workaround: There is no workaround.

CSCsx19577

Symptoms: The router is crashing while booting with the c3270-adventerprisek9-mz.124-22.T1.fc2 image.

Conditions: The symptom is observed with the c3270-adventerprisek9-mz.124-22.T1.fc2 image.

Workaround: There is no workaround.

CSCsx20656

Symptoms: There is traceback after using the auto qos voip trust command under frame-relay mode.

Conditions: This issue is seen with a Cisco 7200 series router loaded with Cisco IOS Release 12.4(23.15)T2.

Workaround: There is no workaround.

CSCsx20984

Symptoms: Router reloads with a bus error and no tracebacks.

Conditions: Unknown at this time.

Workaround: There is no workaround.

CSCsx21482

Symptoms: The following commands executed from the console result in a device reload: write, copy running-config startup-config or show run.

Conditions: The symptom is observed when a large number of interfaces (200+) have been configured for RIPv6 and are active. Interfaces which are down will not contribute to the problem.

Workaround: There is no workaround.

CSCsx23602

Symptoms: Catalyst 6000 running modular Cisco IOS 12.2(33)SXH4 may crash with NAT configuration.

Conditions: Occurs when running modular IOS with a NAT deployment. The crash has been seen only in production, and NAT translation is required for the crash to occur.

Workaround: Run non-modular Cisco IOS Release 12.2(33)SXH4.

CSCsx24996

Symptoms: Removing tunnel configuration can cause the router to crash.

Conditions: Occurs when the tunnel is removed while QoS is active on that tunnel.

Workaround: Stop traffic to the tunnel, remove QoS and then delete the tunnel configuration.

CSCsx25880

A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled. Cisco has released free software updates that address this vulnerability. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml.

CSCsx28297

Symptoms: While the atm pvp command is applied under the ATM interface, a router reloads.

Conditions: This symptom is observed while the atm pvp command is applied under the ATM interface.

Workaround: There is no workaround.

CSCsx29278

Symptoms: A traceback is seen if a high number of HTTP sessions are sent with Java blocking enabled.

Conditions: Occurs on Cisco 3845 and Cisco 7200G1 routers with a high number of HTTP connections per second and with HTTP inspection with Java blocking enabled. May occur on other platforms.

Workaround: Does not impact router functionality. The issue can be avoided by not enabling Java blocking.

CSCsx29605

Symptoms: QSIG-rose memory leak is seen with QSIG MWI feature enabled. The topology is:

Avaya phones----Avaya PBX---QSIG----ISR----SIP-----IP Unity Voice Mail

Conditions: The leak is observed per call during the following call scenario, Leave Message -> MWI ON -> Retrieve Message -> MWI OFF.

Workaround: There is no workaround.

CSCsx32283

Symptoms: Router crashes.

Conditions: Occurs because of a malformed LDAP packet.

Workaround: There is no workaround.

CSCsx33622

Symptoms: Packet drops seen in the network when an IOS application sends full length segments along with TCP options.

Conditions: Issue is seen only in topologies where an IOS device is communicating with a non-IOS peer or with an IOS device on which this defect has been fixed.

Workaround: Reset ip mtu .. to a lower value. Any value lower than the advertised MSS from the peer should always work.

CSCsx34297

Symptoms: Watchdog reset seen with combination of NPEG1+PA-POS-1OC3/PA-POS-2OC3.

Conditions: The symptom is observed on a Cisco 7200 series router and Cisco 7301 router with an NPEG1 processor.

Workaround: Change the MDL of operation to PULL using the command dma enable pull model.

CSCsx34703

Symptoms: In certain corner cases, received BFD packets can fill up the input queue on the incoming interface eventually blocking packet reception on that interface.

Conditions: The symptom is observed when BFD is enabled and BFD adjacency is established after bootup.

Workaround: There is no workaround.

CSCsx35306

Symptoms: Router crashes at "t3e3_ec_safe_start_push".

Conditions: The crash is seen immediately after removing the channel-group of the PA-MC-2T3/E3-EC card.

Workaround: There is no workaround.

CSCsx41059

Symptoms: Cisco 7200 router crashes when ip sla ethernet probe is configured.

Conditions: Occurs when the following commands are entered:

cns config notify diff interval 5

ip sla ethernet echo oper

Workaround: Do not configure cns config notify diff interval 5 when configuring ip sla opers.

CSCsx41496

Symptoms: When the fastethernet interface is up, the reload command takes the card to an empty state. You need to enter resetcd from the PXM to bring the card to an active state.

Conditions: The symptom is observed when the fastethernet interface is connected to a Cisco 3750 router, a 2950 switch and an RPMXF card. The fastethernet interface should be up.

Workaround: Enter resetcd from the PXM.

CSCsx41519

Symptoms: Cisco 7200 router crashes while removing configuration for internal testing.

Conditions: Occurs on a router running an internal build of Cisco IOS Release 12.4T.

Workaround: There is no workaround.

CSCsx41624

Symptoms: In a rare situation when you attempt to browse to a WebVPN portal you only see a blank page. The router does not send the browser a certificate and the portal login page is not displayed.

Conditions: The symptom is observed when the SSLVPN process is waiting for an HTTP REQUEST from a client on the port configured using http-redirect <port no> and never wakes up. This can happen because of an unexpected IPC message sent to the SSLVPN process by another IOS process.

Workaround: Remove http-redirect.

CSCsx44172

Symptoms: A privilege 15 user being authorized against a TACACS server can issue certain commands containing the arguments "full" or "brief" although these commands are disallowed in the TACACS server. For instance:

- show running-config brief

- show running-config full

Conditions: When TACACS debugs are running while the commands are executed, the privilege level is seen to be set to 0 for these commands, although the correct level should be 15. The router is configured with the following:

aaa authorization config-commands

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 0 default none

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

Workaround: There is no workaround.

CSCsx45429

Symptoms: The GM crashes when trying to display VSA policy detail using the command show pas vsa policy detail and when traffic is being sent through the GM.

Conditions: The symptom is observed when using the command show pas vsa policy detail. It may affect all recent software releases.

Workaround: There is no workaround.

CSCsx45923

Symptoms: On a router that has a Virtual Tunnel Interface (VTI) IPSEC configuration, an access control list (ACL) may be bypassed when there is an ACL on the tunnel interface. This happens only in the case where the physical interface (facing the IPSec peer) also has an ACL.

Conditions: This symptom is observed when there is an ACL configured on the physical interface (facing the IPSec peer).

Workaround: Apply the ACL on the protected LAN interface in the outbound direction instead of on the tunnel interface.

CSCsx46297

Symptoms: Easy VPN across Dynamic Virtual Tunnel Interface (DVTI) malfunctions after re-key.

Conditions: Happens only across DVTI. This is not seen with static interfaces.

Workaround: There is no workaround.

CSCsx46421

Symptoms: The file transfer aborts with the Active FTP.

Conditions: The symptom is observed with the image c7200-adventerprisek9-mz.124-23.15.T3.

Workaround: Use Passive FTP (ip ftp passive) for the FTP file to be properly transferred.

CSCsx47227

Symptoms: Incoming traffic on a PBR-configured interface is process switched.

Conditions: The symptom is observed for traffic ingressing on an interface configured for PBR when using an ipbase, ipvoice, or entbase Cisco IOS image.

Workaround: Disable PBR on the incoming interface.

CSCsx48272

Symptoms: A router acting as an EasyVPN client may fail to build the IPSec tunnel and hang in the IPSEC_ACTIVE state, as shown in the show crypto ipsec client ezvpn command output.

Conditions: It is not clear at this point what triggers this failure.

Workaround: There is no workaround.

CSCsx48738

Symptoms: Any queueing policy application on a tunnel interface, with a tunnel state change in parallel, may cause the router to crash.

Conditions: The symptoms are observed with Cisco IOS Release 12.4(20)T2 and 12.4(24)T.

Workaround: If you need to unconfigure QoS on the tunnel, remove the policy first and then shutdown the tunnel. If you need to configure QoS on the tunnel, bring up the tunnel first and then apply QoS.

CSCsx48939

Symptoms: Configuring police "CIR" displays as rate under show policy-map.

Conditions: Above symptom is seen in Cisco routers running Cisco IOS Release 12.4(23.15)T3.

Workaround: There is no workaround.

CSCsx49358

Symptoms: Cisco router may face ping failure between provider and customer networks.

Conditions: Occurs on routers running Cisco IOS Release 12.4(23.15)T3.

Workaround: There is no workaround.

CSCsx49555

Symptoms: There may be a crash at OCE functions after disabling netflow by using the command no ip flow ingress.

Conditions: The symptom occurs when both crypto and netflow configurations are applied.

Workaround: Do not run crypto along with netflow.

CSCsx49881

Symptoms: Bandwidth is not allocated correctly when UBR/ABR value of 5000 is used. ATM PVC initially comes up with 5000 BPS but does not readjust correctly.

Conditions: This symptom is observed on a Cisco router ATM IMA interface when "vc-class" is used. It works fine for 1000.

Workaround: There is no workaround.

CSCsx51103

Symptoms: Router crashes at an OCE function in crypto switching code.

Conditions: The symptom is observed on a Cisco 3845 router that is running Cisco IOS Release 12.4(20)T, 12.4(22)T and 12.4(24)T. The following steps are used to generate the crash:

1. Start VPN client and initiate connection.

2. After successful connection, open DOS prompt.

3. Start a trace route (tracert) to an internal IP OR start to an external IP.

Workaround: There is no workaround.

CSCsx51355

Symptoms: Cisco 3845 used as a WAN aggregator will randomly crash when Frame Relay fragmentation is configured and with high traffic.

Conditions: Occurs when branch routers are configured with FR, EIGRP, GRE, QOS, and Multicast. Traffic is sent. Occurs in an internal build of Cisco IOS Release 12.4(24)T.

This crash would only happen when:

1) Frame-relay is configured together with the QoS policy, and packet size is larger than the fragment size.

2) Traffic exceeds 50% of line rate.

Workaround: Remove the FR fragmentation configuration.

CSCsx51674

Symptoms: Agent entry is not seen.

Conditions: Occurs on a roaming interface that is configured for Collocated Care-of Address (CCoA). The mobile router will not see it as a usable interface.

Workaround: Perform a shut/no shut on the interface.

CSCsx51792

Symptoms: The basic ping fails between two end-to-end ATM interfaces.

Conditions: The symptoms are observed when two end-to-end ATM interfaces are configured. The ping fails.

Workaround: There is no workaround.

CSCsx55240

Symptoms: Router crash seen at "html_config_command".

Conditions: This issue is observed on a Cisco 7200 router running Cisco IOS Release 12.4(24.2)T.

Workaround: There is no workaround.

CSCsx55741

Symptoms: Transit IPsec traffic is dropped on GM GETVPN. The following message is shown:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for 
destaddr=192.168.6.1, prot=50, spi=0xC39A071A(3281651482), srcaddr=192.168.6.2

Conditions: The symptoms are observed under the following conditions:

1. A Cisco 7200 series router in combination with VSA as HW-accelerator.

2. GDOI policy defined to not perform double encryption.

3. R1 connects to R2[GM], connects to R3[GM], connects to R4. (R2 and R3 are two group members of a GETVPN networks.) The GDOI policy is: Deny R1=>R4; Deny R4=>R1; Permit any any.

Workaround: Permit double encryption with the following caveat: If transiting ESP packets are near the IPsec path MTU, then after encapsulation into GETVPN IPSEC they will be fragmented. The receiving side of the transit IPsec flow (e.g. R1 or R4 in the above scenario) will have to reassemble these packets, which can lead to high CPU on the receiving end.

This makes the workaround more or less applicable depending on the transiting traffic pattern.

CSCsx57110

Symptoms: H.324 video calls fail.

Conditions: Occurs when calls go from H.323 leg to SIP leg. Call becomes audio only.

Workaround: Add the following command to the VoIP dial-peer:

voice-class sip calltype-video

CSCsx57925

Symptoms: A Cisco 2811 ISR may crash.

Conditions: The symptom is observed on a Cisco 2811 ISR that is running Cisco IOS Release 12.4(20)T2 and with NAT NVI configured.

Workaround: There is no workaround.

CSCsx58009

Symptoms: SAMI PPC crashes due to a SegV exception at the L2TP process.

Conditions: The symptom is observed under the following conditions:

1. L2TP communication between the LAC and LNS stays down for more than 180 seconds.

2. The crash occurs when the communication goes down about 17 seconds after the last L2TP hello is received.

Workaround: Avoid sending an L2TP hello during the L2TP shutdown process that is started by expiration of the L2TP shutdown timer. (For example, use l2tp tunnel timeout no-session 0. The command tears down the session immediately when there is no session.)

CSCsx58889

Symptoms: Calls fail intermittently with cause "47: no resource available" error.

Conditions: Occurs when router is under load test.

Workaround: There is no workaround.

CSCsx59039

Symptoms: Router crashes at SCCP SPI functions when handling events from STCAPP.

Conditions: This is a corner case that occurs rarely. Only if STCAPP unregisters its SCCP device (forced by a DSP problem, in this case) while the corresponding voice-port is still active (having some internal event in the SCCP SPI queue to be processed after the unregistration), the crash can occur.

Workaround: There is no workaround.

CSCsx59309

Symptoms: Cisco IOS routers crash when filter style is changed from fixed filter (FF) to wild card filter (WF).

Conditions: Occurs when FF style reservation is installed on an interface and is then modified to WF style without first removing the FF style reservation.

Workaround: Remove FF style reservation before configuring for WF style reservation.

CSCsx60891

Symptoms: A numbered ACL with an object-group reference is not nvgened properly.

Conditions: Global (numbered) ACL configuration mode does not support OG. (You can configure OG for numbered ACLs using sub-configuration (named) mode.) This issue applies only to numbered ACLs.

Workaround: Use named ACLs in place of numbered ACLs.

CSCsx61138

Symptoms: Bindings are not cleared after the clear ip mobile binding ip address command is entered.

Conditions: Occurs on a router running Cisco IOS Release 12.4(23.15).

Workaround: There is no workaround.

CSCsx63982

Symptoms: A router configured for SNMP might unexpectedly crash with a bus error code.

Conditions: This issue occurs when you query cSipCfgPeerTable of CISCO-SIP-UA-MIB, more specifically the cSipCfgPeerPrivacy MIB object.

Workaround: Do not poll the cSipCfgPeerPrivacy MIB object.

CSCsx67084

Symptoms: Police policy is not working at Multilink interface with MPLS EXP classification.

Conditions: This symptom is seen with a Cisco 7200 series router after detaching a 3-level policy. In a 3-level policy, police is configured at level 3. After detaching the 3-level policy, attach a single-level policy with a police class.

Workaround: There is no workaround.

CSCsx68254

Symptoms: Device will crash when loading the configuration with service policies with ACLs.

Conditions: This is seen when more than 200 ACL filters are used in a service policy.

Workaround: Remove unused ACLs in class-maps to get under the 200 limit. (The fix allows for 512 filters.)

CSCsx70889

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

CSCsx73867

Symptoms: A router that is running Cisco IOS Release 12.4(22)T and that is configured for L2L tunnels may intercept pass-through UDP 4500 packets destined to an internal client. The following message is logged on the fault router:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for 
destaddr=x.x.x.x, prot=50, spi=0xDD8DEB2(232316594), srcaddr=y.y.y.y.

Conditions: The symptom is observed on a router that is running Cisco IOS Release 12.4(22)T configured for IPSec. Internal IPsec client is natted on the router using NAT-T.

Workaround: There is no workaround.

CSCsx74151

Symptoms: Large packets may be dropped if prefragmentation is enabled with VSA.

Conditions: The symptom is observed when GETVPN creates some tunnels with time-based anti-replay and others with counter-based anti-replay/no anti-replay.

Workaround: Use the same replay method for all the SAs in the router.

CSCsx74657

Symptoms: Multiple issues are seen on multicast NAT. NAT is adding the number of dynamic entry statistics for every new multicast packet, even though there is already an existing NAT flow entry. This causes the number of dynamic entries to be inconsistent with the output from show ip nat trans. Also, dynamic NAT entries cannot be deleted with clear ip nat trans *. Finally, every fragmented multicast packet creates a separate NAT entry.

Conditions: Occurs when ip pim sparse-dense-mode is configured on the interfaces with NAT overload.

Workaround: There is no workaround.

CSCsx75004

Symptoms: In a Carriers Carrier, the CSC-PE router advertises wrong out-label. This causes the end-to-end LSP to be broken in the CSC network, and all traffic is dropped.

This problem is observed by entering the show ip bgp label command on CSC-CE. The "Out Label" of the route is shown as "imp-null".

Conditions: This condition is observed in routers that are running Cisco IOS Release 12.0(32)SY6.

Workaround: Configure neighbor {ip-address | peer-group-name} next-hop-self on CSC-PE.

CSCsx82690

Symptoms: A voice gateway placing ISDN calls will exhibit a memory leak. The effects of this memory leak can be seen with the show process memory command. It shows that the amount of memory the ISDN process is holding continues to increase without being released.

Conditions: The symptom is observed on a voice gateway that is processing ISDN calls on a PRI interface. Switchtype is set to be primary-QSIG and the calls that leak memory are QSIG-GF (connection-oriented calls) and not regular voice calls. Such calls are typically used when implementing supplementary services such as MWI.

Workaround: There is no workaround.

CSCsx94324

Symptoms: Packets with certain packet sizes get dropped when being CEF-switched on a router.

Conditions: The symptom is observed when CEF is enabled and when the outbound interface is an HWIC-4SHDSL DSL interface. It is observed when the packet undergoes fragmentation.

Workaround: Disabling CEF is a workaround.

CSCsx96381

Symptoms: A video conference device makes a video call to a TDM Conference Station through an H320 gateway. When the call is placed, only the primary channel goes up and the H320 gateway does not proceed with secondary channels.

Conditions: The symptom is observed with Cisco IOS Release 12.4(22)T.

Workaround: There is no workaround.

CSCsy07953

Symptoms: Any attempt to copy a file from a router to an FTP server will fail. The FTP error is "No such file or directory".

Conditions: This is only a problem with FTP and only when transferring to an FTP server. Transfers from an FTP server work as expected.

Workaround: Use a different file transfer protocol, such as TFTP.

CSCsy09101

Symptoms: Cisco Configuration Professional (CCP) is unable to load signatures from the router. IOS-IPS signatures cannot be viewed or modified using CCP.

Conditions: The symptom occurs when using CCP to manage IPS5.0 in routers that are running Cisco IOS Release 12.4(20)T2, 12.4(24)T and 12.4(22)T1.

Workaround: There is no workaround from CCP. Use CLI to view or modify IPS signatures.

CSCsy10653

Symptoms: Calls on an MGCP gateway negotiating the g729br8 codec may fail to have audio in one or both directions.

Conditions: This occurs on MGCP gateways with the fix for CSCsu66759 when the g729br8 codec is being negotiated.

Workaround: Any of the following will be sufficient to get around this issue:

1. Configure the gateway for static payload type using the following commands on the gateway:

mgcp behavior g729-variants static-pt

mgcp behavior dynamically-change-codec-pt disable

2. Disable g729br8 from being negotiated for this call. If CUCM is involved, this is done with the service parameter "Strip G.729 Annex B (Silence Suppression) from Capabilities".

3. Use a Cisco IOS code on the gateway which does not contain the fix for CSCsu66759 (Cisco IOS Release 12.4(22)T and below).

CSCsy14244

Symptoms: Video call between two Cisco Unified Video Advantage endpoints results in one-way audio and no video.

Conditions: Occurs when call passes through Cisco Unified Border Element (CUBE).

Workaround: There is no workaround.

CSCsy15227

Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.

There are no workarounds that mitigate this vulnerability.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml

CSCsy15468

Symptoms: The keyserver crashes and reloads.

Conditions: The symptom is observed if test case 1 in TBAR sanity regression on the VSA is configured and then unconfigured. When configuring the second one, the keyserver crashes.

Workaround: There is no workaround.

CSCsy16092

Symptoms: A router running Cisco IOS or Cisco IOS XE may unexpectedly reload due to watchdog timeout when there is a negotiation problem between crypto peers. The following error will appear repeatedly in the log leading up to the crash:

.Mar 1 02:59:58.119: ISAKMP: encryption... What? 0?

Conditions: Occurs when the device has debug crypto isakmp enabled.

Workaround: Remove this debug command.

CSCsy16177

Symptoms: Cisco 2811 experiences invalid checksum over SCP on SSH version 2.

Conditions: Occurs on a Cisco 2811 with flash type file system.

Workaround: There is no workaround.

CSCsy16220

Symptoms: A switch may reload with messages on both the RP and SP similar to:

%CPU_MONITOR-2-NOT_RUNNING: CPU_MONITOR messages have not been sent for 30 seconds

Conditions: The symptom is observed with SNMP polling configured for SNMP MIB:

ceemEventMapEntry, oid 1.3.6.1.4.1.9.10.91.1.1.1.1

This crash will only occur on modular IOS.

Workaround: Disable SNMP polling of SNMP MIB:

ceemEventMapEntry, oid 1.3.6.1.4.1.9.10.91.1.1.1.1 

CSCsy19659

Symptoms: When using Point-to-Point Tunnelling Protocol (PPTP) with RADIUS Accounting, there may be several "nas-error" and "lost-carrier" listed in accounting as the Acct-Terminate-Cause.

Conditions: The symptom is observed when using Cisco IOS Release 12.4T (Releases 12.4(15)T-12.4(22)T confirmed) and using PPTP with RADIUS Accounting in place.

Workaround: There is no workaround.

CSCsy19751

Symptoms: Several chunk element leakages are seen when the show memory debug leaks chunk command is entered.

Conditions: Occurs after a reboot.

Workaround: There is no workaround. Please ignore the leaks as they are false alarms.

CSCsy20488

Symptoms: IPsec/GRE traffic does not go over an ATM interface.

Conditions: The symptoms are observed when using a VSA encryption card and when the ATM interface is using PVC bundles.

Workaround: Do not use PVC bundles.

Alternate workaround: Disable the VSA encryption and use software encryption (not recommended for a high load of encryption).

CSCsy22311

Symptoms: Using secure copy (SCP) between Cisco routers may cause compatibility issues.

Conditions: Occurs when using SCP SSH version 2 between a Cisco 1800 and Cisco 2800.

Workaround: There is no workaround.

CSCsy22825

Symptoms: Chunk leak is seen whenever one PPPoE session is cleared.

Conditions: Occurs only when one session is cleared.

Workaround: There is no workaround.

CSCsy22920

Symptoms: A router crashes at mripv6_mode_entry when the authentication key is configured to be equal to 64 bytes.

Conditions: The symptom is observed on a router that is running the c7200-adventerprisek9-mz.124-24.6.T image.

Workaround: Configure an authentication key of less than 64 bytes.

CSCsy24676

Symptoms: On occasion, a false positive is returned on a file system failure. File operation is deemed successful when, in fact, it has failed.

Conditions: This problem occurs when the file system device returns an error and the code follows the path in the file system buffer cache where the error is masked and converted to a success code. This problem is likely to show up if there is a device error during the write. The device error may be due to bad media or an OIR (although it is very unlikely during an OIR).

Workaround: There is no workaround.

Further Problem Description: This is possible during any file system operation where a file system device is unable to complete the operation and an error is returned. This error is not passed down to the file system stack but is converted to a success code. Other clients which are dependent on previous file system operations fail on successive file system calls and possibly result in a crash.

CSCsy27394

Symptoms: Users who can execute a show ip interface command can see that an LI tap is in progress.

Conditions: No specific conditions are necessary to trigger this problem.

Workaround: There is no workaround.

CSCsy28758

Symptoms: HLog softkey stops working.

Conditions: The symptom is observed under the following conditions:

1. When logging into an EM profile where the user was logged out from the hunt group.

2. This is to be done on a phone where an EM profile was previously logged in, which was also logged into the huntgroup.

Workaround: Log in with the EM profile on the phone that was used to log out the huntgroup.

CSCsy29828

Symptoms: A Cisco router may reload due to a bus error. The error indicates trying to read address 0x0b0d0b**, where ** is around 29.

Conditions: This has been experienced on a Cisco 2800 series router running Cisco IOS Release 12.4(24)T. The router must be configured with NAT, and SIP traffic is passed through the NAT router.

Workaround: Enter the following commands:

no ip nat service sip tcp port 5060

no ip nat service sip udp port 5060

Or

ip nat translation timeout never

CSCsy31365

Symptoms: Memory leak of 24-bytes can occur when a transcoding call is disconnected.

Conditions: The symptom is observed with Cisco IOS Release 12.4(24.6)T and is seen while shutting down the DSPfarm profile when the transcoding call is active in IPIPGW.

Workaround: There is no workaround.

CSCsy32146

Symptoms: Through-the-box traffic is dropped on the router (when the egress path is from the clear-text side to the encrypted side).

Conditions: The symptom is observed with Cisco IOS Release 12.4(20)T and with L2TP over IPSec with a front door VRF.

Workaround: Disable ip route-cache and ip route-cache cef on the clear-text interface (where the clear-text traffic comes from).

CSCsy40285

Symptoms: Cisco 3845 crashes during end point registration.

Conditions: Occurs on a router running the c3845-adventerprisek9-mz.124-24.T.bin image.

Workaround: Increase tcp idle-timeout to 7200 seconds.

CSCsy45371

Symptoms: The clear ip nat tr * command removes corresponding static NAT entries from the running configuration, but removing static NAT running configuration does not remove the corresponding NAT cache.

Conditions: Occurs when NAT commands are entered while router is processing around 1 Mb/s NAT traffic.

Workaround: Stop the network traffic while configuring NAT.

CSCsy46007

Symptoms: EzVPN tunnel will not come up after a reload. EzVPN tries to connect to the peer with the outside interface IP address set to "NULL". The following debug message is seen if "debug crypto isakmp" is enabled:

EX: "ISAKMP:(0):receive null address from sa_req (local 0.0.0.0, remote 192.168.76.40)

Conditions:

1. EzVPN is in connect acl or auto mode.

2. Outside interface is configured on dialer interface.

3. This issue is seen only when EzVPN is trying to ask the dialer to kick start and dialer is not yet ready or dialer has not yet assigned the IP address to the interface.

Workaround: There is no workaround.

CSCsy54068

Symptoms: HQF policer policy with exceed action does not attach. Or, when execute exceed action is in an attached parent policy, the policy is removed from the interface.

Conditions: This symptom is seen in a two level, two rate, two color policy.

Workaround: There is no workaround.

CSCsy54122

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsy58115

Symptoms: In a router running BGP, the BGP process may hold increased amounts of memory over time without freeing any memory. This may also be seen from the output of show proc mem sort and in the output of show ip bgp sum or show ip bgp vpnv4 all sum and looking at the number of BGP attributes which may be increasing over time in relation to the BGP prefixes and paths which may remain roughly the same.

Conditions: Some BGP neighbors are not in established state and exchanging prefixes. The issue is observed on all platforms running the following releases of Cisco IOS:

12.2(31)SB14

12.2(33)SB1b

12.2(33)SB2

12.2(33.05.14)SRB

12.2(33.02.09)SRC

12.2(33)SRC3

12.4(20)T2

12.4(22)T1

12.2(33)SXI or later releases.

Workaround: Remove the configuration lines related to the inactive neighbors (neighbors in Idle or Active states).

CSCsy58984

Symptoms: A device that is running Cisco IOS Release 12.4(24)T reloads when editing ACL with an object group.

Conditions: The symptom is observed on a Cisco 3845 and 2800 series router that is running Cisco IOS Release 12.4(24)T and 12.4(24.6)T2.

Workaround: Avoid using "range" in any of the object groups (either direct or nested) and containing a group of objects which use a range of IP addresses.

CSCsy61209

Symptoms: An IP-to-IP gateway (IPIPGW), also called CUBE, is adding an incorrect token in the H225 connect message.

Conditions: The symptom is observed on an IPIPGW running Cisco IOS Release 12.4(20)T1, with the H323 signaling protocol in use on both sides and with security enabled.

Workaround: There is no workaround.

CSCsy70619

Symptoms: A router may crash when multipath is enabled and when the MR is registered with two or more of its roaming interfaces.

Conditions: The symptom is observed when using the no ip mobile router-service roam command on any one of the MR's roaming interfaces.

Workaround: There is no workaround.

CSCsy71258

Symptoms: Unable to boot a Cisco 850 series router using Cisco IOS Release 12.4(15)T9.

Conditions: The symptom is observed on a Cisco 850 series router with 64MB of DRAM. The image requires more DRAM to boot.

Workaround: There is no workaround.

CSCsy73838

Symptoms: Connection for TR-069 is lost to the device after the device reloads.

Conditions: The symptom is observed under the following conditions:

1. Enable CWMP in the router. Inform is sent to ACS.

2. Router is reloaded with CWMP-enabled in the startup configuration.

3. When the router is reloaded, it sends the Inform request to ACS. In this Inform request, a ConnectionRequestURL value is formed without the ProductClass value.

4. ACS cannot initiate a connection to the router with the ConnectionRequestURL sent in the Inform request.

Workaround: There is no workaround.

CSCsy74329

Symptoms: The following message appears on the console:

[crypto_bitvect_alloc]: bitvect full (size = 8192) -Traceback= 0x4244AB0 0x426875C 
0x426AE60 0x426B330 0x426FAF4 0x4292B7C 0x4293278 0x75429C

Conditions: The symptom is observed when the GetVPN rekey is used with a number of Deny ACL entries and with VSA.

Workaround: There is no workaround.

CSCsy76185

Symptoms: The following traceback may be seen:

Local7.Critical 192.168.133.252 827681: %SYS-2-NOBLOCK: printf with blocking disabled. 
Local7.Critical 192.168.133.252 827682: -Process= "IP Input", ipl= 0, pid= 61 
Local7.Critical 192.168.133.252 827683: -Traceback= 0x11EF3E4 0x1203120
0x180214C 0x1209F54 0x120A0B8 0x179EF5C
0x19A1F94 0x19A270C 0x19A2930 0x19A2B0C 0x196B6FC 0x196EC44 0x197115C 0x1972F8C 
0x17AC2F4 0x17AC87C

Conditions: The symptom is observed during basic function.

Workaround: There is no workaround.

CSCsy77191

Symptoms: Native GigE interfaces of a Cisco 7200 NPE-G2 router will not acknowledge reception of pause frames and will not stop its transmission in case of media-type RJ45.

Conditions: The symptom is observed with media-type RJ45 and with SFP with "no neg auto" configured.

Workaround: There is no workaround.

Further Problem Description: There are no issues with SFP with a "neg auto" configuration.

CSCsy79176

Symptoms: Need to disable CEF to pass IP traffic. With CEF enabled, traffic fails to pass.

Conditions: The symptom is observed on a Cisco 2801 and 2811 router that is running the ipvoicek9-mz.124-23_15_PI10 image.

Workaround: Disable CEF OR shut/unshut the interface with incomplete adjacency (using the show adjacency command).

CSCsy79301

Symptoms: A router crashes when a multicast group address joins and leaves the MLD group from the client within the configured delay time.

Conditions: The symptom is observed when applying MLD leave for the group for which accounting has not yet started.

Workaround: There is no workaround.

CSCsy79955

Symptoms: Reverse SSH using PVDM2 modems fails. If the ssh -l <username>:<line #> <ip> command is entered, modem activation is triggered. The input of "atdt<number>" reaches the modem, meaning that whatever is typed in the <number> field is reported in the debugs. However, the modem does not send anything back to the router about it and no connection is made. At the modem prompt, "at", "at&f", "ate1" (and perhaps others) do not appear to be taken.

Conditions: Seen on routers running Cisco IOS Release 12.4(22)T and 12.4(23). Appears to be an issue with all releases. Issue is seen both when using ssh -l <username>:<line #> <ip> and when using SSH from a client to a particular line.

Workaround: There is no workaround.

CSCsy81339

Symptoms: The device crashes due to a bus error (CPU signal 10).

Conditions: This symptom is observed on a Cisco 3825 router that is running c3825-advipservicesk9-mz.124-20.T1.bin. The crash occurs while removing some classes (no class <x>) from a policy-map that is applied on an interface.

Workaround: There is no workaround.

CSCsy84229

Symptoms: When an HTTP request with payload of greater than 10MB is sent to the HTTP server of the router, the server is not able to process the request and responds back with the message "request entity too large".

Conditions: The symptom is observed with Cisco IOS Releases 12.4(22)T and 12.4(24)T and when the payload is above 10MB.

Workaround: Updating the signatures from S385 is a potential workaround.

Further Problem Description: This behavior is only evident while applying S386 and above on devices that do not have any previous signature package. This error does not appear while updating signature from S385 to S386.

CSCsy84286

Symptoms: Router crashes while removing "ip dhcp class".

Conditions: The symptom occurs with relay agent information and relay-information hex configured.

Workaround: There is no workaround.

CSCsy87674

Symptoms: Calls via an MGCP gateway registered to a Cisco Unified Communications Manager (CUCM) fail immediately with a codec negotiation error.

Conditions: The symptom is observed when a CUCM is configured to use the G729 codec for the MGCP gateway.

Workaround: Use the G729 AnnexB codec between the MGCP gateway and CUCM.

CSCsy91748

Symptoms: An NM-CEM-4SER module crashes.

Conditions: The symptom is observed with an NM-CEM-4SER module when its payload size is changed on a CEM port which is part of a multiplexed group that is created using the attach <port> command.

Workaround: Reload the router after using the write config command.

CSCsy93054

Symptoms: WebVPN portal is not displayed. The router closes the SSL negotiation as soon as it sends an SSL "Server Hello" message by sending a TCP FIN.

Conditions: The symptom is observed when a trustpoint uses a certificate chain of larger than 4096 bytes.

Workaround:

1. Use a smaller certificate chain.

2. Use self-signed certificates.

CSCsy95484

Symptoms: Ping fails from gen to ref.

Conditions: The symptom is observed when the router is loaded with Cisco IOS Release 12.4(24.6)T5.

Workaround: Perform a shut and no shut on the VLAN interface and the ping passes.

CSCsy97506

Symptoms:

Case 1: All NAT multicast data packets are processed by software.

Case 2: Spurious memory access occurs.

Conditions:

Case 1: NAT with static port entry, or dynamic overload configuration.

Case 2: Configure ip nat dynamic nat rule with an undefined NAT pool.

Workaround:

Case 1: Configure NAT as static entry without port, or dynamic non-overload.

Case 2: Configure with defined pool.

CSCsz00890

Symptoms: Cisco 7200 router crashes.

Conditions: Occurs when Distributed LFI over ATM (dLFIoATM) is configured on a Cisco 7200 and a QoS policy is attached.

Workaround: There is no workaround.

CSCsz05783

Symptoms: Voice/SIP (ef) packets are not marked in the ingress/egress when NAT is enabled on the interface.

Conditions: Occurs when NAT is enabled.

Workaround: Remove NAT from the configuration.

CSCsz16386

Symptoms: The router reboots and also produces traceback output.

Conditions: This happens when running check syntax mode. In syntax mode, when a user enters the event manager applet submode and executes the no event manager applet xxx command two times, this causes the reboot. "xxx" is the applet name specified when the user enters the submode.

Workaround: Do not run the no event manager applet xxx command in check syntax mode.

CSCsz16635

Symptoms: One-way audio may be experienced on a call which traverses a transcoder hosted on an ISR platform (e.g.: Cisco 2800, 3800 etc) after a hold, resume, or transfer.

Conditions: When the call is held or resumed, there is a significant change in the RTP Sequence Numbers but the SSRC does not change. This behavior may cause the receiving device to assume that the RTP packets are out of sequence (i.e.: late, early, or lost) and therefore the receiving device may drop them.

Workaround:

1. A hold/resume from the phone receiving the out-of-sequence RTP audio packets will restore normal reception of audio.

2. If possible, use a Communications Media Module (CMM) module for transcoding while ensuring that the Cisco IOS Release used on the CMM module has the fix for CSCsi27767.

3. If possible, eliminate the need for a transcoder in the audio path for affected call flows.

4. This problem does not affect Cisco IOS Software Media Termination Points (MTPs) nor SW MTPs hosted on a Cisco Unified Communications Manager (CUCM) server. So, if like-to-like capabilities (i.e.: codec and packetization) are being used, then using a SW MTP via IOS or CUCM may be an option.

Further Problem Description: This issue looks very similar to CSCsi27767 which was opened and resolved against the Catalyst 6000's CMM. The fix for CSCsi27767 is, however, only intended for the CMM platform.

IOS DSPFarm services and voice gateways will now avoid generating discontiguous RTP sequence numbers with the same SSRC, by using a new SSRC and setting the marker bit of the first RTP packet for the new SSRC whenever its DSP restarts the RTP sequence number due to call features such as call transfer, hold, resume, etc.

CSCsz16941

Symptoms: A TR-069 Agent becomes disabled on the router and the device is unreachable from the ACS server.

Conditions: The symptom is observed when a TR-069 Agent is enabled and running on a router and the default WAN interface is configured and has a DHCP-assigned IP address. When the configurations are saved and the router is reloaded the issue is seen.

Workaround: If possible, do not save the configurations on the router when the WAN interface gets a DHCP-assigned IP address.

Alternate workaround: Use the write erase command and remove all the configurations just before every router reload.

CSCsz21577

Symptoms: SIP-NAT SBC does not properly preserve the Contact Header for outside-to-inside translations.

Outside Packet:

Contact: "EMTAlinea1"<sip:1188800099@192.168.15.10:1032;transport=udp>;expires=1674

Inside Packet:

Contact: "EMTAlinea1"<sip:1188800099@10.0.2.101:5060;expires=60

Conditions: Only seen on outside-to-inside translations when using the registration-throttle feature.

Workaround: There is no workaround.

CSCsz23951

Symptoms: NSAP address family cannot be configured.

Conditions: The symptom is observed with the initial configuration.

Workaround: There is no workaround.

CSCsz29815

Symptoms: TTY sessions not accessible after reverse SSH session to the same TTY port results in failed authentication.

Conditions: Occurred on a router running Cisco IOS Release 12.4(24)T and configured with TTY lines accessed using reverse SSH Version 2. Issue also affects SSH version 1 and affects VTY lines.

Workaround: Reload the router.

CSCsz38104

The H.323 implementation in Cisco IOS Software contains a vulnerability that can be exploited remotely to cause a device that is running Cisco IOS Software to reload. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate the vulnerability apart from disabling H.323 if the device that is running Cisco IOS Software does not need to run H.323 for VoIP services. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-h323.shtml.

CSCsz45855

Symptoms: Cisco Unified Border Element (CUBE) ignores reINVITEs from Cisco Customer Voice Portal (CVP).

Conditions: While call transfer is in progress and CUBE is waiting for NOTIFY (with 200 or any final response code) after receiving NOTIFY (with 100), it receives INVITE.

Workaround: There is no workaround.

CSCsz48392

Symptoms: Doing reverse SSH to a TTY line, which is busy, causes the terminal server to crash.

Conditions: This issue is encountered in a Cisco 3845 router that is running Cisco IOS Release 12.4(23).

Workaround: There is no workaround.

CSCsz50423

Symptoms: The clear interface atm5/ima command makes the ATM PVC inactive.

Conditions: Occurs on a Cisco 7200 router running Cisco IOS Release 12.4(24.6)T8.

Workaround: There is no workaround.

CSCsz52576

Symptoms: The vlan.dat file gets deleted after the second reload of the router, and the VLAN definition and names are lost (not the interfaces and IP addresses). It has been observed that when the vlan.dat is lost, in "sh vtp status" the VTP Domain Name is blank (and was properly configured before).

Conditions: This behavior is observed in a Cisco 3270 router that is running Cisco IOS Release 12.4(24)T. It is also observed with Cisco 1800 ISR with switch modules in Cisco IOS Release 12.4(22)T.

Workaround: There is no workaround. Customer needs to reconfigure them again after reboot. This problem is not observed in Cisco IOS Release 12.4(15)T.

Further Problem Information: When a customer is running an image that does not store the VTP and VLAN information in the start-up configuration or the normal output of show running-config, the vlan.dat file gets overridden to the default vlan.dat approximately 2 minutes after reboot. The current VLANs and VTP information remains operational until the router is rebooted.

A reboot causes the VLANs and VTP information to disappear because the start-up configuration does not contain any VLAN or VTP information, nor does the vlan.dat file in flash.

The operating VTP information appears in the output of show running-config all (which shows non-default and default values), indicating that the router considers the VTP information to be at default values even when there is a VTP domain name configured. This allows the VLANs and VTP to remain operational until the router is rebooted.

CSCsz52815

Symptoms: If the number of hours for statistics is increased to 10 or more after the probe is initially run and then restarted, the system crashes with memory corruption.

Conditions: Occurs when the probe is started with the hours of statistics less than 10 and then re-started with the hours of statistics greater than 9.

Workaround: There is no workaround.

CSCsz53177

Symptoms: When running Network Load-balancing (IGMP-mode) in VLANs with PIM enabled and static ARP entries for unicast IP to layer-2 multicast address, packet duplication will occur.

Conditions: This symptom occurs when sending unicast (non-multicast) IP packets with multicast layer-2 destinations.

Workaround: Use non-IGMP NLB modes (unicast or multicast with static macs) or use IGMP snooping querier instead of PIM on NLB SVIs.

CSCsz55293

Symptoms: A remote third-party device is resetting the IPv6 BGP session with a Cisco 12000 router.

Conditions: BGP is exchanging only IPv6 capability with the remote EBGP peer, but IPv4 capability will be enabled by default. The remote EBGP peer is sending only IPv6 capability, and we should advertise only IPv6 prefixes because that is the capability negotiated. We are wrongly marking IPv4 capability as negotiated and advertising IPv4 prefixes, and the remote neighbor is resetting the session because IPv4 capability is not negotiated at the peer end.

Workaround: Configure a route map to deny all IPv4 prefixes, and apply it as follows:

route-map deny-ipv4 deny 10
router bgp <asnum>
 address-family ipv4
  neighbor <IPv6Address> activate
  neighbor <IPv6Address> route-map deny-ipv4 out

CSCsz58813

Symptoms: Cisco UC500 console displays the following log(s) constantly:

%PQII_PRO_FE-4-QUEUE_FULL: Ethernet Switch Module transmit queue is full.

Phones and hosts connected to the UC cannot retrieve IP addresses via DHCP.

Conditions: This problem occurs shortly after a reload of the Cisco UC500 (on the CME side). This problem is observed after upgrading from Cisco IOS Release 12.4(20)T2 to Cisco IOS Release 12.4(20)T3.

Workaround: There is no workaround.

CSCsz63721

Symptoms: CPU utilization goes to 90% or above when PfR is configured with a large number of policies using fastmode and forced target.

Conditions: The problem is limited to a large number of forced targets (greater than 500) and fastmode with a probe frequency of 2-5 seconds. CPU usage progressively gets worse as the number increases.

Workaround: Use longest-match targets instead of forced targets. Forced targets are configured under oer-map, and longest-match targets are configured under OER master. Forced targets are required only if the target does not belong to the destination subnet of the traffic-class being optimized.

CSCsz66965

Symptoms: After the activation of the HW encryption modules (VSA), the following message is logged by Cisco 7200:

%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Unknown Error

There is a traffic impact towards the destination mentioned in the error.

Conditions: This symptom occurs when VSA hardware encryption is used on a Cisco 7200 with Time-based anti-replay (TBAR) enabled.

Workaround: Disable Time-based anti-replay (TBAR).

Further Problem Description: This happens when VSA receives a very small UDP fragment that is less than 26 bytes.

CSCsz68373

Symptoms: After configuring NAT, traffic fails to hit the policy-map of the frame-relay serial interface.

Conditions: This issue is seen with NM-1T3/E3 of a Cisco 3845 router only when NAT is configured.

Workaround: Remove and re-apply the frame-relay map-class under serial interface after NAT is configured.

CSCsz69486

Symptoms: A multicast video stream forwarded between GE0/0 subinterfaces is policed by the Control Plane Policing (CoPP) class-default. As soon as CoPP is removed, the video recovers its original quality.

With CEF:

qffsydbd6ar01#deb control-pl
qffsydbd6ar01#sh log | i reason 
Control Plane: marking pak exception [cef reason 12]
Control Plane: marking pak exception [cef reason 39]

Without CEF:

qffsydbd6ar01(config)#no ip cef
qffsydbd6ar01#deb control-pl
qffsydbd6ar01#sh log
Control Plane:marking in pak exception [non cef linktype IP]

Conditions: This occurs after upgrading to Cisco IOS Release 12.4(20)T2.

Workaround: There is no workaround.

CSCsz74859

Symptoms: NHRP cache entry is not getting created for certain spoke nodes.

Conditions: This symptom occurs when two spokes A and B advertise the same subnet with varying masks (anything other than /8 or /16 or /24). A third spoke upon receiving such routes (from the hub), in order to send traffic to such subnets, can form a dynamic tunnel with either A or B but not both at the same time.

Workaround: There is no workaround.

Further Problem Description: There is no hindrance to traffic since it continues to flow via the hub. When a tunnel with spoke A is formed, there is no problem with traffic to the subnet behind spoke A. But traffic to the subnet behind spoke B takes the spoke A - hub - spoke B path. This can be easily noted by traceroute.

CSCsz79001

Symptoms: A Cisco 87x router may hang or crash after displaying "Now reloading" during ROMmon upgrade when using the upgrade rom-monitor file flash: command.

Conditions: This occurs when a router running ROMmon release 12.3(8r)YI4 or an older ROMmon from alternate space is upgraded to YI5 or a newer ROMmon version.

Workaround: Power cycle the router to recover from this hang state. The router will then boot with the upgraded ROMmon.

CSCsz81308

Symptoms: Using "send break" causes router to display "TLB Miss exception" error and hang indefinitely.

Conditions: Occurs on a Cisco 800 router running Cisco IOS Release 12.4(24.6)T9.

Workaround: There is no workaround.

CSCsz86837

Symptoms: After a few days of normal operations, the Cisco L2TP network server (LNS) starts rejecting a significant percentage of L2TP sessions. While the problem is present, debug vpdn l2x-event shows:

"312238: May 13 14:32:43.042: VPDN Tnl/Sn 0 0 CLIENT: fail to set server 000BA226 -> session 000BA226
312239: May 13 14:32:43.042: VPDN Unknown vpdn syslog error due to AAA disconnect code 0"

Conditions: Occurs after a few days of LNS uptime.

Workaround: There is no workaround.

CSCsz92463

Symptoms: GetVPN Key Servers no longer function in cooperative mode. The Key Servers (KSs) will fail to communicate with each other, and each will assume it is the primary. GMs registering to different KSs will not be able to communicate with GMs registered to a different KS.

Conditions: This symptom occurs when using GetVPN Key Servers in cooperative mode.

Workaround: There is no workaround.

CSCsz92924

Symptoms: CPU HOG in Crypto ACL is seen on the GM. The GM may crash some milliseconds later after printing the hog.

Conditions: This symptom is observed on a large ACL on the KS (greater than 70 lines) with or without large ACL locally on the GM.

Workaround: Limit the ACL length drastically.

CSCta00794

Symptoms: %SYS-3-CPUHOG is seen when multicast fanout performance test is executed with a large number of IGMP or PIM joins and forwarding out through a large number of OIF (1000 sub-interfaces).

Conditions: Observed on a Cisco 7200 router running Cisco IOS Release 12.4(24.06)T9.

Workaround: There is no workaround.

CSCta03167

Symptoms: Cisco router crashes.

Conditions: Occurs when you change your present working directory to a directory where an image is located. Using the secure boot-image command to secure the image causes the crash.

Workaround: There is no workaround.

CSCta04391

Symptoms: Router with dynamic NAT configuration crashes after deleting ip nat inside source list.

Conditions: Router crashes only when there is unicast and multicast traffic and the following sequence of steps occurs:

1. clear ip nat translation * or clear ip nat translation forced.

2. no ip nat inside source list access-list-number pool pool-name

Workaround: Delete ip nat inside source list without clearing NAT translations.

Open Caveats—Cisco IOS Release 12.4(24)T

This section describes possibly unexpected behavior by Cisco IOS Release 12.4(24)T. All the caveats listed in this section are open in Cisco IOS Release 12.4(24)T. This section describes severity 1 and 2 caveats and select severity 3 caveats.

Miscellaneous

CSCsk89671

Symptoms: When a simple shaping policy is applied on a Dynamic Multipoint VPN (DMVPN) tunnel, and multicast traffic is forwarded over the tunnel, shaping functionality is broken.

Conditions: Shaping functionality works for unicast traffic. The issue is seen only with multicast traffic.

Workaround: There is no workaround.

CSCsm53260

Symptoms: TCP may exhibit some unexpired managed timers. The TCP retransmission timer for a given TCB in show tcp may be past due.

Conditions: This is a rare situation.

Workaround: There is no workaround.

CSCsm87925

Symptoms: Memory leak occurs in SSGCmdQue.

Conditions: Occurs on routers configured for Service Selection Gateway (SSG) and running Cisco IOS Release 12.4(15)T2.

Workaround: There is no workaround.

CSCso87768

Symptoms: Cisco 877 and Cisco 878 routers suffer from flapping ATM interfaces.

Conditions: Observed with Cisco 877 and Cisco 878 routers configured for ADSL2+ training to Nokia D500 DSLAM.

Workaround: There is no workaround.

CSCsq14998

Symptoms: GPRS Gateway Support Node (GGSN) router crashed while doing stress testing after 30 minutes using iSCSI. Traceback pointed to parse_radius_response.

Conditions: Router configured for 120K IP packet data protocol (PDP) and sends bidirectional IMIX traffic at 99 kpps. When call detail records (CDRs) are written to iSCSI, GGSN uses 99% CPU.

Workaround: There is no workaround.

CSCsq47730

Symptoms: Router displays the following error message, then freezes:

%SYS-2-BADSHARE: Bad refcount in retparticle

A reload is required to recover.

Conditions: Occurs on a Cisco 1803 running Cisco IOS Release 12.4(6)T7.

Workaround: There is no workaround.

CSCsq75772

Symptoms: Classification failed on virtual interface.

Conditions: Occurred on a Cisco 7200 router running Cisco IOS Release 12.4(15)T06.

Workaround: There is no workaround.

CSCsr01717

Symptoms: GPRS Gateway Support Node (GGSN) continually reboots.

Conditions: Occurs when configured for Redundancy Facility (RF) inter-device.

Workaround: There is no workaround.

CSCsr16147

Symptoms: Session is not getting disconnected when the locally configured timers expire.

Conditions: Occurs while testing an internal build of Cisco IOS Release 12.4(22)T on the Cisco 7200.

Workaround: There is no workaround.

CSCsr60092

Symptoms: One-way audio is observed after use of the TCL [connection create] command.

Conditions: Occurs with TCL application running on Cisco IOS Release 12.4(15)T6 and playing media in incoming_leg and leg setup without bridging incoming leg [leg setup $dnis callInfo].

Workaround: There is no workaround.

CSCsr62645

Symptoms: Software-forced reload occurs on Cisco 870 router.

Conditions: Encountered during extended VLAN testing.

Workaround: There is no workaround.

CSCsr99642

Symptoms: HWIC-2SHDSL is not recognized after warm reload of Cisco 2821. Unknown VWIC messages are seen on console.

Conditions: Occurs on a Cisco 2821 with HWIC-2SHDSL module. Enabling warm reboot and issuing reload warm flash:iosimage.bin causes this problem.

Workaround: Cold reboot the router. Do not use warm reload feature.

CSCsu05186

Symptoms: The following commands do not work:

dot1x timeout supp-response
dot1x timeout reauth-period

Conditions: Occurs when configuring wireless on a Cisco 871 router.

Workaround: There is no workaround.

CSCsu25644

Symptoms: Router crashes after removing the tunnel source interface before entering the no interface tunnel command.

Conditions: Occurred during Dynamic Multipoint VPN (DMVPN) testing when there are more than 150 DMVPN tunnels.

Workaround: There is no workaround.

CSCsu42583

Symptoms: Any image or large file is corrupted when copied to disk. The following error message is displayed:

Error reading disk2:<filename> (Clusterchain broken on file)

Conditions: Happens only when a compact flash card is present.

Workaround: Replace the compact flash card with another model, one that is supported by Cisco.

CSCsu49189

Symptoms: Frame-Relay fragment output not seen when modifying the attached map-class.

Conditions: Occurs on a Cisco 7200 router.

Workaround: Detach and attach Frame-Relay fragment.

CSCsu58763

Symptoms: Card crashed upon attaching the policy-map to the output interface.

Conditions: Happening in all types of VCs (PVC/SVC) when the service policy is defined with shape command.

Workaround: There is no workaround.

CSCsu86004

Symptoms: Cisco Unified Border Element (CUBE) crashed.

Conditions: This occurs when remote SCCP phone registration message passes through ZBFW/CUBE with "ip virtual-reassembly" configured under the interfaces of the private and public zones.

Workaround: There is no workaround.

CSCsv09180

Symptoms: Router will crash upon removing service policy and DLCI associated with a frame-relay interface.

Conditions: The router crashes if the following steps are performed in the order given:

1. Configure frame-relay encapsulation on serial interface and assign IP address.

2. Configure header compression on it through policy-map using the service-policy output command.

3. Associate the interface with DLCI using the frame-relay interface-dlci command.

4. Configure the remote router in a similar fashion and ensure both interfaces ping each other.

5. Remove the policy-map on local router using the no service-policy output command.

6. Remove the DLCI associated using the no frame-relay interface-dlci command. This causes the router to crash.

Workaround: There is no workaround.

CSCsv63047

Symptoms: Cisco IOS Release 12.4T causes 15% performance degradation.

Conditions: Occurred on a Cisco 2800 series router. Issue affects data features such as IP, NAT, firewall, QoS, and ACL.

Workaround: There is no workaround.

CSCsv63265

Symptoms: A performance degradation of 7% occurs for Cisco 2801 with security configured.

Conditions: Problem is seen when utilizing 75% CPU and using 3DES IPSec transform with SHA authentication and 100 tunnels.

Workaround: There is no workaround.

CSCsv65147

Symptoms: Protected Extensible Authentication Protocol (PEAP) with secure token not working.

Conditions: Occurs on a Cisco 800 series router and a client using PEAP with secure token.

Workaround: There is no workaround.

CSCsv65309

Symptoms: A call through a Cisco Unified Border Element (CUBE) does not establish two-way audio. The call may drop.

Conditions: Occurs if the endpoint to which CUBE is communicating sends a re-INVITE for a call before it has received an ACK from the other call leg for the original INVITE.

Workaround: There is no workaround.

CSCsv65867

Symptoms: NM-CEM-4SER modules installed in Cisco 3845 routers will not use network clock if one is available. Instead, they will use the local oscillator. This can be observed by using the show cem slot/port/0 command.

Conditions: This behavior is observed on a NM-CEM-4SER module installed in Cisco 3845 routers running Cisco IOS Release 12.4(20)T or later.

Workaround: Use adaptive clocking to improve clock accuracy.

CSCsv69460

Symptoms: Ping failed between two customer routers. Customer routers are connected through two PE routers, and PE routers are connected to each other by ATM point-to-point link.

Conditions: Occurs on a Cisco 7200 router running Cisco IOS Release 12.4(15)T8.

Workaround: There is no workaround.

CSCsv76947

Symptoms: Cisco router with HWIC-2CE1T1-PRI may unexpectedly reload when the show controllers command is executed at the same time one of the channels on the card goes down.

Conditions: Show controllers must be executed at the same time the channel goes down.

Workaround: There is no workaround.

CSCsv82317

Symptoms: WIC-4SHDSL: Inconsistency in train up with m-pair Annex interchange.

Conditions: With the HWIC-4SHDSL scenario, when we create mpair DSL group link, it may fail to train with default B annex. Sometimes with annex B trains up, but when we interchange to annex A, it fails to train up. Also sometimes when we issue shut/no shut on CPE/CO side, it fails to train up.

Workaround: Swapping the termination mode and reloading both the routers may bring up the line successfully. It can be repeated multiple times if controller line does not train properly in the back-to-back setup. This workaround may not be suitable in a customer environment.

CSCsv85530

Symptoms: When accounting is enabled for virtual private dial-up network (VPDN), there might be messages with termination cause "nas-error" and displaying impossible values in Acct-Input-Octets, Acct-Output-Octets, Acct-Input-Packets and Acct-Output-Packets.

This causes accounting to be unreliable.

Conditions: Occurs with Cisco IOS Release 12.4T and configured for PPTP/L2TP with accounting.

Workaround: There is no workaround.

CSCsv91602

Symptoms: Cisco 7201 with Gi0/3 experienced communication failure.

Conditions: This problem does not occur with Gi0/0 or Gi0/2.

Workaround: Perform a shut/no shut on the Gi0/3. The problem will occur again.

CSCsv93421

Symptoms: Group member crashed when downloading a large number of access-lists from the key server.

Conditions: This crash was seen when the key server was configured with 100 access-lists that permit traffic from 50 hosts on either side of the group members.

Workaround: Configure a smaller number of ACLs.

CSCsv96409

Symptoms: Router crashes when VFR is enabled and CEF is turned off.

Workaround: Disable VFR using the no ip virtual reassembly command.

Workaround: There is no workaround.

CSCsv96630

Symptoms: Memory leak occurs on ISR transcoder router.

Conditions: Occurs when the secure option is added to a transcoder configuration in a topology with a Cisco Unified Communication Manager 7.1.

Workaround: Remove the secure configuration from the transcoder.

CSCsv97424

Symptoms: Router crashes due to memory corruption in the I/O pool. In all of the crashes, the previous block pointer is corrupted.

Conditions: Observed in a Cisco 2811 running Cisco IOS Release 12.4(22)T.

Workaround: There is no workaround.

CSCsw14688

Symptoms: High CPU utilization is noticed for PPP events, causing increased number of PPP session flaps.

Conditions: The problem is noticed on Cisco 7206VXR with NPE-G1 processor running Cisco IOS Release 12.4(15)T5.

Workaround: There is no workaround.

CSCsw20194

Symptoms: Tunnels flapping. Traffic fails (all counters show "0") even when the tunnels are up.

Conditions: Occurs when a service-policy is attached to a PVC.

Workaround: Delete the service-policy, then wait for about 30 seconds. The tunnels will recover and traffic can resume, then add the service-policy back.

CSCsw27984

Symptoms: A Cisco 7200 router running Cisco IOS Release 12.4(20)T1 reboots with a bus error.

Conditions: The router is configured with ios-firewall. The crash was observed one time only.

Workaround: There is no workaround.

CSCsw32795

Symptoms: Key server crashes during configuration.

Conditions: Occurs when key server is configured with two or more GDOI groups.

Workaround: There is no workaround.

CSCsw34941

Symptoms: Router crashes while performing online insertion and removal (OIR) of two NM-1A-OC3-POM cards at the same time.

Conditions: Occurs on a Cisco 3845 with two NM-1A-OC3-POM installed at slots 2 and 4. When both are removed, the router crashes sometimes.

Workaround: Do OIR one by one.

Resolved Caveats—Cisco IOS Release 12.4(24)T

This section describes possibly unexpected behavior by Cisco IOS Release 12.4(24)T. All the caveats listed in this section are resolved in Cisco IOS Release 12.4(22)T. This section describes severity 1 and 2 caveats and select severity 3 caveats.

CSCek75694

Symptoms: A router running Cisco IOS 12.4T may reload unexpectedly.

Conditions: Occurs when BFD is configured and active.

Workaround: Disable the BFD feature.

CSCek77424

Symptoms: A Cisco router that is running Cisco IOS Release 12.4(13b) might unexpectedly reload with a bus error.

Conditions: This symptom happens during normal operation with NAT configured.

Workaround: There is no workaround.

CSCsb98906

Symptoms: A memory leak may occur in the "BGP Router" process.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0(26)S6, that is configured for BGP, and that has the bgp regexp deterministic command enabled.

Workaround: Disable the bgp regexp deterministic command.

CSCse26506

Symptoms: When you perform an OIR of an ATM line card, a CPUHOG condition may occur in the "BGP Event" process.

Conditions: This symptom is observed when the ATM line card is configured with about 15,000 /32 routes.

Workaround: There is no workaround.

Further Problem Description: The ATM line card connects to about 15,000 different gateways, each of which is covered by its own /32 route. In addition, there is a less specific route that covers everything. The symptom occurs when BGP attempts to remove a large number of these tracked entries without suspending any.

CSCsi17158

Symptoms: Devices running Cisco IOS may reload with the error message "System returned to ROM by abort at PC 0x0" when processing SSHv2 sessions. A switch crashes. We have a script running that will continuously ssh-v2 into the 3560 then close the session normally. If the vty line that is being used by SSHv2 sessions to the device is cleared while the SSH session is being processed, the next time an ssh into the device is done, the device will crash.

Conditions: This problem is platform independent, but it has been seen on Cisco Catalyst 3560, Cisco Catalyst 3750 and Cisco Catalyst 4948 series switches. The issue is specific to SSH version 2, and it is seen only when the box is under brute force attack. This crash is not seen under normal conditions.

Workaround: There are mitigations to this vulnerability: For Cisco IOS, the SSH server can be disabled by applying the command crypto key zeroize rsa while in configuration mode. The SSH server is enabled automatically upon generating an RSA key pair. Zeroing the RSA keys is the only way to completely disable the SSH server.

Access to the SSH server on Cisco IOS may also be disabled by removing SSH as a valid transport protocol. This can be done by reapplying the transport input command with 'ssh' removed from the list of permitted transports on VTY lines while in configuration mode. For example:

line vty 0 4
transport input telnet
end

If SSH server functionality is desired, access to the server can be restricted to specific source IP addresses or blocked entirely using Access Control Lists (ACLs) on the VTY lines as shown in the following URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#xtocid14

More information on configuring ACLs can be found on the Cisco public website: /en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
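
The VTY restriction described above, as an added example that is not part of the Cisco release note: a standard ACL bound to the VTY lines with access-class so that only a management subnet can open SSH sessions. The ACL number 10, the 192.0.2.0/24 subnet and the 0 4 line range are assumptions; substitute the real management range and every VTY line range present on the device.

```cisco
! Added example. ACL number, subnet and VTY range are constructed values.
! Permit SSH clients only from the management subnet 192.0.2.0/24.
access-list 10 permit 192.0.2.0 0.0.0.255
! Explicit deny with logging so rejected connection attempts appear in syslog.
access-list 10 deny any log
!
line vty 0 4
 ! Apply the ACL to inbound sessions on these VTY lines.
 access-class 10 in
 ! Accept SSH only; Telnet is not offered on these lines.
 transport input ssh
end
```

The show access-lists 10 command displays match counts per entry. Any VTY range left without the access-class statement remains reachable from any source address.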

CSCsi35544

Symptoms: A router may reload with the message "Unexpected exception to CPU".

Conditions: The symptom is observed when EzVPN remote using client mode is configured on the router. It is seen when an IP address is being removed from one of the EzVPN inside interfaces while having active NAT translations.

Workaround: There is no workaround.

CSCsj34557

Symptoms: The router displays the following error message and reloads:

Jun 18 06:12:23.008: event flooding: code 10 arg0 0 arg1 0 arg2 0
%SYS-3-OVERRUN: Block overrun at E5D8310 (red zone 00000000) -Traceback= 0x6080CEB0 0x60982108 0x60982EC0 0x6098511C 0x609853BC
%SYS-6-MTRACE: mallocfree: addr, pc 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6
%SYS-6-MTRACE: mallocfree: addr, pc 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6
%SYS-6-BLKINFO: Corrupted redzone blk E5D8310, words 6088, alloc 61FE2638, InUse, dealloc 80000000, rfcnt 1 -Traceback= 0x6080CEB0 0x609681D4 0x6098211C 0x60982EC0 0x6098511C 0x609853BC
%SYS-6-MEMDUMP: 0xE5D8310: 0xAB1234CD 0xFFFE0000 0x0 0x63894208
%SYS-6-MEMDUMP: 0xE5D8320: 0x61FE2638 0xE5DB2D0 0xE5D8144 0x800017C8
%SYS-6-MEMDUMP: 0xE5D8330: 0x1 0x0 0x1 0x64B53478
%Software-forced reload

Conditions: Occurred on a Cisco 7200 running the c7200-ik9s-mz.124-7a.bin image.

Workaround: There is no workaround.

CSCsl00472

Symptoms: A Cisco router unexpectedly reloads with memory corruption after showing multiple "%SYS-2-INPUT_GETBUF: Bad getbuffer" messages.

Conditions: Occurs during normal operation.

Workaround: There is no workaround.

CSCsl49628

Symptoms: When a VPN routing/forwarding (VRF) is deleted through the CLI, the VRF deletion never completes on the standby RP, and the VRF cannot be reconfigured at a later time.

Conditions: This symptom is observed when BGP is enabled on the router.

Workaround: There is no workaround.

CSCsm03452

Symptoms: A Cisco AS5850 that is configured as a SIP gateway may crash unexpectedly when running a high volume of SIP calls.

Conditions: This symptom is observed on the Cisco AS5850.

Workaround: There is no workaround.

CSCsm27071

A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:

The configured feature may stop accepting new connections or sessions.

The memory of the device may be consumed.

The device may experience prolonged high CPU utilization.

The device may reload.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory. The advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml

CSCsm34002

Symptoms: CPU utilization goes to 99%. It stays there for a few seconds, then reduces to around 50%, then 2%. After a few seconds, CPU utilization reaches 99% again, and this cycle continues.

ROUTER#show proce cpu sorted
CPU utilization for five seconds: 99%/0%; one minute: 47%; five minutes: 25%

Conditions: This symptom is observed when around 2000 PPPOE sessions are initiated.

Workaround: There is no workaround.

CSCsm57494

Symptoms: BGP update is not sent after reloading opposite router or resetting module. Sometimes a BGP VPNv4 label mismatch also occurs between the routers because BGP update is not received.

Conditions:
- This problem may occur once or twice out of 20 attempts.
- This problem is apt to occur when MPLS-TE tunnel is enabled.
- This problem may occur when entering either the reload command, the hw-module module X reset command or the clear ip bgp X.X.X.X command on the opposite router.

Workaround: There is no workaround.

CSCsm73364

Symptoms: The router will crash if the routing instance has been removed and an instance-specific command is issued (e.g. shutdown, maxpaths, split horizon etc).

Conditions: The symptom is observed when removing an instance from either console or VTY while another console or VTY is still in router mode.

Workaround: Exit and re-enter router mode before issuing any instance-specific commands.

CSCsm97220

Devices that are running Cisco IOS Software and configured for Mobile IP Network Address Translation (NAT) Traversal feature or Mobile IPv6 are vulnerable to a denial of service (DoS) attack that may result in a blocked interface.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at the following link http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

CSCso24954

Symptoms: A policy with unsupported queuing features is allowed to attach to sessions. It may cause potential issues that require a reload to recover.

Conditions: There are no specific conditions required for this issue.

Workaround: There is no workaround.

CSCso49388

Symptoms: Router crashes on attaching the policy which contains "queue-limit" configuration in the input direction of any interface.

Conditions: Occurs on Cisco 7200 routers with NPEG1 processor and Cisco 7301 routers.

Workaround: There is no workaround.

CSCso57886

Symptoms: A Cisco IOS device may crash with a data bus error exception and stack trace PC = 0xA0000100.

Conditions: Device is running normal production traffic. Presence of malformed punted RP packets in this network caused the issue.

Workaround: There is no workaround.

CSCso67195

Symptoms: Router may crash due to memory corruption:

*Apr 7 12:32:14: %SEC-6-IPACCESSLOGRP: list 111 denied pim 0.0.0.0 -> <removed>, 1 packet
*Apr 7 12:32:29: %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 680A5374 data 680A79A4 chunkmagic FFFFFFFF chunk_freemagic 0 - Process= "Mwheel Process", ipl= 0, pid= 274, -Traceback= 0x6169C450 0x60102E78 0x601031E4 0x61D418E4 0x61D4230C 0x61CF1A48 0x61D1280C 0x61D05FE4 0x61D0E9FC
chunk_diagnose, code = 1
chunk name is PIM JP GroupQ

Conditions: This symptom occurs when PIM is enabled on an interface and access-list logging is enabled.

ip pim sparse-dense-mode
access-list 98 deny any log

Workaround: Remove access-list logging.

CSCsq03005

Symptoms: Fax fails when the supervisory disconnect command is applied on a voice port. The default fax detect script, app_fax_detect.2.1.2.2.tcl, is being used.

voice-port 2/0/20
supervisory disconnect dualtone mid-call

When the supervisory disconnect dualtone mid-call command is removed, fax works.

Conditions: This symptom is observed with Cisco IOS Release 12.4.15T4.

Workaround: There is no workaround.

CSCsq05099

Symptoms: User can only configure a maximum of 500 SWMTP sessions per profile.

Conditions: This symptom is observed when using SWMTP.

Workaround: Configure multiple SWMTP profiles.

CSCsq13938

Symptoms: In Cisco IOS software that is running the Border Gateway Protocol (BGP), the router may reload if BGP show commands are executed while the BGP configuration is being removed.

Conditions: This problem may happen only if the BGP show command is started and suspended by auto-more before the BGP-related configuration is removed, and if the BGP show command is continued (for example by pressing the SPACE bar) after the configuration has been removed. This bug affects BGP show commands related to VPNv4 address family. In each case the problem only happens if the deconfiguration removes objects that are being utilized by the show command. Removing unrelated BGP configuration has no effect.

This bug is specific to MPLS-VPN scenarios (CSCsj22187 fixes this issue for other address-families).

Workaround: Terminate any paused BGP show commands before beginning operations to remove BGP-related configuration. Pressing "q" to abort suspended show commands, rather than SPACE to continue them, may avoid problems in some scenarios.

CSCsq23391

Symptoms: Memory leak was found after voice stress testing on a Cisco 3845.

Conditions: Occurred on router configured for E1, Direct Inward Dial (DID), G.711, and voice activity detection (VAD). Testing was performed for 2 hours, and call duration was 60 seconds.

Workaround: There is no workaround.

CSCsq37520

Symptoms: A crash is seen when a child policy-map is added to a policy-map that is attached to a large number (1000s) of interfaces.

Conditions: This symptom occurs when any configuration change results in the creation of 1000s of QoS queues at once.

Workaround: Remove policy-map from all interfaces prior to modification.

CSCsq44761

Symptoms: Different crashes are seen in the nhrpSnmpCompareNodes routine.

Conditions: The symptom is observed in the nhrpSnmpCompareNodes routine while configuring IPv6.

Workaround: There is no workaround.

CSCsq44792

Symptoms: Per session queuing does not work with PPPoE session.

Conditions: Occurs on a Cisco router configured for Mobile Ad Hoc Networks (MANET).

Workaround: There is no workaround.

CSCsq51119

Symptoms: A Cisco NHRP router may unexpectedly reload because of a bus error.

Conditions: The router must be running NHRP, and the NHRP SNMP MIB must be enabled.

Workaround: Disable the NHRP SNMP MIB. Save the configuration, and reload the router.

CSCsq58779

Cisco IOS devices that are configured for Cisco Unified Communications Manager Express (CME) and the Extension Mobility feature are vulnerable to a buffer overflow vulnerability. Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition on an affected device.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-cme.shtml.

CSCsq73501

Symptoms: Unable to create sessions and ACLs.

Conditions: The symptom is observed when testing with DACL.

Workaround: There is no workaround.

CSCsq87204

Symptoms: A router may reload due to a crash after configuring the no multi-path command or the shut command.

Conditions: This symptom occurs when the router is configured with Mobile IP, Mobile Router, and the multi-path command on Cisco IOS Release 12.4(9)T.

Workaround: There is no workaround.

CSCsr18173

Symptoms:
1. If dampening is enabled on a router, and identical updates of an IPv4 prefix carrying label information are received, these updates are not treated as identical and dampening penalty is set for the route.
2. If dampening is enabled on a router, and identical updates of an IPv4 multicast prefix are received, these updates are not treated as identical and dampening penalty is set for the route.

Conditions: The symptom is observed when dampening is enabled and:
1. Identical updates of an IPv4 prefix are received. The updates should be carrying MPLS Label information; or
2. Identical updates of an IPv4-multicast prefix are received.

Workaround: There is no workaround.

CSCsr18691

Cisco IOS devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available within the workarounds section of the posted advisory.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ios-fw.shtml

CSCsr21842

Symptoms: On a Cisco 7200 series router that has a crypto map protecting GRE tunnel traffic, putting an inbound ACL to drop the decrypted, GRE-decapsulated IP traffic may not work. The traffic is not dropped as expected and there is no hit count on ACL/ACE (although permit ACE still works properly and receives hit counts).

Conditions: The symptoms are observed with the following conditions:
1. On a Cisco 7200 series router with K9 images.
2. Where a crypto map is applied on a physical interface protecting GRE tunneling traffic (47 host2host).
3. When "deny inbound ACL" is configured on the tunnel interface to drop the cleartext (the traffic will not be dropped as expected).
4. It occurs with certain configuration sequences, such as configure tunnel and crypto map. (If you bring up IPSec SA, then apply inbound ACL to the tunnel interface, then save the configuration at the start-up configuration and boot from there, the issue may not show up.)
5. This only affects inbound ACLs. Outbound ACLs are not affected.

Workaround: Use an inbound crypto map ACL (ipsec-dACL) instead of an inbound ACL on the tunnel in this scenario. The inbound crypto map ACL sees the decrypted GRE packets, and it can drop the traffic properly. For example:

router#sh cry map
Crypto Map "testtag" 10 ipsec-isakmp
Peer = 10.0.0.8
Extended IP access list 101
access-list 101 permit gre host 10.0.0.9 host 10.0.0.8
Extended IP access check IN list imacl
access-list imacl permit ahp any any
access-list imacl permit esp any any
access-list imacl deny gre any any
access-list imacl permit ip any any
Current peer: 10.0.0.8
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ proposal1: { ah-sha-hmac } , { esp-3des esp-sha-hmac } , }
Interfaces using crypto map testtag: GigabitEthernet0/1

Alternate workaround: Turn off CEF switching and use process switching.

CSCsr24551

Symptoms: A Cisco 7200 VXR series router may crash and reload upon applying a policy map.

Conditions: This symptom is observed when the service policy map is applied on the channelized E3 interface of a Cisco 7200 VXR router and traffic is pumped. The issue is observed only for E3 interface.

Workaround: Remove the service policy map.

CSCsr27734

Symptoms: The standby router crashes.

Conditions: This symptom is observed when a service-policy map is removed from a VC.

Workaround: There is no workaround.

CSCsr36971

Symptoms: On a chassis with large number of v4 and v6 VRFs and multicast, a memory leak may be seen for the PIM process.

Conditions: The symptom is observed when running ION. There is no multicast traffic flowing but IPv4 and IPv6 VPN traffic is flowing.

Workaround: There is no workaround.

CSCsr40433

Symptoms: Traffic engineering (TE) tunnel reoptimization fails and tunnel stuck in "RSVP signaling proceeding".

Conditions: Occurs when an explicit path uses loose next hops, one of the next hops is still reachable, and that next hop is a dead end.

Workaround: Use strict next hop addresses.

CSCsr48677

Symptoms: There may be memory allocation errors and traceback for the Net Background process when HWIC-1FE/2FE is present in the router.

Conditions: The symptoms are observed when the line protocol state of FastEthernet interface in HWIC-1FE/2FE is down for more than 48 hours.

Workaround: Configure "no keepalive" on the interface that is down.

CSCsr49316

Symptoms: A crash happens when the show ipv6 rpf x:x:x::x command is given.

Conditions: This symptom is observed only when there are more than 16 adjacencies for a single static route. The crash happens when the show ipv6 rpf command is given for this particular static route.

Workaround: There is no workaround. This problem occurs as long as there are more than 16 adjacencies for single static route even if some of them are not active.

CSCsr54170

Symptoms: A router may crash when removing policy-map configuration with policy-map still in use (with traffic through).

Conditions: The symptom is observed if a policy-map is removed from configuration and that policy-map is still referenced by an interface service-policy statement (with traffic through).

Workaround: Stop traffic before removing policies.

CSCsr55713

Symptoms: A crash occurs.

Conditions: The crash is caused by a ping across an ISATAP tunnel. The symptom is observed only in Cisco IOS Release 12.4(15)T7 on the Cisco 7200 (it is not known to affect other platforms), since the crash is dependent on the Cisco IOS memory map (which varies with each image).

Workaround: There is no workaround.

CSCsr55922

Symptoms: The EIGRP IPv6 process may incorrectly select a router-ID from the 127.0.0.0 address range.

Symptoms: The same router-ID may be selected on two separate Cisco routers configured for EIGRP IPv6. External prefixes advertised by one of the EIGRPv6 routers will be ignored by the receiving EIGRPv6 router due to the fact the routerID contained in the external data portion of the prefix matches the receiving routerID; a loop prevention method.

Workaround: Manually configure a router-ID under the EIGRP IPv6 process with the router-id <address> command.

CSCsr55990

Symptoms: HSRP virtual MAC is dynamic instead of static on a Cisco 7600 after a reload.

Conditions: HSRP is configured under a routed vlan-based pseudowire:

interface Vlan X
ip address 10.0.0.1 255.255.255.0
standby 1 ip 10.0.0.254
xconnect x.y.z.w encapsulation mpls

Occurs when fast millisecond HSRP timers are used, and an HSRP interface delay is not configured.

Workaround: Perform a shut/no shut on the interface "vlan X". Or, as a preventive action, configure standby delay minimum 60 on the interfaces. Testing has shown that after a reboot the entry is installed correctly in the PFC/DFC.

CSCsr59242

Symptoms: EIGRP may lose some routes from stub neighbors in a DMVPN setup.

Conditions: If EIGRP graceful restart happens on an interface and the interface update queue is busy, then it may lose some routes from the stub neighbors on that interface.

For example, issuing the below commands can trigger this issue:

clear ip eigrp vrf abc as-number neighbors interface
Wait 30 seconds
clear ip eigrp vrf abc as-number neighbors interface soft

Workaround: Use the clear ip eigrp vrf abc neighbors command to fix the problem.

Another workaround is that graceful restart can be turned off by the no eigrp graceful-restart command under the router or the address-family command. This will cause the symptom to go away but will revert back to hard resetting peers on configuration changes or the clear ip eigrp neighbor soft command.

CSCsr64777

Symptoms: A router crashes because of a block overrun (overwriting the memory block).

Conditions: This symptom is observed only when NetFlow version 5 is used.

Workaround: NetFlow version 9 could be used for exporting.

CSCsr69433

Symptoms: A router may experience %SYS-3-CPUHOG: errors and then a watchdog crash in the FR LMI process.

Conditions: The symptoms are observed when ISDN is configured on the router.

Workaround: There is no workaround.

CSCsr83547

Symptoms: Dialer watch on the Cisco 3845 router makes the backup link of PPP multilink on the PRI port which is connected to BRI 4 port of peer router through ISDN net. If one out of four BRI ports is shut down on the peer router, the dialer watch does not keep the backup link up without resetting the idle timer at the expiration of idle timeout though the primary link remains down, causing the other three ports to be disconnected.

Conditions: This symptom occurs only when the BRI port which contains B-ch that became link up first is shut down. This symptom does not occur even if the other BRI ports are shut down.

Workaround: There is no workaround.

CSCsr85093

Symptoms: SSH connection fails to establish after SSO with the following debug message on client side:

SSH2 CLIENT 0: RSA signature verification failed, status 524

Conditions: This symptom occurs when a new RSA key is generated. The SSH server key is not updated on the standby. The show ip ssh command on the standby will show that SSH is enabled, but the SSH connection will fail to establish.

Workaround: Regenerate RSA key on the new active after SSO.

CSCsr90248

Symptoms: Changing any of the parameters of a route-map does not take effect.

Conditions: Occurs when using a BGP aggregate-address with an advertise map.

Workaround: Delete the aggregate-address statement and then put it back for the change to take effect.

CSCsr93969

Symptoms: Autoinstall requires user to respond "No" to initial configuration dialog before proceeding with autoinstall process.

Conditions: The symptom is observed whenever the user does a "write erase" and reload to invoke autoinstall.

Workaround: There is no workaround.

CSCsr96042

Symptoms: ASR1000 Router crashes.

Conditions: Occurs if "ip vrf" is deleted from the configuration.

Workaround: There is no workaround.

CSCsr96468

Symptoms: The following may be seen on a Catalyst 3750 if an HSRP version 2 group is configured after an HSRP version 1 group:

Vlan5 - Group 300 (version 2) State is Init (virtual MAC reservation failed)

The correct behavior is for the HSRP version 2 group to be rejected since the Catalyst 3750 only supports MAC addresses for one HSRP version at any one time.

Conditions: This only affects the catalyst 3750 platform.

Workaround: Remove the HSRP version 2 group.

CSCsr96753

Symptoms: A router may crash when entering the isdn test call command.

Conditions: The symptom is observed when the BRI interface is up.

Workaround: There is no workaround.

CSCsr97030

Symptoms: Service policy is missing from the running-configuration after a device is reloaded.

Conditions: The symptom is observed when the service policy contains a "police rate percent" that is 13% or less, and is applied to an MLPPP interface. It is observed with Cisco IOS Release 12.4(8c) and Release 12.4T.

Workaround: Use any one of the following:
1. Re-apply service-policy each time after rebooting.
2. Change service policy to use "police rate XXXX bps".
3. Configure bandwidth XXXX on the MLPPP interface.
4. Change service policy to use more than 13% for the policing.

CSCsr97753

Symptoms: Pinging an interface fails.

Conditions: Occurs when unconfiguring xconnect on the interface.

Workaround: Perform a shut/no shut on the interface.

CSCsr98707

Symptoms: When the main ATM interface MTU has an explicit non-default value (something other than 4470), then the subinterfaces may not save (shown with the show run command) the explicit MTU configuration of the default (4470) even though the command is expected.

Conditions: The symptoms are observed only for the ATM MTU value 4470. This unexpected behavior is not seen for any other value (less than or more than 4470 within allowed ATM MTU values).

Workaround: Upon reload, manually (explicitly) configure MTU 4470. You can configure an IP MTU under the ATM interface instead of an ATM MTU.

CSCsu00266

Symptoms: The following crash is observed after configuring a policy-map.

SegV exception, PC 0x2142818 at 10:04:23

Conditions: Occurred on a Cisco 7206VXR (NPE-G2) running Cisco IOS Release 12.4(15)T5.

Workaround: There is no workaround.

CSCsu00313

Symptoms: SRTP call fails through IP-IP gateway with SIP end points.

Conditions: SRTP call may fail with SIP trunk in between two CUCMs that are connected through IP-IP gateway.

Workaround: There is no workaround.

CSCsu02176

Symptoms: A router reloads continuously on switching off one of the redundant power supplies.

Conditions: This symptom occurs when a router reloads continuously on switching off one of the redundant power supplies.

Workaround: There is no workaround.

CSCsu04446

Symptoms: A Cisco router that is running a PfR Master Controller crashes under stress.

Conditions: This symptom is observed when traffic with more than 2000 prefixes with about 500 unreachable prefixes is flowing through the router.

Workaround: Minimize the number of prefixes learned during an interval. The default of 100 should be sufficient.

oer master learn prefixes 100

CSCsu08935

Symptoms: BGP as-override does not work properly on a PE to overwrite the AS in the AS4_PATH.

Conditions: When a 4 byte CE is peered to a 2 byte capable PE using AS 23456 and the command as-override is configured on the neighbor, the PE router does not override the AS in the AS4_PATH with its own AS number, mapped to 4 bytes.

Workaround: Use "allowas-in" on the CE.

CSCsu11522

A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS software that can be exploited remotely to cause a reload of the Cisco IOS device.

Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate the vulnerability apart from disabling SIP, if the Cisco IOS device does not need to run SIP for VoIP services. However, mitigation techniques are available to help limit exposure to the vulnerability.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml.

CSCsu18232

Symptoms: When a port becomes active the endpoints stay in "Not Ready" state and the RSIP message is not sent.

Conditions: The symptoms are observed when a new E1/T1 is configured with new DS0 groups controlled by MGCP. It is observed only during initial configuration.

Workaround: Remove the entire configuration under the controller before reloading/configuring a new set. After the problem occurs, the only workaround is to reload router.

CSCsu20411

Symptoms: A router may crash while unconfiguring "source template test" in interface configuration mode.

Conditions: The symptom is observed with a router loaded with Cisco IOS Release 12.4(22)T.

Workaround: There is no workaround.

CSCsu21828

A series of TCP packets may cause a denial of service (DoS) condition on Cisco IOS devices that are configured as Easy VPN servers with the Cisco Tunneling Control Protocol (cTCP) encapsulation feature. Cisco has released free software updates that address this vulnerability. No workarounds are available; however, the IPSec NAT traversal (NAT-T) feature can be used as an alternative.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml.

Note: The March 25, 2009, Cisco IOS Security Advisory bundled publication includes eight Security Advisories. All of the advisories address vulnerabilities in Cisco IOS Software. Each advisory lists the releases that correct the vulnerability or vulnerabilities in the advisory. The following table lists releases that correct all Cisco IOS Software vulnerabilities that have been published in Cisco Security Advisories on March 25, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

CSCsu22997

Symptoms: Right after the show ephone summary command is executed, the device crashes because of a bus error (CPU signal 10).

Conditions: This symptom is observed on a Cisco 2811 that is running Cisco IOS Release 12.4(20)T with an ephone.

Workaround: There is no workaround.

CSCsu24087

Symptoms: A router hangs for a couple of minutes, then crashes anytime the clear ip bgp neighbor x.x.x in command is issued.

Conditions: This symptom occurs when the clear ip bgp neighbor x.x.x.x soft in command is issued and the following commands are configured for that neighbor (without route-map):
1) neighbor x.x.x.x soft-reconfiguration inbound
2) neighbor x.x.x.x weight
3) neighbor x.x.x.x filter-list in

If any one of the commands is not configured, then the router will not crash.

Workaround: Configure route-map instead of filter-list for inbound direction. For example, replace "neighbor x.x.x.x filter-list 1 in" with "neighbor x.x.x.x route-map name in", where:

route-map name permit 10
match as-path 1

CSCsu24505

Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml

CSCsu25797

Symptoms: When the router is running with an on-board VPN module, the module driver should update the maximum IKE SA limit to support more tunnels than software encryption. However, the on-board driver may not update the limit when Cisco IOS Release 12.4(11)T or later is used. Therefore, only 100 IKE SA are supported with the on-board module.

Conditions: The symptom is observed with a Cisco 2811 or 2821 router that is running Cisco IOS Release 12.4(11)T or later.

Workaround: Use Cisco IOS Release 12.4(9)T.

CSCsu25833

Symptoms: An ISR router may crash with the following error message: %ALIGN-1-FATAL: Corrupted program counter

Conditions: The symptoms are observed on a Cisco 2811 and 2801 router. The trigger has not yet been identified.

Workaround: There is no workaround.

CSCsu26174

Symptoms: A Cisco 1800 series router may stop passing traffic on FastEthernet interface 0/1 when FastEthernet interface 0/0 is administratively shut down using the interface configuration command shutdown. When FastEthernet 0/0 is shutdown, the following message is displayed:

%GT96K_FE-5-LATECOLL: Late Collision on int FastEthernet0/0

Conditions: The symptoms are observed with FastEthernet 0/0 on a Cisco 1841 router and when the device at the far end of interface FastEthernet 0/0 is configured manually to speed 10 or 100.

Workaround: Configure the far-end device to auto-negotiate the speed with the 1800 router.

Further Problem Description: This problem does not occur when pulling out cable and re-inserting in FastEthernet 0/0. It also does not occur when FastEthernet 0/1 is reversed to FastEthernet 0/0.

CSCsu27109

Symptoms: When stateful switchover (SSO) is performed on a Cisco 7600, MPLS label allocation fails.

Conditions: Issues are seen on Cisco 7600 router. Occurs after performing the SSO. Also seeing CPU usage above 95% for 10-15 minutes.

Workaround: There is no workaround.

CSCsu27888

Symptoms: IGMP v3 reports are discarded.

Conditions: Occurs on Cisco 7200 router running Cisco IOS Release 12.4(20)T2.

Workaround: There is no workaround.

CSCsu30540

Symptoms: HWIC-4SHDSL: 4Wire annex F with coding 16-TCPAM link goes down after the shut command followed by the no shut command.

Conditions: This symptom occurs after the 4WIRE SHDSL card with annex F coding 16-TCPAM configuration goes down after the shut command followed by the no shut command and never comes up. This issue is seen only with annex F coding 16-TCPAM, enable annex on CPE first and then CO side. This issue is not seen on 4WIRE SHDSL card with annex G coding 16-TCPAM.

Workaround: There is no workaround.

CSCsu31042

Symptoms: A small memory leak may occur.

Conditions: This symptom is observed when a PPPoE client or a PPPoA client is configured.

Workaround: There is no workaround.

CSCsu31444

Crash observed after configuring a policy-map.

CSCsu31954

Symptoms: A router reloads.

Conditions: Under certain crypto configurations with NetFlow also configured, the router will reload when required to fragment CEF-switched traffic on a Cisco 7200 router.

Workaround: There is no workaround.

CSCsu32104

Symptoms: A PRE-3 that is running Cisco IOS Release 12.2(31)SB code may encounter a Redzone overrun memory corruption crash.

Conditions: Unknown at this time.

Workaround: Turn off Auto IP SLA MPLS by entering the auto ip sla mpls reset command.

CSCsu32154

Symptoms:

Calls through an MGCP-controlled FXS may fail to complete. The user will hear fast-busy signal when attempting to make inbound or outbound calls from or to that port. Outbound calls to the port in this state may return a 400 error "Previous message in-progress" in response to the CRCX.

Conditions:

The symptom is observed under rare conditions with an MGCP-controlled FXS port on a Cisco IOS Voice over IP (VoIP) gateway.

To verify that a port is in this state, compare the output of show mgcp connection to the output of show voice call summary. If a call appears in the show mgcp connection output for a port but that port appears idle (FXSLS_ONHOOK) in the show voice call summary output, the port is in this state.

An example of such output is here showing port 2/1 in this state:

VG224#sh voice call summ
PORT           CODEC     VAD VTSP STATE            VPM STATE
============== ========= === ==================== ======================
2/0            -         -   -                    FXSLS_ONHOOK
2/1            -         -   -                    FXSLS_ONHOOK

VG224#sh mgcp conn
Endpoint Call_ID(C) Conn_ID(I) (P)ort (M)ode (S)tate (CO)dec (E)vent [SIFL] (R)esult[EA (ME)dia (COM)Addr:Port
1. aaln/S2/1 C=,34,-1 I=0x0 P=0,0 M=0 S=9,0 CO=0 E=3,10,10,10 R=41,0 ME=0 COM=0.0.0.0:0

Workaround: Reload the gateway to recover a port once it is in this state. Attempting to restart the MGCP service on the gateway by removing and adding the mgcp command in the configuration has been shown at times to be ineffective once in this state.

Alternate workaround: Use of H323/SIP signaling instead of MGCP will prevent ports from getting into this state.

Further Problem Description:

Changes applied through CSCsq97697 have been found to greatly reduce occurrences of this issue. If using H323/SIP instead of MGCP is not an option, it is recommended to use a Cisco IOS Release that contains the changes in CSCsq97697 (for example, Cisco IOS Release 12.4(15)T7).

The changes applied to CSCsu32154 introduce a new MGCP CLI command which is not enabled by default. If upgrading to obtain a fix for this issue, configure mgcp disconnect-delay.

CSCsu32168

Symptoms: During a manual clear of PPPoE sessions associated with a VMI interface (using the clear pppoe all command), the router may crash.

Conditions: The symptom is observed when sessions are established and all cleared at once. The router will then crash and create a crashinfo file. On a Cisco 3200 series router, the router may hang. When the 3200 series router hangs, the router console becomes unresponsive.

Workaround: There is no workaround. When the Cisco 3200 series router hangs, the hung condition may be cleared by sending a break to the console or by power cycling the router.

CSCsu33111

Symptoms: The shutdown command is not working as expected and it reloads the NME-16ES-1G Service Module instead.

Conditions: When the service-module gigabitEthernet <x/y> shutdown command is issued from ISR, the NME-16ES-1G Service Module reloads instead of shutting down.

Workaround: There is no workaround.

CSCsu33185

Symptoms: Transmitted packets/bytes are zero even though packets are classified.

Conditions: Configure the class map and policy map with the random-detect ecn command, and apply the service policy outbound on the serial interface. This symptom is specific to the random-detect ecn command.

Workaround: There is no workaround.

CSCsu33399

Symptoms: HWIC-4SHDSL:4Wire annex F/G with coding 16/32 TCPAM link on central office (CO) side is going down.

Conditions: 4-WIRE SHDSL card with F/G annex-coding 16/32 TCPAM link on CO side is going down. CO link goes down immediately when either F/G annex is configured and never comes up. But the link on the CPE side will come up.

- Issue is seen with F/G annex; the issue is not seen with A/B annex.

- CO side link goes down, but the CPE comes up.

Workaround: There is no workaround.

CSCsu35597

Symptoms: Renaming a directory gives error message.

Conditions: This happens on a Cisco router running the Cisco IOS Release 12.4(20)T1.fc2 image.

Workaround: There is no workaround.

CSCsu35963

Symptoms: IPIPGW/CUBE will not respond to a H.245 EmptyCapabilitySet (ECS) (i.e. TerminalCapabilitySet(TCS)=0) message from Cisco Voice Portal (CVP) with a CloseLogicalChannel (CLC) message. This will result in call failure.

Conditions: The symptom occurs when IPIPGW is deployed in H.323-H.323 mode, running Cisco IOS Release 12.4(20)T and interacting with CVP.

Workaround: There is no workaround.

CSCsu36827

Symptoms: The CUE clock does not synch up with the CME using NTP.

Conditions: This symptom is observed when the UC500 is configured as the NTP master.

Workaround: Use an external NTP server other than the UC500.

CSCsu36836

Symptoms: TCL scripts and policies attempting to work with open files and sockets simultaneously may not operate properly. One symptom is the vwait command may fail by reporting "would wait forever".

Conditions: Occurs when a TCL script opens both a file and a client or server socket simultaneously.

Workaround: Open and close files and sockets separately. Avoid having them open simultaneously.

CSCsu38520

Symptoms: In Cisco IOS Release 12.4(20)T and 12.4(15)T7, IKE Phase 1 is not flushed by DPD (although IKE Phase 2 is correctly deleted). This can be verified by using the following commands: show crypto isakmp sa then show crypto ipsec sa

Conditions: The symptom is observed when the IPSec end node is behind NAT and DPD is configured. It is seen when the last IKE Phase 2 SA is deleted.

Workaround: Use Cisco IOS Releases up to 12.4(15)T6.

CSCsu38842

Symptoms: Memory leak from "HQF: hqf feature(s) data" is observed.

Conditions: Occurs after configuring class-based WRED and reconfiguring fair-queue for class-default.

Workaround: There is no workaround.

CSCsu40234

Symptoms: Traffic may fail with VSA and time-based anti-replay.

Conditions: The symptom is observed when GetVPN and time-based anti-replay are configured with the VSA module.

Workaround: Remove time-based anti-replay from the GetVPN Key Server configuration.

CSCsu41968

Symptoms: On a Cisco 7500 with an HA setup, the "show controller t3" command is showing framing as M23 on the active and as C-bit on the standby. So the "loopback remote" configuration is rejected on the active and is accepted on the standby.

Conditions: This symptom is observed when the "show controller t3 1/1/0" command is issued.

Workaround: There is no workaround.

Further Problem Description: Because of the framing mismatch, the standby might crash due to sync issues.

CSCsu44789

Symptoms: Spurious memory access traceback is seen.

Conditions: The symptom is observed when an MGCP Gateway tries to defer a Request Notification (RQNT) without the requested/signal event.

Workaround: There is no workaround.

CSCsu45608

Symptoms: A zone-based firewall does not allow returned TCP traffic from a VPN tunnel.

Conditions: This symptom is observed when the firewall is configured to inspect TCP traffic to and from the VPN tunnel.

Workaround: There is no workaround.

CSCsu45973

Symptoms: A router may crash very close in time to when an RFC 4938 compliant PPPoE session is being terminated.

Conditions: The symptom is observed when the VMI interface is in aggregate mode and an RFC 4938 compliant PPPoE session is terminated.

Workaround: There is no workaround.

CSCsu46060

Symptoms: A router may crash under low memory conditions.

Conditions: The symptom is observed with a router running GetVPN and Cisco IOS Release 12.4(15)T7.

Workaround: There is no workaround.

CSCsu46871

Symptoms: Unable to attach service policy to VT when bandwidth is configured in class default.

Conditions: Occurs when DLFI over ATM is configured and an attempt is made to attach a service policy to a VT while bandwidth is configured in class default.

Workaround: Configure bandwidth in user defined class and attach to VT.

CSCsu47027

Symptoms: A device may crash 10-15 times per day when receiving calls from an end customer using a third-party vendor PBX.

Conditions: The symptom is observed with Cisco IOS Release 12.4(21) and Release 12.4(20)T.

Workaround: There is no workaround.

CSCsu50252

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsu70214

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCsv75948

Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml

CSCsw47076

A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.

CSCek48205

Symptoms: The output counters for a Multilink Frame Relay (MFR) bundle interface may not be updated correctly.

Conditions: Occurs after the same interface is deleted and recreated.

Workaround: There is no workaround.

CSCsd80349

Symptoms: In a MPLS Traffic Engineering Fast Reroute environment, if the line protocol on the protected link goes down due to mismatched keep-alives on the link (or too many collisions), the forwarding plane does not switch traffic for protected label switched paths (LSP) to their respective backups.

Conditions: Occurs under the following scenario:

- A Cisco router running a Cisco IOS Release 12.2S

- Router acting as a Point of Local Repair (PLR) for MPLS Traffic Engineering Tunnels that request Fast Reroute protection

- Mismatched keep-alives or excessive collisions on the protected link.

Workaround: There is no workaround.

CSCsj36133

Symptoms: A BGP neighbor may send a notification reporting that it received an invalid BGP message with a length of 4097 or 4098 bytes.

Conditions: The problem can be seen for pure IPv4 BGP sessions (no MP-BGP in use) when the router that is running the affected software generates a large number of withdraws in a short time period and fills an entire BGP update message (up to 4096 bytes normally) completely with withdraws. Because of a counting error, the router that is running the affected software can generate an update message that is 1 or 2 bytes too large when formatting withdraws close to the 4096 size boundary.

Workaround: The issue is not seen when multiple address families are being exchanged between BGP neighbors.

CSCsk26651

Symptoms: A router crashes when configuring auto qos on an ATM subinterface. The following error message is produced: "%SYS-6-STACKLOW: Stack for process Exec running low"

Conditions: The symptom occurs when AutoQoS Discovery is enabled for untrust mode, and also when AutoQoS Discovery is enabled for trusted DSCP.

Workaround: There is no workaround.

CSCsk52143

Symptoms: On a Cisco Catalyst 6509, a WS-SUP32-GE-3B, a Cisco 7600-SIP-400, a SPA-1XOC12-POS, a Cisco 7600-SSC-400 and a SPA-IPSEC-2G, configuring a hierarchical policy with multiple parent shapers (in user defined classes) and child queuers results in the police cir percent command (which MUST be used with the "priority" CLI on a SIP-400 in SRA to avoid PQ monopolization) policing data in the parent-policy in accordance with the following formula:

("police cir percent") * (LOWEST "shape average")

instead of the expected behavior:

("police cir percent") * ("shape average")

For example, in this policy:

policy-map cbwfq-ip
 class tunnel13601
  shape average 80000000
  service-policy cbwfq-sip
 class tunnel13603
  shape average 20000000
  service-policy cbwfq-sip

The policer in the child policy-map (below) will police both classes tunnel13601 AND tunnel13603 to 66% of 20000000 (when it should police class tunnel13601 to 66% of 80000000 and class tunnel13603 to 66% of 20000000):

policy-map cbwfq-sip
 class out-voice
  priority
  police cir percent 66 conform-action transmit exceed-action drop violate-action drop
 class out-streaming
  bandwidth remaining percent 15
 class out-time-sensitive
  bandwidth remaining percent 10
 class out-troubleshooting
  bandwidth remaining percent 2
 class out-viruscontrol
  bandwidth remaining percent 1
  queue-limit 128 packets
 class class-default
  bandwidth remaining percent 20
  queue-limit 2000 packets

The show policy-map interface command shows correct rate but policing is failing.

Conditions: The symptoms are observed on a Cisco Catalyst 6509, a WS-SUP32-GE-3B, a Cisco 7600-SIP-400, a SPA-1XOC12-POS, a Cisco 7600-SSC-400 and a SPA-IPSEC-2G using a hierarchical policy with multiple parent shapers in user-defined classes and child policies with queuing and policing actions.

Workaround: Remove "police cir percent" from child queuing policy "cbwfq-sip".

Alternate workaround: Use a different child-policy (with the same configuration). Example: Define a second policy-map, say "cbwfq-sip1", with the same configuration as "cbwfq-sip" and change the cbwfq-ip as below:

policy-map cbwfq-ip
 class tunnel13601
  shape average 80000000
  service-policy cbwfq-sip
 class tunnel13603
  shape average 20000000
  service-policy cbwfq-sip1

(shows a different child-policy with the same configuration as "cbwfq-sip").

CSCsl11712

Symptoms: Router crashes when DGVPN is configured with VRF.

Conditions: The symptom is observed with a Cisco 3845 router and when DGVPN is configured with VRF.

Workaround: There is no workaround.

CSCsl99156

Symptoms:

1. The No_Global bit (0x10) for MOI flag is incorrectly set for iBGP when it becomes best path.

router#show ip cef vrf <vrf name> x.x.x.x int
[snip]
MPLS short path extensions: MOI flags = 0x16 <------- MOI flags 0x10 is incorrectly set for iBGP when it becomes best path, correct flag should be 0x4, 0x5, 0x6 ... correct now.

2. The No_Global bit (0x10) for MOI flag for iBGP path was incorrectly unset when eBGP becomes best path.

router#show ip cef vrf <vrf name> x.x.x.x int
[snip]
MPLS short path extensions: MOI flags = 0x5 <------- MOI flags 0x10 is incorrectly clear for ibgp path when eBGP becomes best path, correct flag should be 0x14, 0x15, 0x16... correct now.

Conditions: This symptom sometimes happens after BGP path update.

Workaround: Issue the clear ip route vrf vrf name x.x.x.x/y command.

CSCsq36269

Symptoms: Group domain of interpretation (GDOI) encapsulated packets that are sent towards a Cisco 7200, and that the router (due to a routing problem) wants to send back out through the same interface, leave the router with the TTL increased by one instead of decreased by one.

As it is likely that the upstream router will send the packet again to the GDOI endpoint, this will lead to a never-stopping flow of packets that will overwhelm the router.

Conditions: Occurs when using GDOI on a Cisco 7200 and having a routing issue where the upstream router forwards packets towards the GDOI router, but the GDOI router wants to send the same traffic towards the upstream router.

Workaround: There is no workaround.

CSCsq50977

Symptoms: Trimble Palisade NTP Synchronization Driver feature does not work.

Conditions: Occurs on a Cisco 7200 NPE-G2 running Cisco IOS Release 12.4(15)T3 and Cisco IOS Release 12.4(15)T5. Issue is not seen on NPE-400 running 12.4(15)T3 and Cisco IOS Release 12.4(15)T5.

Workaround: There is no workaround.

CSCsq92440

Symptoms: A router may crash when continuously executing the sh ip mroute count | incl groups command with large number of mroutes.

Conditions: The symptom is observed only when unconfiguring a large number of static joins at a time or unconfiguring the class-map having large number of groups and executing the sh ip mroute count | incl groups command multiple times continuously. (Unconfiguration/configuration of a large number of static joins can be done only by using a class-map.)

Workaround: Do not check sh ip mroute count | incl groups continuously when unconfiguring or configuring a large number of mroutes.

CSCsq97517

Symptoms: On a newly-rebooted router, CEF states on SP will not be in sync with RP.

Conditions: It is a very rare race condition that triggers this problem. It is not seen on many platforms.

Workaround: There is no workaround, other than reloading the router.

CSCsr50834

Symptoms: A CPU hog may be seen after changing the "logging buffered" setting to 50MB or more. This issue can cause an OSPF flap.

Conditions: The symptoms are observed with Cisco IOS Release 12.2(33)SXH2 on a Cisco WS-C6506.

Workaround: Instead of manipulating such a large logging buffer at runtime when the device/network is busy, consider configuring the "logging buffered" setting once and save it as part of the startup configuration. This way, the huge logging buffer will be allocated during the device initialization without runtime impact.

CSCsr58515

Symptoms: The commands under the submode dspfarm profile are not retrofitted and the default values are not shown.

Conditions: The symptom is observed with the commands under the submode dspfarm profile. When the show run all command is executed, the default values are not displayed.

Workaround: There is no workaround.

CSCsr82895

Symptoms: When a router has many PPPoE sessions and the router is configured as an RP-mapping agent, the router crashes following a switchover.

Conditions: The symptom is observed when the router has 8000 PPPoE sessions and it is configured as an RP-mapping agent. Following a switchover, the issue is seen.

Workaround: Another router that does not have as many interfaces in the network should be configured as the RP-mapping agent.

CSCsr97343

Symptoms: An MSDP peer may flap randomly.

Conditions: The symptom is observed when the device is configured with logging host ip-address ... or logging host ip-address.

Workaround: It has been observed that removing the "logging host" configuration helps in preventing the peer-flap:

no logging host ip-address
no logging ip-address

CSCsu23940

Symptoms: The error message "Must remove traffic-shape configuration first" is seen, and QoS policy is not getting attached.

Conditions: This symptom is seen when attempting to attach a queuing policy-map ("bandwidth" configured) through a Frame-relay (FR) map-class to an FR-DLCI interface with FRTS enabled.

Workaround: There is no workaround.

Further Problem Description: This has a major functional impact as the QoS-Policy is not getting attached.

CSCsu25016

Symptoms: The pppoe-client command is not accepted on ATM interfaces. Cisco IOS software will report "% Unrecognized command" when an attempt is made to configure it.

Conditions: This symptom is observed when an attempt is made to configure the pppoe-client command.

Workaround: Use pppoe_client as the command prefix followed by the normal pppoe-client configuration items.

CSCsu39338

Symptoms: Redistributed routes are not removed even though network is down. Redistribution is done between BGP and OSPF.

Conditions: Occurs on a Cisco 7200 router.

Workaround: There is no workaround.

CSCsu40497

Symptoms: IPIPGW/CUBE drops the H.245 OpenLogicalChannel(OLC) received from Cisco Voice Portal (CVP). This results in call failure.

Conditions: This occurs when IPIPGW/CUBE is deployed in H.323-H.323 mode, running Cisco IOS Release 12.4(20)T and registered to a gatekeeper and talking to a CVP server.

Workaround: Do not register the IPIPGW/CUBE to a Gatekeeper.

CSCsu47486

Symptoms: Traceback seen while using the mgcp block-newcalls and no mgcp block-newcalls commands.

Conditions: The symptom is observed only during repeated configuration/unconfiguration of mgcp block-newcalls.

Workaround: There is no workaround.

CSCsu48898

Symptoms: A Cisco 10000 series router may crash every several minutes.

Conditions: The symptom is observed with a Cisco 10000 series router that is running Cisco IOS Release 12.2(31)SB13.

Workaround: Use Cisco IOS Release 12.2(31)SB11.

CSCsu49132

Symptoms: A router may crash when unconfiguring IPv6.

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.4T.

Workaround: There is no workaround.

CSCsu49204

Symptoms: A processor may crash while sending IMIX traffic at 80k packets per second (pps) across 30k PDPs. The system has 60k IP PDPs with Small Computer Systems Interface over IP (iSCSI) backup storage configuration.

Conditions: The following conditions trigger the crash (showing steps followed and sequence of events):

- Create 60k IP PDPs. The charging gateway is down and there is no iSCSI back configuration.

- Apply an iSCSI/GPRS-iSCSI configuration.

- Send IMIX traffic at 80k pps across 30k PDPs.

- After sending the traffic for about 10 minutes, the GPRS memory threshold is reached and some PDPs are deleted.

- The processor will crash.

Workaround: There is no workaround.

CSCsu49790

Symptoms: PVC range disappears after a second PVC range is configured.

Conditions: Occurs under the following scenario:

1) Configure a PVC range on a point-to-point interface.

2) Configure a second PVC range that approaches the maximum number of VCs possible.

Workaround: There is no workaround.

CSCsu51095