Release Notes for Cisco Content Services Gateway - 2nd Generation Release 2.0 Cisco IOS Release 12.4(15)MD3

Revised: September 23, 2009
Current Release—12.4(15)MD3

This publication describes the requirements, dependencies, and caveats for the Cisco Content Services Gateway - 2nd Generation, more commonly known as the Content Services Gateway 2 or CSG2.

This publication includes the following information:

Introduction

Features

System Requirements

Prerequisites and Restrictions

Caveats for Cisco IOS Release 12.4(15)MD3

CSG2 Software for Cisco IOS Release 12.4(15)MD3 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(15)MD3 - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(15)MD3 - Open Caveats

SAMI Software for Cisco IOS Release 12.4(15)MD3 - Closed Caveats

Caveats for Cisco IOS Release 12.4(15)MD2

CSG2 Software for Cisco IOS Release 12.4(15)MD2 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(15)MD2 - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(15)MD2 - Open Caveats

SAMI Software for Cisco IOS Release 12.4(15)MD2 - Closed Caveats

Caveats for Cisco IOS Release 12.4(15)MD1

CSG2 Software for Cisco IOS Release 12.4(15)MD1 - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(15)MD1 - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(15)MD1 - Open Caveats

SAMI Software for Cisco IOS Release 12.4(15)MD1 - Closed Caveats

Caveats for Cisco IOS Release 12.4(15)MD

CSG2 Software for Cisco IOS Release 12.4(15)MD - Open Caveats

CSG2 Software for Cisco IOS Release 12.4(15)MD - Closed Caveats

SAMI Software for Cisco IOS Release 12.4(15)MD - Open Caveats

SAMI Software for Cisco IOS Release 12.4(15)MD - Closed Caveats

Documentation and Technical Assistance

Introduction

The CSG2 is an application that runs on the Service and Application Module for IP (SAMI), a high-speed processing module. The CSG2 provides content-aware billing, service control, traffic analysis, and data mining in a highly scalable, fault-tolerant package. The CSG2 provides the software required by mobile wireless operating companies and other billing, applications, and service customers.

The CSG2 runs on the SAMI, a new-generation high performance service module for the Cisco 7600 series router platforms. The CSG2 is typically located at the edge of a network in an Internet service provider (ISP) point of presence (POP), or Regional Data Center.

Features

This section lists the CSG2 features and the CSG2 release in which the feature was introduced. For full descriptions of all of these features, see the Cisco Content Services Gateway - 2nd Generation Installation and Configuration Guide, Cisco IOS Release 12.4(15)MD.

To see the software part numbers associated with each CSG2 release; the Supervisor hardware required by each CSG2 release; the minimum Cisco IOS release required for new features in each CSG2 release; and the minimum IOS level supported by each CSG2 release, see the "Software Requirements" section.

CSG2 Features Supported for Cisco IOS Release 12.4(15)MD3

The CSG2 software for Cisco IOS Release 12.4(15)MD3 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(15)MD" section.

In addition, the CSG2 software for Cisco IOS Release 12.4(15)MD3 supports the following new features:

Policy Matching for HTTP Downgrade

For more information, see Closed caveat CSCsq12202.

CSG2 Features Supported for Cisco IOS Release 12.4(15)MD2

The CSG2 software for Cisco IOS Release 12.4(15)MD2 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(15)MD" section. There are no new features in this release.

CSG2 Features Supported for Cisco IOS Release 12.4(15)MD1

The CSG2 software for Cisco IOS Release 12.4(15)MD1 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(15)MD" section. There are no new features in this release.

CSG2 Features Supported for Cisco IOS Release 12.4(15)MD

The CSG2 Release 2.0 software for Cisco IOS Release 12.4(15)MD supports the entire feature set for the CSG2 Release 1.0 software for Cisco IOS Release 12.4(11)MD5.

In addition, the CSG2 software for Cisco IOS Release 12.4(15)MD supports the following new features:

RADIUS monitor

Layer 7 inspection for FTP

Layer 4 redundancy for FTP and RTSP

Layer 7 inspection for SIP

Roaming Service Control (also known as seamless roaming or RADIUS reauthorization)

Use of SAN via iSCSI for CDR backup

Larger CSG2 User Table: Up to 1,250,000 entries for the 2GB-SAMI option

Customizable CSG2 User Table entry deletion rate

Performance enhancements

Secure Shell (SSH) for remote maintenance

CISCO-PSD-CLIENT-MIB

New platform support

Cisco 7600 Series Supervisor Engine 32, with a Multilayer Switch Feature Card, running Cisco IOS Release 12.2(33)SRC or later and LCP ROMMON Version 12.2[121] or later

Cisco Route Switch Processor 720 with Distributed Forwarding Card DFC3CXL, running Cisco IOS Release 12.2(33)SRC or later

System Requirements

This section describes the following memory and software requirements for CSG2:

Memory Requirements

Hardware Supported

Software Requirements

Determining the Software Version

For hardware requirements, such as power supply and environmental requirements, as well as hardware installation instructions, see the Service and Application Module for IP User Guide.

Memory Requirements

The CSG2 memory is not configurable.

The SAMI is available with a default 1-GB memory or an optional 2-GB memory.

Hardware Supported

Use of the CSG2 requires one of the following supervisor engines, and a module with ports to connect server and client networks:

Supervisor Engine 720 with an MSFC3-BXL (SUP720-MSFC3-BXL) running Cisco IOS Release 12.2(33)SRB1 or later.

Cisco 7600 Series Supervisor Engine 32, with a Multilayer Switch Feature Card, running Cisco IOS Release 12.2(33)SRC or later and LCP ROMMON Version 12.2[121] or later

Cisco Route Switch Processor 720 with Distributed Forwarding Card DFC3CXL, running Cisco IOS Release 12.2(33)SRC or later

Software Requirements

This section includes the following information:

SAMI Module Part Numbers

CSG2 Software License Part Numbers

CSG2 Software Upgrade License Part Numbers

Supported Hardware and Software for the CSG2

When referring to this section, keep the following considerations in mind:

Do not use the Supervisor Hardware Supported column to infer supervisor hardware support. Consult the Cisco IOS Upgrade Planner to determine which IOS releases support the desired supervisor hardware.

Each feature set is limited to those features that can be configured at the Minimum Cisco IOS Level Supported.

SAMI Module Part Numbers

The following table lists the SAMI module part numbers and associated information for each CSG2 release:

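| CSG2 Release | SAMI Module Part Numbers | Supervisor Hardware Supported | Supervisor Software Minimum Cisco IOS Release Required for New Features | Supervisor Software Minimum Cisco IOS Level Supported |
|---|---|---|---|---|
| 12.4(15)MD3 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD3 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD3 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD2 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD2 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD2 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD1 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD1 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD1 | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD | WS-SVC-SAMI-BB-K9, WS-SVC-SAMI-BB-K9=, MEM-SAMI-6P-1GB, MEM-SAMI-6P-2GB | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |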


CSG2 Software License Part Numbers

The following table lists the CSG2 software license part numbers and associated information for each CSG2 release:

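| CSG2 Release | CSG2 Software Part Numbers | Supervisor Hardware Supported | Supervisor Software Minimum Cisco IOS Release Required for New Features | Supervisor Software Minimum Cisco IOS Level Supported |
|---|---|---|---|---|
| 12.4(15)MD3 | SSAC20K9-12415MD, SSAC20K9-12415MD= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD3 | SSAC20K9-12415MD, SSAC20K9-12415MD= | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD3 | SSAC20K9-12415MD, SSAC20K9-12415MD= | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD2 | SSAC20K9-12415MD, SSAC20K9-12415MD= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD2 | SSAC20K9-12415MD, SSAC20K9-12415MD= | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD2 | SSAC20K9-12415MD, SSAC20K9-12415MD= | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD1 | SSAC20K9-12415MD, SSAC20K9-12415MD= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD1 | SSAC20K9-12415MD, SSAC20K9-12415MD= | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD1 | SSAC20K9-12415MD, SSAC20K9-12415MD= | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD | SSAC20K9-12415MD, SSAC20K9-12415MD= | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD | SSAC20K9-12415MD, SSAC20K9-12415MD= | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD | SSAC20K9-12415MD, SSAC20K9-12415MD= | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |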


CSG2 Software Subscriber License Part Numbers

The following table lists the CSG2 software subscriber license part numbers and associated information for each CSG2 release:

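| CSG2 Release | CSG2 Software Part Numbers | Supervisor Hardware Supported | Supervisor Software Minimum Cisco IOS Release Required for New Features | Supervisor Software Minimum Cisco IOS Level Supported |
|---|---|---|---|---|
| 12.4(15)MD3 | FL-SC-10K-SUB, FL-SC-100K-SUB | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD3 | FL-SC-10K-SUB, FL-SC-100K-SUB | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD3 | FL-SC-10K-SUB, FL-SC-100K-SUB | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD2 | FL-SC-10K-SUB, FL-SC-100K-SUB | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD2 | FL-SC-10K-SUB, FL-SC-100K-SUB | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD2 | FL-SC-10K-SUB, FL-SC-100K-SUB | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD1 | FL-SC-10K-SUB, FL-SC-100K-SUB | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD1 | FL-SC-10K-SUB, FL-SC-100K-SUB | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD1 | FL-SC-10K-SUB, FL-SC-100K-SUB | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD | FL-SC-10K-SUB, FL-SC-100K-SUB | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD | FL-SC-10K-SUB, FL-SC-100K-SUB | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD | FL-SC-10K-SUB, FL-SC-100K-SUB | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |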


CSG2 Software Upgrade License Part Numbers

The following table lists the CSG2 software upgrade license part numbers and associated information for each CSG2 release:

| CSG2 Release | CSG2 Software Upgrade Part Numbers | Supervisor Hardware Supported | Supervisor Software Minimum Cisco IOS Release Required for New Features | Supervisor Software Minimum Cisco IOS Level Supported |
|---|---|---|---|---|
| 12.4(15)MD3 | FL-SC-R1R2-UP | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD3 | FL-SC-R1R2-UP | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD3 | FL-SC-R1R2-UP | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD2 | FL-SC-R1R2-UP | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD2 | FL-SC-R1R2-UP | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD2 | FL-SC-R1R2-UP | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD1 | FL-SC-R1R2-UP | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD1 | FL-SC-R1R2-UP | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD1 | FL-SC-R1R2-UP | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD | FL-SC-R1R2-UP | SUP720-MSFC3-BXL | 12.2(33)SRB1 | 12.2(33)SRB1 |
| 12.4(15)MD | FL-SC-R1R2-UP | SUP32-MSFC2A | 12.2(33)SRC | 12.2(33)SRC |
| 12.4(15)MD | FL-SC-R1R2-UP | RSP720-3CXL-GE | 12.2(33)SRC | 12.2(33)SRC |


Supported Hardware and Software for the CSG2

The following table lists the supported hardware and software for the CSG2:

Table 1 Supported Hardware and Software for the CSG2 

| Product Number | Product Description | Minimum Software Version | Recommended Software Version | Supervisor Software Cisco IOS Release |
|---|---|---|---|---|
| CSG2 | | | | |
| WS-SVC-SAMI-BB-K9 with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) for the Cisco 7600 series routers | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRB1 |
| WS-SVC-SAMI-BB-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) for the Cisco 7600 series routers | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRB1 |
| MEM-SAMI-6P-1GB with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) for the Cisco 7600 series routers | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRB1 |
| MEM-SAMI-6P-2GB with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) for the Cisco 7600 series routers | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRB1 |
| WS-SVC-SAMI-BB-K9 with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| WS-SVC-SAMI-BB-K9= with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| MEM-SAMI-6P-1GB with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| MEM-SAMI-6P-2GB with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| WS-SVC-SAMI-BB-K9 with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| WS-SVC-SAMI-BB-K9= with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| MEM-SAMI-6P-1GB with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| MEM-SAMI-6P-2GB with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | SAMI Module | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| SSAC20K9-12415MD with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRB1 |
| SSAC20K9-12415MD= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRB1 |
| SC-SVC-CSG2-P1-K9 with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | CSG2 Software License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| SC-SVC-CSG2-P1-K9= with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | CSG2 Software License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| SC-SVC-CSG2-P1-K9 with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | CSG2 Software License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| SC-SVC-CSG2-P1-K9= with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | CSG2 Software License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| FL-SC-10K-SUB with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRB1 |
| FL-SC-100K-SUB with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRB1 |
| FL-SC-10K-SUB with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| FL-SC-100K-SUB with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| FL-SC-10K-SUB with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| FL-SC-100K-SUB with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | CSG2 Software Subscriber License | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| SAMI-CSG2-R2AS-K9= with SUP720 with an MSFC3-BXL (SUP720-MSFC3-BXL) | CSG2 Software and SAMI Module Bundle | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRB1 |
| SAMI-CSG2-R2AS-K9= with SUP32 with an MSFC2A (SUP32-MSFC2A) for the Cisco 7600 series routers | CSG2 Software and SAMI Module Bundle | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| SAMI-CSG2-R2AS-K9= with RSP720 with DFC3CXL with two Gigabit Ethernet ports (RSP720-3CXL-GE) | CSG2 Software and SAMI Module Bundle | 12.4(15)MD | 12.4(15)MD3 | 12.2(33)SRC |
| Console Cable | | | | |
| 72-876-01 | Console Cable | Not applicable | Not applicable | Not applicable |
| Accessory Kit | | | | |
| 800-05097-01 | Accessory kit (contains the Console Cable) | Not applicable | Not applicable | Not applicable |


Determining the Software Version

To determine the version of Cisco IOS software that is currently running on your Cisco network device, log in to the CSG2 or Supervisor Engine and enter the show version EXEC command.

To show CSG2 versions, log in to the Supervisor Engine and enter the show module command in privileged EXEC mode.

To provide meaningful problem determination information, log in to the CSG2 or Supervisor Engine and enter the show tech-support command in privileged EXEC mode.

Prerequisites and Restrictions

For the latest prerequisites and restrictions for the CSG2, see the "Overview" chapter of the Cisco Content Services Gateway - 2nd Generation Release 2.0 Installation and Configuration Guide, Cisco IOS Release 12.4(15)MD.

Caveats for Cisco IOS Release 12.4(15)MD3

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(15)MD3.

CSG2 Software for Cisco IOS Release 12.4(15)MD3 - Open Caveats

The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD3.

CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server

In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of the responses from the quota server.

Workaround: Do not exceed the capacity of the CSG2.

CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for POD to work

The Packet of Disconnect (POD) feature does not work at the billing plan level.

Workaround: Configure PoD at the global level by configuring the pod keyword on the ip csg entries user idle pod command in global configuration mode.

CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap

With the meter exclude mms wap command configured and AoC enabled on a service, when a subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content authorization request, and the quota server responds with a content authorization response that specifies the redirect action and the URL to redirect to. The page does not load on the subscriber's cell phone.

Workaround: Disable the exclude mms option redirect command.

CSCta46295—Image crashes when performing a ROLLBACK between two running configurations

If you attempt a ROLLBACK with a saved running configuration, using the config replace (disk):(file) command on the CP, the CSG2 might crash.

Workaround: None.

CSG2 Software for Cisco IOS Release 12.4(15)MD3 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD3.

CSCsj17103—CSG2: Timestamps in Service Stop Notify not consistent

The CSG2 might generate a CDR with a Connection timestamp that is one second earlier than the Service-Start timestamp.

CSCsl57813—CSG2: Some show commands do not honor term length break sequence

When entering CSG2 show commands that collect and display information from all of the CPUs in the CSG2, the output might not break or pause as expected based on the term length configuration. If that happens, long output can scroll off-screen unexpectedly.

This problem does not occur for information gathered from the CP, whether in a distributed command or otherwise.

CSCsq12202—CSG2: Downgraded HTTP traffic should match catchall policy if configured

When the CSG2 detects an HTTP protocol error, such as non-HTTP traffic hitting content that is configured with parse protocol http, it downgrades to Layer 4 inspection. The CSG2 allows all remaining traffic to pass through, and reports the traffic in the Unassigned Bytes TLV.

To be consistent with the CSG1, after downgrading to Layer 4 inspection the CSG2 should match the current transaction to the catchall policy in the content, if there is one configured. If no catchall policy is configured, then the CSG2 should use the block configuration in the content to determine whether to forward or block the traffic.

CSCsv83744—Failure to complete cold-bulk results in HA stall

If a spanning tree loop occurs in an HA network, a standby CSG2 might become stuck in COLD-BULK state for several hours.

CSCsv95317—R3: Possible configuration failure when using more than one console

If you use more than one virtual teletype terminal (VTY console) when interacting with the CSG2 (for example, using one VTY to enter show commands and another to enter configuration commands), one of the VTYs might hang and the CSG2 will not allow further configuration commands. The CSG2 issues the following message:

Config failed, CSG being configured by line

You must reboot the CSG2 before continuing.

CSCsx18737—The debug ip csg qs detail command might cause the CSG2 to crash when a Quota Push Request is received

The CSG2 might crash when the debug ip csg qs detail command is configured and a nonstandard Quota Push Request message is received.

CSCsx33049—Service Reauthorization Request (SRAR) sent as first request

If the ip csg quota-server retransmit command is set to 5 or lower, and a quota server fails over, the CSG2 might send a Service Reauthorization Request (SRAR) before sending a Service Authorization Request.

CSCsy41471—Speedup recovery of RADIUS packet drop due to buffer depletion

If the CSG2 depleted the RADIUS attribute pool while processing a large number of RADIUS requests at a very high rate, it might fail to proxy RADIUS requests to the RADIUS server, while the "radius attribute" and "radius deny" counters continue to increase.

CSCsy57839—CSG2: RADIUS debug can cause traceback and card reloading

If the CSG2 is configured for RADIUS endpoint or RADIUS proxy, and the debug ip csg radius command is entered, the CSG2 might reload.

CSCsy73456—The CSG2 might crash after Stack for process CSG BGCFG running low

The CSG2 might crash with the following messages in the crash information file:

SAMI 4/3: Mar 25 13:58:30.665 ISR: %SYS-6-STACKLOW: Stack for process CSG BGCFG running low, 0/24000

%Software-forced reload

13:58:30 ISR Wed Mar 25 2009: Unexpected exception to CPU: vector 1500, PC = 0x4504A33C, LR = 0x4504A298

-Traceback= 0x4504A33C 0x4504A298 0x4504F6B4 0x4504F844 0x44E40654 0x450A0FCC 0x4504C384 0x4504FA64

For this problem to occur, all of the following conditions must be met:

A large map must be configured.

The map must contain many match statements, wildcards, and Boolean operators.

The map must be changed and the content put back in service.

CSCsy85405—Crash in HTTP code when the records delay command is configured

The CSG2 might reload under certain conditions.

For this problem to occur, all of the following conditions must be met:

The data flow must match a CSG content configured with policies that require HTTP deep packet inspection (accounting type http).

The user must be a prepaid user.

The records delay command must be configured under the HTTP content.

A retransmitted pipelined request or response packet must result in temporary quota exhaustion and a subsequent service reauthorization request to the quota server.

The transaction must close before the response is received from the quota server.

CSCsy93255—CSG2 traceback when clearing user entries

Under certain RTSP load and stress conditions, some entries remain in the CSG2 User Table. Trying to clear this state results in a traceback.

CSCsz42035—CSG2: Quota Server bombarded with reauth requests for free service

For a prepaid subscriber with zero quota using a service with zero weight, the CSG2 might generate multiple reauthorization requests within a few seconds.

CSCsz59223—CSG2: Users on the standby CSG2 might be removed even though they are on the active CSG2

In a stateful redundant CSG2 configuration, the standby CSG2 User Table might not contain all of the subscribers that are present in the active CSG2 User Table.

This problem can occur if the standby CSG2 receives a RADIUS Accounting On or Off message from a GGSN, then receives a RADIUS Accounting Start message from the GGSN before completing processing of the RADIUS Accounting On or Off message.

This problem can also occur if the clear ip csg user command is entered.

CSCsz69398—Memory leak - Leakage of RADIUS attributes

The CSG2 might encounter a memory leakage that results in a malloc failure of RADIUS attributes and prevents the CSG2 from processing incoming RADIUS requests.

CSCta07579—R3.5 Traceback clearing user running WAP traffic

During Layer 7 WAP inspection, a KUT_CLEANUP_ERROR traceback is dumped to the console when the CSG2 attempts to remove a WAP user from the User Table. The user is not removed from the User Table.

CSCta21064—CSG2: HTTP might reserve and not charge or cancel reserved quota

If an HTTP packet consists of retransmitted bytes of a previous transaction, and new bytes of a new transaction, a service's "reserved", as displayed in the output of the show ip csg user all detail command, might keep incrementing.

CSCta39130—Byte reporting in resize TCP with RETX for multiple transactions

When a retransmitted packet has multiple transactions, the reported IP bytes for each transaction in that packet are incorrect.

SAMI Software for Cisco IOS Release 12.4(15)MD3 - Open Caveats

The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(15)MD3.

CSCsm31641—Port 10000 must be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCaL, or any port other than 10000.

CSCsm40666—RCaL execute-on hangs when executed multiple times

When the Supervisor Engine is busy processing CLI, including the case in which a CLI-intensive management application is running, sending a remote console and logging (RCaL) execute-on command from the Supervisor Engine into the SAMI PowerPC (PPC) might cause the device to hang.

Workaround: Open another Telnet session and enter the same execute-on command. This will release the first hung execute-on command.

CSCsu24035—Terminating RCaL execution on SAMI LCP/PPC might cause an RCaL failure

If you use Ctrl-^ to terminate a remote console and logging (RCaL) execute-on from the Supervisor Engine into the SAMI line control processor (LCP) or PowerPC (PPC), the next RCaL execute-on attempt might fail.

Workaround: Disable logging listen on the Supervisor Engine, then re-enable it.

CSCsw19283—Not able to get the show run output through RCaL when more than 510 subinterfaces are configured

A remote console and logging (RCaL) show run for the SAMI from the Supervisor Engine does not display any output when the PowerPC (PPC) is configured with more than 510 subinterfaces.

Workaround: None.

CSCsw42794—Redirecting output to the PPC bootflash takes up to 100% in the SAMI

On the SAMI, redirecting show command output for a PowerPC (PPC) onto the PPC's bootflash can cause 100% CPU utilization.

Workaround: None.

SAMI Software for Cisco IOS Release 12.4(15)MD3 - Closed Caveats

The following list identifies Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(15)MD3.

CSCsq88312—Processor hangs after issuing reload

If there are too many syslog messages to be flushed out, the Cisco software application can hang after a reload command from the SAMI PPC.

CSCsv75277—SAMI_EOBC_MAC_PROCESS %SYS-3-CPUHOG: %SYS-3-CPUYLD: Task ran for (2392)

On the SAMI, bringing up a large number of subinterfaces by executing configuration commands in a particular order might result in tracebacks.

CSCsw74149—I/O memory depleted if a packet has ICMP source and destination IP addresses that are the same as the PPC interface IP address

If a packet has an ICMP source and destination IP address that is the same as the PPC interface IP address, the SAMI runs out of I/O memory, and the following message appears:

%SYS-2-MALLOCFAIL: Memory allocation of 1708 bytes failed from 0x45407D18, alignment 32

CSCsw78449—A SAMI processor might crash and console might hang when removing the iSCSI configuration

A SAMI processor might crash when removing the iSCSI configuration using the no ip iscsi profile command.

Caveats for Cisco IOS Release 12.4(15)MD2

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(15)MD2.

CSG2 Software for Cisco IOS Release 12.4(15)MD2 - Open Caveats

The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD2.

CSCsl57813—CSG2: Some show commands do not honor term length break sequence

When entering CSG2 show commands that collect and display information from all of the CPUs in the CSG2, the output might not break or pause as expected based on the term length configuration. If that happens, long output can scroll off-screen unexpectedly.

This problem does not occur for information gathered from the CP, whether in a distributed command or otherwise.

Workaround: None.

CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server

In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of the responses from the quota server.

Workaround: Do not exceed the capacity of the CSG2.

CSCsx72588—CSG2: The ip csg entries user idle command with the pod keyword is required for POD to work

The Packet of Disconnect (POD) feature does not work at the billing plan level.

Workaround: Configure POD at the global level by configuring the pod keyword on the ip csg entries user idle pod command in global configuration mode.

CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap

With the meter exclude mms wap command configured and AoC enabled on a service, when a subscriber tries to browse with WAP 1.x, the CSG2 sends a content authorization request to the quota server, and the quota server responds with a content authorization response that specifies the redirect action and the URL to redirect to. The page does not load on the subscriber's cell phone.

Workaround: Disable the exclude mms option redirect command.

CSG2 Software for Cisco IOS Release 12.4(15)MD2 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD2.

CSCsq78574—%SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0 error in log of 1841

The CSG2 displays the following message numerous times per second in the log of an 1841:

Apr 16 10:25:13: %SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0
-Process= "Per-minute Jobs", ipl= 4, pid= 166
-Traceback= 0x60913F98 0x601F0064 0x60214250 0x602D1EF4 0x615146B8 0x602F9A18
Apr 16 10:25:13: %SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0
-Process= "Per-minute Jobs", ipl= 4, pid= 166
-Traceback= 0x60913F98 0x601F0064 0x60214250 0x602D1EF4 0x615146B8 0x602F9A18
Apr 16 10:25:13: %SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0
-Process= "Per-minute Jobs", ipl= 4, pid= 166
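
The repeated-message symptom above can be checked for in collected syslog by grouping each message with its -Process= and -Traceback= continuation lines and counting identical messages per second. The following is an added example, not Cisco code; the function names and the threshold of three messages per second are assumptions, and the sample input is the excerpt quoted in these release notes plus the MALLOCFAIL message from CSCsw74149.

```python
import re
from collections import Counter, defaultdict

# Header line: optional "Mon DD HH:MM:SS: " timestamp, then %FACILITY-SEVERITY-MNEMONIC: text.
# Assumption: no sequence numbers or "*" clock markers precede the timestamp.
HEADER_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
PROCESS_RE = re.compile(
    r'^-Process=\s*"(?P<name>[^"]*)",\s*ipl=\s*(?P<ipl>\d+),\s*pid=\s*(?P<pid>\d+)'
)
TRACEBACK_RE = re.compile(r"^-Traceback=\s*(?P<frames>(?:0x[0-9A-Fa-f]+\s*)+)$")
QUEUE_RE = re.compile(r"Bad enqueue of (?P<item>\S+) in queue (?P<queue>\S+)")
MALLOC_RE = re.compile(
    r"Memory allocation of (?P<size>\d+) bytes failed from (?P<caller>0x[0-9A-Fa-f]+)"
)

# Sample input taken from the release notes; the third LINKED record is cut off
# after its -Process= line, exactly as in the excerpt.
SAMPLE = """\
Apr 16 10:25:13: %SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0
-Process= "Per-minute Jobs", ipl= 4, pid= 166
-Traceback= 0x60913F98 0x601F0064 0x60214250 0x602D1EF4 0x615146B8 0x602F9A18
Apr 16 10:25:13: %SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0
-Process= "Per-minute Jobs", ipl= 4, pid= 166
-Traceback= 0x60913F98 0x601F0064 0x60214250 0x602D1EF4 0x615146B8 0x602F9A18
Apr 16 10:25:13: %SYS-2-LINKED: Bad enqueue of 0 in queue 631A71B0
-Process= "Per-minute Jobs", ipl= 4, pid= 166
%SYS-2-MALLOCFAIL: Memory allocation of 1708 bytes failed from 0x45407D18, alignment 32
"""


def parse_records(lines):
    """Group each header line with its -Process=/-Traceback= continuation lines."""
    records, current = [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = {
                "ts": header.group("ts"),
                "tag": "%{facility}-{severity}-{mnemonic}".format(**header.groupdict()),
                "text": header.group("text"),
                "process": None,
                "pid": None,
                "traceback": [],
            }
            records.append(current)
            continue
        if current is None:
            continue  # continuation line before any header: nothing to attach it to
        proc = PROCESS_RE.match(line)
        if proc:
            current["process"] = proc.group("name")
            current["pid"] = int(proc.group("pid"))
            continue
        trace = TRACEBACK_RE.match(line)
        if trace:
            current["traceback"] = trace.group("frames").split()
    return records


def signature(record):
    """Stable grouping key: the tag plus the queue or caller address it names."""
    queue = QUEUE_RE.search(record["text"])
    if queue:
        return (record["tag"], "queue " + queue.group("queue"))
    alloc = MALLOC_RE.search(record["text"])
    if alloc:
        return (record["tag"], "caller " + alloc.group("caller"))
    return (record["tag"], record["text"])


def repeated_per_second(records, threshold=3):
    """Return {signature: {timestamp: count}} where count >= threshold in one second."""
    counts = defaultdict(Counter)
    for record in records:
        if record["ts"] is not None:  # untimestamped lines cannot be rated
            counts[signature(record)][record["ts"]] += 1
    flagged = {}
    for sig, per_ts in counts.items():
        hot = {ts: n for ts, n in per_ts.items() if n >= threshold}
        if hot:
            flagged[sig] = hot
    return flagged


def missing_traceback(records):
    """LINKED records with no traceback, e.g. a capture truncated mid-record."""
    return [r for r in records if r["tag"] == "%SYS-2-LINKED" and not r["traceback"]]


if __name__ == "__main__":
    parsed = parse_records(SAMPLE.splitlines())
    for sig, hits in repeated_per_second(parsed).items():
        print(sig, hits)
    print("records without traceback:", len(missing_traceback(parsed)))
```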

CSCsu64671—[CSG2-R2] No Service Reauthorization to quota server during MS roaming

On a Cisco CSG2 running an R2 image, service reauthorization might not be sent to the quota server during roaming.

For this problem to occur, all of the following conditions must be met:

The user must be a prepaid user.

Service must be configured with basis seconds.

RADIUS reauthorization must be configured in the CSG2.

The CSG2 must receive a RADIUS interim accounting update with different values for the configured RADIUS attributes.

CSCsv01597—R3: Special SIP INVITE causing DATA Corruption traceback

When the CSG2 performs Layer 7 SIP parsing on a packet that contains a SIP or SDP header token that exceeds 256 bytes, a DATA CORRUPTION traceback might be displayed on the console.

CSCsv12836—CSG2: The Qualified Remaining Quota TLV does not carry more than 4 bytes

If duration-based billing is configured, and the remaining quota is very large (greater than 2147483647), the CSG2 might not use the upper 4 bytes of the Qualified Remaining Quota TLV.

CSCsv27593—CSG2 R2 - Duration-based billing shows incorrect usage value in the SvcReAuthReq Usage TLV

If duration-based billing is configured, and there is a difference between the remaining quota and the quota required for the current transaction, and the last billable timestamp is very large (greater than 2147483647), the CSG2 might show an incorrect usage value in the SvcReAuthReq message.

CSCsv60425—R3: Memory allocation failures under stress when routes are configured incorrectly

The CSG2 might experience a memory allocation failure on the I/O memory pool of one of its processors with a %SYS-2-MALLOCFAIL error message.

For this problem to occur, all of the following conditions must be met:

There must be no route to a given subscriber or server network.

There must be no default route.

There must be no next-hop (reverse) configured for the content.

CSCsv66930—CSG2 crash at csg_kut_svc_timeout

A WS-SVC-SAMI-BB-K9 service blade running a c7svcsami-csg-mz or c7svcsami-csgk9-mz image might reload.

For this problem to occur, all of the following conditions must be met:

A CSG2 User Table entry for a subscriber must be deleted due to a trigger such as a RADIUS Accounting Stop message.

The subscriber must be using a prepaid service.

The traffic that maps to the prepaid service must be FTP or HTTP traffic parsed at Layer 7, or any Internet Protocol (IPv4) traffic parsed at Layer 4.

CSCsv76023—Unable to configure multiple RADIUS monitors for the same server

If you have already configured a RADIUS monitor for a RADIUS server address, and you try to configure another RADIUS monitor for that address but for a different port, the CSG2 might not allow you to do so.

CSCsv93751—CSG2: %SYS-2-LINKED: Bad enqueue of 0 in queue

The CSG2 displays the following message in the log:

Bad enqueue of 0 in queue xxxxxx

CSCsv95675—CSG2: Quota is not credited back to the user when the quota server fails and passthrough is configured

Quota which could not be returned to the quota server is not credited back to the user.

For this problem to occur, all of the following conditions must be met:

Passthrough must be configured for the service.

The current quota must have been granted by the quota server with a quota timeout.

The CSG2 must be unable to successfully deliver the Quota Return message to the quota server (due to server failure).

SAMI Software for Cisco IOS Release 12.4(15)MD2 - Open Caveats

The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(15)MD2.

CSCsm31641—Port 10000 must be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCaL, or any port other than 10000.

CSCsm40666—RCaL execute-on hangs when executed multiple times

When the Supervisor Engine is busy processing CLI, including the case in which a CLI-intensive management application is running, sending a remote console and logging (RCaL) execute-on command from the Supervisor Engine into the SAMI PowerPC (PPC) might cause the device to hang.

Workaround: Open another Telnet session and enter the same execute-on command. This will release the first hung execute-on command.

CSCsr68717—Malformed IPv6 packet causes performance degradation on SAMI

Interfaces in the SAMI might take a long time to respond to ping packets. This problem can occur if corrupted or malformed IPv6 packets are sent to the SAMI.

Workaround: Add IPv6 ACLs to the Supervisor Engine to prevent any IPv6 packets from entering the SAMI. When the ACLs are configured, the SAMI will no longer support GGSN IPv6.

CSCsu24035—Terminating RCaL execution on SAMI LCP/PPC might cause an RCaL failure

If you use Ctrl-^ to terminate a remote console and logging (RCaL) execute-on from the Supervisor Engine into the SAMI line control processor (LCP) or PowerPC (PPC), the next RCaL execute-on attempt might fail.

Workaround: Disable logging listen on the Supervisor Engine, then re-enable it.

CSCsw19283—Not able to get the show run output through RCaL when more than 510 subinterfaces are configured

A remote console and logging (RCaL) show run for the SAMI from the Supervisor Engine does not display any output when the PowerPC (PPC) is configured with more than 510 subinterfaces.

Workaround: None.

CSCsw42794—Redirecting output to the PPC bootflash takes up to 100% in the SAMI

On the SAMI, redirecting show command output for a PowerPC (PPC) onto the PPC's bootflash can cause 100% CPU utilization.

Workaround: None.

SAMI Software for Cisco IOS Release 12.4(15)MD2 - Closed Caveats

The following list identifies Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(15)MD2.

CSCsk64158—Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability

Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked; transit traffic will not block the interface.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory. This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml.

Details on how to determine whether an affected feature is enabled on a device are provided in the "Details" section of the advisory.

CSCsm27071—Cisco IOS Software Multiple Features IP Sockets Vulnerability

A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:

The configured feature may stop accepting new connections or sessions.

The memory of the device may be consumed.

The device may experience prolonged high CPU utilization.

The device may reload.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory. The advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml

CSCso04657—SSLVPN service stops accepting any new SSLVPN connections

Symptoms: SSLVPN service stops accepting any new SSLVPN connections.

Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If debug ip tcp transactions is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.

CSCsr29468—Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability

Cisco IOS software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.

Cisco has released free software updates that address this vulnerability.

Several mitigation strategies are outlined in the workarounds section of this advisory.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

CSCsu49204—Processor crashed while sending traffic across PDPs with iSCSI backup

If Small Computer Systems Interface over IP (iSCSI) backup is configured while the BMA is down, and there is a large volume of data plane traffic, a processor might crash.

CSCsv04836

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.

Caveats for Cisco IOS Release 12.4(15)MD1

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(15)MD1.

CSG2 Software for Cisco IOS Release 12.4(15)MD1 - Open Caveats

The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD1.

CSCsl57813—CSG2: Some show commands do not honor term length break sequence

When entering CSG2 show commands that collect and display information from all of the CPUs in the CSG2, the output might not break or pause as expected based on the term length configuration. If that happens, long output can scroll off-screen unexpectedly.

This problem does not occur for information gathered from the CP, whether in a distributed command or otherwise.

Workaround: None.

CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server

In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of the responses from the quota server.

Workaround: Do not exceed the capacity of the CSG2.

CSG2 Software for Cisco IOS Release 12.4(15)MD1 - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD1.

CSCso63210—CSG2 R2: Many users idling out of the CSG2 User Table degrades performance

If an idle timer is configured for the User Table, and if thousands of users idle out at the same time, the rate at which the CSG2 can handle incoming RADIUS messages is reduced.

CSCsq06947—CSG2: Unable to scale to 500K CSG2 User Table entries with 5 or more ip csg report radius attribute commands configured

When the CSG2 receives a higher-than-expected rate of RADIUS Accounting Starts with a large number of RADIUS attributes from the Network Access Server (NAS), it might deny the RADIUS requests because it cannot grow the buffer pool fast enough.

CSCsq17440—CSG2 R2: Incorrect request type used in RTSP AoC for interleaved

During Layer 7 inspection for RTSP, the quota server receives an incorrect content authorization request of type 0x08 (RTSP TCP). The request should be of type 0x09. The problem occurs when the RTSP session is transporting data over the control session (interleaved).

CSCsq25027—CSG2 R1: Incorrect service selected after removing configuration of billing plan

If you remove a configured billing plan or service using the no option (for example, no ip csg billing), and you then configure a new billing plan or service and assign it to a new transaction, the CSG2 might assign the wrong services to the transaction.

CSCsq31810—The CSG2 R2 HSRP stays disabled after group change

If the standby ip command is removed from a protected interface on the standby router, then reapplied, the reapplication fails, and output from the show standby command is empty.

For this problem to occur, one or more of the following conditions must be met:

The interface must be associated initially with a specific standby group. It must then be removed from that group, assigned to another group, then reassigned to the original group. For example:

interface gigabitEthernet 0/0.10
no standby 1 ip
standby 5 ip 10.10.30.105
no standby 5 ip
standby 1 ip

The standby version 2 command must be configured on the interface.

CSCsq52319—CSG2 memory is depleted when HTTP and SIP are configured on the same 1 GB SAMI

If both HTTP and SIP are configured on the same 1 GB SAMI, the CSG2's memory might be depleted. If this occurs, the CSG2 might deny incoming RADIUS requests.

CSCsq79149—CSG2 R2: Define New Units flag in Qualified TLVs for basis second transaction

TLVs that report units, such as the Qualified Usage TLV, might report a value of 1 (second) when basis second transaction is configured.

CSCsq90709—CSG2: The show ip csg user all command might not display some sticky user entries

The output from the show ip csg users all command might include some but not all of the sticky user entries.

CSCsr42444—The CSG2 does not allow user traffic in a VPN session in transparent mode

With a Cisco VPN client and a Cisco VPN concentrator, in a VPN session in IPSec transparent mode, no user traffic flows. The VPN connection is established, but traffic does not flow.

CSCsr43716—CSG2: RTSP crash due to URL fastblk memory corruption

While performing Layer 7 parsing of RTSP traffic, the CSG2 might crash if it receives a DESCRIBE message containing a URL that exceeds 512 bytes.

CSCsr45063—CSG2 - IMAP improperly handles token > 255 bytes

The CSG2 reloads with a crash indication.

The CSG2 might reload while performing L7 inspection of IMAP traffic if certain fields within the flow are >256 bytes.

CSCsr52175—Ping failure after excessive interface updates and error messages from IXP

If any combination of the following situations occurs:

Configuring thousands of exception dump commands with different addresses

Removing thousands of interfaces from the configuration

Thousands of HSRP state changes from ACTIVE to STANDBY on an interface

Then the following message might appear on the console:

%PLATFORM-1-DP_HM_FAIL: Failed to receive response from Fail to send message to IXP: Msgcode : %d
. Check `sami health-monitoring' configuration and see `show sami health-monitoring' for more info

Thereafter, although the interface might be UP on the CP, pings to the interface fail. Packets can be seen leaving the CSG2 from the interface, but data to the interface is not seen by the CP.

CSCsr57168—ServiceStop lost during quota server failure if User Table entry deleted

If multiple quota servers are active, and the user logs off during a quota server failover, the CSG2 might fail to generate a ServiceStop message. This might result in the user session not being billed correctly.

CSCsr93270—Year and month incorrect in BCD timestamps

If you configure the following commands:

records granularity service bytes 10240000 seconds 3600
ip csg records format fixed

Then CDRs for the service might report start and stop dates with years and months in the wrong format.

CSCsu03235—CSG2 - Redirection on zero quota grant not working with AoC enabled

If a service is configured for Advice of Charge, the CSG2 might fail to redirect a user when zero quota is received from the quota server in a Service Authorization Response.

CSCsu37742—Special SIP INVITE causing CSG2 to crash

The CSG2 might crash when performing Layer 7 SIP inspection. The crash can occur while the CSG2 is parsing an incorrectly formed SIP INVITE request (that is, a SIP INVITE request in which the SDP portion of the message contains extra carriage return and line feed characters).

SAMI Software for Cisco IOS Release 12.4(15)MD1 - Open Caveats

The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(15)MD1.

CSCsm31641—Port 10000 must be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCaL, or any port other than 10000.

SAMI Software for Cisco IOS Release 12.4(15)MD1 - Closed Caveats

The following list identifies Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(15)MD1.

CSCsq24002

Cisco IOS Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml.

CSCsq38262—Sup32: PPCs fail to download the configuration unless the boot string is configured in the Supervisor

The SAMI processors fail to download the configuration from the Supervisor Engine. EOBC traffic does not work. The session from the Supervisor Engine to processors 1-8 does not work.

For this problem to occur, one or more of the following conditions must be true:

Supervisor Engine 32 must be used in the chassis without executing the boot eobc upgrade command.

LCP ROMMON version 121 must have been used at some time on the SAMI.

The SAMI must be moved from a Supervisor Engine 32 to a Supervisor Engine 720 or Route Switch Processor 720, or vice versa.

Booting via EOBC must be used with a different version of the Supervisor Engine.

CSCsq47043—Standby crashes when re-configuring standby ip command

A router functioning as the standby for a Hot Standby Routing Protocol (HSRP) group might reload when it is dissociated from that group and then re-associated with it.

CSCsx70889

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

CSCsy15227

Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.

There are no workarounds that mitigate this vulnerability.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml

Caveats for Cisco IOS Release 12.4(15)MD

This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(15)MD.

CSG2 Software for Cisco IOS Release 12.4(15)MD - Open Caveats

The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD.

CSCsl57813—CSG2: Some show commands do not honor term length break sequence

When entering CSG2 show commands that collect and display information from all of the CPUs in the CSG2, the output might not break or pause as expected based on the term length configuration. If that happens, long output can scroll off-screen unexpectedly.

This problem does not occur for information gathered from the CP, whether in a distributed command or otherwise.

Workaround: None.

CSCso63210—CSG2 R2: Many users idling out of the CSG2 User Table degrades performance

If an idle timer is configured for the User Table, and if thousands of users idle out at the same time, the rate at which the CSG2 can handle incoming RADIUS messages is reduced.

Workaround: Either do not configure an idle timer for the User Table, or do not allow so many users to idle out of the User Table at the same time.

CSCsq05068—CSG2 R2: Prepaid RADIUS stress causes packet loss to the quota server

In a prepaid configuration that requires a billing plan from the quota server, if RADIUS Accounting Starts begin arriving at a rate that exceeds the capacity of the CSG2, the CSG2 might drop some of the responses from the quota server.

Workaround: Do not exceed the capacity of the CSG2.

CSCsq06947—CSG2: Unable to scale to 500K CSG2 User Table entries with 5 or more ip csg report radius attribute commands configured

When the CSG2 receives a higher-than-expected rate of RADIUS Accounting Starts with a large number of RADIUS attributes from the Network Access Server (NAS), it might deny the RADIUS requests because it cannot grow the buffer pool fast enough.

Workaround: None.

CSCsq17440—CSG2 R2: Incorrect request type used in RTSP AoC for interleaved

During Layer 7 inspection for RTSP, the quota server receives an incorrect content authorization request of type 0x08 (RTSP TCP). The request should be of type 0x09. The problem occurs when the RTSP session is transporting data over the control session (interleaved).

Workaround: Disable the AoC feature for RTSP traffic.

CSCsq25027—CSG2 R1: Incorrect service selected after removing configuration of billing plan

If you remove a configured billing plan or service using the no option (for example, no ip csg billing), and you then configure a new billing plan or service and assign it to a new transaction, the CSG2 might assign the wrong services to the transaction.

Workaround: Save the running configuration and force a reload of the CSG2.

CSCsq31810—The CSG2 R2 HSRP stays disabled after group change

If the standby ip command is removed from a protected interface on the standby router, then reapplied, the reapplication fails, and output from the show standby command is empty.

For this problem to occur, one or more of the following conditions must be met:

The interface must be associated initially with a specific standby group. It must then be removed from that group, assigned to another group, then reassigned to the original group. For example:

interface gigabitEthernet 0/0.10
no standby 1 ip
standby 5 ip 10.10.30.105
no standby 5 ip
standby 1 ip

The standby version 2 command must be configured on the interface.

Workaround: Save the running configuration and force a reload of the standby router.

CSCsq52319—CSG2 memory is depleted when HTTP and SIP are configured on the same 1 GB SAMI

If both HTTP and SIP are configured on the same 1 GB SAMI, the CSG2's memory might be depleted. If this occurs, the CSG2 might deny incoming RADIUS requests.

Workaround: Do not configure HTTP and SIP on the same board at the same time.

CSG2 Software for Cisco IOS Release 12.4(15)MD - Closed Caveats

The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(15)MD.

CSCsj16263—New connections denied during high traffic spike

Attempts to establish new connections through the CSG2 fail, particularly when traffic first starts to flow through the CSG2 at high volume. During this period, deep IPC queues are often observed on one or more of the CSG2 processors. Load management might show denied sessions.

For this problem to occur, the following conditions must all be true:

There must be very high rates of transactions or session establishment (greater than the specified rates).

There must be a rapid change in traffic conditions from low to a rate exceeding the specified capacity.

CSCsj33130—The CSG2 cannot boot up with a very large configuration

With configurations that include very large numbers of inservice contents that refer to policies with URL maps, the CSG2 can take more than 15 minutes to boot up, causing the CSG2 to be reset. This can result in a rebooting loop in which the CSG2 never fully enters service. This problem does not occur if the contents are not inservice when the CSG2 is rebooted.

CSCsl02342—Tariff switch not reporting all required TLVs in messages to BMA

If the quota server is configured to provide a tariff-switch time to the CSG2 in a SvcAuthResponse, the CSG2 does not report the tariff-switch TLV to the BMA.

CSCsm32575—R1: Crash if CDR format is changed from variable to fixed with traffic

The CSG2 might crash if the report format is changed from variable to fixed while running HTTP or RTSP traffic.

CSCsm34572—CSG2:R1- WAP aborts not sent for no quota and next-hop configuration

If WAP 1 content is configured with a next-hop address, the user has no quota at the start of a transaction, and WAP redirect is not configured, the transaction is not terminated with an abort.

If the user runs out of quota during a transaction, the transaction is not terminated with aborts to both the client and server, regardless of whether WAP redirect is configured.

CSCsm35164—CSG2 R1 Tiny window during bootup where CDRs might use internal clock time

If the CSG2 generates a CDR immediately after reloading, the value of the Start Time in the Timestamp TLV might be incorrect. Typically, the invalid value corresponds to a date in the year 2002.

This problem can occur if the CDR is generated before a value for the clock is received from the Supervisor Engine on a CSG2 Traffic Processor.

Since a clock value is usually received from the Supervisor Engine module shortly after bootup, the probability of this problem occurring is very small. Furthermore, deployment of CSG2s in a redundant configuration greatly reduces the probability of this problem occurring, because the redundant CSG2s receive a clock from the Supervisor Engine module before becoming active (and even before HSRP negotiation has completed).

CSCsm60821—CSG2: CDRs are generated on policy without accounting

The CSG2 might generate CDRs even when it is configured not to by disabling accounting under the CSG policy.

CSCsm84321—Quota server traffic stalls if no ip csg quota-server reassign is configured and the quota server fails

If no ip csg quota-server reassign is configured and the traffic to all quota servers stalls while one or more quota servers reports FAILED or flaps from FAILED to ACTIVE to FAILED, no quota server messages can get through and the CSG2 prevents prepaid traffic from flowing.

SAMI Software for Cisco IOS Release 12.4(15)MD - Open Caveats

The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(15)MD.

CSCsm31641—Port 10000 must be reserved for WISM card

The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.

Workaround: Use the default port 4000 for RCaL, or any port other than 10000.

CSCsq38262—Sup32: PPCs fail to download the configuration unless the boot string is configured in the Supervisor

The SAMI processors fail to download the configuration from the Supervisor Engine. EOBC traffic does not work. The session from the Supervisor Engine to processors 1-8 does not work.

For this problem to occur, one or more of the following conditions must be true:

Supervisor Engine 32 must be used in the chassis without executing the boot eobc upgrade command.

LCP ROMMON version 121 must have been used at some time on the SAMI.

The SAMI must be moved from a Supervisor Engine 32 to a Supervisor Engine 720 or Route Switch Processor 720, or vice versa.

Booting via EOBC must be used with a different version of the Supervisor Engine.

Workaround: If you move the SAMI from a Supervisor Engine 32 to a Supervisor Engine 720 or Route Switch Processor 720, or vice versa, use the following procedure to avoid this problem:

a. Configure the boot string on the Supervisor Engine:

Sup(config)# boot device module sami-slot disk0:sami image

b. Reset the SAMI to boot normally.

If the SAMI has a usable image on its compact flash, enter the following command:

Sup(config)# hw-module module sami-slot reset

Otherwise, boot the SAMI through the Ethernet Out-of-Band Channel (EOBC) from the Supervisor Engine by entering the following commands:

Sup(config)# boot device module sami-slot disk0:sami image

Sup(config)# hw-module module sami-slot boot eobc

Sup(config)# hw-module module sami-slot reset

c. After the SAMI comes up, ensure that the image is stored on the SAMI and automatically comes back up after a reboot by entering the following command:

Sup(config)# upgrade hw-module slot sami-slot software disk0:sami image

d. Remove the SAMI boot string configuration from the Supervisor Engine by entering the following command:

Sup(config)# no boot device module sami-slot disk0:sami image

SAMI Software for Cisco IOS Release 12.4(15)MD - Closed Caveats

The following list identifies Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(15)MD.

CSCsg94209—The show command on a CPU3-8 redirected to the Supervisor Engine produces a 0-byte file

From processor 3-8, a pipe redirect when using rcp to the Supervisor Engine can result in errors, or can cause the processor to reload. For example, the following command might result in a 0-byte file:

Router-3> sh tech | redirect rcp://127.0.0.81/shtech

CSCsj09391—No error messages on the CP when IXP runs out of destination filters

When the SAMI/CSG2 runs out of destination filters, a new IP address configuration might not be effective even though it is accepted, and no error message is issued when the IP address is configured.

To verify that the SAMI/CSG2 has run out of destination filters, enter the show sami ixp statistics command after applying an IP address. If the Out of filter elements counter is not zero, and if it increments as a result of configuring the IP address, then the Network Processor destination filter limit has been reached.

CSCsj17733—Values for entPhysicalFirmwareRev and entPhysicalSoftwareRev are not shown

The ENTITY-MIB entries entPhysicalFirmwareRev and entPhysicalSoftwareRev do not return any values from the SAMI processor.

Documentation and Technical Assistance

This section contains the following information:

Related Documentation

Obtaining Documentation and Submitting a Service Request

Related Documentation

For more detailed installation and configuration information, see the following publications:

Cisco Content Services Gateway - 2nd Generation Release 2.0 Installation and Configuration Guide, Cisco IOS Release 12.4(15)MD

Release Notes for Cisco Content Services Gateway - 2nd Generation Release 1.0, Cisco IOS Release 12.4(11)MD5

Service and Application Module for IP User Guide

Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers

Cisco 7600 Series Cisco IOS Software Configuration Guide

Cisco 7600 Series Cisco IOS Command Reference

For information about MIBs, see:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Cisco IOS Configuration Guides and Command References, Release 12.2—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.