Release Notes for Cisco Content Services Gateway - 2nd Generation Release 3.5
Cisco IOS Release 12.4(22)MDA1
Revised: September 23, 2009
Current Release—12.4(22)MDA1
This publication describes the requirements, dependencies, and caveats for the Cisco Content Services Gateway - 2nd Generation, more commonly known as the Content Services Gateway 2 or CSG2.
This publication includes the following information:
• Prerequisites and Restrictions
• Caveats for Cisco IOS Release 12.4(22)MDA1
  – CSG2 Software for Cisco IOS Release 12.4(22)MDA1 - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(22)MDA1 - Closed Caveats
  – SAMI Software for Cisco IOS Release 12.4(22)MDA1 - Open Caveats
  – SAMI Software for Cisco IOS Release 12.4(22)MDA1 - Closed Caveats
• Caveats for Cisco IOS Release 12.4(22)MDA
  – CSG2 Software for Cisco IOS Release 12.4(22)MDA - Open Caveats
  – CSG2 Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats
  – SAMI Software for Cisco IOS Release 12.4(22)MDA - Open Caveats
  – SAMI Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats
• Documentation and Technical Assistance
Introduction
The CSG2 is an application that runs on the Service and Application Module for IP (SAMI), a high-speed processing module. The CSG2 provides content-aware billing, service control, traffic analysis, and data mining in a highly scalable, fault-tolerant package. The CSG2 provides the software required by mobile wireless operating companies and other billing, applications, and service customers.
The CSG2 runs on the SAMI, a new-generation high performance service module for the Cisco 7600 series router platforms. The CSG2 is typically located at the edge of a network in an Internet service provider (ISP) point of presence (POP), or Regional Data Center.
Features
This section lists the CSG2 features and the CSG2 release in which the feature was introduced. For full descriptions of all of these features, see the Cisco Content Services Gateway - 2nd Generation Release 3.5 Installation and Configuration Guide.
To see the software part numbers associated with each CSG2 release; the Supervisor hardware required by each CSG2 release; the minimum Cisco IOS release required for new features in each CSG2 release; and the minimum IOS level supported by each CSG2 release, see the "Software Requirements" section.
• CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA1
• CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA
CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA1
The CSG2 software for Cisco IOS Release 12.4(22)MDA1 supports the entire feature set listed in the "CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA" section.
In addition, the CSG2 software for Cisco IOS Release 12.4(22)MDA1 supports the following new features:
• MIB Support for DIAMETER
• MIB Support for Gx
• MIB Support for Gx Load Management
• MIB Support for Protocol Transaction Statistics
CSG2 Features Supported for Cisco IOS Release 12.4(22)MDA
The CSG2 Release 3.5 software for Cisco IOS Release 12.4(22)MDA supports the entire feature set for the CSG2 Release 3.0 software for Cisco IOS Release 12.4(22)MD.
In addition, the CSG2 software for Cisco IOS Release 12.4(22)MDA supports the following new features:
• Content Name Reporting
• Offline Billing Control
• Out-of-Order Forwarding of HTTP Packets
• Packet Logging and Reporting
• Policy Control via Gx Interface
• Policy Matching for HTTP Downgrade
• Policy Name Reporting
• Protocol Transaction Statistics
• Relative URI Matching
• Skype V3 and V4 Support
• Support for up to 32 Quota Servers
• TCP Signature Reporting
• Virtual Prepaid
System Requirements
This section describes the following memory and software requirements for CSG2:
• Determining the Software Version
For hardware requirements, such as power supply and environmental requirements, as well as hardware installation instructions, see the Service and Application Module for IP User Guide.
Memory Requirements
The CSG2 memory is not configurable.
The SAMI is available with a default 1-GB memory or an optional 2-GB memory.
Hardware Supported
Use of the CSG2 requires one of the following Cisco 7600 Series Routers and Supervisor Engines, and a module with ports to connect server and client networks:
• Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 (WS-SUP720) running Cisco IOS Release 12.4(22)MD or later
• Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy Feature Card 3B (WS-SUP720-3B) running Cisco IOS Release 12.4(22)MD or later
• Cisco 7600 Series Supervisor Engine 720 with a Multilayer Switch Feature Card 3 and Policy Feature Card 3BXL (WS-SUP720-3BXL) running Cisco IOS Release 12.2(33)SRB1 or later
• Cisco 7600 Series Supervisor Engine 32 with a Multilayer Switch Feature Card (WS-SUP32-GE-3B) running Cisco IOS Release 12.2(33)SRC or later and LCP ROMMON Version 12.2[121] or later
• Cisco 7600 Series Supervisor Engine 32 with a Multilayer Switch Feature Card and 10 Gigabit Ethernet Uplinks (WS-SUP32-10GE-3B) running Cisco IOS Release 12.4(22)MD or later and LCP ROMMON Version 12.2[121] or later
• Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3C (RSP720-3C-GE) running Cisco IOS Release 12.4(22)MD or later
• Cisco 7600 Series Route Switch Processor 720 with Distributed Forwarding Card 3CXL (RSP720-3CXL-GE) running Cisco IOS Release 12.2(33)SRC or later
Software Requirements
When referring to this section, keep the following considerations in mind:
• Do not use the Supervisor Hardware Supported column to infer supervisor hardware support. Consult the Cisco IOS Upgrade Planner to determine which IOS releases support the desired supervisor hardware.
• Each feature set is limited to those features that can be configured at the Minimum Cisco IOS Level Supported.
The following table lists the CSG2 and SAMI module part numbers and associated information for each CSG2 release:
Determining the Software Version
To determine the version of Cisco IOS software that is currently running on your Cisco network device, log in to the CSG2 or Supervisor Engine and enter the show version EXEC command.
To show CSG2 versions, log in to the Supervisor Engine and enter the show module command in privileged EXEC mode.
To provide meaningful problem determination information, log in to the CSG2 or Supervisor Engine and enter the show tech-support command in privileged EXEC mode.
Prerequisites and Restrictions
For the latest prerequisites and restrictions for the CSG2, see the "Overview" chapter of the Cisco Content Services Gateway - 2nd Generation Release 3.5 Installation and Configuration Guide.
Caveats for Cisco IOS Release 12.4(22)MDA1
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(22)MDA1.
• CSG2 Software for Cisco IOS Release 12.4(22)MDA1 - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(22)MDA1 - Closed Caveats
• SAMI Software for Cisco IOS Release 12.4(22)MDA1 - Open Caveats
• SAMI Software for Cisco IOS Release 12.4(22)MDA1 - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(22)MDA1 - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA1:
• CSCta44366—iSCSI connection not getting initiated from CSG2
If the CSG2 is rebooted and the configuration does not begin with any of the ip csg commands, then after the reboot the iSCSI connection from the CSG2 is not initiated, even if the ip csg iscsi profile command is configured.
Workaround: Before rebooting the CSG2, configure any of the ip csg commands and save the configuration.
• CSCtb04085—CSG 2 traceback - Bad refcount
The CSG2 might generate the following error message when it tries to send an HTTP redirect packet:
%SYS-2-BADSHARE: Bad refcount <function name>
Workaround: None.
• CSCtb70452—CSG2: Continue TLV correlator might not be unique
If the CSG2 generates a Continue CDR because the data does not fit in a single IP packet, and the correlator value in the Continue TLV is not unique for the CSG2, the BMA or quota server might associate data from the Continue CDR with an incorrect BMA or quota server record.
Workaround: There is no guaranteed workaround. The CSG2 typically sends Continue CDRs due to reporting of a large number of RADIUS attributes or protocol headers. If you can modify your configuration to report fewer attributes and protocol headers, that might reduce or eliminate the sending of Continue CDRs by the CSG2.
CSG2 Software for Cisco IOS Release 12.4(22)MDA1 - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA1:
• CSCsj17103—CSG2: Timestamps in Service Stop Notify not consistent
The CSG2 might generate a CDR with a Connection timestamp that is one second earlier than the Service-Start timestamp.
• CSCsx83748—The pcrf failure continue command has the same effect as pcrf failure terminate command when PCRF is down
Even if the PCRF is down, the pcrf failure continue command should allow users to be created. However, if the PCRF is down, the pcrf failure continue command does not work, and users cannot be created.
• CSCsz92620—R3.5: allocation failures for quota server token and QoS profile fastblk
When there is high traffic load on the CSG2, the output from the show fastblk command might indicate that the quota server and QoS memory pools experienced allocation failures. Some user sessions might be denied.
• CSCta06896—CSG2 R3.5 Gx: Incorrect error code when removing static object in preload
If the PCRF attempts to install or remove an object on the CSG2 which has already been configured, the CSG2 rejects the attempt but returns the wrong error code to the PCRF.
• CSCta07579—R3.5 Traceback clearing user running WAP traffic
During Layer 7 WAP inspection, a KUT_CLEANUP_ERROR traceback is dumped to the console when the CSG2 attempts to remove a WAP user from the User Table. The user is not removed from the User Table.
• CSCta12428—Gx: CCR-U not generated when volume threshold reached
When user traffic is forwarded during the time the CSG2 is waiting for a CCA-U in response to a CCR-U, sent after reaching the volume threshold, the CSG2 might not send a CCR-U (for volume threshold reached) and might not account for all traffic in a CCR-F (volume usage).
• CSCta18278—CSG2 R3.5: Service is set to prepaid by default for postpaid billing plan
Services under a postpaid billing plan are set to prepaid mode if the Online Billing AVP is not sent by the PCRF.
• CSCta18470—Gx: CSG2 returns result-code 2001 for CLI content object not inservice
If a preload service object references a content or policy that is configured on the CSG2 via the CLI, the preload object fails to install. However, the error code that the CSG2 returns to the PCRF does not explicitly indicate the cause of the failure.
• CSCta19594—Gx: Replicate session for content not set unless delay specified
The replicate session flag is not set for a content which is sent from the PCRF via preload. This problem can occur if the PCRF does not send the replicate-session-delay AVP along with the replicate-session AVP. That is, the PCRF must send the replicate-session-delay AVP along with the replicate-session AVP for this flag to be set.
• CSCta21064—CSG2: HTTP might reserve and not charge or cancel reserved quota
If an HTTP packet consists of retransmitted bytes of a previous transaction, and new bytes of a new transaction, a service's "reserved", as displayed in the output of the show ip csg user all detail command, might keep incrementing.
• CSCta27609—[CSG2-R3.5] CSG2 crash while sending segmented MMS URL for WAP
The CSG2 crashes while sending a segmented MMS URL for WAP.
For this problem to occur, all of the following conditions must be met:
  – You must configure a policy, content, and service for WAP.
  – You must initiate a WAP session from the client side with a segmented MMS URL.
  – You must configure a server to receive the packets.
• CSCta28453—Gx: The "interval time" displayed in the output for the show user detail command is a very large number
If the timer trigger for a Gx rule is disarmed and then rearmed throughout the installation of a single Gx rule, and a CSG2 failover occurs, then the "interval time" displayed in a Gx rule for a user is not accurate on the backup CSG2.
• CSCta37804—CSG2 R3.5: No CCR-F sent when clear ip csg user all is configured on the new active CSG2
After a CSG2 failover, the new active CSG2 might delay sending the CCR-F when removing replicated Gx users.
• CSCta39130—Byte reporting in resize TCP with RETX for multiple transactions
When a retransmitted packet has multiple transactions, the reported IP bytes for each transaction in that packet are incorrect.
• CSCta70187—Content inactive until recreated; cannot bring content WAP-WAP2 inservice
If a change is made on the standby CSG2, and a content is taken out of service, the CSG2 might not be able to bring the content back inservice. The following error message is generated:
% Cannot bring content <*> inservice, content out of service in progress
• CSCta87311—CSG2: Diameter Gx Session-Id might not be unique
A CSG2 Gx subscriber might not be allowed access to the network. This problem might occur when multiple GGSNs are using the same CSG2, and the GGSNs send the same value for the 3GPP-Charging-Id for different subscribers.
• CSCta97199—Unexpected repetitions of service reauthorizations
When the CSG2 is performing RADIUS reauthorization and time-based billing at the same time, the CSG2 might repeat RADIUS service reauthorizations.
• CSCtb23799—Gx: Attributes not reinitialized during service reinstall via preload
When modifying an existing configured object, such as a service, a service parameter is not reset to the default value when not specifically defined in a PUSH message from the PCRF.
• CSCtb31700—CSG2 R3: Transaction refund not accurate with tariff switch
When a tariff switch occurs for an open transaction, and the transaction also qualifies for refunding, a refund TLV is reported in a transaction CDR with 0 bytes refunded. However, the transaction reports that IP packets/bytes were passed.
• CSCtb37734—Potential access to a freed pointer
The CSG2 might crash when removing a configured content.
• CSCtb52211—Per-user QoS not applied with user-default billing plan
When a user is assigned a billing plan via the default billing plan option, the QoS profile configured under that billing plan is not applied to the user.
• CSCtb55974—Cannot configure TACACS on CSG2 12.4(22)MDA - %PARSER-6-EXPOSEDLOCKRELEA
When trying to configure TACACS on the CSG2, the following message is displayed:
SAMI 1/3: Aug 15 03:07:35 AEST: %SYS-5-CONFIG_I: Configured from console by cisco on vty1 (10.176.6.144)
SAMI 1/3: Aug 15 03:07:35 AEST: %PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "CSG config rollback", ipl= 0, pid= 125
The configuration is removed when exiting configuration mode.
• CSCtb71637—%CSG-3-KUT_CLEANUP_ERROR on CSG2
The CSG2 generates the following error messages continuously:
SAMI 1/8: Aug 30 14:05:33 AEST: %CSG-3-KUT_CLEANUP_ERROR: OPENMOBILEWEB, ip= 10.227.179.191, uid= 61425166227, (1/48/2822/9217), -Traceback= 0x4428BB68 0x45145678 0x451475CC 0x4514A2D0 0x4514A5D8 0x4513B158 0x450FBF6C 0x4524E69C 0x44F76AE8 0x44F948FC 0x44F97558 0x4507D9EC 0x44F624AC 0x44F624AC 0x4507DAA8 0x45081C10
SAMI 1/8: Aug 30 14:08:00 AEST: %CSG-3-KUT_CLEANUP_ERROR: OPENMOBILEWEB, ip= 10.228.102.132, uid= 61425170578, (1/48/2054/9217), -Traceback= 0x4428BB68 0x45145678 0x451475CC 0x4514A2D0 0x4514A5D8 0x4513B158 0x450FBF6C 0x4524E69C 0x44F76AE8 0x44F948FC 0x44F97558 0x4507D9EC 0x44F624AC 0x44F624AC 0x4507DAA8 0x44E6AEC4
• CSCtb80937—No Service Stop sent if Service Auth Resp does not contain Quadrans TLV
If the Service Authorization Response has only the DROP action code but not the Quadrans TLV, and a subscriber is not authorized to use a service, the CSG does not send out a Service Stop.
SAMI Software for Cisco IOS Release 12.4(22)MDA1 - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA1.
• CSCsj81608—The show cdp command fails
The show cdp entry * command output is empty.
Workaround: None.
• CSCsm31641—Port 10000 needs to be reserved for WISM card
The remote console and logging (RCaL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the Power PC's (PPC's) logging main-cpu port are both configured as port 10000.
Workaround: Use the default port 4000 for RCAL, or any port other than 10000.
• CSCsu24035—Terminating RCAL execution on SAMI LCP/PPC might cause an RCAL failure
If you use Ctrl-^ to terminate a remote console and logging (RCAL) execute-on from the Supervisor Engine into the SAMI line control processor (LCP) or PowerPC (PPC), the next RCAL execute-on attempt might fail.
Workaround: Disable logging listen on the Supervisor Engine, then re-enable it.
SAMI Software for Cisco IOS Release 12.4(22)MDA1 - Closed Caveats
The following list identifies the Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA1:
• CSCsq24002
Cisco IOS Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml.
• CSCsu50252
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
• CSCsv48603
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
• CSCsx70889
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
• CSCsy15227
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
• CSCsy54122
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
• CSCsz38104
The H.323 implementation in Cisco IOS Software contains a vulnerability that can be exploited remotely to cause a device that is running Cisco IOS Software to reload. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate the vulnerability apart from disabling H.323 if the device that is running Cisco IOS Software does not need to run H.323 for VoIP services. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-h323.shtml.
• CSCsz86656—SAMI is not setting the DBUS trust bit to 1
The SAMI is not setting the DBUS trust bit to 1, which in turn causes the Cisco 7600 Series Router to remark the DSCP of the packets.
Caveats for Cisco IOS Release 12.4(22)MDA
This section lists and describes all caveats, both Open and Closed, that affect the CSG2 or SAMI software for Cisco IOS Release 12.4(22)MDA.
• CSG2 Software for Cisco IOS Release 12.4(22)MDA - Open Caveats
• CSG2 Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats
• SAMI Software for Cisco IOS Release 12.4(22)MDA - Open Caveats
• SAMI Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats
CSG2 Software for Cisco IOS Release 12.4(22)MDA - Open Caveats
The following list identifies Open caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA.
• CSCsx83748—The pcrf failure continue command has the same effect as pcrf failure terminate command when PCRF is down
Even if the PCRF is down, the pcrf failure continue command should allow users to be created. However, if the PCRF is down, the pcrf failure continue command does not work, and users cannot be created.
Workaround: None.
CSG2 Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats
The following list identifies Closed caveats in the CSG2 software for Cisco IOS Release 12.4(22)MDA:
• CSCsq12202—CSG2: Downgraded HTTP traffic should match catchall policy if configured
When the CSG2 detects an HTTP protocol error, such as non-HTTP traffic hitting content that is configured with parse protocol http, it downgrades to Layer 4 inspection. The CSG2 allows all remaining traffic to pass through, and reports the traffic in the Unassigned Bytes TLV.
To be consistent with the CSG1, after downgrading to Layer 4 inspection the CSG2 should match the current transaction to the catchall policy in the content, if there is one configured. If no catchall policy is configured, then the CSG2 should use the block configuration in the content to determine whether to forward or block the traffic.
• CSCsu31071—Rollback is broken for some CSG2 maps, policies, and contents
Configuration rollback does not work for CSG2 maps, policies, and contents.
• CSCsv23706—CSG2: PoD send too early
The CSG2 might send a Packet of Disconnect (PoD) to a user, even if the user has enough quota.
For this problem to occur, all of the following conditions must be met:
  – The user must be a prepaid user.
  – The user must have either a high number of sessions or long-lived sessions.
  – PoD must be requested by the quota server.
• CSCsv60284—R3: The show interface command is very slow when the CSG2 is under stress
The show interface command returns output from all of the TPs and the CP. When the CSG2 is under stress, the command might take up to 2 minutes to display output.
• CSCsv60425—R3: Memory allocation failures under stress when routes are configured incorrectly
The CSG2 might experience a memory allocation failure on the I/O memory pool of one of its processors with a %SYS-2-MALLOCFAIL error message.
For this problem to occur, all of the following conditions must be met:
  – There must be no route to a given subscriber or server network.
  – There must be no default route.
  – There must be no next-hop (reverse) configured for the content.
• CSCsv66930—CSG2 crash at csg_kut_svc_timeout
The CSG2 might crash when the User Table entry for a subscriber is deleted due to a trigger, such as the receipt of a RADIUS Accounting Stop message.
The crash might also occur if the subscriber is using a prepaid service and the traffic that maps to the service is FTP or HTTP traffic parsed at Layer 7, or any IPv4 traffic parsed at Layer 4.
• CSCsv86553—CSG2 R3: Some HTTP traffic failed to count retransmission and extra crlf
A session might reset if the CSG2 is unable to count retransmitted or out-of-order packets. This problem can occur if the CSG2 does not have enough resources to count retransmitted or out-of-order packets, or if malformed packets caused packet counting errors.
• CSCsv93751—CSG2: %SYS-2-LINKED: Bad enqueue of 0 in queue
The CSG2 might display the following message in the log:
Bad enqueue of 0 in queue xxxxxx
• CSCsv95317—R3: Possible configuration failure when using more than one console
If you use more than one virtual teletype terminal (VTY console) when interacting with the CSG2 (for example, using one VTY to enter show commands and another to enter configuration commands), one of the VTYs might hang and the CSG2 will not allow further configuration commands. The CSG2 issues the following message:
Config failed, CSG being configured by line
You must reboot the CSG2 before continuing.
• CSCsv95675—CSG2: Quota is not credited back to the user when the quota server fails and passthrough is configured
Quota which could not be returned to the quota server is not credited back to the user.
For this problem to occur, all of the following conditions must be met:
  – Passthrough must be configured for the service.
  – The current quota must have been granted by the quota server with a quota timeout.
  – The CSG2 must be unable to successfully deliver the Quota Return message to the quota server (due to server failure).
• CSCsw18163—CSG2 R3 - Quota Return not carrying 8-byte values
When the CSG2 tries to return a quadrans value that exceeds a maximum long value, the Qualified Quadrans TLV in a Quota Return might truncate the 8-byte quadrans value to the lower 4 bytes.
• CSCsw34838—Error in Traffic Received when transmitted over 500 VRF VLANs 6 CPU
If bidirectional traffic is sent over 500 VRF VLANs across 6 CPU of a SAMI, the SAMI might drop some packets, or some of the packets might become corrupted.
• CSCsw66339—A maximum-length VRF name might be improperly handled by the CISCO-CONTENT-SERVICES-MIB
If a user configures a 32-character VRF name, and the VRF is used in a user database, BMA, or quota server definition, the CSG2 might experience buffer overflow problems, due to SNMP queries on the CISCO-CONTENT-SERVICES-MIB.
• CSCsw68626—Router crashes after executing the no server name command in AAA
When using the no server name command to remove the configured server name from an AAA server group, the 7200 router might crash.
• CSCsw74149—I/O memory depleted if a packet has ICMP source and destination IP addresses that are the same as the PPC interface IP address
If a packet has an ICMP source and destination IP address that is the same as the PPC interface IP address, the SAMI runs out of I/O memory, and the following message appears:
%SYS-2-MALLOCFAIL: Memory allocation of 1708 bytes failed from 0x45407D18, alignment 32
• CSCsx18737—The debug ip csg qs detail command might cause the CSG2 to crash when a Quota Push Request is received
The CSG2 might crash when the debug ip csg qs detail command is configured and a nonstandard Quota Push Request message is received.
• CSCsx47053—Syslog not generated immediately after User Table size exceeds license limit
When the number of users exceeds the licensed value, configured with the ip csg license warning-enable command in global configuration mode, the first syslog message is generated after five minutes:
SAMI 8/3: *Feb 5 09:17:11.555: %CSG-4-CSG_LICENSE_LIMIT_REMINDER_SYSLOG: KUT limit exceeded the license limit: Number of users accessing network concurrently has exceeded the license limit
• CSCsx72588—The ip csg entries user idle duration pod command is required for CSG2 PoD to work
Packet of Disconnect (PoD) can be configured at either the global level or at the billing plan level. Each level should work independently of the other. However, PoD is not working unless the ip csg entries user idle duration pod command is configured in global configuration mode.
• CSCsy17587—Memory leak with bad SCTP configuration
If the CSG2 is configured for redundancy with ipc zone, association, and protocol sctp commands, and the SCTP configuration is invalid, the CSG2 might experience a memory leak with the following message:
%CHKPT-3-UNKNOWNMSG: Unknown message received from peer on standby for client (0).
In addition, the output from the show memory command shows a decreasing amount of available I/O memory, and the output from the show buffers command shows an incrementing number of VeryBig buffers allocated on processor 3.
For this problem to occur, the invalid SCTP configuration must be configured with a remote port that is equal to the remote's local port, plus one, as shown in the following sample configuration. In this sample configuration, the local port is 5000 on each side. Therefore, the remote port on each side should also be 5000, but is incorrectly configured as 5001.
Side 1 configuration
ipc zone default
 association 1
  protocol sctp
   local-port 5000
    local-ip <x.x.x.x>
   remote-port 5001
    remote-ip <y.y.y.y>
Side 2 configuration
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip <y.y.y.y>
   remote-port 5001
    remote-ip <x.x.x.x>
• CSCsy20141—Memory leak when a content with policy in service using attribute maps
The CSG2 might experience a slow memory leak when adding attribute map matches.
• CSCsy48289—The powered-off standby CSG2 is not picking up the QoS profile from the active CSG2
A per-user QoS signaled from the quota server might not be replicated from the active CSG2 to the standby CSG2. If a failover occurs, traffic for that subscriber is either not subject to any QoS or is subject to the configured QoS, if any.
For this problem to occur, all of the following conditions must be met:
  – The QoS must be associated with the subscriber, not with a specific service.
  – The QoS must be signaled from the quota server, not configured.
  – The QoS must be present on the active CSG2 before the standby CSG2 boots up.
• CSCsy57824—WAP 1.x AoC URL redirect fails with meter exclude mms wap
With the meter exclude mms wap command configured and AoC enabled on a service, when a subscriber tries to browse with WAP 1.x, the CSG2 consults the quota server with a content authorization request, and the quota server responds with a content authorization response that contains the redirect action and the URL to redirect to. The page does not load on the subscriber's cell phone.
• CSCsy57839—CSG2: RADIUS debug can cause traceback and card reloading
If the CSG2 is configured for RADIUS endpoint or RADIUS proxy, and the debug ip csg radius command is entered, the CSG2 might reload.
• CSCsy57924—CSG2: Memory leak when removing RADIUS VSA configuration
If a large number of reporting RADIUS VSA subattributes are configured or unconfigured for the CSG2, a large number of messages like the following is generated:
0x4518DEAC 0000000272 0000000001 0000000272 CSG RADIUS VSA
• CSCsy73456—The CSG2 might crash after Stack for process CSG BGCFG running low
The CSG2 might crash with the following messages in the crash information file:
SAMI 4/3: Mar 25 13:58:30.665 ISR: %SYS-6-STACKLOW: Stack for process CSG BGCFG running low, 0/24000
%Software-forced reload
13:58:30 ISR Wed Mar 25 2009: Unexpected exception to CPU: vector 1500, PC = 0x4504A33C, LR = 0x4504A298
-Traceback= 0x4504A33C 0x4504A298 0x4504F6B4 0x4504F844 0x44E40654 0x450A0FCC 0x4504C384 0x4504FA64
For this problem to occur, all of the following conditions must be met:
–
A large map must be configured.
–
The map must contain many match statements, wildcards, and Boolean operators.
–
The map must be changed and the content put back in service.
•
CSCsy85405—Crash in HTTP code when the records delay command is configured
The CSG2 might reload under certain conditions.
For this problem to occur, all of the following conditions must be met:
–
The data flow must match a CSG content configured with policies that require HTTP deep packet inspection (accounting type http).
–
The user must be a prepaid user.
–
The records delay command must be configured under the HTTP content.
–
A retransmitted pipelined request or response packet must result in temporary quota exhaustion and a subsequent service reauthorization request to the quota server.
–
The transaction must close before the response is received from the quota server.
•
CSCsy93255—CSG2 traceback when clearing user entries
Under certain RTSP load and stress conditions, some entries remain in the CSG2 User Table. Trying to clear this state results in a traceback.
•
CSCsz07709—Distributed configuration and output fails after heavy stress
Entering distributed show commands, such as show proc cpu, from a Telnet or Supervisor Engine session into the SAMI module, while the CSG2 is under heavy stress, might cause the CSG2 to hang and fail at CPU 4.
Attempts to change the configuration result in the following message after exiting configuration mode:
%PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= "CSG config rollback", ipl= 0, pid= 122
•
CSCsz42035—CSG2: Quota Server bombarded with reauth requests for free service
For a prepaid subscriber with zero quota using a service with zero weight, the CSG2 might generate multiple reauthorization requests within a few seconds.
•
CSCsz43573—QoS rate-limit and drops TLV not reported in NBAR CDRs
The CSG2 NBAR CDRs might not report the QoS rate-limit TLV or QoS drop TLV.
For this problem to occur, all of the following conditions must be met:
–
One or more of the active contents must be configured with the parse protocol nbar command.
–
The subscriber or service that uses the content must have QoS either configured or signaled.
•
CSCsz59223—CSG2: Users on the standby CSG2 might be removed even though they are on the active CSG2
In a stateful redundant CSG2 configuration, the standby CSG2 User Table might not contain all of the subscribers that are present in the active CSG2 User Table.
This problem can occur if the standby CSG2 receives a RADIUS Accounting On or Off message from a GGSN, then receives a RADIUS Accounting Start message from the GGSN before completing processing of the RADIUS Accounting On or Off message.
This problem can also occur if the clear ip csg user command is entered.
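Added example (not part of the Cisco release notes): a small log triage script that flags the two message signatures quoted in the caveats above, the CSG BGCFG stack-low message of CSCsy73456 and the configuration lock release by "CSG config rollback" of CSCsz07709. The function name, the lookahead window, and the noise lines in the sample are assumptions made for illustration.

```python
import re

# IOS syslog body: %FACILITY-SEVERITY-MNEMONIC: text
MSG = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)")
STACKLOW = re.compile(r"Stack for process (?P<proc>.+?) running low, (?P<free>\d+)/(?P<size>\d+)")
LOCK_PROC = re.compile(r'-Process= "(?P<proc>[^"]+)"')
RELOAD = "%Software-forced reload"

def triage(lines, lookahead=3):
    """Return (caveat_id, line_number, detail) for each line that matches a
    message signature quoted in the caveat descriptions."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = MSG.search(line)
        if not m:
            continue  # e.g. the bare "%Software-forced reload" line
        key = (m["fac"], m["mnem"])
        if key == ("SYS", "STACKLOW"):
            s = STACKLOW.search(m["text"])
            # Only the CSG BGCFG process is named in CSCsy73456.
            if s and s["proc"] == "CSG BGCFG":
                # lines[n:] starts at the line after the current one.
                reloaded = any(RELOAD in nxt for nxt in lines[n:n + lookahead])
                detail = f"stack {s['free']}/{s['size']}"
                if reloaded:
                    detail += ", followed by forced reload"
                findings.append(("CSCsy73456", n, detail))
        elif key == ("PARSER", "EXPOSEDLOCKRELEASED"):
            p = LOCK_PROC.search(m["text"])
            # CSCsz07709 quotes the lock release by the rollback process.
            if p and p["proc"] == "CSG config rollback":
                findings.append(("CSCsz07709", n, f"lock released by {p['proc']}"))
    return findings

# Constructed sample: lines 2, 3 and 6 reuse the messages quoted above;
# lines 1, 4 and 5 are constructed noise that must not match.
SAMPLE = [
    "Mar 25 13:50:01.000 ISR: %SYS-5-CONFIG_I: Configured from console by console",
    "SAMI 4/3: Mar 25 13:58:30.665 ISR: %SYS-6-STACKLOW: Stack for process CSG BGCFG running low, 0/24000",
    "%Software-forced reload",
    "Mar 26 09:00:00.000 ISR: %SYS-6-STACKLOW: Stack for process Example Proc running low, 120/6000",
    "%PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= \"Exec\", ipl= 0, pid= 3",
    "%PARSER-6-EXPOSEDLOCKRELEASED: Exclusive configuration lock released from terminal '0' -Process= \"CSG config rollback\", ipl= 0, pid= 122",
]

if __name__ == "__main__":
    for caveat, line_no, detail in triage(SAMPLE):
        print(f"{caveat}: line {line_no}: {detail}")
```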
SAMI Software for Cisco IOS Release 12.4(22)MDA - Open Caveats
The following list identifies Open caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA.
•
CSCsj81608—The show cdp command fails
The show cdp entry * command output is empty.
Workaround: None.
•
CSCsm31641—Port 10000 needs to be reserved for WISM card
The remote console and logging (RCAL) feature on the CSG2 image might not work if the Supervisor Engine's logging listen port and the PowerPC's (PPC's) logging main-cpu port are both configured as port 10000.
Workaround: Use the default port 4000 for RCAL, or any port other than 10000.
•
CSCsu24035—Terminating RCAL execution on SAMI LCP/PPC might cause an RCAL failure
If you use Ctrl-^ to terminate a remote console and logging (RCAL) execute-on from the Supervisor Engine into the SAMI line control processor (LCP) or PowerPC (PPC), the next RCAL execute-on attempt might fail.
Workaround: Disable logging listen on the Supervisor Engine, then re-enable it.
SAMI Software for Cisco IOS Release 12.4(22)MDA - Closed Caveats
The following list identifies the Closed caveats in the SAMI software that impact the CSG2 software for Cisco IOS Release 12.4(22)MDA:
•
CSCsr18691
Cisco IOS devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available within the workarounds section of the posted advisory.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ios-fw.shtml
•
CSCsu24505
Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml
•
CSCsu39672—Sometimes SAMI LCP reloads while copying bundle to LCP CF during upgrade
The SAMI blade might reload while upgrading from the Supervisor Engine. The line control processor (LCP) crashes while copying an image to the SAMI from the Supervisor Engine. This problem can occur when you terminate an upgrade then immediately attempt another upgrade.
•
CSCsu70214
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•
CSCsv04836
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
•
CSCsv75948
Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml
•
CSCsw47076
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•
CSCsw97850—SAMI status LED should be orange during shutdown
The SAMI Status LED remains green during shutdown. It should change to orange during shutdown.
•
CSCsw78449—A SAMI processor might crash and console might hang when removing the iSCSI configuration
A SAMI processor might crash when removing the iSCSI configuration using the no ip iscsi profile command.
•
CSCsx07114
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•
CSCsx25880
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled. Cisco has released free software updates that address this vulnerability. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml.
Documentation and Technical Assistance
This section contains the following information:
•
Obtaining Documentation and Submitting a Service Request
Related Documentation
For more detailed installation and configuration information, see the following publications:
•
Cisco Content Services Gateway - 2nd Generation Release 3.5 Installation and Configuration Guide
•
Release Notes for Cisco Content Services Gateway - 2nd Generation Release 3.0
•
Service and Application Module for IP User Guide
•
Diameter Credit Control Application feature guide
•
Cisco IOS Security Configuration Guide, Cisco IOS Release 12.4
•
Cisco IOS Security Command Reference, Cisco IOS Release 12.4
•
Release Notes for Cisco IOS Release 12.2SR for the Cisco 7600 Series Routers
•
Cisco 7600 Series Cisco IOS Software Configuration Guide
•
Cisco 7600 Series Cisco IOS Command Reference
•
For information about MIBs, see:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
•
Cisco IOS Configuration Guides and Command References, Release 12.4—Use these publications to help you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM modules.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Copyright © 2009 Cisco Systems, Inc. All rights reserved.
