Table Of Contents
Release Notes for SSG-MWAM Release 1.1 with Cisco IOS Release 12.3(5a)B5
Multi-processor WAN Application Module
Determining the Software Version
Upgrading to a New Software Release
New Hardware Features in Cisco IOS Release 12.3(5a)B5
New Software Features in Cisco IOS Release 12.3(5a)B5
New Hardware Features in Cisco IOS Release 12.3(5a)B4
New Software Features in Cisco IOS Release 12.3(5a)B4
New Hardware Features in Cisco IOS Release 12.3(5a)B3
New Software Features in Cisco IOS Release 12.3(5a)B3
New Hardware Features in Cisco IOS Release 12.3(5a)B2
New Software Features in Cisco IOS Release 12.3(5a)B2
New Hardware Features in Cisco IOS Release 12.3(5a)B1
New Software Features in Cisco IOS Release 12.3(5a)B1
New Hardware Features in Cisco IOS Release 12.3(5a)B
New Software Features in Cisco IOS Release 12.3(5a)B
New Hardware Features in Cisco IOS Release 12.3(3)B1
New Software Features in Cisco IOS Release 12.3(3)B1
New Hardware Features in Cisco IOS Release 12.3(3)B
New Software Features in Cisco IOS Release 12.3(3)B
New Hardware Features in Cisco IOS Release 12.3(1a)BW
New Software Features in Cisco IOS Release 12.3(1a)BW
MWAM Installation and Configuration
Limitations, Restrictions, and Important Notes
Resolved Caveats—Cisco IOS Release 12.3(5a)B5
Resolved Caveats—Cisco IOS Release 12.3(5a)B4
Resolved Caveats—Cisco IOS Release 12.3(5a)B3
Resolved Caveats—Cisco IOS Release 12.3(5a)B2
Open Caveats—Cisco IOS Release 12.3(5a)B1
Resolved Caveats—Cisco IOS Release 12.3(5a)B1
Resolved Caveats—Cisco IOS Release 12.3(5a)B
Resolved Caveats—Cisco IOS Release 12.3(3)B1
Resolved Caveats—Cisco IOS Release 12.3(3)B
Cisco IOS Software Documentation Set
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for SSG-MWAM Release 1.1 with Cisco IOS Release 12.3(5a)B5
May 12, 2005
Product Numbers:
SC-SVC-SS10—Cisco MWAM Series Service Selection Gateway - Mobile Wireless
SC-SVC-SSP-10=—Service Selection Gateway with Prepaid license
SC-SVC-SSD-10=—Service Selection Gateway Layer 2 Tunneling Protocol dial out license
These release notes include important information and caveats for Cisco SSG-MWAM Release 1.1, which provides the Service Selection Gateway (SSG) feature on the Multi-processor WAN Application Module (MWAM) using Cisco IOS Release 12.3(5a)B5.
Caveats for Cisco IOS Release 12.3 can be found on CCO at:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/prod_release_notes_list.html
Contents
This release note includes the following topics:
•
MWAM Installation and Configuration
•
Limitations, Restrictions, and Important Notes
•
Caveats
•
MIBs
•
Cisco Product Security Overview
•
Obtaining Technical Assistance
•
Obtaining Additional Publications and Information
Introduction
Cisco SSG-MWAM Release 1.1 implements the SSG on the Multi-processor WAN Application Module (MWAM). Cisco SSG-MWAM Release 1.1 increases session density and enhances interoperability with other products based on the Catalyst 6500/Cisco 7600 series platform.
Multi-processor WAN Application Module
The MWAM provides three processor complexes with dual processors used in two of the complexes and a single processor used in the remaining processor complex. This architecture provides five SSGs (see Figure 1) on one module. In addition, each Catalyst 6500/Cisco 7600 chassis can be populated with multiple MWAMs to enable a large number of subscribers to access network services under SSG control.
Figure 1 MWAM Architecture
The MWAM does not provide external ports but is connected to the switch fabric in the Catalyst 6500/Cisco 7600 chassis. An internal Gigabit Ethernet port provides an interface between each processor complex and the Supervisor module. Virtual Local Area Networks (VLANs) direct traffic from external ports via the Supervisor module to each SSG instance.
The software image that provides the SSG feature is downloaded through the Supervisor module and distributed to each processor complex on the MWAM(s). The same image is installed on all the processors in the MWAM.
Service Selection Gateway
The SSG is a Cisco IOS software feature module that enables service providers to create new revenue-generating opportunities by offering on-demand services. The SSG provides Remote Authentication Dial-in User Service (RADIUS) authentication and accounting for user-interactive policy routing to different IP destinations. This improves flexibility and convenience for subscribers, including the ability to log on to multiple services simultaneously, and enables service providers to bill subscribers based on connection time and services used, rather than charging a flat rate.
Traffic from the mobile user is addressed to an SSG on the MWAM. The request for access is forwarded to the Authentication, Authorization, and Accounting (AAA) server, and the user is authenticated and authorized to access the services defined in a user profile. Then data traffic is exchanged between the user and servers in the service network. Each network is defined with its own VLAN, and all SSGs on the MWAM access the same VLANs to receive and send data.
For more information about the features available in the SSG, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123limit/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/wan_vcg.htm#1000988
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guides_list.html
System Requirements
This section describes system requirements for SSG-MWAM Release 1.1.
Hardware
The SSG-MWAM Release 1.1 requires the following hardware components:
•
Catalyst 6500/Cisco 7600 series platform
•
Supervisor Engine 2 module with MSFC 2 daughter card
•
MWAM
A Hardware-Software Compatibility Matrix is available on CCO for users with CCO login accounts. This matrix allows users to search for supported hardware components by entering a Cisco platform and IOS Release. The Hardware-Software Compatibility Matrix tool is available at the following URL:
http://www.cisco.com/cgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi
Software
The SSG-MWAM Release 1.1 requires the following software components:
•
Cisco IOS 12.2(17d)SXB1 release (or higher) on the Supervisor module
•
MWAM software, which includes:
–
MWAM platform software
–
Cisco IOS 12.3(5a)B5 release
Memory
The MWAM provides two complexes that are equipped with 1 GB memory shared between two processors (512 MB each). The remaining processor complex, the one with only one processor, is equipped with 512 MB memory. The total memory capacity for the MWAM is 2.5 GB.
The MWAM memory cannot be configured.
Determining the Software Version
To determine the version of Cisco IOS software running on your MWAM, log in to the router on one of the MWAM processors and enter the show version EXEC command:
Router# show version
Cisco Internetwork Operating System Software
IOS (tm) MWAM Software (MWAM-G4JS-M), Version 12.3(5a)B3, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
The sample output above was captured from an earlier 12.3(5a)B3 image; an MWAM running the release covered by these notes reports Version 12.3(5a)B5 on the same line.
Upgrading to a New Software Release
For information on upgrading to a new software release, see the product bulletin Cisco IOS Software Upgrade Ordering Instructions located at:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd80281c0e.html
Upgrading IOS Image on MWAM
For information about upgrading SSG images on the MWAM, refer to the Multiprocessor WAN Application Module User Guide:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/servmod/mwam_ug/index.htm
Note
The image download process loads the IOS image onto the three processor complexes on the MWAM.
Upgrading ROMMON Software
A ROMMON software upgrade is not required for Cisco IOS 12.3(5a)B5.
New and Changed Information
The following is a list of the new hardware and software features supported by the MWAM on the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3B.
New Hardware Features in Cisco IOS Release 12.3(5a)B5
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B5.
New Software Features in Cisco IOS Release 12.3(5a)B5
There are no new software features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B5.
New Hardware Features in Cisco IOS Release 12.3(5a)B4
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B4.
New Software Features in Cisco IOS Release 12.3(5a)B4
There are no new software features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B4.
New Hardware Features in Cisco IOS Release 12.3(5a)B3
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B3.
New Software Features in Cisco IOS Release 12.3(5a)B3
There are no new software features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B3.
New Hardware Features in Cisco IOS Release 12.3(5a)B2
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B2.
New Software Features in Cisco IOS Release 12.3(5a)B2
There are no new software features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B2.
New Hardware Features in Cisco IOS Release 12.3(5a)B1
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B1.
New Software Features in Cisco IOS Release 12.3(5a)B1
There are no new software features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B1.
New Hardware Features in Cisco IOS Release 12.3(5a)B
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B.
New Software Features in Cisco IOS Release 12.3(5a)B
The following new software features are supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(5a)B.
•
Remote console support for the MWAM processor control (PC) complex
•
Inline IOS image upgrades
•
Persistent log files
These features are provided by a new release of the application partition on the MWAM. For more information, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/servmod/mwam_ug/index.htm
New Hardware Features in Cisco IOS Release 12.3(3)B1
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B1.
New Software Features in Cisco IOS Release 12.3(3)B1
There are no new software features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B1.
New Hardware Features in Cisco IOS Release 12.3(3)B
There are no new hardware features supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B.
New Software Features in Cisco IOS Release 12.3(3)B
The following new software features are supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(3)B:
Attribute Screening for Access Requests
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The Attribute Screening for Access Requests feature allows you to configure your network access server (NAS) to filter attributes in outbound Access-Requests sent to the RADIUS server for authentication or authorization.
RADIUS NAS-IP-Address Attribute Configurability
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The RADIUS NAS-IP-Address Attribute Configurability feature allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets. This feature may be used in situations in which service providers use a cluster of small network access servers (NASs) to simulate a large NAS and improve scalability: the NASs then behave as a single RADIUS client from the perspective of the RADIUS server. Because attribute 4 becomes a value asserted by the client, the RADIUS server should continue to identify and authenticate each NAS by the packet source address and shared secret rather than by the NAS-IP-Address attribute.
SSG Default DNS Redirection
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Default DNS Redirection feature allows a default Domain Name System (DNS) domain to be configured in a service profile. When a default DNS domain is configured, all DNS queries that do not match a service with a specific domain name will be redirected to the DNS server for a default service.
SSG Enhancements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG Enhancements describes Layer 2 Tunneling Protocol (L2TP) enhancements for authentication, service logon, and the interface between the Service Selection Gateway (SSG) and the Subscriber Edge Services Manager (SESM). For Release 12.3(3)B, SSG enhancements include a new Account-Info vendor specific attribute (VSA), Account-Accept VSA, and Service-Accept VSA.
The SSG interacts with the SESM, through a Remote Authentication Dial-in User Service (RADIUS) interface. SSG Enhancements describe the enhancements to the RADIUS interface to allow a separate Mobile Station ISDN Number (MSISDN) and Challenge Handshake Authentication Protocol (CHAP) for service logon. The SSG Enhancements documentation also describes error codes in the SSG response to the SESM.
For more information, see the SSG Enhancements feature at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/prod_release_note09186a00801b43aa.html#wp67474
SSG Permanent TCP Redirection
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Permanent TCP Redirection feature enables Service Selection Gateway (SSG), in conjunction with Cisco Subscriber Edge Services Manager (SESM), to provide service selection support to users whose web browsers are configured with HTTP proxy servers. This feature supports plug-and-play functionality in Public Wireless LANs.
SSG TCP Redirect Enhancements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The TCP Redirect feature is enhanced to allow access lists to be associated with server groups. This enhancement can be used to limit the kind of traffic that is redirected based on the source or destination IP address and/or TCP ports. It can also be used to redirect different sets of users to different dashboards for unauthenticated user and unauthorized service redirection.
For more information, see the SSG TCP Redirect Enhancements feature at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/prod_release_note09186a00801b43aa.html#wp67474
SSG Transparent Auto-Logon
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Transparent Auto-Logon (TAL) feature enables the Service Selection Gateway (SSG) to authenticate/authorize users based on IP packets received from the user. SSG authorizes users by using information from the Authentication, Authorization, and Accounting (AAA) server when a first IP packet is received from the user.
Users can be activated on SSG through Web-based login procedures using Service Edge Subscriber Management (SESM), RADIUS Proxy, and PPP session termination. The Transparent Auto-Logon feature provides an additional activation method. Transparent Auto-Logon provides SSG services to a user who is authorized based on the source IP address of packets received on a downlink interface of SSG, without any previous authentication phase.
For more information on the Transparent Auto-Logon feature, see the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/prod_release_note09186a00801b43aa.html#wp67474
New Hardware Features in Cisco IOS Release 12.3(1a)BW
The following new hardware feature is supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(1a)BW:
MWAM on Catalyst 6500/Cisco 7600 Platform
The MWAM is built on a base card-to-daughter card configuration (see Figure 1). It provides three SiByte (700MHz) processor complexes. Two of the processor complexes enable dual processors while the third processor complex enables only one processor because of the memory configuration.
Each SiByte complex has a 1 Gigabit Ethernet (GE) interface to the switch fabric. This connection appears as a GE interface from the Supervisor module.
The MWAM connects to the Catalyst 6500/Cisco 7600 bus for data and control traffic.
More information about the MWAM platform is available at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/servmod/mwam_ug/index.htm
New Software Features in Cisco IOS Release 12.3(1a)BW
The following new software features are supported by the Catalyst 6500/Cisco 7600 family for Cisco IOS Release 12.3(1a)BW.
EAP SIM Enhancements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
Two EAP-SIM enhancements for the Pebble Beach 1.1 solution:
•
AZR reboot cleanup: SSG now clears its active host objects (EAP-SIM and SESM users) when it receives a RADIUS Accounting-On or Accounting-Off from an AZR that has rebooted. This closes a security hole in which SSG kept the stale host objects after the reboot, so an illegitimate user could hijack a valid user's session simply by using that user's IP address.
•
SESM reconnect for EAP-SIM users: EAP-SIM users must access the SESM and perform an Account Logoff. After the logoff they can access the SESM and perform an Account Logon again.
IP Pool Backup
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The IP Pool Backup feature introduces two new interface configuration commands, peer pool backup and peer pool static, which allow you to define alternate sources for IP address pools in the event the original address pool is not present or is exhausted.
The peer pool backup command is useful in large-scale dial-out environments with large numbers of independently controlled authentication, authorization, and accounting (AAA) servers that can make it difficult for the network access server (NAS) to provide proper IP address pool resolution in the following cases:
•
A new pool name is introduced by one of the AAA servers before that pool is set up on the NAS.
•
An existing local pool becomes exhausted, but the owner of that AAA server has other pools that would be acceptable as an IP address source.
The peer pool backup command uses the local pool names configured with the peer default ip address pool interface configuration command to supplement the pool names supplied by AAA. The problems of pool name resolution and specific local pool exhaustion can be solved by configuring backup pool names on a per-interface basis using the peer default ip address pool and peer pool backup interface configuration commands.
The peer pool static command controls attempts by the pool software to load dynamic pools in response to a pool request from a specific interface. These dynamic pools are loaded at system startup and refreshed whenever a pool name not configured on the NAS is specified for IP address allocation. Because the behavior of the NAS in response to a missing pool name can be changed using the peer pool backup interface configuration command, you can use the peer pool static command to control attempts to load all dynamic pools when the AAA-supplied pool name is not an existing local pool name.
Multilink PPP Minimum Links Mandatory
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
Multilink PPP allows multiple PPP links to be established in parallel to the same destination. Multilink PPP is often used with dialup lines or ISDN connections to easily increase the amount of bandwidth between points.
With the introduction of the Multilink PPP Minimum Links Mandatory feature, you can configure the minimum number of links in a Multilink PPP (MLP) bundle required to keep that bundle active by entering the ppp multilink min-links links mandatory command. When you configure this command, all Network Control Protocols (NCPs) for an MLP bundle are disabled until the MLP bundle has the required minimum number of links. When a new link is added to the MLP bundle that brings the number of links up to the required minimum number of links, the NCPs are activated for the MLP bundle. When a link is removed from an MLP bundle, and the number of links falls below the required minimum number of links for that MLP bundle, the NCPs are disabled for that MLP bundle.
PPPoE Session Limit Per NAS Port
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
Using the PPPoE Session Limit Per NAS Port feature, you can limit the number of sessions on a specific virtual circuit (VC) or VLAN configured on an L2TP access concentrator (LAC). The NAS port is either an ATM VC or a configured VLAN ID.
The PPPoE session limit per NAS port is maintained in a RADIUS server customer profile database. This customer profile database is connected to a LAC and is separate from the RADIUS server that the LAC and L2TP Network Server (LNS) use for the authentication and authorization of incoming users. When the customer profile database receives a pre-authorization request from the LAC, it sends the PPPoE per NAS port session limit to the LAC.
The LAC sends a pre-authorization request to the customer profile database when the LAC is configured for Subscriber Service Switch (SSS) pre-authorization. Configure the LAC for SSS pre-authorization using the sss-subscriber access pppoe pre-authorize command. When the LAC receives the PPPoE per NAS port session limit from the customer profile database, the LAC compares it to the number of sessions currently on the NAS port. The LAC then decides whether to accept or reject the current call based on the configured PPPoE per NAS port session limit and the number of calls currently on the NAS port.
You can configure other types of session limits on the LAC including session limit per VC, per VLAN, per MAC, or a global session limit for the LAC. When PPPoE Session Limit Per NAS Port is enabled (that is, when you have enabled SSS pre-authorization on the LAC), local configurations for session limit per VC and per VLAN are overwritten by the PPPoE per NAS port session limit downloaded from the customer profile database. Configured session limits per VC and per VLAN serve as backups in case of a PPPoE per NAS port session limit download failure.
The customer profile database consists of user profiles for each user connected to the LAC. Each user profile contains the NAS-IP-Address (Attribute 4) and the NAS-Port-ID (Attribute 5). When the LAC is configured for SSS pre-authorization, it queries the customer profile database using the username. When a match is found, the customer profile database sends the PPPoE per NAS port session limit from that user profile, where it is defined as a Cisco AVpair.
RFC-2867 RADIUS Tunnel Accounting
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The RFC-2867 RADIUS Tunnel Accounting feature introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop). These new accounting types are designed to support the provision of compulsory tunneling in dialup networks; that is, these attribute types allow you to better track tunnel status changes.
This feature also introduces two new commands—vpdn session accounting network (tunnel-link-type records) and vpdn tunnel accounting network (tunnel-type records)—that help identify the following events:
•
A virtual private dialup network (VPDN) tunnel is brought up or destroyed
•
A request to create a VPDN tunnel is rejected
•
A user session within a VPDN tunnel is brought up or brought down
•
A user session create request is rejected
Note
The first two events are tunnel-type accounting records: authentication, authorization, and accounting (AAA) sends Tunnel-Start, Tunnel-Stop, or Tunnel-Reject accounting records to the RADIUS server. The next two events are tunnel-link-type accounting records: AAA sends Tunnel-Link-Start, Tunnel-Link-Stop, or Tunnel-Link-Reject accounting records to the RADIUS server.
Note
The accounting types are divided into two separate tunnel types so users can decide if they want tunnel type, tunnel-link type, or both types of accounting.
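Two passages in these notes turn on RADIUS accounting semantics: the EAP-SIM enhancement that clears stale host objects when an AZR reboots and sends Accounting-On/Off, and the RFC-2867 tunnel accounting record types above. The following Python is an added example written for this page, not Cisco or SSG code. It encodes and verifies an Accounting-Request per RFC 2866, classifies Acct-Status-Type values into session, tunnel-type and tunnel-link-type records, and models an SSG host table that drops every host object created by an AZR when a verified Accounting-On arrives, so that a stale IP address can no longer be used to hijack the session. The shared secret, addresses and session ID are constructed, and the SsgHostTable class (logon, is_authorized, handle_accounting) is a hypothetical stand-in for the SSG's internal host objects.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4      # RADIUS packet code
NAS_IP_ADDRESS = 4          # attribute 4
ACCT_STATUS_TYPE = 40       # attribute 40
ACCT_SESSION_ID = 44        # attribute 44

# Acct-Status-Type values: RFC 2866 session/NAS types plus the six RFC 2867 tunnel types
STATUS_TYPES = {
    1: "Start", 2: "Stop", 3: "Interim-Update", 7: "Accounting-On", 8: "Accounting-Off",
    9: "Tunnel-Start", 10: "Tunnel-Stop", 11: "Tunnel-Reject",
    12: "Tunnel-Link-Start", 13: "Tunnel-Link-Stop", 14: "Tunnel-Link-Reject",
}
TUNNEL_TYPE = {"Tunnel-Start", "Tunnel-Stop", "Tunnel-Reject"}
TUNNEL_LINK_TYPE = {"Tunnel-Link-Start", "Tunnel-Link-Stop", "Tunnel-Link-Reject"}


def record_class(status_code):
    """Group a status code the way the two vpdn accounting commands enable records separately."""
    name = STATUS_TYPES.get(status_code)
    if name in TUNNEL_TYPE:
        return "tunnel-type"
    if name in TUNNEL_LINK_TYPE:
        return "tunnel-link-type"
    return "session" if name else "unknown"


def build_accounting_request(identifier, secret, attrs):
    """Encode an Accounting-Request; attrs is a list of (type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 section 3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+attributes+secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Return {attr_type: value} if the Request Authenticator verifies, else None."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return None                      # wrong shared secret or tampered packet
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return None                  # malformed attribute header
        attrs[attr_type] = body[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


class SsgHostTable:
    """Hypothetical model of SSG host objects keyed by subscriber IP, remembering the creating AZR."""

    def __init__(self):
        self.hosts = {}                  # subscriber ip -> NAS (AZR) ip that authenticated it

    def logon(self, ip, nas_ip):
        self.hosts[ip] = nas_ip

    def is_authorized(self, ip):
        return ip in self.hosts

    def handle_accounting(self, packet, secret):
        attrs = parse_accounting_request(packet, secret)
        if attrs is None:
            return "dropped"
        if len(attrs.get(ACCT_STATUS_TYPE, b"")) != 4 or len(attrs.get(NAS_IP_ADDRESS, b"")) != 4:
            return "dropped"
        status = STATUS_TYPES.get(struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0], "unknown")
        nas_ip = str(IPv4Address(attrs[NAS_IP_ADDRESS]))
        if status in ("Accounting-On", "Accounting-Off"):
            # The AZR rebooted: every host it authenticated is stale, and its IP address must
            # not stay usable by whoever shows up with that address next.
            stale = [ip for ip, nas in self.hosts.items() if nas == nas_ip]
            for ip in stale:
                del self.hosts[ip]
            return f"{status} from {nas_ip}: cleared {len(stale)} hosts"
        return f"{status} from {nas_ip}"


def demo():
    secret = b"constructed-shared-secret"       # constructed sample secret
    azr = IPv4Address("192.0.2.10")             # constructed AZR address
    table = SsgHostTable()
    table.logon("10.1.1.5", "192.0.2.10")       # EAP-SIM users behind the AZR that will reboot
    table.logon("10.1.1.6", "192.0.2.10")
    table.logon("10.2.2.7", "192.0.2.20")       # user behind a different AZR, must survive
    on = [(ACCT_STATUS_TYPE, struct.pack("!I", 7)), (NAS_IP_ADDRESS, azr.packed)]
    genuine = table.handle_accounting(build_accounting_request(1, secret, on), secret)
    forged = table.handle_accounting(build_accounting_request(2, b"guess", on), secret)
    link = [(ACCT_STATUS_TYPE, struct.pack("!I", 12)), (NAS_IP_ADDRESS, azr.packed),
            (ACCT_SESSION_ID, b"0000001A")]     # constructed tunnel-link-type record
    tunnel = table.handle_accounting(build_accounting_request(3, secret, link), secret)
    return genuine, forged, tunnel, table.is_authorized("10.1.1.5"), table.is_authorized("10.2.2.7")
```

The forged Accounting-On built with the wrong secret is dropped rather than acted on, which matters here: a message that flushes every session behind a NAS is itself a denial-of-service lever if the receiver does not verify the Request Authenticator.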
Service Selection Gateway
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
Service Selection Gateway (SSG) is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as xDSL, cable modems, or wireless to allow simultaneous access to network services.
For more information about SSG, refer to the Service Selection Gateway document.
SSG Autologoff Enhancement
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Autologoff Enhancement feature configures the Service Selection Gateway (SSG) to check the MAC address of a host each time SSG performs an Address Resolution Protocol (ARP) ping. If the MAC address of the host has changed, SSG automatically initiates the logoff of that host. This prevents unauthorized reuse of IP addresses (spoofing). SSG MAC address checking also detects the assignment of a host IP address to a different host before the original host initiates a logoff and clears its host object, which prevents session reuse by the second host.
ARP Ping
The ARP is an Internet protocol used to map IP addresses to MAC addresses in directly connected devices. A router that uses ARP will broadcast ARP requests for IP address information. When an IP address is successfully associated with a MAC address, the router stores the information in the ARP cache.
When SSG Autologoff is configured to use ARP ping, SSG periodically checks the ARP cache tables. If a table entry for a host is found, SSG forces ARP to refresh the entry and checks the entry again after a configured interval. If a table entry is not found, SSG initiates autologoff for the host. However, if any data traffic to or from the host occurred during the interval, SSG does not ping the host because the reachability of the host during that interval was established by the data traffic.
When SSG MAC address checking is configured, SSG checks the MAC address of a host when an ARP ping is performed. If SSG detects a different host MAC address, it initiates an automatic logoff of that host.
Note
ARP ping should be used only in deployment scenarios in which all hosts are directly connected to SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as a routed bridge encapsulation (RBE) or integrated routing and bridging (IRB) interface.
ARP request packets are smaller than Internet Control Message Protocol (ICMP) ping packets, so it is recommended that you configure SSG Autologoff to use ARP ping in scenarios where hosts are directly connected.
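The ARP ping and MAC address checking logic described above, as an added example for this page rather than SSG code: a hypothetical SsgAutologoff class holds host objects, skips the ping for any host that sent or received data during the last interval, logs off a host whose ARP entry cannot be refreshed, and, when MAC checking is on, logs off a host whose IP address now answers from a different MAC address. The ArpCache class is a constructed stand-in for the router's ARP table, and all addresses and timings are constructed.

```python
from dataclasses import dataclass


@dataclass
class HostObject:
    ip: str
    mac: str              # MAC address learned when the host logged on
    last_traffic: float   # time of the last data packet seen to or from the host


class ArpCache:
    """Constructed stand-in for the router ARP table; refresh() plays the part of a forced re-ARP."""

    def __init__(self, entries):
        self.entries = dict(entries)       # ip -> mac; no entry means the host no longer answers

    def refresh(self, ip):
        return self.entries.get(ip)


class SsgAutologoff:
    """Hypothetical model of ARP-ping autologoff with optional MAC address checking."""

    def __init__(self, arp, interval, mac_check=True):
        self.arp = arp
        self.interval = interval           # seconds between ARP pings of an idle host
        self.mac_check = mac_check
        self.hosts = {}
        self.log = []                      # (ip, reason) for every forced logoff

    def logon(self, ip, mac, now):
        self.hosts[ip] = HostObject(ip, mac.lower(), now)

    def data_seen(self, ip, now):
        if ip in self.hosts:
            self.hosts[ip].last_traffic = now

    def arp_ping_cycle(self, now):
        """One autologoff pass over all host objects; returns the IPs logged off."""
        logged_off = []
        for host in list(self.hosts.values()):
            if now - host.last_traffic < self.interval:
                continue                   # traffic in the last interval already proved reachability
            mac = self.arp.refresh(host.ip)
            if mac is None:
                reason = "no ARP reply"    # host gone: free the host object and its IP address
            elif self.mac_check and mac.lower() != host.mac:
                reason = f"MAC changed {host.mac} -> {mac.lower()}"   # IP reused by a different host
            else:
                continue                   # same host still answers: keep the session
            del self.hosts[host.ip]
            self.log.append((host.ip, reason))
            logged_off.append(host.ip)
        return logged_off


def demo(mac_check=True):
    """Constructed scenario: four logged-on hosts, then one ARP-ping pass 60 s later."""
    arp = ArpCache({
        "10.1.1.5": "00:11:22:33:44:55",   # unchanged and idle: pinged and kept
        "10.1.1.6": "00:11:22:33:44:66",   # sent data recently: not pinged at all
        "10.1.1.7": "de:ad:be:ef:00:07",   # a different MAC now answers for this IP
        # 10.1.1.8 has left the network: no ARP entry at all
    })
    ssg = SsgAutologoff(arp, interval=60, mac_check=mac_check)
    for ip, mac in [("10.1.1.5", "00:11:22:33:44:55"), ("10.1.1.6", "00:11:22:33:44:66"),
                    ("10.1.1.7", "00:11:22:33:44:77"), ("10.1.1.8", "00:11:22:33:44:88")]:
        ssg.logon(ip, mac, now=0)
    ssg.data_seen("10.1.1.6", now=50)
    logged_off = ssg.arp_ping_cycle(now=60)
    return sorted(logged_off), dict(ssg.log)
```

Running demo(mac_check=False) shows the gap the enhancement closes: host 10.1.1.7 still answers ARP, so without the MAC comparison its session survives for whoever took over the address.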
SSG Complete ID
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG Complete ID provides enhancements to the current interaction mechanism that is used between SSG and SESM, allowing SSG to pass along the following additional information:
•
Client IP Address
•
Client MAC Address
•
Subinterface
•
VPI/VCI
•
MSISDN
This allows SESM to offer greater customization of Web portals, specifically by locations. Each hotspot can now have its own branded portal.
SSG EAP Transparency
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG EAP Transparency feature allows SSG to transparently pass EAP-SIM, EAP-TLS and Cisco LEAP authentication.
SSG Open Garden Configuration Enhancements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The Service Selection Gateway (SSG) is a Cisco IOS feature that implements Layer 3 service selection by selectively routing IP packets to destination networks on a per-subscriber basis. Among its many features, Open Garden is particularly useful to service providers that offer trial-based services to customers.
An open garden is a collection of web sites that a user can access as long as the user has physical access to the network. The user does not need to provide any authentication information before accessing the web sites in the open garden.
Previously, SSG open garden services could be configured and managed only on the router itself, even though they are similar to normal SSG (subscribed) services. This enhancement allows open garden services to be defined and managed on the RADIUS server as well.
SSG L2TP Dialout
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG L2TP Dialout feature enhances SSG tunnel services and provides a dialout facility to users. Many Small Office Home Offices (SOHOs) use the Public Switched Telephone Network (PSTN) to access their intranet. SSG L2TP provides mobile users with a way to securely connect to their SOHO through the PSTN.
To provide SSG L2TP Dialout, SSG requires a digital number identification service (DNIS) number for the SOHO to which the user wants to connect, the address of the L2TP Access Concentrator (LAC) closest to the SOHO, and configured tunnel parameters to establish a tunnel to the LAC.
Users can access SSG L2TP Dialout by selecting the dialout service using Cisco Subscriber Edge Services Manager (SESM) from the list of subscribed services or by using a structured username. The user must provide the DNIS number when using either method of connecting to the dialout service.
SSG Prepaid Enhancements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG Prepaid
The SSG Prepaid feature allows SSG to check a subscriber's available credit to determine whether to connect the subscriber to a service and how long the connection can last. The subscriber's credit is administered by the billing server as a series of quotas representing either a duration of use (in seconds) or an allowable data volume (in bytes). A quota is an allotment of available credit.
To obtain the first quota for a connection, SSG submits an authorization request to the authentication, authorization, and accounting (AAA) server. The AAA server contacts the prepaid billing server, which forwards the quota values to SSG. SSG then monitors the connection to track the quota usage. When the quota runs out, SSG performs reauthorization. During reauthorization, the billing server may provide SSG with an additional quota if there is available credit. If no further quota is provided, SSG logs off the user.
For more information refer to the SSG Prepaid document.
SSG Prepaid Enhancements
SSG Prepaid Enhancements introduces prepaid tariff switching, simultaneous volume-based and time-based prepaid billing, and postpaid tariff switching.
SSG Prepaid Idle Timeout
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Prepaid Idle Timeout feature enhances the SSG Prepaid feature by enabling SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing center can be applied to the quota for the services the user is actively using.
When SSG is configured for SSG Prepaid Idle Timeout, a user's connection to services can be open even when the billing server returns a zero quota, but the connection's status is dependent on the combination of the quota and the idle timeout value returned. Depending on the connection service, SSG requests the quota for a connection from the billing server once the user starts using a particular service, when the user runs out of quota, or after the configured idle timeout value has expired.
The SSG Prepaid Idle Timeout feature enhances handling of a returned zero quota from the billing server. If a billing server returns a zero quota, and non-zero idle timeout, this indicates that a user has run out of credit for a service. When a user runs out of credit for a service, the user is redirected to the billing server to replenish the quota. When the user is redirected to the billing server, the user's connection to the original service or services is retained. Although the connection remains up, any traffic passing through the connection is dropped. This enables a user to replenish quota on the billing server without losing connections to services or having to perform additional service logons.
Using the SSG Prepaid Idle Timeout feature, you can configure SSG to reauthorize a user before the user completely consumes the allocated quota, and you can configure SSG not to pass traffic during reauthorization. Without the feature, traffic passed during reauthorization represents a revenue leak if the billing server then returns a zero quota for the user. You prevent this leak by configuring a threshold value, which causes SSG to reauthorize a user's connection before the allocated quota for a service is completely consumed.
SSG Prepaid Idle Timeout enhances SSG to inform the billing server upon any connection failure. This enables the billing server to free quota that was reserved for the connection that failed and to apply this quota immediately to some other active connection.
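The following simulation is an added illustration of the quota decisions described in the SSG Prepaid and SSG Prepaid Idle Timeout sections; it is not Cisco SSG code. The billing-server answers, quota amounts, the threshold and the idle-timeout values are all constructed, and the state names (active, reauthorizing, redirected, logged_off) are labels chosen for the example.

```python
"""Simulation of the SSG Prepaid quota and SSG Prepaid Idle Timeout decisions
described in the text. Added illustration, not Cisco SSG code: the billing
server answers, quota amounts, threshold and timeouts are all constructed."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Quota:
    amount: int        # credit granted: seconds for a time quota, bytes for a volume quota
    idle_timeout: int  # seconds; 0 means the billing server returned no idle timeout


@dataclass
class Connection:
    user: str
    service: str
    quota: Optional[Quota] = None
    used: int = 0
    pending: int = 0        # units forwarded while a reauthorization is outstanding
    leaked: int = 0         # pending units for which the billing server then returned zero quota
    state: str = "active"   # active | reauthorizing | redirected | logged_off

    @property
    def remaining(self) -> int:
        return max(self.quota.amount - self.used, 0)


class PrepaidSSG:
    """Tracks per-connection quota usage and decides whether traffic passes."""

    def __init__(self, threshold: int = 0, pass_during_reauth: bool = False):
        self.threshold = threshold                  # reauthorize once remaining <= threshold
        self.pass_during_reauth = pass_during_reauth
        self.returned: Dict[Tuple[str, str], int] = {}   # residual quota handed back to billing

    def start(self, user: str, service: str, first_quota: Quota) -> Connection:
        c = Connection(user, service)
        self.apply_quota(c, first_quota)
        return c

    def apply_quota(self, c: Connection, q: Quota) -> None:
        """Billing-server answer to the authorization or reauthorization request."""
        if c.state == "reauthorizing" and q.amount == 0:
            c.leaked += c.pending   # revenue leak: traffic passed on credit that never came
        c.pending = 0
        c.quota, c.used = q, 0
        if q.amount > 0:
            c.state = "active"
        elif q.idle_timeout > 0:
            # zero quota with a non-zero idle timeout: credit exhausted; keep the
            # connection up, drop its traffic and redirect the user to replenish
            c.state = "redirected"
        else:
            c.state = "logged_off"

    def consume(self, c: Connection, units: int) -> int:
        """Account `units` of use on the connection; returns the units actually forwarded."""
        if c.state in ("redirected", "logged_off"):
            return 0
        if c.state == "reauthorizing":
            if not self.pass_during_reauth:
                return 0
            c.pending += units
            return units
        forwarded = min(units, c.remaining)
        c.used += forwarded
        if c.remaining <= self.threshold:
            c.state = "reauthorizing"   # ask for more credit before the quota is gone
        return forwarded

    def idle_timeout_expired(self, c: Connection) -> int:
        """Hand the residual quota of an idle connection back so it can serve active ones."""
        residual = c.remaining if c.state == "active" else 0
        self.returned[(c.user, c.service)] = residual
        c.used = c.quota.amount
        c.state = "reauthorizing"   # quota is requested again when the user resumes
        return residual

    def connection_failed(self, c: Connection) -> int:
        """Tell the billing server about a failed connection so reserved credit is freed."""
        residual = c.remaining if c.state == "active" else 0
        self.returned[(c.user, c.service)] = residual
        c.state = "logged_off"
        return residual


def demo() -> Tuple[str, str, int, int]:
    """Threshold reauthorization with traffic held, versus the leak without a threshold."""
    ssg = PrepaidSSG(threshold=100)
    c = ssg.start("alice", "video", Quota(amount=1000, idle_timeout=60))
    ssg.consume(c, 950)                 # 50 left: below threshold, reauthorization starts
    blocked = ssg.consume(c, 40)        # 0 forwarded while reauthorizing
    ssg.apply_quota(c, Quota(0, 60))    # no credit left, idle timeout 60: redirected

    leaky = PrepaidSSG(threshold=0, pass_during_reauth=True)
    d = leaky.start("bob", "video", Quota(500, 0))
    leaky.consume(d, 500)               # quota exhausted, reauthorization starts
    leaky.consume(d, 300)               # forwarded on credit that is not confirmed
    leaky.apply_quota(d, Quota(0, 0))   # zero quota, no idle timeout: logged off
    return c.state, d.state, blocked, d.leaked   # ('redirected', 'logged_off', 0, 300)


if __name__ == "__main__":
    print(demo())
```

The `leaked` counter in the second scenario is the revenue leak the text warns about: 300 units were forwarded during a reauthorization that ended in a zero quota. The first scenario shows both mitigations at once, a threshold that starts reauthorization while 50 units remain and traffic held until the billing server answers.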
SSG Proxy for CDMA2000
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Proxy for CDMA2000 extends the functionality of the existing SSG RADIUS Proxy so that it may be used in CDMA2000 networks.
When used in a CDMA2000 network, SSG provides RADIUS proxy services to the Packet Data Serving Node (PDSN) and the Home Agent (HA) for both Simple IP and Mobile IP authentication. SSG also provides service selection management and policy-based traffic direction for subscribers.
SSG Proxy for CDMA2000, used with Cisco Subscriber Edge Services Manager (SESM), provides users with on-demand services and service providers with service management and subscriber management.
SSG Proxy for CDMA2000 supports time- and volume-based usage accounting for Simple IP and Mobile IP sessions. Prepaid and postpaid services are supported. Host accounting records can be sent to multiple network elements including Content Service Gateways (CSGs), Content Optimization Engines (COEs), and Wireless Application Protocol (WAP) gateways.
CDMA
Code Division Multiple Access (CDMA) is a digital spread-spectrum modulation technique used mainly with personal communications devices such as mobile phones. CDMA digitizes the conversation and tags it with a special frequency code. The data is then scattered across the frequency band in a pseudorandom pattern. The receiving device is instructed to decipher only the data corresponding to a particular code to reconstruct the signal.
For more information about CDMA, see the "CDMA Overview" knowledge byte on the Mobile Wireless Knowledge Bytes web page.
CDMA2000
CDMA2000 Radio Transmission Technology (RTT) is a wideband, spread-spectrum radio interface that uses CDMA technology to satisfy the needs of third-generation (3G) wireless communication systems. CDMA2000 is backward compatible with CDMA.
For more information about CDMA2000, refer to the "CDMA2000 Overview" knowledge byte on the Mobile Wireless Knowledge Bytes web page.
SSG Proxy for CDMA2000 for Simple IP
When used in a CDMA2000 environment, SSG acts as a RADIUS proxy to the Packet Data Serving Node (PDSN) and to the Home Agent for Simple IP authentication. SSG sets up a host object for the following three different access modes:
•
PAP/CHAP authentication. In this mode, Password Authentication Protocol/ Challenge Handshake Authentication Protocol (PAP/CHAP) is performed during PPP setup and the NAI is received from a mobile node (MN).
•
MSID-Based Access. In this mode, the MN does not negotiate CHAP or PAP and no Network Access Identifier (NAI) is received by the PDSN. The PDSN does not perform additional authentication; it constructs an NAI based on the MSID and generates accounting records. Because a user password is not available from the MN, a globally configured password is used as the service password.
•
MSID-Based Access-Cisco Variant. In this mode, a Cisco PDSN supports MSID-based access by using a realm retrieved from the RADIUS server. This realm is retrieved during an extra authentication phase with the RADIUS server.
SSG operating in a CDMA2000 network correlates Accounting-Start and Accounting-Stop requests. A PDSN may send out many Accounting-Start and Accounting-Stop requests during a session. These Accounting-Start and Accounting-Stop requests can be generated by PDSN hand-off, Packet Control Function (PCF) hand-off, interim accounting, and time-of-day accounting. SSG terminates a session only when it receives an Accounting-Stop request with the 3GPP2-Session-Continue VSA set to "FALSE" or if a subsequent Accounting-Start request is not received within a configured timeout. PPP renegotiation during a PDSN hand-off is treated as a new session.
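The correlation rule above, as an added illustration rather than Cisco SSG code: the RADIUS requests are constructed dictionaries carrying only the attributes the rule needs, time is an integer clock in seconds, the 30-second wait for a replacement Accounting-Start is an assumed configured value, and a Stop that carries no 3GPP2-Session-Continue VSA is treated as FALSE (an assumption of the example).

```python
"""Correlation of CDMA2000 Accounting-Start and Accounting-Stop requests as
described in the text. Added illustration, not Cisco SSG code: the RADIUS
requests are constructed dicts of a few attributes, time is an integer clock
in seconds, and the 30-second Start timeout is an assumed configured value."""

from dataclasses import dataclass
from typing import Dict, List, Optional

START_TIMEOUT = 30   # assumed: seconds to wait for a new Accounting-Start after a Stop


@dataclass
class HostObject:
    nai: str
    ip: str
    state: str = "up"                    # up | stop_pending | terminated
    start_deadline: Optional[int] = None


class AccountingCorrelator:
    """Keeps one host object per NAI across the many Start/Stop pairs a PDSN emits."""

    def __init__(self, timeout: int = START_TIMEOUT):
        self.timeout = timeout
        self.hosts: Dict[str, HostObject] = {}

    def handle(self, pkt: dict, now: int) -> str:
        """Process one accounting request and return the host state afterwards."""
        nai = pkt["User-Name"]
        status = pkt["Acct-Status-Type"]
        host = self.hosts.get(nai)
        if status == "Start":
            if host is None or host.state == "terminated":
                # first Start, or PPP renegotiated after a PDSN hand-off: new session
                self.hosts[nai] = HostObject(nai, pkt["Framed-IP-Address"])
            else:
                # Start following a hand-off Stop: the same session continues
                host.state, host.start_deadline = "up", None
            return self.hosts[nai].state
        if host is None:
            return "unknown"
        if status == "Stop":
            # a missing VSA is treated as FALSE here (assumption of this example)
            if pkt.get("3GPP2-Session-Continue", "FALSE").upper() == "FALSE":
                host.state = "terminated"    # the only Stop that really ends the session
            else:
                host.state = "stop_pending"  # hand-off or interim accounting: wait for the next Start
                host.start_deadline = now + self.timeout
        return host.state                    # Interim-Update leaves the state unchanged

    def tick(self, now: int) -> List[str]:
        """Terminate sessions whose replacement Accounting-Start never arrived."""
        expired = []
        for host in self.hosts.values():
            if host.state == "stop_pending" and now >= host.start_deadline:
                host.state = "terminated"
                expired.append(host.nai)
        return expired


# Constructed sample requests for one subscriber
START = {"Acct-Status-Type": "Start", "User-Name": "user@example.com",
         "Framed-IP-Address": "10.0.0.5"}
STOP_HANDOFF = {"Acct-Status-Type": "Stop", "User-Name": "user@example.com",
                "3GPP2-Session-Continue": "TRUE"}
STOP_FINAL = {"Acct-Status-Type": "Stop", "User-Name": "user@example.com",
              "3GPP2-Session-Continue": "FALSE"}


def demo() -> List[str]:
    """A PCF hand-off (Stop/Start pair) survives; only the final Stop terminates."""
    corr = AccountingCorrelator()
    states = [corr.handle(START, 0), corr.handle(STOP_HANDOFF, 10),
              corr.handle(START, 12), corr.handle(STOP_FINAL, 100)]
    return states   # ['up', 'stop_pending', 'up', 'terminated']


if __name__ == "__main__":
    print(demo())
```

Calling `tick()` from a periodic timer is what turns the configured timeout into a termination when the PDSN never sends the follow-up Start.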
In SSG Proxy for CDMA2000 for Simple IP, the end-user IP address may be assigned statically by the PDSN, RADIUS server, or SSG. The end-user IP address can also be assigned directly from the autodomain service.
Network Address Translation (NAT) is automatically performed when necessary. NAT is generally necessary when IP address assignment is performed by any mechanism other than directly from the autodomain service (which may be a VPN). You can also configure SSG to always use NAT.
If the user profile contains Cisco Attribute-Value (AV)-pairs of Virtual Private Dialup Network (VPDN) attributes, SSG initiates Layer 2 Tunneling Protocol (L2TP) VPN.
SSG Proxy for CDMA2000 for Mobile IP
For Mobile IP, SSG functions as the RADIUS proxy for both PDSN and the HA. SSG proxies PPP PAP or CHAP and Mobile Node (MN)/Foreign Agent (FA) CHAP authentication. SSG Proxy for CDMA2000 for Mobile IP can assign IP addresses statically by the PDSN, RADIUS server, or SSG. The end user IP address can also be assigned directly from the autodomain service.
Home Agent-Mobile Node (HA-MN) authentication and reverse tunneling must be enabled so that SSG can create host objects for Mobile IP sessions based on proxied RADIUS packets received from the HA.
The Home Agent must generate RADIUS accounting packets so that SSG can discover the user IP address and detect the termination of the session. Multiple Mobile IP sessions with the same NAI are supported. RADIUS packets must contain the Accounting-Session-ID attribute to be associated with the correct user session. SSG correlates RADIUS packets from the PDSN in order to obtain MSID information for a host object of a Mobile IP session.
SSG can set up a host object either with or without PAP/CHAP performed during the original PPP session.
SSG initiates L2TP VPN according to the SSG tunnel service VSAs in the user's profile. If the user profile contains Cisco AV-pairs of VPDN, SSG sets up the L2TP tunnel per these VPDN attributes. SSG removes these AV-pairs when sending the Access-Accept packet back to the PDSN.
Either the HA or the RADIUS server can assign the user's IP address.
Dynamic Home Agent Assignment
Dynamic HA assignment based on a mobile user's location is supported.
SSG Proxy for CDMA2000 provides three options for dynamic HA assignment:
•
The RADIUS server selects the local HA or any HA that is configured for session requests. For foreign-user call requests, the AAA server assigns the HA.
•
SSG modifies the fixed HA address received from the RADIUS server to a local HA address. This method can be implemented without making any changes to the RADIUS server configuration. SSG does not modify the HA address for a foreign user. The foreign-user call request is registered with the HA address assigned by the AAA server.
•
The PDSN implements dynamic HA assignment based on detection of the PDSN hand-off.
Multiple RADIUS Server Support
SSG Proxy for CDMA2000 provides geographical redundancy by copying host object accounting packets and sending them to multiple RADIUS servers.
SSG PTA-MD Exclusion Lists
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
Beginning in Cisco IOS Release 12.2(8)B, the option of passing the entire structured username in the form 'user@service' to PPP for authenticating an SSG request became available. The entire structured username can be passed to PPP through the use of a PTA-MD exclusion list; if an entire structured username should be passed to PPP, the domain (the '@service' portion of the structured username) should be added to a PTA-MD exclusion list. The PTA-MD exclusion list can be configured on the AAA server directly or via the router CLI. Structured usernames are parsed for authentication unless a PTA-MD exclusion list is configured for the particular domain requesting a service.
SSG Range Command for Bind Statements
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG Range Command for Bind Statements adds a range command for SSG bind statements. This is useful when provisioning RBE subscribers en masse, as it allows for streamlined provisioning and configuration with a decreased CPU load.
SSG Service Profile Caching
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Service Profile Caching feature enhances the authentication process for SSG services by allowing users to authenticate a service using the service profile cached in SSG.
When SSG Service Profile Caching is not enabled, an authentication, authorization, and accounting (AAA) transaction is required to download a service profile each time an SSG subscriber logs onto the service. The other SSG subscribers already logged onto the service also have their service parameters automatically refreshed as a result of this AAA transaction. In many cases, this automatic refresh causes unnecessary traffic in SSG and on the AAA server.
The SSG Service Profile Caching feature creates a cache of service profiles in SSG. A service profile is downloaded from the AAA server and then stored in the SSG service profile cache as a service-info object. Subsequent SSG subscribers hoping to use that service are authorized by the SSG service profile cache provided that service profile remains in the cache. To ensure that the service profiles in the SSG service profile cache remain updated, the SSG service profile cache automatically refreshes the service profiles by downloading the service profiles from the AAA server at user-configured intervals (the default is every 120 minutes). SSG service profile caches can also be refreshed manually at any time. Service profiles that are not being used by any SSG subscriber are removed from the SSG service profile cache.
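An added illustration of the caching behaviour just described (not Cisco code): profiles are downloaded from a constructed AAA stub, held as service-info objects, served from the cache to later subscribers, refreshed at the configured interval (the 120-minute default from the text) or on demand, and dropped once no subscriber uses them. The clock is an integer in minutes and the method names are choices of the example.

```python
"""Added illustration of the SSG Service Profile Caching behaviour described in
the text (not Cisco code). The AAA server is a constructed stub, the clock is an
integer in minutes, and the 120-minute default refresh interval is from the text."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

DEFAULT_REFRESH_MINUTES = 120


@dataclass
class ServiceInfo:
    """Cached service profile plus the subscribers currently logged on to it."""
    name: str
    profile: dict
    fetched_at: int
    subscribers: Set[str] = field(default_factory=set)


class ServiceProfileCache:
    def __init__(self, aaa_fetch: Callable[[str], dict],
                 refresh: int = DEFAULT_REFRESH_MINUTES):
        self.aaa_fetch = aaa_fetch       # one call is one AAA transaction
        self.refresh = refresh
        self.cache: Dict[str, ServiceInfo] = {}
        self.aaa_transactions = 0

    def _download(self, service: str, now: int) -> ServiceInfo:
        self.aaa_transactions += 1
        profile = self.aaa_fetch(service)
        info = self.cache.get(service)
        if info is None:
            info = self.cache[service] = ServiceInfo(service, profile, now)
        else:
            info.profile, info.fetched_at = profile, now
        return info

    def logon(self, user: str, service: str, now: int) -> dict:
        """Authorize a service logon from the cache; download only on a miss."""
        info = self.cache.get(service) or self._download(service, now)
        info.subscribers.add(user)
        return info.profile

    def logoff(self, user: str, service: str) -> None:
        info = self.cache.get(service)
        if info is not None:
            info.subscribers.discard(user)
            if not info.subscribers:
                del self.cache[service]     # a profile nobody uses leaves the cache

    def refresh_due(self, now: int) -> List[str]:
        """Periodic refresh: re-download profiles older than the refresh interval."""
        due = [s for s, i in self.cache.items() if now - i.fetched_at >= self.refresh]
        for s in due:
            self._download(s, now)
        return due

    def refresh_all(self, now: int) -> int:
        """Manual refresh of every cached profile; returns how many were downloaded."""
        for s in list(self.cache):
            self._download(s, now)
        return len(self.cache)


def make_stub_aaa() -> Callable[[str], dict]:
    """Constructed AAA server: the profile version bumps on each download so refreshes show."""
    versions: Dict[str, int] = {}

    def fetch(service: str) -> dict:
        versions[service] = versions.get(service, 0) + 1
        return {"service": service, "version": versions[service]}
    return fetch


def demo() -> tuple:
    """Three logons to one service cost one AAA transaction instead of three."""
    cache = ServiceProfileCache(make_stub_aaa())
    for user in ("alice", "bob", "carol"):
        cache.logon(user, "internet", now=0)
    after_logons = cache.aaa_transactions                   # 1
    cache.refresh_due(now=120)                              # interval elapsed: downloaded again
    version = cache.cache["internet"].profile["version"]    # 2
    for user in ("alice", "bob", "carol"):
        cache.logoff(user, "internet")
    return after_logons, version, "internet" in cache.cache   # (1, 2, False)


if __name__ == "__main__":
    print(demo())
```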
SSG Support of NAS Port ID
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
This feature carries the NAS-Port attribute in the authentication packet. This allows the authentication server to use consistent policies while authenticating PPPoX users and RFC 1483 users. Currently, the NAS-Port attribute is sent only for PPPoX users.
With this feature, SSG will send nas-port information for certain IP users in the authentication-request and accounting-request packets.
SSG Suppression of Unused Accounting Records
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
The SSG Suppression of Unused Accounting Records feature provides the ability to turn off those accounting records that are not needed on the router.
SSG Unconfig
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG Unconfig
The SSG Unconfig feature enhances your ability to disable SSG at any time and releases the data structures and system resources created by SSG when SSG is unconfigured.
The SSG Unconfig feature enhances several IOS commands so that you can delete all host objects or a range of host objects. You can also delete all service objects or connection objects. The show ssg host command has been enhanced to display information about an interface and its IP address when Host-Key mode is enabled on that interface.
System Resource Cleanup When SSG Is Unconfigured
When you enable SSG, the SSG subsystem in IOS acquires system resources that are never released, even after you disable SSG. The SSG Unconfig feature enables you to release and clean up system resources when SSG is not in use by entering the no ssg enable force-cleanup command.
SSG Unique Session ID
Platforms: MWAM on Catalyst 6500 (Cat6000-MWAM) and Cisco 7600 (7600-MWAM)
SSG does not currently support a totally unique accounting session ID in the RADIUS accounting records. The SSG Unique Session ID feature provides a unique format in the RADIUS accounting records in order to be compatible with a customer's existing backend billing systems.
Performance
Each SSG instance on the MWAM is an individual router. Because the MWAM supports five SSGs, it provides five times the session density (that is, number of user sessions) of the NPE 400 7200/7400 platform. In addition, the MWAM processors provide twice the throughput of processors used in the NPE 400 7200/7400 platform. Overall, the MWAM improves SSG throughput by 5-10 times that of the NPE 400 7200/7400 platform.
External Interfaces
External physical interfaces provided by the supported platforms are not visible to the SSG software. This is an important advantage of the MWAM implementation when compared to the Cisco 7200/7400 platform. The MWAM implementation protects the SSG from interface and link failures. As long as the platform provides redundant links to other system components (for example, GGSN, AAA servers), the SSG configuration is not affected and its operation is maintained.
IP Address Management
The IP address management for the SSG on the MWAM is the same as the Cisco 7200/7400 platform with one exception: virtual subinterfaces (VLANs) are required for uplink, downlink, and network management paths.
Each SSG on the MWAM is configured with its own IP addresses including addresses for user traffic, RADIUS client function, and network management.
Reliability/Availability
This section provides analysis of reliability/availability of the SSG on the MWAM in the Catalyst 6500/Cisco 7600 chassis in context with other Cisco features. The following features are considered:
•
SSG on MWAM
–
Five SSGs on each MWAM
–
Multiple MWAM cards installed in one chassis
•
RLB on Supervisor module
–
Distributes traffic load among SSGs
–
Provides SSG switchover
•
FWLB on Supervisor module or CSM—Provides the return traffic path through the same SSG that forwarded the service request
The Server Load Balancing (SLB) function can be implemented in the Supervisor module to provide RADIUS Load Balancing (RLB) across the SSGs on one or multiple MWAMs. The Content Switching Module (CSM) can be used to provide Firewall Load Balancing (FWLB).
Note
While the RLB and FWLB features are not part of the SSG-MWAM Release 1.1, they are described here to demonstrate their use in mobile wireless solutions that include MWAM-based SSGs.
RADIUS Load Balancer
The RLB feature is implemented in the Supervisor module. The RLB feature provides one virtual IP address for all users accessing services and keeps the list of real IP addresses of all SSGs. The RLB feature distributes the upstream traffic between SSGs by using the load-balancing mechanism. It keeps the information about SSG assignment for each user session. When the RLB detects an SSG failure, it directs traffic to another available SSG.
Firewall Load Balancer
The FWLB feature ensures that the downstream traffic to the user is sent to the same SSG that handled the upstream traffic. The FWLB feature tracks all upstream traffic from an SSG to a network server and links the SSG address with the user session. This information is used when the downstream traffic from the server is received. The FWLB feature determines which SSG is handling the user traffic.
The FWLB feature can be implemented in the CSM in the same chassis or in the Supervisor module in different chassis.
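The two load-balancer roles described above, as an added illustration that is not Cisco code: the RLB fronts the SSGs with one virtual address, pins each user session to one real SSG and re-pins it when that SSG fails (losing the session, as the MWAM failover text states), while the FWLB records which SSG carried each upstream flow so the server's downstream packets return through the same SSG. Addresses, SSG names and the round-robin choice are constructed for the example.

```python
"""Added illustration (not Cisco code) of the RLB and FWLB roles described in the
text. Addresses and the round-robin selection are constructed."""

from itertools import cycle
from typing import Dict, List, Optional, Tuple


class RadiusLoadBalancer:
    """Fronts the SSGs with one virtual address and keeps a per-session SSG assignment."""

    def __init__(self, vip: str, ssgs: List[str]):
        self.vip = vip
        self.alive = list(ssgs)                  # real SSG addresses still in service
        self.assignment: Dict[str, str] = {}     # user_ip -> ssg
        self._rr = cycle(list(ssgs))             # constructed load-balancing choice

    def _pick(self) -> str:
        if not self.alive:
            raise RuntimeError("no SSG in service")
        while True:
            ssg = next(self._rr)
            if ssg in self.alive:
                return ssg

    def upstream(self, user_ip: str) -> Tuple[str, bool]:
        """Return (ssg, session_lost): the SSG for this user and whether it was re-pinned."""
        ssg = self.assignment.get(user_ip)
        if ssg in self.alive:
            return ssg, False
        lost = ssg is not None                   # its SSG failed: stateless failover, session lost
        self.assignment[user_ip] = self._pick()
        return self.assignment[user_ip], lost

    def ssg_failed(self, ssg: str) -> None:
        self.alive.remove(ssg)


class FirewallLoadBalancer:
    """Ties downstream traffic to the SSG that forwarded the matching upstream flow."""

    def __init__(self):
        self.flows: Dict[Tuple[str, str], str] = {}   # (user_ip, server_ip) -> ssg

    def upstream(self, ssg: str, user_ip: str, server_ip: str) -> None:
        self.flows[(user_ip, server_ip)] = ssg

    def downstream(self, server_ip: str, user_ip: str) -> Optional[str]:
        """SSG to send a server->user packet to, or None if no upstream flow was seen."""
        return self.flows.get((user_ip, server_ip))

    def ssg_failed(self, ssg: str) -> int:
        """Drop flow entries that point at a failed SSG; returns how many were removed."""
        stale = [k for k, v in self.flows.items() if v == ssg]
        for k in stale:
            del self.flows[k]
        return len(stale)


def demo() -> Tuple[str, str, str, bool, str, Optional[str]]:
    rlb = RadiusLoadBalancer("10.1.1.100", ["10.1.1.1", "10.1.1.2"])
    fwlb = FirewallLoadBalancer()
    a_ssg, _ = rlb.upstream("192.0.2.10")                  # alice pinned to the first SSG
    b_ssg, _ = rlb.upstream("192.0.2.11")                  # bob pinned to the second SSG
    fwlb.upstream(a_ssg, "192.0.2.10", "198.51.100.7")     # alice -> server via her SSG
    back = fwlb.downstream("198.51.100.7", "192.0.2.10")   # server -> alice via the same SSG
    rlb.ssg_failed(a_ssg)
    fwlb.ssg_failed(a_ssg)
    new_ssg, lost = rlb.upstream("192.0.2.10")             # re-pinned; session lost
    after = fwlb.downstream("198.51.100.7", "192.0.2.10")  # no flow until alice sends again
    return a_ssg, b_ssg, back, lost, new_ssg, after
    # ('10.1.1.1', '10.1.1.2', '10.1.1.1', True, '10.1.1.2', None)


if __name__ == "__main__":
    print(demo())
```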
System Modules
Each system module in the configuration provides its own degree of reliability/availability.
Supervisor Module
Two redundant Supervisor modules can be equipped in the same chassis using the Route Processor Redundancy Plus (RPR+) protocol and the RLB. The RLB provides stateful failover in this configuration (that is, user sessions are preserved).
If equipping redundant Supervisor modules in two chassis, the RLB can be configured with Hot Standby Router Protocol (HSRP) between the two RLBs to provide stateful failover (that is, user sessions are maintained).
When configuring the Supervisor module for the FWLB feature, it must be equipped on a different chassis than the one providing the RLB feature. If two chassis are used, the FWLB feature can be configured with HSRP and provide stateful failover.
MWAM
One or more MWAMs can be equipped using stateless failover (provided by the RLB feature) between SSGs. In a stateless failover, user sessions are lost and the user must re-authenticate, but service access is not denied.
CSM
Two redundant CSMs can be equipped. The FWLB feature is configured with HSRP to provide stateful failover. No user sessions or data packets are lost.
Other Modules
Other service modules can be installed in the same Catalyst 6500/Cisco 7600 chassis that contains the MWAM. For example, to provide advanced content billing, install the Content Services Gateway (CSG).
Configuration Options
The SSG-MWAM Release 1.1 can be implemented in a redundant configuration using one or two chassis with the RLB feature providing the failover mechanism. The MWAM supports the Supervisor module RPR+ feature. This feature enables the MWAM to continue to operate after the active Supervisor fails and the secondary Supervisor takes over.
One Chassis Configuration
The following components are used in a typical one-chassis configuration:
•
Multiple MWAMs in the chassis, each module with five SSGs
•
Redundant Supervisor modules (Sup2) running RPR+
•
RLB feature on the Supervisor module to distribute load and provide failover for SSGs
•
Redundant FWLBs on CSMs running CSRP
Figure 2 shows an example of the one-chassis configuration.
Figure 2 Basic Configuration—One Chassis
Failure scenarios for the one-chassis configuration include the following:
•
Failed SSG or MWAM—User sessions are lost, but the traffic is redirected to active SSGs and users can reactivate their sessions
•
Failed Supervisor module—User sessions are preserved because the active RLB synchronizes its state with its backup (stateful failover using RPR+)
•
Failed FWLB—Stateful failover maintains user sessions
Two Chassis Configuration
For deployments requiring high reliability/availability, multiple MWAMs in two chassis can be used. The two-chassis configuration uses the following components:
•
Two Supervisor modules in each chassis, configured for RLB
•
Multiple SSGs on multiple MWAMs
•
One FWLB/CSM on each chassis
•
Redundancy practices:
–
HSRP between RLBs
–
CSRP between FWLBs
–
RPR+ between Supervisor modules in each chassis
–
RLB failover for SSGs between modules in the same chassis or in two chassis
Figure 3 shows this configuration.
Figure 3 High Availability Configuration—Two-chassis Solution
Failure scenarios for the two-chassis configuration include the following:
•
If one SSG fails, the RLB feature provides failover to another SSG; all sessions on the failed SSG are lost and users must log in again.
Note
The end user may be required to reset the user application.
•
Failure of the Supervisor on the active chassis causes:
–
Supervisor switchover to the standby Supervisor (using RPR+) in the same chassis
–
MWAMs remain active
–
RLB switchover to the standby RLB (using HSRP) in the second chassis
–
All user sessions on MWAMs remain active
•
Failure of active FWLB causes stateful failover to the standby FWLB, maintaining user sessions
MWAM Installation and Configuration
For information on installing the MWAM, configuring it through the Command Line Interface (CLI), and loading or upgrading IOS images on the MWAM, refer to the Multiprocessor WAN Application Module User Guide:
http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/cfgnotes/servmod/mwam_ug/index.htm
Limitations, Restrictions, and Important Notes
When working with the MWAM, observe the following limitations, restrictions, and important notes:
•
Only five instances of the Cisco IOS image 12.3(5a)B can be loaded onto the MWAM.
•
The same Cisco IOS image is loaded onto all processor complexes on the MWAM.
•
Session console is provided by TCP connection from the Supervisor module (no direct console).
•
Available memory for bootflash for saving crash information files is 500 KB.
•
Only five files can be stored in the bootflash file system.
•
If one processor in a processor complex fails, the second processor also fails, and both processors must be reset.
Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.
Caveats for Cisco IOS Releases 12.3 can be found on CCO at:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_release_note09186a008037050b.html
Note
If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. You can reach Bug Navigator II on CCO at Software Center: Cisco IOS Software: Cisco Bug Toolkit: Cisco Bugtool Navigator II, or at http://www.cisco.com/support/bugtools.
Caveats for 12.2(14)ZA2 (and higher)
For a list of caveats for 12.2(14)ZA2 (and higher), see the release notes at the following URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/prod_release_note09186a0080145494.html
Resolved Caveats—Cisco IOS Release 12.3(5a)B5
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(5a)B5. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
Resolved Miscellaneous Caveats
•
CSCed18557
A memory leak may occur in the dead process on a Cisco router, and memory allocation failures (MALLOCFAIL) may be reported in the processor pool. The authentication, authorization, and accounting (AAA) User Identifier (UID) database may leak about 200 MB for each EXEC call or VTY session that fails because of internal errors during initiation.
This is observed when the EXEC Accounting and Network Accounting are enabled, and when a failure occurs during an EXEC call or a VTY session. The reasons for the EXEC call failure or VTY session failure could be low processor memory on the Cisco router, an internal message processing error, or a timeout during the prompting for a username and password.
Workaround: If this is an option, disable EXEC Accounting and Network Accounting.
Resolved SSG Caveats
•
CSCsa65656
SSG uses a duplicate Acct-Session-Id (attribute 44) in a RADIUS accounting packet.
This is observed for post-paid users only.
Workaround: There are no known workarounds.
•
CSCsa68004
SSG does not update tariff switch information to the users when the user logs-in exactly at tariff switching time.
This is observed for post-paid users only.
Workaround: There are no known workarounds.
Resolved Caveats—Cisco IOS Release 12.3(5a)B4
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(5a)B4. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
Resolved Miscellaneous Caveats
•
CSCec86420
Cisco routers running Cisco IOS that supports Multiprotocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS disabled interfaces.
The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable.
This bug is a complementary fix to CSCeb56909 which addresses this vulnerability.
An advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml
Consequently, the use of the undebug all command in the privileged EXEC mode on any Cisco 3700 routers used as an IPSec Gateway, will stop all traffic going through an encrypted GRE (generic routing encapsulation) or tunnel using CEF (Cisco Express Forwarding) switching.
Workaround: Re-initialize CEF switching by using the no ip cef and then ip cef commands in the global configuration mode or turn off the individual debugs that have been turned on instead of using the undebug all command.
•
CSCef44225
ESP (Encapsulating Security Payload) and AH (Authentication Header) IPSec connections may be vulnerable to spoofed ICMP (Internet Control Message Protocol) type 3 code 4 packets (that is, packets that are too large but have the DF (don't fragment) bit set). A spoofed ICMP type 3 code 4 packet may cause IPSec to use very low path MTU (maximum transmission unit) values for a flow for the duration of the security association (SA) lifetime.
This is observed when ESP and AH IPSec connections are configured for PMTU (path MTU) discovery.
Note
The PMTU discovery is enabled by default on a router.
Workaround: Disable the PMTU discovery by entering the crypto ipsec df-bit clear command in either the global configuration or interface configuration mode.
•
CSCef67682
Description: Reception of certain IPv6 fragments with carefully crafted illegal contents may cause a router running Cisco IOS to reload if it has IPv6 configured. This applies to all versions of Cisco IOS that include support for IPv6.
The system may be protected by installing appropriate access lists to filter all IPv6 fragments destined for the system. For example:
interface Ethernet0/0
 ipv6 traffic-filter nofragments in
!
ipv6 access-list nofragments
 deny ipv6 any <my address1> undetermined-transport
 deny ipv6 any <my address2> fragments
 permit ipv6 any any
This must be applied across all interfaces, and must be applied to all IPv6 addresses which the system recognizes as its own.
This will effectively disable reassembly of all IPv6 fragments. Some networks may rely on IPv6 fragmentation, so careful consideration should be given before applying this workaround. We recommend that customers upgrade to the fixed IOS release. All IOS releases listed in the IPv6 Routing Header Vulnerability Advisory at
http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml contain fixes for this issue.
Resolved SSG Caveats
•
CSCsa49728
RADIUS interim accounting update messages for connected devices are delayed.
This situation is observed on a Cisco platform that runs SSG under a moderate traffic load when the timer that is attached to the timer wheel has a tick value that is a multiple of the size of the wheel.
Workaround: There are no known workarounds.
Resolved Caveats—Cisco IOS Release 12.3(5a)B3
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(5a)B3. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
Resolved SSG Caveats
•
CSCea56883
A Cisco 7204VXR series router functioning as an L2TP Network Server (LNS) may pause indefinitely because of a bus error when a user disconnects and then reconnects.
This issue is observed on a Cisco 7204VXR series router that is configured with a Network Processing Engine G1 (NPE-G1) under the following conditions:
–
The router functions as an LNS that terminates Layer 2 Tunneling Protocol (L2TP).
–
The output route filters are applied via RADIUS server attributes to the Routing Information Protocol (RIP) routing process.
Workaround: There are no known workarounds.
•
CSCed42319
A Cisco AS5x00 access server may ignore a service-login attribute and start a PPP session. The Cisco AS5x00 may also start a PPP session when the RADIUS Access-Accept reply contains unknown (unsupported) Framed-Protocol attributes.
This issue is observed when a client uses a Password Authentication Protocol (PAP) for authentication.
Workaround: There are no known workarounds.
•
CSCef42160
The force-local-chap VPDN configuration command does not work.
This issue occurs when both the force-local-chap and terminate-from hostname commands are configured in the same vpdn-group. Only Cisco IOS software version 12.3T is affected.
Workaround: Use the default L2TP VPDN group by deleting the terminate-from hostname command or use Cisco IOS software version 12.3 mainline train.
•
CSCef74038
The Parallel Express Forwarding (PXF) chunk memory is not freed after the routes are removed. The %PXF-2-TALLOCFAIL message may occur and cause further PXF memory leaks.
This issue occurs on a Cisco 7200 series router with an NSE-1 processor board or a Cisco 7401 series router. When the PXF is enabled, adding/removing routes may not free PXF memory.
Workaround: There are no known workarounds.
•
CSCef78169
A RADIUS NAS-Port attribute is not sent in accounting records and access-requests when:
–
The vpdn aaa attribute nas-port vpdn-nas global configuration command is configured
–
The L2TP Access Concentrator (LAC) is a non-Cisco LAC.
This issue happens only with non-Cisco LACs.
Workaround: Remove the vpdn aaa attribute nas-port vpdn-nas command.
•
CSCin81667
When the IP User sends an Access Zone Router (AZR) Accounting Off command to the Active Host, the SSG does not clear the Host.
This issue occurs when the SSG is acting as a RADIUS server proxy with Extensible Authentication Protocol-Subscriber Identity Module (EAP-SIM) setup.
Workaround: Send an Accounting Stop command from the AZR Host.
Resolved MWAM Caveats
•
CSCec75023 (junked)
When a 7600 chassis with four MWAMs using the centralized configuration storage feature is reloaded, the MWAM reboot task to load the centralized configuration from Supervisor bootflash takes seven minutes.
•
CSCee36747
If an MWAM is configured to perform IP multicast routing, it will not forward unicast traffic.
This only occurs on Processor Complexes (PCs) 3, 5, and 7.
Workaround: Only configure PCs 2, 4, and 6 to forward multicast traffic.
Resolved Caveats—Cisco IOS Release 12.3(5a)B2
All the caveats listed in this section are resolved in Cisco IOS Release 12.3(5a)B2. This section describes only severity 1 and 2 caveats and select severity 3 caveats.
Resolved SSG Caveats
•
CSCec89163
A per-user IP route is not installed when:
–
A Cisco IOS router is configured for VPDN LNS and PPP authentication and authorization via a RADIUS server.
–
The RADIUS server user profile contains the Framed-Route attribute to install a per-user IP Route on the LNS.
–
IPCP renegotiation occurs during a PPP session that is terminated on the LNS.
Workaround: Clear the Virtual-Access interface (on which the PPP user is terminated) after IPCP renegotiation with the clear interface virtual-access x command.
•
CSCed78149
When TCP connections are configured for PMTU discovery (disabled on router by default), the TCP connections may become vulnerable to spoofed ICMP packets. The spoofed ICMP packet may cause the TCP connection to use a very low segment size for 10 minutes at a time.
Workaround: Disable PMTU discovery.
•
CSCef03083
Downstream packets from open garden service may not be properly process switched. DNS packets are process switched in SSG, so the DNS replies may not reach the client.
This issue occurs when an internet service is bound to the same interface as the open garden service and an unauthenticated user accesses open garden service.
Workaround: Use pass-through filters for downstream packets.
•
CSCef07948
When multiple users simultaneously log on to and later log off from an SSG L2TP tunnel service, the Cisco platform may run out of IDBs, thus preventing users from connecting to a new SSG L2TP tunnel service.
This issue is observed when the number of virtual-access interfaces that are in use increases (as seen in the output of the show vtemplate command in the privileged EXEC mode). That is, the old virtual-access interfaces that have not been cleared show a long idle time (as seen in the output of the show user command in the user EXEC mode).
Workaround: Clear the unused virtual-access interfaces with the clear interface virtual-access command in the privileged EXEC mode.
• CSCef4691
A specifically crafted Transmission Control Protocol (TCP) connection to a Telnet or reverse Telnet port of a Cisco product running Cisco IOS® software may block further Telnet, reverse Telnet, Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access to the Cisco product. The Telnet, reverse Telnet, RSH and SSH sessions established before exploitation are not affected.
All other Cisco product services will operate normally. Services (such as packet forwarding, routing protocols and all other communication to and through the Cisco product) are not affected.
An advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml.
• CSCef49858
In the current implementation, the prepaid server splits the subscriber credit into an equal amount of volume for both PRE and POST in QX at the tariff switch (TS), such that the following two quota combinations have not been used up:
1) QT>0, QX=TA>0; PRE>0; POST=0, Idle Timeout>0
2) QT>0, QX=TA>0; PRE>0; POST=0, Idle Timeout>0
During operation, this "equal splitting of the volume for TS" leads to a load problem if
– a subscriber does not have enough credit at the time of the tariff switch and just needs a quota (a lot of re-authorization takes place), or
– the tariff switch takes place frequently.
In the upcoming deployment, there will be a tariff switch every hour for every service with the introduction of HBR and DBR (in the current implementation, the TS occurs once a day at midnight). To avoid this "re-auth vibration", the plan is to apply the two quota combinations shown above in the upcoming deployment. If a subscriber has low credit before the TS, the prepaid server will grant all of its credit to PRE and QX with POST=0. The SSG sends a re-authorization request to the prepaid server when the tariff switch happens (if the PRE has not been consumed before the TS).
The problem is that SSG does not send the QB attribute in the re-authorization packets for the two cases above. Without QB (the time stamp of the TS), the prepaid server does not know the time of the tariff switch, as if the TS had not taken place.
• CSCin78019
When the NAS (GGSN) sends an accounting-on request after a reload, the SSG clears the existing host objects. Clearing takes some time (depending on the number of host objects and the configured accounting stop rate-limit), and during that period the SSG ignores new create requests from that GGSN.
Workaround: This behavior can be resolved by reloading the NAS (GGSN) with 20,000 users logged in to SSG and the accounting stop rate-limit configured at 100. As a result, the SSG will accept a new create request after approximately 2-3 minutes.
Complete the following procedure:
a. Configure the SSG router with "ssg accounting stop rate-limit 100".
b. Send 20,000 RADIUS sessions at a rate of 10 ps with one service for each session using the RADIUS client.
c. Send accounting-on from the RADIUS client with the same NAS-IP as used in step a.
d. Immediately send a further 20,000 RADIUS sessions from the same NAS client at a rate of 10 ps.
e. The SSG router will accept a new request in about 2-3 minutes.
Resolved MWAM Caveats
• CSCec75023 (junked)
When a 7600 chassis with four MWAMs using the centralized configuration storage feature is reloaded, the MWAM reboot task to load the centralized configuration from Supervisor bootflash takes seven minutes.
Open Caveats—Cisco IOS Release 12.3(5a)B1
This section documents possible unexpected behavior by Cisco IOS Release 12.3(5a)B1 and describes only severity 1 and 2 caveats and select severity 3 caveats.
Open SSG Caveats
• CSCin55304
When downstream traffic from the service network is sent as multiple packets to the same connection object before sending packets to the next connection object, processor usage is much less than if packets are sent consecutively to different connection objects (even though the rate of traffic sent for both the cases is the same).
There are no known workarounds.
Open MWAM Caveats
• CSCed69471 (duplicate of CSCed50619) (unreproducible)
On rare occasions, the MWAM displays a minor error in response to the show mod command after the Supervisors switch activity for a failover condition:
<