Release Notes for Catalyst 6500 Series Switch and Cisco 7600 Series Wireless LAN Services Module Software Release 1.x
Current Release: 1.4(3)—November 21, 2005
Previous releases: 1.4(2), 1.4(1), 1.3(2), 1.3(1) - Deferred, 1.2(3), 1.2(2) - Deferred, 1.2(1), 1.1(2), 1.1(1)
This publication describes the features, modifications, and caveats for the Catalyst 6500 series and Cisco 7600 series Wireless LAN Services Module software release 1.x.
Note: For installation and configuration procedures for the Wireless LAN Services Module, refer to the Catalyst 6500 series and Cisco 7600 series Wireless LAN Services Module documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/cfgnotes/wlsm_1_1/index.htm
Contents
This document consists of these sections:
• Features in Software Release 1.4
• Features in Software Release 1.3
• Features in Software Release 1.2
• Features in Software Release 1.1
• Limitations and Restrictions
• Open and Resolved Caveats in Software Release 1.4(3)
• Open and Resolved Caveats in Software Release 1.4(2)
• Open and Resolved Caveats in Software Release 1.4(1)
• Open and Resolved Caveats in Software Release 1.3(2)
• Open and Resolved Caveats in Software Release 1.3(1)
• Open and Resolved Caveats in Software Release 1.2(3)
• Open and Resolved Caveats in Software Release 1.2(2)
• Open and Resolved Caveats in Software Release 1.2(1)
• Open and Resolved Caveats in Software Release 1.1(2)
• Open and Resolved Caveats in Software Release 1.1(1)
• Cisco Product Security Overview
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information
System Requirements
This section describes the system requirements for the Catalyst 6500 series and Cisco 7600 series Wireless LAN Services Module software release 1.x:
Hardware Requirements
The wireless LAN (WLAN) software requires the following hardware:
• Catalyst 6500 series switch or Cisco 7600 series router
• Supervisor Engine 720
• Catalyst 6500 series and Cisco 7600 series Wireless LAN Services Module
Software Requirements
Table 1 lists the WLAN software versions supported by Cisco IOS software.
Solution Requirements
In addition to the hardware and software requirements, the Wireless LAN Services Module also requires the following:
• Cisco AP1100 or AP1200 series Aironet access points using Cisco IOS Release 12.2(15)XR or Release 12.3(2)JA or later, Cisco AP1130 series Aironet access point using Cisco IOS Release 12.3(2)JA or later, or Cisco Aironet 1310 Outdoor Access Point/Bridge (configured in AP mode) using Cisco IOS Release 12.3(2)JA or later
• CiscoWorks Wireless LAN Solution Engine (WLSE) release 2.7(1) or later
Orderable Software Images
Table 2 lists the software releases and applicable ordering information for the WLAN software.
Features in Software Release 1.4
This section describes the features available in WLAN software release 1.4:
• Hardware platforms: Cisco AP1240 series Aironet access point
• Support for Secure Shell (SSH) version 2—SSHv2 is a standards-based protocol that provides secure Telnet capability for router configuration and administration.
• Support for Workgroup Bridge (WGB)—WGBs can associate to a mobility-enabled SSID and provide Layer-3 mobility to WGB wired clients.
• Support for CDP neighbor display for access points (AP)—Wireless Domain Services (WDS) can maintain and display CDP location information of APs.
Features in Software Release 1.3
This section describes the features available in WLAN software release 1.3:
• Hardware platforms: BR1310 configured in AP mode
• Local Authentication Server—The Wireless LAN Services Module can authenticate up to 50 wireless client devices using LEAP, EAP-FAST, or MAC-based authentication, and perform up to 5 authentications per second.
Features in Software Release 1.2
This section describes the features available in WLAN software release 1.2:
• Hardware platforms: Cisco AP1130 series Aironet access point
• Support for the VLAN by name feature on the access points
Features in Software Release 1.1
This section describes the features available in WLAN software release 1.1:
• Hardware platforms: Cisco AP1100 or AP1200 series Aironet access points
• Fast, uninterrupted, secure Layer 2 and Layer 3 wireless mobility
• Seamless Layer 3 roaming across subnets
• Radio-management aggregation
• Support for stateful switchover (SSO) with a redundant Supervisor Engine 720
• Wireless domain services (WDS) scalability
  – 300 access points
  – 6000 users
  – 16 different mobility groups (wireless network IDs) per access point
  – Sustained roaming rate of 20 roams per second for WLAN clients
  – Burst roaming rate of 100 roams per second for WLAN clients
Limitations and Restrictions
This section describes general limitations and restrictions:
• In software release 1.x, you can install one Wireless LAN Services Module in a chassis.
• You cannot configure wireless clients in the same subnet as wired clients.
• You cannot map multiple SSIDs to a single network ID.
• You cannot configure QoS on tunnel interfaces in systems with a PFC3A. There is full QoS support in systems with a PFC3B or PFC3BXL.
Open and Resolved Caveats in Software Release 1.4(3)
These sections describe open and resolved caveats in WLAN software release 1.4(3):
• Open Caveats in Release 1.4(3)
• Resolved Caveats in Release 1.4(3)
Open Caveats in Release 1.4(3)
This section describes open caveats for the WLAN software release 1.4(3):
• A computer running Windows 2000 or Windows XP might stop responding during initial startup if it uses the default Aironet Client Utilities (ACU) profile that points to a Layer 3 mobility-enabled service set identifier (SSID).
  Workaround 1: Set the MTU on the client network interface to 1476 bytes.
  Workaround 2: Force Windows Kerberos Authentication to use TCP instead of UDP. Microsoft Knowledge Base article 244474 describes this procedure and can be found at this URL:
  http://support.microsoft.com/default.aspx?scid=kb;en-us;244474 (CSCed76695)
• A mobile node with a static IP address has IP connectivity in an untrusted network, even though the mobile node should not be able to communicate over an untrusted network. This problem occurs when a mobile node with a static IP address is registered in a trusted network, and then the administrator changes the tunnel interface configuration from trusted to untrusted. (CSCed16337)
• DHCP snooping does not work properly if the DHCP packets that are sent to or received from a mobile node are received by the central switch over a WAN link.
  Workaround: Use an intermediate router to terminate the WAN link, and use a LAN connection between the WAN termination router and the switch. (CSCef08877)
• In a redundant interswitch topology, if you remove the admin keyword from the WLAN VLAN configuration on the active Wireless LAN Services Module, a Layer 3 control protocol communication failure occurs between the Wireless LAN Services Module and the Layer 3 Mobility Manager on the Supervisor Engine 720. The Supervisor Engine 720 shows the HSRP state as Unknown. However, the HSRP state of the Wireless LAN Services Module is still active. As a result, the wireless network is down even though there is a standby Wireless LAN Services Module that can service the clients.
  Workaround: Before you modify the WLAN VLAN IP address or remove the admin keyword from the configuration, remove the standby configuration on the active module. (CSCee54884)
• When the Catalyst 6500 system is operating in compact mode, you cannot ping the IP address of the Wireless LAN Services Module from the wireless clients. (CSCee35232)
• A mobile node on an untrusted network receives an IP address through DHCP. The DHCP database contains a MAC-to-IP address binding for the mobile node. When the network changes to trusted, the mobile node now has a static IP address. However, if the client does not release the IP address obtained through DHCP, the DHCP database will still contain the MAC-to-IP address binding. If the network returns to untrusted, the mobile node with the static IP address will be incorrectly mapped to the MAC-to-IP address binding in the DHCP database.
  Workaround 1: Release the DHCP-based IP address before assigning a static IP address on the client.
  Workaround 2: Renew the IP address when changing from a static IP address to a DHCP-based IP address on the client. (CSCed74302)
• Writing the DHCP database to the bootflash device creates a new file and marks the old file as deleted. However, the old file still exists on the bootflash device. If this process repeats numerous times, read and write processes on the bootflash device become slow.
  Workaround 1: Enter the squeeze bootflash: command to permanently remove all deleted files.
  Workaround 2: Store the DHCP database on an external server. (CSCee23185)
• When mobility broadcast is configured on the GRE tunnel interface, the show wlccp wds mobility command output does not show the broadcast (B) flag. This condition does not affect any operation.
  Workaround: Enter the show wds mn detail command on the Wireless LAN Services Module, or enter the show mobility stat command on the supervisor engine. (CSCee67500)
• When a client is associating to a mobility-enabled SSID and the client's TCP/IP MTU is greater than 1476 bytes, the client might not be able to download Internet pages, transfer files using FTP, or connect to the Sametime server.
  Workaround 1: Set the MTU on the client network interface to 1476 bytes.
  Workaround 2: Enter the mobility tcp adjust-mss command on the tunnel interface of the supervisor engine to adjust the TCP MSS value.
  More information about this problem is documented at this URL:
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
  (CSCef33192)
Resolved Caveats in Release 1.4(3)
This section describes resolved caveats in WLAN software release 1.4(3):
• A wireless client remains active on the Wireless LAN Services Module, but the client is not associated to an access point.
  Workaround: Enter the clear wlccp wds mn mac-address mac_addr command to remove the client entry from the Wireless LAN Services Module. The client can then associate and authenticate properly.
  This problem is resolved in WLAN software release 1.4(3). (CSCsc01606)
Open and Resolved Caveats in Software Release 1.4(2)
These sections describe open and resolved caveats in WLAN software release 1.4(2):
• Open Caveats in Release 1.4(2)
• Resolved Caveats in Release 1.4(2)
Open Caveats in Release 1.4(2)
This section describes open caveats for the WLAN software release 1.4(2):
• A computer running Windows 2000 or Windows XP might stop responding during initial startup if it uses the default Aironet Client Utilities (ACU) profile that points to a Layer 3 mobility-enabled service set identifier (SSID).
  Workaround 1: Set the MTU on the client network interface to 1476 bytes.
  Workaround 2: Force Windows Kerberos Authentication to use TCP instead of UDP. Microsoft Knowledge Base article 244474 describes this procedure and can be found at this URL:
  http://support.microsoft.com/default.aspx?scid=kb;en-us;244474 (CSCed76695)
• A mobile node with a static IP address has IP connectivity in an untrusted network, even though the mobile node should not be able to communicate over an untrusted network. This problem occurs when a mobile node with a static IP address is registered in a trusted network, and then the administrator changes the tunnel interface configuration from trusted to untrusted. (CSCed16337)
• DHCP snooping does not work properly if the DHCP packets that are sent to or received from a mobile node are received by the central switch over a WAN link.
  Workaround: Use an intermediate router to terminate the WAN link, and use a LAN connection between the WAN termination router and the switch. (CSCef08877)
• In a redundant interswitch topology, if you remove the admin keyword from the WLAN VLAN configuration on the active Wireless LAN Services Module, a Layer 3 control protocol communication failure occurs between the Wireless LAN Services Module and the Layer 3 Mobility Manager on the Supervisor Engine 720. The Supervisor Engine 720 shows the HSRP state as Unknown. However, the HSRP state of the Wireless LAN Services Module is still active. As a result, the wireless network is down even though there is a standby Wireless LAN Services Module that can service the clients.
  Workaround: Before you modify the WLAN VLAN IP address or remove the admin keyword from the configuration, remove the standby configuration on the active module. (CSCee54884)
• When the Catalyst 6500 system is operating in compact mode, you cannot ping the IP address of the Wireless LAN Services Module from the wireless clients. (CSCee35232)
• A mobile node on an untrusted network receives an IP address through DHCP. The DHCP database contains a MAC-to-IP address binding for the mobile node. When the network changes to trusted, the mobile node now has a static IP address. However, if the client does not release the IP address obtained through DHCP, the DHCP database will still contain the MAC-to-IP address binding. If the network returns to untrusted, the mobile node with the static IP address will be incorrectly mapped to the MAC-to-IP address binding in the DHCP database.
  Workaround 1: Release the DHCP-based IP address before assigning a static IP address on the client.
  Workaround 2: Renew the IP address when changing from a static IP address to a DHCP-based IP address on the client. (CSCed74302)
• Writing the DHCP database to the bootflash device creates a new file and marks the old file as deleted. However, the old file still exists on the bootflash device. If this process repeats numerous times, read and write processes on the bootflash device become slow.
  Workaround 1: Enter the squeeze bootflash: command to permanently remove all deleted files.
  Workaround 2: Store the DHCP database on an external server. (CSCee23185)
• When mobility broadcast is configured on the GRE tunnel interface, the show wlccp wds mobility command output does not show the broadcast (B) flag. This condition does not affect any operation.
  Workaround: Enter the show wds mn detail command on the Wireless LAN Services Module, or enter the show mobility stat command on the supervisor engine. (CSCee67500)
• When a client is associating to a mobility-enabled SSID and the client's TCP/IP MTU is greater than 1476 bytes, the client might not be able to download Internet pages, transfer files using FTP, or connect to the Sametime server.
  Workaround 1: Set the MTU on the client network interface to 1476 bytes.
  Workaround 2: Enter the mobility tcp adjust-mss command on the tunnel interface of the supervisor engine to adjust the TCP MSS value.
  More information about this problem is documented at this URL:
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
  (CSCef33192)
Resolved Caveats in Release 1.4(2)
This section describes resolved caveats in WLAN software release 1.4(2):
• Through normal software maintenance processes, Cisco is removing deprecated functionality from the OS boot routine. These changes have no impact on system operation or feature availability. (CSCei76358)
• After you configure the no snmp-server enable traps tty command and enter the write mem command, the snmp-server enable traps tty configuration is removed from the startup configuration but remains in the running configuration.
  This problem is resolved in WLAN software release 1.4(2). (CSCee36192)
• After you upgrade to WLAN software release 1.4(1), Secure Shell (SSH) does not function. When you enter the crypto key generate rsa command, the console displays the following error message:
  % Error in generating keys:no available resources
  This problem is resolved in WLAN software release 1.4(2). (CSCsb66884)
Open and Resolved Caveats in Software Release 1.4(1)
These sections describe open and resolved caveats in WLAN software release 1.4(1):
• Open Caveats in Release 1.4(1)
• Resolved Caveats in Release 1.4(1)
Open Caveats in Release 1.4(1)
This section describes open caveats for the WLAN software release 1.4(1):
• A computer running Windows 2000 or Windows XP might stop responding during initial startup if it uses the default Aironet Client Utilities (ACU) profile that points to a Layer 3 mobility-enabled service set identifier (SSID).
  Workaround 1: Set the MTU on the client network interface to 1476 bytes.
  Workaround 2: Force Windows Kerberos Authentication to use TCP instead of UDP. Microsoft Knowledge Base article 244474 describes this procedure and can be found at this URL:
  http://support.microsoft.com/default.aspx?scid=kb;en-us;244474 (CSCed76695)
• A mobile node with a static IP address has IP connectivity in an untrusted network, even though the mobile node should not be able to communicate over an untrusted network. This problem occurs when a mobile node with a static IP address is registered in a trusted network, and then the administrator changes the tunnel interface configuration from trusted to untrusted. (CSCed16337)
• DHCP snooping does not work properly if the DHCP packets that are sent to or received from a mobile node are received by the central switch over a WAN link.
  Workaround: Use an intermediate router to terminate the WAN link, and use a LAN connection between the WAN termination router and the switch. (CSCef08877)
• In a redundant interswitch topology, if you remove the admin keyword from the WLAN VLAN configuration on the active Wireless LAN Services Module, a Layer 3 control protocol communication failure occurs between the Wireless LAN Services Module and the Layer 3 Mobility Manager on the Supervisor Engine 720. The Supervisor Engine 720 shows the HSRP state as Unknown. However, the HSRP state of the Wireless LAN Services Module is still active. As a result, the wireless network is down even though there is a standby Wireless LAN Services Module that can service the clients.
  Workaround: Before you modify the WLAN VLAN IP address or remove the admin keyword from the configuration, remove the standby configuration on the active module. (CSCee54884)
• When the Catalyst 6500 system is operating in compact mode, you cannot ping the IP address of the Wireless LAN Services Module from the wireless clients. (CSCee35232)
• A mobile node on an untrusted network receives an IP address through DHCP. The DHCP database contains a MAC-to-IP address binding for the mobile node. When the network changes to trusted, the mobile node now has a static IP address. However, if the client does not release the IP address obtained through DHCP, the DHCP database will still contain the MAC-to-IP address binding. If the network returns to untrusted, the mobile node with the static IP address will be incorrectly mapped to the MAC-to-IP address binding in the DHCP database.
  Workaround 1: Release the DHCP-based IP address before assigning a static IP address on the client.
  Workaround 2: Renew the IP address when changing from a static IP address to a DHCP-based IP address on the client. (CSCed74302)
• Writing the DHCP database to the bootflash device creates a new file and marks the old file as deleted. However, the old file still exists on the bootflash device. If this process repeats numerous times, read and write processes on the bootflash device become slow.
  Workaround 1: Enter the squeeze bootflash: command to permanently remove all deleted files.
  Workaround 2: Store the DHCP database on an external server. (CSCee23185)
• When mobility broadcast is configured on the GRE tunnel interface, the show wlccp wds mobility command output does not show the broadcast (B) flag. This condition does not affect any operation.
  Workaround: Enter the show wds mn detail command on the Wireless LAN Services Module, or enter the show mobility stat command on the supervisor engine. (CSCee67500)
• When a client is associating to a mobility-enabled SSID and the client's TCP/IP MTU is greater than 1476 bytes, the client might not be able to download Internet pages, transfer files using FTP, or connect to the Sametime server.
  Workaround 1: Set the MTU on the client network interface to 1476 bytes.
  Workaround 2: Enter the mobility tcp adjust-mss command on the tunnel interface of the supervisor engine to adjust the TCP MSS value.
  More information about this problem is documented at this URL:
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
  (CSCef33192)
Resolved Caveats in Release 1.4(1)
This section describes resolved caveats in WLAN software release 1.4(1):
• Remote Authentication Dial In User Service (RADIUS) authentication on a device that is running certain versions of Cisco Internetworking Operating System (IOS) and configured with a fallback method to none can be bypassed.
  Systems that are configured for other authentication methods or that are not configured with a fallback method to none are not affected.
  Only the systems that are running certain versions of Cisco IOS are affected. Not all configurations using RADIUS and none are vulnerable to this issue. Some configurations using RADIUS, none and an additional method are not affected.
  Cisco has made free software available to address this vulnerability. There are workarounds available to mitigate the effects of the vulnerability.
  More details can be found in the security advisory posted at the following URL:
  http://www.cisco.com/warp/public/707/cisco-sa-20050629-aaa.shtml
  This problem is resolved in WLAN software release 1.4(1). (CSCee45312)
• When a Cisco AP1200 series Aironet access point that is acting as Workgroup Bridge (WGB) associates to a mobility-enabled SSID, the Supervisor Engine 720 might display the following error message:
  10w3d: %L3MM-4-DUP_IPADDR: MNmac_address is requesting ip ip_address which is being used by MN mac_address
  The IP addresses of the WGB and its wired clients (nodes) might not be correctly programmed in the Layer 3 Mobility Manager (L3MM) database on the Supervisor Engine 720. As a result, traffic to such nodes might be discarded at the Supervisor Engine 720. This problem occurs when there are one or more wired clients attached to the WGB.
  This problem is resolved in WLAN software release 1.4(1). (CSCeh68178)
• When the Catalyst 6500 system is operating in compact mode, you cannot ping the IP address of the Wireless LAN Services Module from the wireless clients.
  This problem is resolved in WLAN software release 1.4(1). (CSCee35232)
• Protected access credentials (PAC) auto enrollment fails when a Cisco Compatible Extensions (CCX) client sends both TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034) and TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) in the client hello message.
  Workaround: Configure manual PAC provisioning if the client supports it, or use Access Control Server (ACS) as the RADIUS server.
  This problem is resolved in WLAN software release 1.4(1). (CSCeh54673)
• If Layer 3 mobility is enabled on the access point (AP), and mobility trust is enabled on the tunnel interface of the Supervisor Engine 720, then the AP, supervisor engine, and Wireless LAN Services Module do not learn the IP addresses of the wireless clients. The output of the show wlccp ap mobility forwarding command on the AP does not have an entry for the wireless clients. The output of the show dot11 association command shows that the wireless clients are associated. The output of the show mobility mn command on the supervisor engine shows that the wireless clients have IP address 0.0.0.0 (under MN IP Address). The output of the show wlccp wds mobility network-id command on the Wireless LAN Services Module shows "-" as the IP address of the wireless clients. The problem exists in Cisco IOS software Releases 12.3(2)JA2 and 12.3(4)JA.
  Workaround: The problem is temporarily resolved by rebooting the AP.
  This problem is resolved in WLAN software release 1.4(1). (CSCei18019)
• The command buffer history and cut-and-paste operations do not work properly if you are connected to the Wireless LAN Services Module through the console port.
  Workaround: Introduce a transmit delay for the serial port.
  This problem is resolved in WLAN software release 1.4(1). (CSCsa53672)
• The access point (AP) adds two sets of IP/GRE headers to a packet coming from the mobile node if the AP cannot resolve the IP address of the tunnel endpoint. The first GRE header is added in the "fast switch path," the second in the "process switch path." Typically, these packets are correctly decapsulated twice and forwarded to the correct destination address. However, the two sets of IP/GRE headers cause the Supervisor Engine 720 to drop IP packets that are between 1425 bytes and 1448 bytes in length.
  Workaround: Configure static ARP entries on the AP that correspond to the route processor's mGRE tunnel source addresses by entering the arp ip-address hardware-address arpa interface command, for example: arp 10.10.10.1 00:11:33:44:55:66 arpa bvi1.
  This problem is resolved in WLAN software release 1.4(1). (CSCsa81634)
• The Wireless LAN Solution Engine (WLSE) might fail to authenticate with the wireless domain services (WDS) that are running Cisco IOS software Release 12.3(4)JA or WLAN software release 1.3(1) due to incomplete ARP entries.
  Workaround: Enter the ip proxy-arp command to enable proxy ARP on the router that is the first hop from the AP-WDS to the WLSE. If proxy ARP cannot be enabled for some reason, then create a static ARP entry on the AP.
  This problem is resolved in WLAN software release 1.4(1). (CSCsa90418)
• In WLAN software release 1.4(1), the show wlccp wds ap command has been enhanced to display CDP neighbor information when used with a Cisco Aironet AP running Cisco IOS software Release 12.3(7)JA or later releases:
  – show wlccp wds ap—added a CDP-NEIGHBOR column
  – show wlccp wds ap mac-address mac-address—added a CDP-NEIGHBOR column and displays the full hostname, IP address, and port ID of the CDP neighbor
  – show wlccp wds ap cdp-neighbor—introduced to show MAC address, IP address, neighbor name, neighbor IP address, and neighbor port ID information. (CSCeh71021)
Open and Resolved Caveats in Software Release 1.3(2)
These sections describe open and resolved caveats in WLAN software release 1.3(2):
• Open Caveats in Release 1.3(2)
• Resolved Caveats in Release 1.3(2)
Open Caveats in Release 1.3(2)
This section describes open caveats for the WLAN software release 1.3(2):
• A computer running Windows 2000 or Windows XP may stop responding during initial startup if it uses the default Aironet Client Utilities (ACU) profile that points to a Layer 3 mobility-enabled service set identifier (SSID).
  Workaround 1: Set the MTU on the client network interface to 1476 bytes.
  Workaround 2: Force Windows Kerberos Authentication to use TCP instead of UDP. Microsoft Knowledge Base article 244474 describes this procedure and can be found at this URL:
  http://support.microsoft.com/default.aspx?scid=kb;en-us;244474 (CSCed76695)
• A mobile node with a static IP address has IP connectivity in an untrusted network, even though the mobile node should not be able to communicate over an untrusted network. This problem occurs when a mobile node with a static IP address is registered in a trusted network, and then the administrator changes the tunnel interface configuration from trusted to untrusted. (CSCed16337)
• DHCP snooping does not work properly if the DHCP packets that are sent to or received from a mobile node are received by the central switch over a WAN link.
  Workaround: Use an intermediate router to terminate the WAN link, and use a LAN connection between the WAN termination router and the switch. (CSCef08877)
• In a redundant interswitch topology, if you remove the admin keyword from the WLAN VLAN configuration on the active Wireless LAN Services Module, a Layer 3 control protocol (LCP) communication failure occurs between the Wireless LAN Services Module and the Layer 3 Mobility Manager on the Supervisor Engine 720. The Supervisor Engine 720 shows the HSRP state as Unknown. However, the HSRP state of the Wireless LAN Services Module is still active. As a result, the wireless network is down even though there is a standby Wireless LAN Services Module that can service the clients.
  Workaround: Before you modify the WLAN VLAN IP address or remove the admin keyword from the configuration, remove the standby configuration on the active module. (CSCee54884)
• When the Catalyst 6500 system is operating in compact mode, you cannot ping the IP address of the Wireless LAN Services Module from the wireless clients. (CSCee35232)
• A mobile node on an untrusted network receives an IP address through DHCP. The DHCP database contains a MAC-to-IP address binding for the mobile node. When the network changes to trusted, the mobile node now has a static IP address. However, if the client does not release the IP address obtained through DHCP, the DHCP database will still contain the MAC-to-IP address binding. If the network returns to untrusted, the mobile node with the static IP address will be incorrectly mapped to the MAC-to-IP address binding in the DHCP database.
  Workaround 1: Release the DHCP-based IP address before assigning a static IP address on the client.
  Workaround 2: Renew the IP address when changing from a static IP address to a DHCP-based IP address on the client. (CSCed74302)
• Writing the DHCP database to the bootflash device creates a new file and marks the old file as deleted. However, the old file still exists on the bootflash device. If this process repeats numerous times, read and write processes on the bootflash device become very slow.
  Workaround 1: Enter the squeeze bootflash: command to permanently remove all deleted files.
  Workaround 2: Store the DHCP database on an external server. (CSCee23185)
• When mobility broadcast is configured on the GRE tunnel interface, the show wlccp wds mobility command output does not show the broadcast (B) flag. This condition does not affect any operation.
  Workaround: Enter the show wds mn detail command on the Wireless LAN Services Module or enter the show mobility stat command on the supervisor engine. (CSCee67500)
• When a client is associating to a mobility-enabled SSID and the client's TCP/IP MTU is greater than 1476 bytes, the client might not be able to download Internet pages, transfer files using FTP, or connect to the Sametime server.
  Workaround 1: Set the MTU on the client network interface to 1476 bytes.
  Workaround 2: Enter the mobility tcp adjust-mss command on the tunnel interface of the supervisor engine to adjust the TCP MSS value.
  More information about this problem is documented at this URL:
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
  (CSCef33192)
Resolved Caveats in Release 1.3(2)
This section describes resolved caveats in WLAN software release 1.3(2):
• Through normal software maintenance processes, Cisco is removing deprecated functionality from the OS boot routine. These changes have no impact on system operation or feature availability. (CSCei76358)
Open and Resolved Caveats in Software Release 1.3(1)
These sections describe open and resolved caveats in WLAN software release 1.3(1):
•
Open Caveats in Release 1.3(1)
•
Resolved Caveats in Release 1.3(1)
Open Caveats in Release 1.3(1)
This section describes open caveats for the WLAN software release 1.3(1):
•
A computer running Windows 2000 or Windows XP may stop responding during initial startup if it uses the default Aironet Client Utilities (ACU) profile that points to a Layer 3 mobility-enabled service set identifier (SSID).
Workaround 1: Set the MTU on the client network interface to 1476 bytes.
Workaround 2: Force Windows Kerberos Authentication to use TCP instead of UDP. Microsoft Knowledge Base article 244474 describes this procedure and can be found at this URL:
http://support.microsoft.com/default.aspx?scid=kb;en-us;244474 (CSCed76695)
•
A mobile node with a static IP address has IP connectivity in an untrusted network, even though the mobile node should not be able to communicate over an untrusted network. This problem occurs when a mobile node with a static IP address is registered in a trusted network, and then the administrator changes the tunnel interface configuration from trusted to untrusted. (CSCed16337)
•
DHCP snooping does not work properly if the DHCP packets that are sent to or received from a mobile node are received by the central switch over a WAN link.
Workaround: Use an intermediate router to terminate the WAN link, and use a LAN connection between the WAN termination router and the switch. (CSCef08877)
•
In a redundant interswitch topology, if you remove the admin keyword from the WLAN VLAN configuration on the active Wireless LAN Services Module, a Layer 3 control protocol (LCP) communication failure occurs between the Wireless LAN Services Module and the Layer 3 Mobility Manager on the Supervisor Engine 720. The Supervisor Engine 720 shows the HSRP state as Unknown. However, the HSRP state of the Wireless LAN Services Module is still active. As a result, the wireless network is down even though there is a standby Wireless LAN Services Module that can service the clients.
Workaround: Before you modify the WLAN VLAN IP address or remove the admin keyword from the configuration, remove the standby configuration on the active module. (CSCee54884)
•
When the Catalyst 6500 system is operating in compact mode, you cannot ping the IP address of the Wireless LAN Services Module from the wireless clients. (CSCee35232)
•
A mobile node on an untrusted network receives an IP address through DHCP. The DHCP database contains a MAC-to-IP address binding for the mobile node. When the network changes to trusted, the mobile node now has a static IP address. However, if the client does not release the IP address obtained through DHCP, the DHCP database will still contain the MAC-to-IP address binding. If the network returns to untrusted, the mobile node with the static IP address will be incorrectly mapped to the MAC-to-IP address binding in the DHCP database.
Workaround 1: Release the DHCP-based IP address before assigning a static IP address on the client.
Workaround 2: Renew the IP address when changing from a static IP address to a DHCP-based IP address on the client. (CSCed74302)
•
Writing the DHCP database to the bootflash device creates a new file and marks the old file as deleted. However, the old file still exists on the bootflash device. If this process repeats numerous times, read and write processes on the bootflash device become very slow.
Workaround 1: Enter the squeeze bootflash: command to permanently remove all deleted files.
Workaround 2: Store the DHCP database on an external server. (CSCee23185)
•
When mobility broadcast is configured on the GRE tunnel interface, the show wlccp wds mobility command output does not show the broadcast (B) flag. This condition does not affect any operation.
Workaround: Enter the show wds mn detail command on the Wireless LAN Services Module or enter the show mobility stat command on the supervisor engine. (CSCee67500)
•
When a client is associating to a mobility-enabled SSID and the client's TCP/IP MTU is greater than 1476 bytes, the client might not be able to download Internet pages, transfer files using FTP, or connect to the Sametime server.
Workaround 1: Set the MTU on the client network interface to 1476 bytes.
Workaround 2: Enter the mobility tcp adjust-mss command on the tunnel interface of the supervisor engine to adjust the TCP MSS value.
More information about this problem is documented at this URL:
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
(CSCef33192)
Resolved Caveats in Release 1.3(1)
This section describes resolved caveats in WLAN software release 1.3(1):
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
This problem is resolved in WLAN software release 1.3(1). (CSCef60659, CSCef43691, CSCef44225, CSCsa59600, CSCef44699)
•
Users are unable to authenticate using RADIUS, or accounting is not sent to the RADIUS server. In addition, when the debug radius command is entered, the following information is generated:
RADIUS(00000049): sending
%RADIUS-3-NOSERVERS: No Radius hosts configured.
RADIUS/DECODE: parse response no app start; FAIL
RADIUS/DECODE: parse response; FAIL
The output of the show running-config command indicates that there are in fact RADIUS servers in the server group.
These issues are observed after following these steps:
a.
Remove and recreate a server group that is still referenced by one or more method lists, by entering the following commands:
no aaa group server radius XXXX
aaa group server radius XXXX
server x.x.x.x
...
b.
Allow one of these method lists to be used, causing a transaction to be sent to a RADIUS or TACACS+ server in the server group.
c.
Remove and re-add the radius-server host ... command lines for all authentication-capable (or accounting-capable if this group is used for accounting) servers in this server group.
Workaround: Remove all RADIUS or TACACS+ server configurations, remove all RADIUS or TACACS+ server group configurations, and remove all method lists. Then, reconfigure all of them.
This problem is resolved in WLAN software release 1.3(1). (CSCee42617)
•
An 802.1X client may fail to authenticate when the RADIUS State(24) Field values change in between the "Access Challenge" and the "Access Request."
This problem is resolved in WLAN software release 1.3(1). (CSCef50742)
•
When you configure Layer 3 mobility on an access point and the access point connects to the Wireless LAN Services Module, the access point sends out inter-access point protocol (IAPP) traffic in a non-native VLAN when a wireless client attempts to associate to the access point. There is no loss of functionality.
This problem is resolved in WLAN software release 1.3(1) and Cisco IOS Release 12.3(4)JA on the access point. (CSCef89795)
•
The Wireless LAN Services Module does not properly support TACACS+. Sessions that are configured to authenticate to a TACACS+ server will hang indefinitely.
Workaround: Use a different method of authentication, such as RADIUS or the local database.
This problem is resolved in WLAN software release 1.3(1). (CSCef96534)
Open and Resolved Caveats in Software Release 1.2(3)
These sections describe open and resolved caveats in WLAN software release 1.2(3):
•
Open Caveats in Release 1.2(3)
•
Resolved Caveats in Release 1.2(3)
Open Caveats in Release 1.2(3)
This section describes open caveats for the WLAN software release 1.2(3):
•
A computer running Windows 2000 or Windows XP may stop responding during initial startup if it uses the default Aironet Client Utilities (ACU) profile that points to a Layer 3 mobility-enabled service set identifier (SSID).
Workaround 1: Set the MTU on the client network interface to 1476 bytes.
Workaround 2: Force Windows Kerberos Authentication to use TCP instead of UDP. Microsoft Knowledge Base article 244474 describes this procedure and can be found at this URL:
http://support.microsoft.com/default.aspx?scid=kb;en-us;244474 (CSCed76695)
•
A mobile node with a static IP address has IP connectivity in an untrusted network, even though the mobile node should not be able to communicate over an untrusted network. This problem occurs when a mobile node with a static IP address is registered in a trusted network, and then the administrator changes the tunnel interface configuration from trusted to untrusted. (CSCed16337)
•
DHCP snooping does not work properly if the DHCP packets that are sent to or received from a mobile node are received by the central switch over a WAN link.
Workaround: Use an intermediate router to terminate the WAN link, and use a LAN connection between the WAN termination router and the switch. (CSCef08877)
•
In a redundant interswitch topology, if you remove the admin keyword from the WLAN VLAN configuration on the active Wireless LAN Services Module, a Layer 3 control protocol (LCP) communication failure occurs between the Wireless LAN Services Module and the Layer 3 Mobility Manager on the Supervisor Engine 720. The Supervisor Engine 720 shows the HSRP state as Unknown. However, the HSRP state of the Wireless LAN Services Module is still active. As a result, the wireless network is down even though there is a standby Wireless LAN Services Module that can service the clients.
Workaround: Before you modify the WLAN VLAN IP address or remove the admin keyword from the configuration, remove the standby configuration on the active module. (CSCee54884)
•
When the Catalyst 6500 system is operating in compact mode, you cannot ping the IP address of the Wireless LAN Services Module from the wireless clients. (CSCee35232)
•
A mobile node on an untrusted network receives an IP address through DHCP. The DHCP database contains a MAC-to-IP address binding for the mobile node. When the network changes to trusted, the mobile node now has a static IP address. However, if the client does not release the IP address obtained through DHCP, the DHCP database will still contain the MAC-to-IP address binding. If the network returns to untrusted, the mobile node with the static IP address will be incorrectly mapped to the MAC-to-IP address binding in the DHCP database.
Workaround 1: Release the DHCP-based IP address before assigning a static IP address on the client.
Workaround 2: Renew the IP address when changing from a static IP address to a DHCP-based IP address on the client. (CSCed74302)
•
Writing the DHCP database to the bootflash device creates a new file and marks the old file as deleted. However, the old file still exists on the bootflash device. If this process repeats numerous times, read and write processes on the bootflash device become very slow.
Workaround 1: Enter the squeeze bootflash: command to permanently remove all deleted files.
Workaround 2: Store the DHCP database on an external server. (CSCee23185)
•
When mobility broadcast is configured on the GRE tunnel interface, the show wlccp wds mobility command output does not show the broadcast (B) flag. This condition does not affect any operation.
Workaround: Enter the show wds mn detail command on the Wireless LAN Services Module or enter the show mobility stat command on the supervisor engine. (CSCee67500)
Resolved Caveats in Release 1.2(3)
This section describes resolved caveats in WLAN software release 1.2(3):
•
Through normal software maintenance processes, Cisco is removing deprecated functionality from the OS boot routine. These changes have no impact on system operation or feature availability. (CSCei76358)
Open and Resolved Caveats in Software Release 1.2(2)
These sections describe open and resolved caveats in WLAN software release 1.2(2):
•
Open Caveats in Release 1.2(2)
•
Resolved Caveats in Release 1.2(2)
Open Caveats in Release 1.2(2)
This section describes open caveats for the WLAN software release 1.2(2):
•
A computer running Windows 2000 or Windows XP may stop responding during initial startup if it uses the default Aironet Client Utilities (ACU) profile that points to a Layer 3 mobility-enabled service set identifier (SSID).
Workaround 1: Set the MTU on the client network interface to 1476 bytes.
Workaround 2: Force Windows Kerberos Authentication to use TCP instead of UDP. Microsoft Knowledge Base article 244474 describes this procedure and can be found at this URL:
http://support.microsoft.com/default.aspx?scid=kb;en-us;244474 (CSCed76695)
•
A mobile node with a static IP address has IP connectivity in an untrusted network, even though the mobile node should not be able to communicate over an untrusted network. This problem occurs when a mobile node with a static IP address is registered in a trusted network, and then the administrator changes the tunnel interface configuration from trusted to untrusted. (CSCed16337)
•
DHCP snooping does not work properly if the DHCP packets that are sent to or received from a mobile node are received by the central switch over a WAN link.
Workaround: Use an intermediate router to terminate the WAN link, and use a LAN connection between the WAN termination router and the switch. (CSCef08877)
•
In a redundant interswitch topology, if you remove the admin keyword from the WLAN VLAN configuration on the active Wireless LAN Services Module, a Layer 3 control protocol (LCP) communication failure occurs between the Wireless LAN Services Module and the Layer 3 Mobility Manager on the Supervisor Engine 720. The Supervisor Engine 720 shows the HSRP state as Unknown. However, the HSRP state of the Wireless LAN Services Module is still active. As a result, the wireless network is down even though there is a standby Wireless LAN Services Module that can service the clients.
Workaround: Before you modify the WLAN VLAN IP address or remove the admin keyword from the configuration, remove the standby configuration on the active module. (CSCee54884)
•
When the Catalyst 6500 system is operating in compact mode, you cannot ping the IP address of the Wireless LAN Services Module from the wireless clients. (CSCee35232)
•
A mobile node on an untrusted network receives an IP address through DHCP. The DHCP database contains a MAC-to-IP address binding for the mobile node. When the network changes to trusted, the mobile node now has a static IP address. However, if the client does not release the IP address obtained through DHCP, the DHCP database will still contain the MAC-to-IP address binding. If the network returns to untrusted, the mobile node with the static IP address will be incorrectly mapped to the MAC-to-IP address binding in the DHCP database.
Workaround 1: Release the DHCP-based IP address before assigning a static IP address on the client.
Workaround 2: Renew the IP address when changing from a static IP address to a DHCP-based IP address on the client. (CSCed74302)
•
Writing the DHCP database to the bootflash device creates a new file and marks the old file as deleted. However, the old file still exists on the bootflash device. If this process repeats numerous times, read and write processes on the bootflash device become very slow.
Workaround 1: Enter the squeeze bootflash: command to permanently remove all deleted files.
Workaround 2: Store the DHCP database on an external server. (CSCee23185)
•
When mobility broadcast is configured on the GRE tunnel interface, the show wlccp wds mobility command output does not show the broadcast (B) flag. This condition does not affect any operation.
Workaround: Enter the show wds mn detail command on the Wireless LAN Services Module or enter the show mobility stat command on the supervisor engine. (CSCee67500)
Resolved Caveats in Release 1.2(2)
This section describes resolved caveats in WLAN software release 1.2(2):
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
This problem is resolved in WLAN software release 1.2(2). (CSCef44225)
•
A wireless client is not able to browse the Internet because of an MTU issue caused by the GRE header. To adjust the TCP MSS value of the connection, enter the mobility tcp adjust-mss command on the tunnel interface.
This problem is resolved in WLAN software release 1.2(2). (CSCeg26382)
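The MTU problem behind CSCeg26382 and CSCef33192 above comes from the 24 bytes that GRE encapsulation adds; the mobility tcp adjust-mss command fixes it by rewriting the MSS option in TCP SYN segments as they cross the tunnel. The following is an added example, not Cisco's implementation, that shows the arithmetic (1500 - 24 = 1476 tunnel MTU, 1476 - 40 = 1436 MSS) and a working MSS clamp with checksum recomputation; the addresses and segments are constructed.

```python
"""TCP MSS clamping on a GRE tunnel, the job of "mobility tcp adjust-mss".

Added example, not Cisco's implementation. GRE over IPv4 adds 24 bytes (outer
IPv4 header 20 + GRE header 4), so a 1500-byte Ethernet link leaves a 1476-byte
tunnel MTU; a TCP segment that fits carries at most 1476 - 20 - 20 = 1436 bytes
of payload, so the MSS advertised in a SYN is clamped to 1436 and the peer never
sends a full-size segment that would have to be fragmented or dropped.
All packets below are constructed.
"""
import struct
from typing import Optional

IP_HDR = 20
TCP_HDR = 20
GRE_OVERHEAD = 24            # outer IPv4 header (20) + GRE header (4), no key/sequence
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2
FLAG_SYN = 0x02


def gre_tunnel_mtu(link_mtu: int = 1500) -> int:
    return link_mtu - GRE_OVERHEAD            # 1476 on Ethernet


def mss_for_mtu(mtu: int) -> int:
    return mtu - IP_HDR - TCP_HDR              # 1436 for a 1476-byte tunnel


def ip4(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a correctly summed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = ip4(src_ip) + ip4(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed SYN with MSS, two NOPs and SACK-permitted options (8 option bytes)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + b"\x01\x01" + b"\x04\x02"
    doff = (TCP_HDR + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, FLAG_SYN, 65535, 0, 0)
    seg = hdr + options
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def _mss_offset(segment: bytes) -> Optional[int]:
    """Walk the TCP options; return the offset of the MSS value, or None if absent/malformed."""
    doff = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < doff:
        kind = segment[i]
        if kind == OPT_END:
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > doff:
            return None                         # malformed; leave the segment untouched
        if kind == OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def mss_option(segment: bytes) -> Optional[int]:
    off = _mss_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(src_ip: str, dst_ip: str, segment: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a SYN/SYN-ACK to max_mss and recompute the TCP checksum."""
    if not segment[13] & FLAG_SYN:              # only SYN segments carry MSS
        return segment
    current = mss_option(segment)
    if current is None or current <= max_mss:
        return segment
    seg = bytearray(segment)
    off = _mss_offset(segment)
    seg[off:off + 2] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"                    # zero the field before recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    src, dst = "10.0.0.5", "192.0.2.10"         # constructed wireless client and server
    syn = build_syn(src, dst, 40000, 80, 1460)  # client advertises the usual Ethernet MSS
    clamped = clamp_mss(src, dst, syn, mss_for_mtu(gre_tunnel_mtu()))
    print(mss_option(syn), "->", mss_option(clamped),
          "checksum ok:", tcp_checksum(src, dst, clamped) == 0)
```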
•
On occasion, when a Protected Extensible Authentication Protocol (PEAP) client performs machine authentication and user authentication through a wireless domain services (WDS) device, the WDS might mistakenly believe that the user authentication that immediately follows the machine authentication is a MAC address spoofing attack. In this situation, the WDS blocks the user from successfully authenticating to the network, but the client's constant reassociation attempts result in continuous authentication requests being sent to the RADIUS server.
This problem is resolved in WLAN software release 1.2(2). (CSCsa47527)
Open and Resolved Caveats in Software Release 1.2(1)
These sections describe open and resolved caveats in WLAN software release 1.2(1):
•
Open Caveats in Release 1.2(1)
•
Resolved Caveats in Release 1.2(1)
Open Caveats in Release 1.2(1)
This section describes open caveats for the WLAN software release 1.2(1):
•
A computer running Windows 2000 or Windows XP may stop responding during initial startup if it uses the default Aironet Client Utilities (ACU) profile that points to a Layer 3 mobility-enabled service set identifier (SSID).
Workaround 1: Set the MTU on the client network interface to 1476 bytes.
Workaround 2: Force Windows Kerberos Authentication to use TCP instead of UDP. Microsoft Knowledge Base article 244474 describes this procedure and can be found at this URL:
http://support.microsoft.com/default.aspx?scid=kb;en-us;244474 (CSCed76695)
•
A mobile node with a static IP address has IP connectivity in an untrusted network, even though the mobile node should not be able to communicate over an untrusted network. This problem occurs when a mobile node with a static IP address is registered in a trusted network, and then the administrator changes the tunnel interface configuration from trusted to untrusted. (CSCed16337)
•
DHCP snooping does not work properly if the DHCP packets that are sent to or received from a mobile node are received by the central switch over a WAN link.
Workaround: Use an intermediate router to terminate the WAN link, and use a LAN connection between the WAN termination router and the switch. (CSCef08877)
•
In a redundant interswitch topology, if you remove the admin keyword from the WLAN VLAN configuration on the active Wireless LAN Services Module, a Layer 3 control protocol (LCP) communication failure occurs between the Wireless LAN Services Module and the Layer 3 Mobility Manager on the Supervisor Engine 720. The Supervisor Engine 720 shows the HSRP state as Unknown. However, the HSRP state of the Wireless LAN Services Module is still active. As a result, the wireless network is down even though there is a standby Wireless LAN Services Module that can service the clients.
Workaround: Before you modify the WLAN VLAN IP address or remove the admin keyword from the configuration, remove the standby configuration on the active module. (CSCee54884)
•
When the Catalyst 6500 system is operating in compact mode, you cannot ping the IP address of the Wireless LAN Services Module from the wireless clients. (CSCee35232)
•
A mobile node on an untrusted network receives an IP address through DHCP. The DHCP database contains a MAC-to-IP address binding for the mobile node. When the network changes to trusted, the mobile node now has a static IP address. However, if the client does not release the IP address obtained through DHCP, the DHCP database will still contain the MAC-to-IP address binding. If the network returns to untrusted, the mobile node with the static IP address will be incorrectly mapped to the MAC-to-IP address binding in the DHCP database.
Workaround 1: Release the DHCP-based IP address before assigning a static IP address on the client.
Workaround 2: Renew the IP address when changing from a static IP address to a DHCP-based IP address on the client. (CSCed74302)
•
Writing the DHCP database to the bootflash device creates a new file and marks the old file as deleted. However, the old file still exists on the bootflash device. If this process repeats numerous times, read and write processes on the bootflash device become very slow.
Workaround 1: Enter the squeeze bootflash: command to permanently remove all deleted files.
Workaround 2: Store the DHCP database on an external server. (CSCee23185)
•
When mobility broadcast is configured on the GRE tunnel interface, the show wlccp wds mobility command output does not show the broadcast (B) flag. This condition does not affect any operation.
Workaround: Enter the show wds mn detail command on the Wireless LAN Services Module or enter the show mobility stat command on the supervisor engine. (CSCee67500)
Resolved Caveats in Release 1.2(1)
This section describes resolved caveats in WLAN software release 1.2(1):
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
This problem is resolved in WLAN software release 1.2(1). (CSCed78149)
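The "ICMP Attacks Against TCP" caveat listed under the resolved caveats for releases 1.3(1), 1.2(2), 1.2(1) and 1.1(2) does not say what the fix does. The following is an added example, not Cisco's code, of the validation a hardened TCP stack applies to an incoming ICMP error as recommended by that draft (later RFC 5927): match the quoted datagram to a real connection, require the quoted sequence number to lie inside the send window, treat "hard" errors as soft on an established connection, ignore Source Quench, and treat a "fragmentation needed" MTU as a hint to verify. The connection table, addresses and messages are constructed.

```python
"""Validation of ICMP error messages before a TCP stack acts on them.

Added example, not Cisco's code: the defensive checks from the "ICMP Attacks
Against TCP" draft (RFC 5927). The connection table below is constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
CODE_FRAG_NEEDED = 4          # Destination Unreachable, code 4: the PMTUD message
HARD_ERROR_CODES = {2, 3}     # protocol unreachable, port unreachable (RFC 1122 "hard")
PROTO_TCP = 6


@dataclass
class TcpConn:
    """Minimal TCB: local/remote endpoints plus the send window edges."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int               # oldest unacknowledged sequence number
    snd_nxt: int               # next sequence number to be sent
    synchronized: bool = True  # True once the three-way handshake has completed


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_from_str(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def build_icmp_error(icmp_type, code, extra, src_ip, sport, dst_ip, dport, seq) -> bytes:
    """Construct an ICMP error quoting a minimal IPv4 header + 8 TCP bytes (test data)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, PROTO_TCP, 0,
                           ip_from_str(src_ip), ip_from_str(dst_ip))
    tcp8 = struct.pack("!HHI", sport, dport, seq)   # ports + sequence number
    return struct.pack("!BBHI", icmp_type, code, 0, extra) + inner_ip + tcp8


def parse_icmp_error(msg: bytes):
    """Split an ICMP error into its header and the fields of the quoted datagram.

    RFC 792 requires the quoted IP header plus at least 8 bytes of its payload,
    which for TCP covers both ports and the sequence number.
    """
    if len(msg) < 8 + 20 + 8:
        raise ValueError("ICMP error too short to quote IP header + 8 TCP bytes")
    icmp_type, code, _cksum, extra = struct.unpack("!BBHI", msg[:8])
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted IP header is not IPv4 or is truncated")
    proto = inner[9]
    src_ip, dst_ip = ip_to_str(inner[12:16]), ip_to_str(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return icmp_type, code, extra, proto, src_ip, sport, dst_ip, dport, seq


def classify_icmp_error(msg: bytes, conns: List[TcpConn]) -> str:
    """Decide how a hardened TCP stack should treat an incoming ICMP error."""
    icmp_type, code, extra, proto, src_ip, sport, dst_ip, dport, seq = parse_icmp_error(msg)
    if proto != PROTO_TCP:
        return "ignore: quoted datagram is not TCP"
    # The quoted datagram was sent by this host, so its source is our local endpoint.
    conn: Optional[TcpConn] = next(
        (c for c in conns
         if (c.local_ip, c.local_port, c.remote_ip, c.remote_port)
         == (src_ip, sport, dst_ip, dport)), None)
    if conn is None:
        return "drop: no matching connection"
    # A genuine error quotes a segment actually in flight; an off-path sender must guess it.
    if not (conn.snd_una <= seq < conn.snd_nxt):      # sequence wraparound ignored for brevity
        return "drop: quoted sequence number outside send window"
    if icmp_type == ICMP_SOURCE_QUENCH:
        return "ignore: source quench is not acted on for TCP"
    if icmp_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        return f"pmtud: candidate MTU {extra & 0xFFFF}, verify before lowering"
    if icmp_type == ICMP_DEST_UNREACH and code in HARD_ERROR_CODES:
        if conn.synchronized:
            return "soft: hard error on established connection, do not abort"
        return "abort: hard error while the connection is being set up"
    return "soft: report to the application, keep the connection"


if __name__ == "__main__":
    # Constructed table: one established session from 10.0.0.5:40000 to 192.0.2.10:80.
    table = [TcpConn("10.0.0.5", 40000, "192.0.2.10", 80, snd_una=1000, snd_nxt=2000)]
    bogus = build_icmp_error(ICMP_DEST_UNREACH, 3, 0, "10.0.0.5", 40000, "192.0.2.10", 80, 5000)
    genuine = build_icmp_error(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 1476,
                               "10.0.0.5", 40000, "192.0.2.10", 80, 1500)
    print(classify_icmp_error(bogus, table))
    print(classify_icmp_error(genuine, table))
```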
•
The access point does not send an EAP-FAILURE message to a client device that fails authentication when the ACS server sends an ACCESS-REJECT message.
This problem is resolved in WLAN software release 1.2(1). (CSCee38517)
•
The WDS device now sends the class attribute to participating access points so that the access points can include the attribute in RADIUS accounting messages.
This problem is resolved in WLAN software release 1.2(1); you also need Cisco IOS software Release 12.3(02)JA or later operating on the access points. (CSCef18797)
Open and Resolved Caveats in Software Release 1.1(2)
These sections describe open and resolved caveats in WLAN software release 1.1(2):
•
Open Caveats in Release 1.1(2)
•
Resolved Caveats in Release 1.1(2)
Open Caveats in Release 1.1(2)
This section describes open caveats for the WLAN software release 1.1(2):
•
A computer running Windows 2000 or Windows XP may stop responding during initial startup if it uses the default Aironet Client Utilities (ACU) profile that points to a Layer 3 mobility-enabled service set identifier (SSID).
Workaround 1: Set the MTU on the client network interface to 1476 bytes.
Workaround 2: Force Windows Kerberos Authentication to use TCP instead of UDP. Microsoft Knowledge Base article 244474 describes this procedure and can be found at this URL:
http://support.microsoft.com/default.aspx?scid=kb;en-us;244474 (CSCed76695)
•
A mobile node with a static IP address has IP connectivity in an untrusted network, even though the mobile node should not be able to communicate over an untrusted network. This problem occurs when a mobile node with a static IP address is registered in a trusted network, and then the administrator changes the tunnel interface configuration from trusted to untrusted. (CSCed16337)
•
In a redundant interswitch topology, if you remove the admin keyword from the WLAN VLAN configuration on the active Wireless LAN Services Module, a Layer 3 control protocol (LCP) communication failure occurs between the Wireless LAN Services Module and the Layer 3 Mobility Manager on the Supervisor Engine 720. The Supervisor Engine 720 shows the HSRP state as Unknown. However, the HSRP state of the Wireless LAN Services Module is still active. As a result, the wireless network is down even though there is a standby Wireless LAN Services Module that can service the clients.
Workaround: Before you modify the WLAN VLAN IP address or remove the admin keyword from the configuration, remove the standby configuration on the active module. (CSCee54884)
•
DHCP snooping does not work properly if the DHCP packets that are sent to or received from a mobile node are received by the central switch over a WAN link.
Workaround: Use an intermediate router to terminate the WAN link, and use a LAN connection between the WAN termination router and the switch. (CSCef08877)
•
When the Catalyst 6500 system is running in compact mode, you cannot ping the IP address of the Wireless LAN Services Module from the wireless clients. (CSCee35232)
•
A mobile node on an untrusted network receives an IP address through DHCP. The DHCP database contains a MAC-to-IP address binding for the mobile node. When the network changes to trusted, the mobile node now has a static IP address. However, if the client does not release the IP address obtained through DHCP, the DHCP database will still contain the MAC-to-IP address binding. If the network returns to untrusted, the mobile node with the static IP address will be incorrectly mapped to the MAC-to-IP address binding in the DHCP database.
Workaround 1: Release the DHCP-based IP address before assigning a static IP address on the client.
Workaround 2: Renew the IP address when changing from a static IP address to a DHCP-based IP address on the client. (CSCed74302)
•
Writing the DHCP database to the bootflash device creates a new file and marks the old file as deleted. However, the old file still exists on the bootflash device. If this process repeats numerous times, read and write processes on the bootflash device become very slow.
Workaround 1: Enter the squeeze bootflash: command to permanently remove all deleted files.
Workaround 2: Store the DHCP database on an external server. (CSCee23185)
•
When mobility broadcast is configured on the GRE tunnel interface, the show wlccp wds mobility command output does not show the broadcast (B) flag. This condition does not affect any operation.
Workaround: Enter the show wds mn detail command on the Wireless LAN Services Module or enter the show mobility stat command on the supervisor engine. (CSCee67500)
Resolved Caveats in Release 1.1(2)
This section describes resolved caveats in WLAN software release 1.1(2):
•
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP" (draft-gont-tcpm-icmp-attacks-03.txt).
These attacks, which only affect sessions terminating or originating on a device itself, can be of three types:
1. Attacks that use ICMP "hard" error messages
2. Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3. Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.
Multiple Cisco products are affected by the attacks described in this Internet draft.
Cisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml.
The disclosure of these vulnerabilities is being coordinated by the National Infrastructure Security Coordination Centre (NISCC), based in the United Kingdom. NISCC is working with multiple vendors whose products are potentially affected. Its posting can be found at: http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
This problem is reso