Release Note for the Cisco ACE 4700 Series Application Control Engine Appliance
Important Considerations for A5(x) Release
New Software Features in Version A5(3.1)
Support of Radius Sticky Information
New Software Features in Version A5(3.0)
Support of Hex data in TCP / UDP Probe Send-data and Expect Regex
Enhancements in HTTP Content Rewrite
Configuration and Restrictions
Updates to Resource Parameter Monitoring
Ability to Configure Fragment Timeout in Milliseconds
Ability to Configure the Re-assembly Timer Interval
Automatic Capture of Exec Command Mode Output
Ability to Capture the Complete Output of the LbInspect Tool
Caching of snmp-get response for L4-L7 Resource Limit MIB
Ability to Allow SSL Record Parsing to a Specific Size
Ability to Allow HTTP to Parse the Non-encoded Characters
Sample Output of Show Serverfarm Detail
Support for A5(3.0)-Specific Features in ACE Appliance Device Manager GUI
Ordering an Upgrade License and Generating a Key
Performing ACE Appliance Software Upgrades and Downgrades
Supported Browsers for ACE Appliance Device Manager
Software Version A5(3.5) Resolved Caveats and Open Caveats
Software Version A5(3.5) Resolved Caveats
Software Version A5(3.4) Resolved Caveats and Open Caveats
Software Version A5(3.4) Resolved Caveats
Software Version A5(3.3) Resolved Caveats and Open Caveats
Software Version A5(3.3) Resolved Caveats
Software Version A5(3.3) Open Caveats
Software Version A5(3.2) Resolved Caveats and Open Caveats
Software Version A5(3.2) Resolved Caveats
Software Version A5(3.2) Open Caveats
Software Version A5(3.1b) Resolved Caveats and Open Caveats
Software Version A5(3.1b) Resolved Caveats
Software Version A5(3.1b) Open Caveats
Software Version A5(3.1a) Resolved Caveats and Open Caveats
Software Version A5(3.1a) Resolved Caveats
Software Version A5(3.1a) Open Caveats
Software Version A5(3.1) Resolved Caveats, Open Caveats, and System Messages
Software Version A5(3.1) Resolved Caveats
Software Version A5(3.1) Open Caveats
Software Version A5(3.1) System Log Messages
Software Version A5(3.0) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages
Software Version A5(3.0) Resolved Caveats
Software Version A5(3.0) Open Caveats
Software Version A5(3.0) Command Changes
Related SNMP Changes for A5(3.0)
Software Version A5(3.0) System Log Messages
Obtaining Documentation and Submitting a Service Request
Note The most current Cisco documentation for released products is available on Cisco.com.
This release note applies to the following software versions for the Cisco 4700 Series Application Control Engine (ACE) appliance.
For information on the ACE appliance features and configuration details, see the ACE documentation located on www.cisco.com at:
http://www.cisco.com/en/US/products/ps7027/tsd_products_support_series_home.html
This release note contains the following sections:
Please refer to the ACE Operating Considerations section at the end of this section for critical considerations for the A5(x) release.
Please refer to the ACE Operating Considerations section for important Notes on A5(3.1b).
Software version A5(3.1) provides the following new features:
The ACE A5(3.1) release introduces the following changes:
ACE can be provisioned to use the cipher TLS_RSA_WITH_AES_128_CBC_SHA256 for SSL communication in front-end, back-end and end-to-end configuration modes. A new command has been added under the parameter-map type SSL command: in the cipher sub-command, support for TLS_RSA_WITH_AES_128_CBC_SHA256 { 0x00,0x3C } has been added.
Note This Cipher is only supported with TLS1.2
Note This cipher is not supported by HTTPS probes.
This software version adds support for the ‘Deleting Fip Sticky Entries on Acct Stop with Session Stop Indicator’ feature. This feature enables deletion of the sticky entry based on Attribute 26 (VSA) 11, called the ‘Session Stop Indicator’, in the Accounting Stop request. In Device Manager 5(3.1), under Config > Devices > Load Balancing > Stickiness > Add/Edit, when TYPE is set to RADIUS, the parameter can be enabled with the ‘Radius Purge Information’ check box.
Software version A5(3.0) provides the following new features:
ACE software version A5(3.0) supports configuring the send-data and expect regex CLI commands to accept hex data. If the configured hex data is “ae5530” (6 bytes), the converted value is the 3 bytes ae, 55, 30.
Each pair of characters in the hex string is converted to one byte of actual hex value (for example, ‘a’ and ‘e’ from the string combine to form the hex value ‘ae’). This conversion model is based on the existing hash value configuration under the HTTP/HTTPS probe. The same CLI command modification applies to TCP and UDP probes.
The following new commands have been added to configure hex data and hex regex under TCP and UDP probes:
Note You can use the keyword send-hex-data to configure the probe for allowing hex data.
Note You can use the keyword hex-regex to configure the probe for allowing hex in expect regex CLI commands.
Observe the following conditions when configuring hex data:
The HTTP content rewrite feature provides the capability to rewrite configured regex patterns in the HTTP response data. The feature has been enhanced to support rewriting HTTP content in the server-to-client direction.
The feature uses a rule-based rewriting engine (based on a regular-expression parser) to rewrite the requested patterns on the fly, providing a flexible and powerful content manipulation mechanism. The URL content rewrite feature is effectively a search of the full content of each HTTP response in range, replacing each match of the regex search pattern with the defined regex replace pattern.
The following content rewrite command has been added as part of the HTTP modify action list:
Note Only one rewrite configuration is allowed per action list.
Content rewrite is applied to the response data based on the amount of data that the HTTP module receives from TCP. By default, HTTP receives up to 32K bytes (including headers) of response data (the default TCP buffer share is 32K). Hence content rewrite works on the first 32K of response data; if the response is larger than 32K, the ACE sends the remaining data without any content rewrite.
If you want to send more data from TCP to HTTP, you can increase the TCP buffer-share size to up to 48K; the ACE then performs content rewrite on the first 48K of response data and bypasses the remaining response data without rewriting it.
Note We have observed that the ACE takes more time to perform content rewrite for large response files (for one GET request of 48K bytes of data, content rewrite takes approximately 6 seconds).
Support for basic and extended regex depends on the regex parser support on the DP. A content rewrite rule must have both a content regex pattern and a replacement pattern.
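As an added illustration (not code from the release note or from the ACE), the following Python model shows why a pattern that occurs beyond the TCP buffer share is never rewritten: the regex runs only over the first buffer-share bytes of the response (headers included) and the remainder passes through unchanged. The sample response, the pattern and the cut at an exact byte boundary are constructed assumptions based on the text above; the model also does not adjust Content-Length after a replacement of different length, which a real rewrite must handle.

```python
import re

DEFAULT_BUFFER_SHARE = 32 * 1024  # default TCP buffer share handed to HTTP (32K, headers included)
MAX_BUFFER_SHARE = 48 * 1024      # largest buffer-share value the release note allows


def content_rewrite(response: bytes, pattern: bytes, replacement: bytes,
                    buffer_share: int = DEFAULT_BUFFER_SHARE):
    """Model of ACE HTTP content rewrite in the server-to-client direction.

    Only the first `buffer_share` bytes of the response reach the HTTP module,
    so the regex search/replace is applied there; everything after that point
    is forwarded untouched (assumption: the cut falls at an exact byte boundary).
    Returns (rewritten_response, substitutions_made).
    """
    if not 0 < buffer_share <= MAX_BUFFER_SHARE:
        raise ValueError("buffer-share must be between 1 and 48K bytes")
    inspected, bypassed = response[:buffer_share], response[buffer_share:]
    rewritten, count = re.subn(pattern, replacement, inspected)
    return rewritten + bypassed, count


def build_response(body: bytes) -> bytes:
    """Constructed HTTP/1.1 response used as sample input (not a real capture)."""
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return headers + body


# Constructed test data: one link near the start of the body and an identical
# link pushed past the 32K mark by filler, but still inside 48K.
INTERNAL_LINK = b'<a href="http://internal.example.test/app">'
SAMPLE_RESPONSE = build_response(INTERNAL_LINK + b"x" * 40000 + INTERNAL_LINK)
PATTERN = rb"http://internal\.example\.test"
REPLACEMENT = b"https://www.example.test"


def leftover_internal_links(buffer_share: int) -> int:
    """Run the rewrite with a given buffer-share and count the links that escaped it."""
    out, _ = content_rewrite(SAMPLE_RESPONSE, PATTERN, REPLACEMENT, buffer_share)
    return out.count(b"internal.example.test")


if __name__ == "__main__":
    for share in (DEFAULT_BUFFER_SHARE, MAX_BUFFER_SHARE):
        print(f"buffer-share {share // 1024}K: "
              f"{leftover_internal_links(share)} link(s) not rewritten")
```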
ACE Software A5(3.0) supports the newer versions of TLS (TLS 1.1 and TLS 1.2). This enables ACE to successfully negotiate with TLS1.1 and TLS1.2 clients (in front-end and end-to-end SSL configuration) and to also act as a TLS1.1 or TLS1.2 server (in back-end and end-to-end SSL configuration).
This feature is implemented on top of the existing SSL/TLS software stack. The existing handshake design and packet flow have been redesigned to support interleaving of application records and handshake records, without affecting the existing SSL/TLS features.
The following new commands have been added to support TLS1.1 and TLS1.2:
Note The configuration version Upto_TLS1_1 indicates that ACE supports SSL3.0, TLS1.0 and TLS1.1 versions.
Note The configuration version Upto_TLS1_2 indicates that ACE supports SSL3.0, TLS1.0, TLS1.1 and TLS1.2 versions.
Note Only one version configuration is allowed in one ssl parameter map. The previous version gets overwritten if a new version is configured.
For TLS1.2 with client authentication, the ACE supports only SHA256 (0x04) as the hash and RSA (0x01) as the signature in the signature-and-hash algorithm pair. The handshake fails if the peer does not support this combination.
For the TLS1.1 and TLS1.2 SSL versions, only certain ciphers are supported, as listed in the tables below. If you try to configure an unsupported SSL version or an unsupported cipher, an error message is displayed.
Table 1 Cipher suites supported by TLS 1.1
Table 2 Cipher suites supported by TLS 1.2
ACE does not block the configuration of export ciphers even when version Upto_TLS1_1 or version Upto_TLS1_2 is configured, because with either version setting the ACE still negotiates with SSL3/TLS1 clients and uses those export ciphers with them. ACE will not select export ciphers for TLS1.1/1.2 even if export ciphers are configured in the parameter map.
If only export ciphers are configured in the ssl parameter map along with version Upto_TLS1_1/Upto_TLS1_2 (or a combination of Upto_TLS1_2 and only RSA_WITH_DES_CBC_SHA) then:
1. ACE as a server will not be able to accept any TLS1.1/1.2 request and will send an alert (no_shared_cipher)
2. ACE as a client will send a client hello containing only TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff), which is not a cipher but only signals support for secure renegotiation. The server will send an alert (no_shared_cipher) in this case.
Note TLS1.1 requests will work with the combination of Upto_TLS1_2 and only RSA_WITH_DES_CBC_SHA.
Following are the new MIB objects for TLS1.1 and TLS1.2:
The application firewall currently supports a list of applications including HTTP, SIP, and FTP. FTP deep inspection is an application firewall that statefully monitors the File Transfer Protocol. Earlier versions of the ACE support FTP with IPv4 only. With A5(3.0), the ACE supports FTP with both IPv4 and IPv6.
Included below is a summary of the sample configuration to support FTP IPv6 in A5(3.0):
The existing show resource monitor-params CLI command has been extended to display the 1-minute and 5-minute averages of the following utilization parameters:
1. System Level: Bandwidth, CPU, Memory, CPS, Total connections, Total SSL connections
2. Per Context: Bandwidth, CPS, Total connections
3. Per VIP: Bandwidth, CPS, Total connections
4. Per Rserver: Bandwidth, CPS, Total connections
Note The 1-minute average is calculated from 2 readings at 30-second intervals, and the 5-minute average from 5 readings at 1-minute intervals.
With the A5(3.0) release you can configure the fragment timeout in seconds (fragment timeout for IPv4 and ipv6 fragment timeout for IPv6). In the re-assembly module, the shadow table maintains the timeout values of fragments received by ACE re-assembly. The re-assembly module scans the shadow table entries and cleans the timed-out entries. By default, the re-assembly timer interval timeout is 5 seconds for IPv4 and 60 seconds for IPv6. With the A5(3.0) release, the ACE includes the re-assembly-time-interval CLI command to configure the timer interval. By default, the re-assembly timeout scan happens once every 1000 milliseconds (1 second). With this command the time interval can be configured as required.
The syntax for the fragment timeout is as follows:
fragment timeout-msec <timeout value in milliseconds>
In the re-assembly module, the shadow table maintains the timeout values of fragments received by re-assembly. The re-assembly timer scans the shadow table entries and cleans the timed-out entries. By default the re-assembly timer interval is 1 second (1000 msecs). ACE A5(3.0) provides a command option to configure the timer interval. By default, the re-assembly timeout scan happens once every 1000 milliseconds (1 second). With this CLI command the interval can be configured as required. This is a system-level parameter.
The syntax for the re-assembly timer interval command is as follows:
system-defaults reassembly-timer-interval
Note This is a global level CLI command which is applicable for all the contexts.
With A5(3.0), the ACE now supports the ability to automatically capture output of any non-interactive Exec mode show command for debugging purposes.
Use the following CLI command to configure the automatic capture of Exec command mode output:
In the sample configuration shown above, the output of the show tech CLI command is captured and stored every 5 minutes, and the latest 4 such outputs are kept in the core:AUTO-SNAP directory.
The content is stored in .gz format; you must download and extract it to obtain the text file with the collected output.
Note This command will occupy disk space and hence needs to be used sparingly (only for debugging purpose).
With software version A5(3.0), the show np x lb-stats command is extended to include an all sub-option under the following types of stats, which dumps the LB stats for:
With software version A5(3.0), caching has been implemented for snmpget query for objects in CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB (1.3.6.1.4.1.9.9.480).
In earlier versions of the ACE, snmpget requests for objects in the above MIB timed out intermittently because read operations took too long. To overcome this, caching has been implemented: when the first snmpget query is made, the response is cached, and subsequent queries received within 15 seconds of the first query receive the same response.
ACE allocates a predefined number of buffers (17 by default) for each packet that must be parsed because of an L7 configuration. However, a valid SSL record can occupy more than this default number of buffers, depending on the record size; for example, a record of 16400 bytes can occupy as many as 33 buffers. This falsely triggers an error and the packet is dropped. To prevent this, the ACE allocates as many buffers for SSL requests as the record size that the client legitimately sends requires, overriding the default of 17 buffers for SSL packets that are parsed.
The syntax to configure the ACE SSL maximum record size is as follows:
Note This will allow ACE to parse SSL records up to the size defined (<number>) without resulting in a rejection such as a slow-loris detection.
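To make the buffer arithmetic in this section concrete, here is an added Python example (not ACE code) that walks a constructed TLS record stream, counts the buffers each record would consume, and decides whether it would be parsed or rejected under the default limit of 17 buffers or under a configured maximum record size. The 512-byte buffer size is an assumption chosen because it reproduces the page's figure of 33 buffers for a 16400-byte record; the cut-off semantics of the maximum-record-size command are likewise modelled from the description above.

```python
import struct
from typing import Optional

DEFAULT_PARSE_BUFFERS = 17   # buffers ACE reserves per parsed packet by default (from the note)
ASSUMED_BUFFER_BYTES = 512   # assumption: 512 B per buffer reproduces "16400 bytes -> 33 buffers"
TLS_HEADER_LEN = 5           # content type (1) + version (2) + length (2)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def buffers_needed(nbytes: int, buffer_bytes: int = ASSUMED_BUFFER_BYTES) -> int:
    """Ceiling division: how many fixed-size buffers a record of nbytes occupies."""
    return -(-nbytes // buffer_bytes)


def max_record_for_buffers(nbuffers: int, buffer_bytes: int = ASSUMED_BUFFER_BYTES) -> int:
    """Largest record (header included) that fits in nbuffers buffers."""
    return nbuffers * buffer_bytes


def make_record(content_type: int, payload_len: int) -> bytes:
    """Constructed TLS 1.2 record with a dummy payload (sample input, not a capture)."""
    return struct.pack("!BHH", content_type, 0x0303, payload_len) + b"\x00" * payload_len


def parse_tls_records(stream: bytes):
    """Split a byte stream into TLS records using only the 5-byte record header."""
    records, offset = [], 0
    while offset + TLS_HEADER_LEN <= len(stream):
        content_type, version, length = struct.unpack(
            "!BHH", stream[offset:offset + TLS_HEADER_LEN])
        if content_type not in TLS_CONTENT_TYPES:
            raise ValueError(f"not a TLS record at offset {offset}")
        end = offset + TLS_HEADER_LEN + length
        if end > len(stream):
            raise ValueError(f"truncated record at offset {offset}")
        records.append({"type": TLS_CONTENT_TYPES[content_type], "version": version,
                        "wire_bytes": TLS_HEADER_LEN + length})
        offset = end
    if offset != len(stream):
        raise ValueError("trailing bytes that do not form a complete record")
    return records


def check_records(stream: bytes, max_record_size: Optional[int] = None):
    """Annotate each record with its buffer cost and whether the ACE would parse it.

    max_record_size=None models the default: a record needing more than 17
    buffers is dropped.  A configured size lets the ACE allocate buffers up to
    that record size instead (assumption based on the command description).
    """
    limit = (DEFAULT_PARSE_BUFFERS if max_record_size is None
             else buffers_needed(max_record_size))
    results = []
    for rec in parse_tls_records(stream):
        rec["buffers"] = buffers_needed(rec["wire_bytes"])
        rec["allowed"] = rec["buffers"] <= limit
        results.append(rec)
    return results


if __name__ == "__main__":
    sample = make_record(23, 16400) + make_record(22, 100)
    for rec in check_records(sample):
        print(rec)
    print("default limit covers records up to",
          max_record_for_buffers(DEFAULT_PARSE_BUFFERS), "bytes")
```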
With A5(3.0) release you can configure ACE HTTP to parse the non-encoded special characters.
By default, the ACE follows RFC 2396 and, if any unwise characters (non-encoded special characters) appear in the URL of a request, HTTP detects those non-encoded characters and resets the connection. If you configure this CLI command, the ACE allows the non-encoded special characters.
The syntax is as follows:
Note This is a global level CLI which is applicable for all the contexts.
The following is sample output of “show serverfarm detail”. Here, the count under current represents the total active connections associated with the rserver. The count under total represents the total successful connections that hit the rserver, and it includes the current connections. The count under failure represents the total failed connections to the rserver.
With the A5(3.0) software release, the ACE appliance Device Manager GUI includes support for:
For details, refer to the Device Manager GUI Guide, Cisco ACE 4700 Series Application Control Engine Appliance.
By default, the ACE supports the following features and capabilities:
You can increase the performance and operating capabilities of your ACE product by purchasing one of the optional license bundles. You can order your ACE product by ordering a license bundle. Each license bundle includes the ACE appliance and a software license bundle.
Note Regardless of the license bundle you choose, the maximum application acceleration performance is fixed at 100 concurrent connections and is not configurable.
You must have the Admin role in the Admin context to perform the tasks of installing, removing, and updating the license. You can access the license and show license commands only in the Admin context.
For more information on license bundles, see the Administration Guide, Cisco ACE Appliance Control Engine.
ACE demo licenses are available through your Cisco account representative. A demo license is valid for only 60 days. At the end of this period, you must update the demo license with a permanent license to continue to use the ACE software. To view the expiration of a demo license, from the CLI command, use the show license usage command in Exec mode. If you need to replace the ACE appliance, you can copy and install the licenses onto the replacement appliance.
This section describes the process that you use to order an upgrade license and to generate a license key for your ACE. To order an upgrade license, follow these steps:
Step 1 Order one of the licenses from the list in the “Available ACE Licenses” section using any of the available Cisco ordering tools on cisco.com.
Step 2 When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct you to the following Cisco.com website:
http://www.cisco.com/go/license
http://www.cisco.com/go/license/public
Step 3 Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as your proof of purchase.
Step 4 Provide all the requested information to generate a license key. Once the system generates the license key, you will receive a license key e-mail with an attached license file and installation instructions.
Step 5 Save the license key e-mail in a safe place in case you need it in the future (for example, to transfer the license to another ACE).
For information on installing and managing ACE licenses:
For detailed information on performing an ACE appliance software upgrade or downgrade, see the Upgrade/Downgrade Guide, Cisco ACE 4700 Series Application Control Engine Appliance. You can find this document at the following location on www.cisco.com:
http://www.cisco.com/en/US/products/ps7027/prod_installation_guides_list.html
The ACE appliance Device Manager is supported on the browsers listed in Table 3. All browsers require cookies and DHTML (JavaScript) to be enabled.
The ACE operating considerations are as follows:
To make probes work, you have to remove this command by using “no ssl certificate-expiration ignore” under HTTPS probe and use valid certificates.
A performance degradation of 9% may be observed while using TLS1.0 compared to SSLv3.
When preempt is disabled and both ACEs have the same priority after reloading an ACE (either Active or Standby), the ACE with the highest uptime is elected as Active.
Note The ACE resets all Secure Sockets Layer (SSL) connections to a particular real server when you enter the no inservice command for that server.
The default HTTP and SSL ports (80 and 443) now have a default inactivity timeout of 300 seconds.
When you have finished making configuration changes to the active ACE, re-enable config sync by entering the following command:
After you re-enable config sync, the ACE automatically synchronizes the configuration changes from the active ACE to the standby ACE.
– If you upgrade the ACE from a version earlier than A4(2.0), the ACE software ignores the configured command and sets it to 100 connections.
– If you downgrade the ACE to a version earlier than A4(2.0), the command is removed from the startup configuration and you must reconfigure it after the downgrade process is completed.
We recommend that you do not make any configuration changes during this time and that you do not keep the ACEs in this state for a long time. However, if you must make configuration changes while the ACEs are in split mode, ensure that you manually synchronize to the standby ACE any configuration changes that you make on the active ACE. After you complete the software upgrade of both ACEs, a bulk sync occurs automatically to replicate the entire configuration of the new active ACE to the new standby ACE. At this time, dynamic incremental sync will be enabled again. For details about config sync, see Chapter 6, “Configuring Redundant ACEs” in the Administration Guide, Cisco ACE Appliance Control Engine.
When redundancy peers run on different version images, the SRG compatibility field of the show ft peer detail command output displays WARM_COMPATIBLE instead of COMPATIBLE. When the peer is in the WARM_COMPATIBLE state, the FT groups on standby go to the STANDBY_WARM state instead of the STANDBY_HOT state.
When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on) for use with ANM, enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
ACE Appliance: ACE4710_A5x_bash_security_fix.bin.
The dplug must be installed to address the issues described in defect CSCur02195: ACE evaluation for CVE-2014-6271 and CVE-2014-7169.
Follow the procedure below to install the security fix via the dplug.
Procedure to install the dplug:
1. FTP the dplug to the ACE box
2. Load the dplug to the image directory
The dplug will install the fix and exit.
Note This dplug is only applicable for A5(3.1a) and previous releases.
Note The fix installed via the dplug is not persistent, so it must be re-installed after each reboot of the ACE.
You can access the ACE appliance documentation on www.cisco.com at:
http://www.cisco.com/en/US/products/ps7027/tsd_products_support_series_home.html
For information about installing the Cisco ACE 4710 appliance hardware, see the following documents on Cisco.com:
To familiarize yourself with the ACE appliance software, see the following documents on Cisco.com:
For detailed configuration information on the ACE appliance Device Manager, see the following software documents on Cisco.com:
For detailed configuration information on the ACE CLI, see the following software documents on Cisco.com:
– Describes how to perform the following administration tasks on the ACE:
– Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance: Describes the configuration of the application acceleration and optimization features of the ACE. It also provides an overview and description of the application acceleration features and operation.
– Cisco Application Control Engine (ACE) Configuration Examples Wiki: Provides examples of common configurations for load balancing, security, SSL, routing and bridging, virtualization, and so on.
– Describes the procedures and methodology in wiki format to troubleshoot the most common problems that you may encounter during the operation of your ACE.
– Provides an alphabetical list and descriptions of all CLI commands by mode, including syntax, options, and related commands.
– Routing and Bridging Guide, Cisco ACE Application Control Engine: Describes how to perform the following routing and bridging tasks on the ACE:
– Describes how to perform the following ACE security configuration tasks:
– Server Load-Balancing Guide, Cisco ACE Application Control Engine: Describes how to configure the following server load-balancing tasks on the ACE:
– Describes how to configure the following Secure Sockets Layer (SSL) tasks on the ACE:
– Describes how to configure system message logging on the ACE. This guide also lists and describes the system log (syslog) messages generated by the ACE.
– Describes how to operate your ACE in a single context or in multiple contexts.
– Describes how to use the CSS-to-ACE conversion tool to migrate Cisco Content Services Switches (CSS) running-configuration or startup-configuration files to the ACE.
For detailed configuration information on Cisco Application Networking Manager (ANM), see the following software document on Cisco.com:
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved caveats in software version A5(3.5):
The following resolved caveats apply to software version A5(3.5):
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved caveats in software version A5(3.4):
The following resolved caveats apply to software version A5(3.4):
– New CLI Commands: The following new command has been added to disable the crypto chaingroup update feature:
– Functionality: The command is restricted to Admin and is a global command. When configured, it disables the "crypto chaingroup update function" (CSCue49212) to reduce the HA sync time after a reload.
– Guidelines and Restrictions: Observe the following conditions when configuring the command:
1. When the command is configured, do not remove any certificate under "crypto chaingroup <NAME>".
2. If you remove certificates under "crypto chaingroup <NAME>" while the command is configured, you must add that chaingroup under ssl-proxy once again.
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(3.3):
The following resolved caveats apply to software version A5(3.3):
– In earlier versions, snmpget requests for objects in the L4-L7 Resource Limit MIB timed out intermittently because read operations took too long. To resolve this, a caching mechanism was implemented in A5(3.0), which introduces a 15-second delay for bulk snmpget requests.
– CSCuu39811 provides an option to disable the cache to get a faster response. By default the cache is enabled, and the CLI provides an option to disable it.
– A new command, "get-request-cache-disable", is added under the "snmp-server" token to disable the cache, i.e. the 15-second delay (for more on the caching mechanism implementation, see http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/ace_appliances/VA5_3_x/release/note/ACE_app_rn_A53x.html#pgfId-907398). Once "snmp-server get-request-cache-disable" is configured and a bulk of snmpget requests is sent to the ACE, the updated information is returned immediately.
a. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
b. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
– Mozilla Firefox disables the weak ciphers listed above in version 39 and later. DM 5.3.3 works with Mozilla Firefox version 39 and later because of the fix that disables these ciphers. However, with older versions of Mozilla Firefox there is an impact, as there is no cipher overlap supporting these ciphers; hence the login screen may not appear. Additionally, if earlier DM versions (A5.3.2 and below) are used with Mozilla Firefox version 39 or later, the weak DHE key will be used for the handshake, and the login page may not appear.
– For new configurations, these are not valid ciphers to put into the command, and an error will result from the failed handshake if valid ciphers are not used.
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(3.2):
The following resolved caveats apply to software version A5(3.2):
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(3.1b):
The following resolved caveats apply to software version A5(3.1b):
Note ACE will no longer support SSLv3 version of SSL. ACE will support the following SSL versions TLS1.0, TLS1.1, and TLS1.2. A performance degradation of 9% may be observed while using TLS1.0 compared to SSLv3.
The following open caveats apply to software version A5(3.1b):
Configuring the command “ssl certificate-expiration ignore” under HTTPS probe will cause the HTTPS probes to fail.
Workaround: To make probes work, you have to remove this command by using “no ssl certificate-expiration ignore” under HTTPS probe and use valid certificates.
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(3.1a):
The following resolved caveats apply to software version A5(3.1a):
The following open caveats apply to software version A5(3.1a):
1. Remove the offending lines one at a time until the ACL can be applied successfully.
2. Remove the offending lines and try a different line number.
Follow the instructions here: http://support.microsoft.com/kb/2643584
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(3.1):
The following resolved caveats apply to software version A5(3.1):
1. show ntp peer-status does not show NTP server
2. ACE cannot sync clock with NTPv3 server with authentication configured
3. "Could not find the relevant data" when trying to delete ntp server configured with authentication
1. Make sure that NTP key is entered before NTP server where this key is referenced:
2. This workaround will work until the box is rebooted, workaround should be applied again afterwards.
The following open caveats apply to software version A5(3.1):
1. Remove the offending lines one at a time until the ACL can be applied successfully.
2. Remove the offending lines and try a different line number.
Note If you add or modify a VIP address in a class map, the ACE internally adds the new VIP address to the icmp-vip table. If a collision occurs during this icmp-vip table update, the above syslog is generated.
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(3.0):
The following resolved caveats apply to software version A5(3.0):
CSCud71628—The bad performance is due to the way TCP tries to recover from the low Window Size ACE reports: When the client receives a Window Size lower than a certain threshold, it will wait for 5 seconds to allow the peer devices (the ACE in this case) to process the data in its buffers after which it should update the Window Size again. As ACE never sends an updated Window Size, the client waits for the full 5 seconds before attempting to send further data. As ACE still responds to this additional data with the same low (or an even lower) Window Size, the same procedure starts over again. Workaround : Disable the "tcp-options window-scale allow”.
CSCue38032—ACE appliance reports "write error: No space left on device" when issuing various commands. Condition: ACE appliance with heavy use of the DM. Workaround: Log in as debuguser and issue the following commands from the shell:
CSCue38310—On an ACE with IPv6 enabled, an attempt to assign the same IPv6 address to different non-shared interfaces fails. Workaround: None.
CSCue49212—The order of issuer certificates in the SSL/TLS certificate chain sent by the ACE in the Server Hello may differ from their order in the configured chaingroup. Workaround: Remove and re-apply the chaingroup, or configure a new chaingroup with the certificates in order, from the lowest subordinate certificate at the top to the root CA at the bottom.
CSCue73311—Cisco ACE includes a version of OpenSSL that is affected by the vulnerability identified by the following Common Vulnerabilities and Exposures (CVE) ID: CVE-2011-1473. Workaround: SSL/TLS renegotiation can be disabled by disabling "rehandshake".
CSCue78766—The ARP entry may be incorrect for an interface on a context. The output for that interface from "show arp" and "show int" do not match. Workaround: Do a "shut" followed by "no shut" on the interface in the context.
CSCue75913—ACE30 module crashes and generates core file snmpd_log.xxxx.tar.gz. Workaround: Stop SNMP polling of the ACE30 module.
CSCue88110—ACE30 module crashes and generates core file snmpd_log.1033.xxxx.tar.gz. Last boot reason: Service "snmpd". Death reason: SYSMGR_DEATH_REASON_FAILURE_SIGNAL, with malloc_printerr () from /lib/tls/libc.so.6 in the backtrace. Workaround: Stop SNMP polling of the ACE30 module.
CSCue93409—ACE crashed due to service NTP. Workaround: None; the appliance recovers after the crash.
CSCue97543—TCP connections across the ACE are extremely slow (delays of several minutes are possible) or fail completely. In packet captures you will see a jump of the TCP timestamp (TSval) sent from the ACE to the backend server at some point (more precisely, when the connection is unproxied on the ACE). Workaround: a. Remove "tcp-options timestamp allow"; or b. if the timestamp option is required, force the connection to remain proxied on the ACE throughout its lifetime by adding "set tcp wan-optimization rtt 0" to the parameter map of type connection.
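The two caveats above (CSCud71628 and CSCue97543) describe symptoms that are easiest to confirm from a packet capture: a peer that keeps advertising a small receive window with the sender stalling between attempts, and a discontinuity in the TSval that one side sends. The following Python is an added example, not code from the release note or from Cisco, that runs those three checks over a list of packet records. The packet records, the field names and the thresholds are constructed for illustration; in practice you would fill the records from a capture export.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed packet summary: only the TCP fields the checks need.
@dataclass
class TcpPkt:
    t: float                      # capture timestamp in seconds
    src: str                      # sender label (e.g. "client", "ace")
    window: int                   # advertised receive window in bytes
    tsval: Optional[int] = None   # TCP timestamp option TSval, None if absent

TSVAL_MOD = 1 << 32  # TSval is a 32-bit counter and wraps


def low_window_runs(pkts: List[TcpPkt], sender: str, threshold: int,
                    min_run: int) -> List[Tuple[float, float, int]]:
    """Runs of consecutive packets from `sender` whose advertised window stays
    below `threshold`. Returns (first_t, last_t, count) for runs >= min_run."""
    runs, run = [], []
    for p in pkts:
        if p.src != sender:
            continue
        if p.window < threshold:
            run.append(p)
            continue
        if len(run) >= min_run:
            runs.append((run[0].t, run[-1].t, len(run)))
        run = []
    if len(run) >= min_run:
        runs.append((run[0].t, run[-1].t, len(run)))
    return runs


def sender_gaps(pkts: List[TcpPkt], sender: str,
                min_gap: float) -> List[Tuple[float, float]]:
    """Pauses of at least `min_gap` seconds between consecutive packets from
    `sender` (the fixed waits a client makes when it keeps seeing a tiny window)."""
    gaps, prev_t = [], None
    for p in pkts:
        if p.src != sender:
            continue
        if prev_t is not None and p.t - prev_t >= min_gap:
            gaps.append((prev_t, p.t))
        prev_t = p.t
    return gaps


def tsval_discontinuities(pkts: List[TcpPkt], sender: str,
                          max_step: int) -> List[Tuple[int, int, int, int]]:
    """TSval changes between consecutive packets from `sender` larger than
    `max_step` ticks. The difference is taken modulo 2^32, so a backward jump
    shows up as a huge forward step. Returns (prev_index, index, prev_tsval, tsval)."""
    found, prev = [], None
    for i, p in enumerate(pkts):
        if p.src != sender or p.tsval is None:
            continue
        if prev is not None:
            step = (p.tsval - prev[1]) % TSVAL_MOD
            if step > max_step:
                found.append((prev[0], i, prev[1], p.tsval))
        prev = (i, p.tsval)
    return found


# Constructed client<->ACE exchange: the ACE keeps advertising a small window
# and the client pauses about 5 s before each further send attempt.
CLIENT_ACE_FLOW = [
    TcpPkt(0.00, "client", 65535, 1000),
    TcpPkt(0.01, "ace", 512, 5000),
    TcpPkt(0.02, "client", 65535, 1010),
    TcpPkt(0.03, "ace", 256, 5010),
    TcpPkt(5.03, "client", 65535, 6010),
    TcpPkt(5.04, "ace", 128, 10010),
    TcpPkt(10.04, "client", 65535, 11010),
    TcpPkt(10.05, "ace", 128, 15010),
]

# Constructed ACE->server direction: the TSval jumps once the connection is unproxied.
ACE_SERVER_FLOW = [
    TcpPkt(0.00, "ace", 65535, 100),
    TcpPkt(0.10, "ace", 65535, 110),
    TcpPkt(0.20, "ace", 65535, 120),
    TcpPkt(0.30, "ace", 65535, 4000120),
    TcpPkt(0.40, "ace", 65535, 4000130),
]

if __name__ == "__main__":
    print("small-window runs:", low_window_runs(CLIENT_ACE_FLOW, "ace", 1024, 3))
    print("client stalls:", sender_gaps(CLIENT_ACE_FLOW, "client", 4.0))
    print("TSval jumps:", tsval_discontinuities(ACE_SERVER_FLOW, "ace", 1000))
```

The window threshold, the minimum run length and the TSval step limit are tuning knobs; the values used above are chosen to match the constructed data, and on a real capture the TSval limit should be set from the peer's tick rate and the observed packet spacing.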
CSCuf16964—If you add up the current "regexp" usage for all contexts in an ACE, the total can exceed the maximum. Workaround: None.
CSCuf90272—SNMPD on both Active and Standby crashed and core dumped. Workaround: None.
CSCuf93815—Fail-over between active and standby ACE registered. Workaround: None.
CSCty11329—ACE appliance primary and standby units rebooted and created core files in the cfgmgr process while configuring a class map. Workaround: A4(x) does not have this issue.
CSCub87352—In A5(2.0), the ACE reloads/crashes with a cfgmgr crash continuously. Workaround: Downgrade to A5(1.2).
CSCug27144—ACE30 crash with last boot reason: Service "cfgmgr", and a cfgmgr_log core dump produced.
CSCub18452—SNMPD on both Active and Standby crashed and core dumped. Workaround: None.
CSCug51467—ACE intermittently rejects valid SSL certificates as revoked during the hours of difference between the timezone in the CRL "Next update" field and the timezone on the ACE itself. Workaround: A parameter map with the "cdp-errors ignore" command can be configured.
CSCug93530—ACE FT behavior with equal priorities: the one with the highest IP address is always elected as ACTIVE.
CSCuh47599—ACE inserts "internal error" as Session-Verify-Result when using an action-lists with "ssl header-insert session Verify-Result" and OCSP to validate the certificate. Workaround: None.
CSCui06230—The 'time-to-expire' value of the sticky http-cookie database on the standby ACE may not be decreased. This symptom may be observed when the ACE only receives 'Set-Cookie' from the server. It does not occur, and recovers, when the ACE receives an HTTP request with the cookie from the client. It only occurs on the standby ACE. Workaround: Send an HTTP request with the cookie from the client.
CSCui27005—During config changes to HTTPS probes on the ACE, the following error occurs: %ACE-3-440003: Deletion failed for Probe Sfarm Table, and no further probe config changes can be made. Workaround: Reload the device.
CSCui40439—ACE show rserver xml output has changed in A5(2.2).
CSCue56293—ACE is vulnerable to CVE-2013-0169, the "Lucky Thirteen" TLS/DTLS attack. Workaround: None.
CSCui59155—ACE30 running A5(2.2) crashed with last boot reason ifmgr with signal 6. Workaround: None.
CSCuh30270—Cisco Application Control Module (ACE) may accept a non-CA certificate under certain configurations. Configuring a line using a CA certificate and afterwards changing the 'respsigncert' for the same OCSP server will cause the ACE to accept the non-CA certificate. Workaround: None.
CSCuj31362—Output of debug hm-scripted all does not show the received bind response code sent by the LDAP server if an LDAP scripted probe is configured.
1. Take a packet capture to verify the response code sent by the server.
2. Upgrade to A5(3.0) or higher to see the complete message in the debug output.
CSCui38998—FT sync does not happen, and there is loss of network reachability in some contexts. Conditions: If we go past the string limit of the port-channel interface vlan configuration. Workaround 1: Remove the "extra" correct vlans and then try sync. Once sync successfully completes, re-add the vlans. However, if the device reloads, remove the 'extra, truncated' vlan, give sync, and then add the "extra correct" vlans. Workaround 2: Consolidate the vlans, e.g. switchport trunk allowed vlan 1-4095. Workaround 2 is the preferred option.
CSCuj22959—ACE 4710 running version A5(2.1) rebooted unexpectedly. Conditions: last boot reason: Service "cfgmgr".
CSCuj24550—SSH to ACE (A5.x) fails from an IOS switch/router. Conditions: User trying to connect to the ACE module using SSH from an IOS switch/router. Workaround: Use PuTTY/SecureCRT as the SSH client.
CSCuf25829—ACE 4710 config is lost. Workaround: Recover the config from a checkpoint or external archive.
CSCua85445—When multiple snmpwalk requests are made along with LB traffic for extended hours, the ACE seems to crash with the reason NP 4 Failed: NP ME Hung.
CSCug24208—cfgmgr crash with certain configs in A5(2.0).
CSCuh42954—While sending a TLS1.2 IPv6 EE in context request, I am seeing an NP ME Hung crash.
CSCug78717—Seeing "ME Dumper Process Crashed" in A530 #42 with SSLv3 configs while running the Codenomicon script. Please find the core, pcap and config in enclosures.
CSCtz96319—ACE crashes while doing checkpoint rollback on a config having user 'Admin' in non-default domain.
CSCui49546—ACE crashes while doing checkpoint rollback on a config having user 'Admin' in non-default domain. FT goes to COLD state after killing sysinfo with signal 11.
CSCug44749—"conc-conn" traps are not generated per rserver and per VIP.
CSCuf35487—Unable to CERT in SSL Proxy.
CSCuh14830—ACE is sending malformed packet as a part of handshake message instead of certificate request when configured with TLS version 1.2 FE with authgroup.
CSCue29552—Service "Tacacs Daemon" crash on Active Appliance.
CSCuh54020—When the ACE is configured in BE with the highest version as TLS1.2 and the server is running TLS1.1, the ACE is sending the CSS message with TLS1.2.
The following open caveats apply to software version A5(3.0):
CSCul34480—Using the IE 9 browser, a user can create a Virtual Server by using an existing Server Farm and an existing HTTP Header Modify Action List. However, when you try to Create/Edit "Server Farm" and "HTTP Header Modify Action List", IE 9 displays a JavaScript error message "SCRIPT70: Permission Denied". To overcome this error in the IE 9 browser, follow the steps below for the relevant combination of creating or editing the Server Farm, Action List, and Virtual Server:
1. Navigate to Config > Virtual Contexts > Load Balancing > Server Farm > Add and create the Server Farm.
2. Navigate to Config > Virtual Contexts > Expert > HTTP Header Modify Action List > Add and create the HTTP Header Modify Action List.
3. Navigate to Config > Virtual Contexts > Load Balancing > Virtual Servers > Add and Deploy the Virtual Server by associating the already created Server Farm and HTTP Header Modify Action under the Default L7 Load-Balancing Action.

1. Navigate to Config > Virtual Contexts > Load Balancing > Server Farm > Select an existing Server Farm and Edit it.
2. Navigate to Config > Virtual Contexts > Expert > HTTP Header Modify Action List > Select an existing HTTP Header Modify Action and Edit it.
3. Navigate to Config > Virtual Contexts > Load Balancing > Virtual Servers > Add and Deploy the Virtual Server by associating the already edited Server Farm and HTTP Header Modify Action under the Default L7 Load-Balancing Action.

1. Navigate to Config > Virtual Contexts > Load Balancing > Server Farm > Add and create the Server Farm.
2. Navigate to Config > Virtual Contexts > Expert > HTTP Header Modify Action List > Add and create the HTTP Header Modify Action List.
3. Navigate to Config > Virtual Contexts > Load Balancing > Virtual Servers > Edit and Deploy the Virtual Server by associating the already created Server Farm and HTTP Header Modify Action under the Default L7 Load-Balancing Action.

1. Navigate to Config > Virtual Contexts > Load Balancing > Server Farm > Select an existing Server Farm and Edit it.
2. Navigate to Config > Virtual Contexts > Expert > HTTP Header Modify Action List > Select an existing HTTP Header Modify Action and Edit it.
3. Navigate to Config > Virtual Contexts > Load Balancing > Virtual Servers > Edit and Deploy the Virtual Server by associating the already edited Server Farm and HTTP Header Modify Action under the Default L7 Load-Balancing Action.
CSCul76427—ACE: kernel crash "Unable to handle kernel paging request".
CSCul99139—startup-config is not synced during bulk-sync. Conditions: This symptom may be observed when the ACE boots up.
CSCum36871—ACE-30 crash on A5(2.2b) with last boot reason: ME Dumper Process Crashed.
CSCum41871—%ACE-3-251014 message output shows the wrong port number. Conditions: This symptom may be observed when an rserver is configured with a port number in the serverfarm. Workaround: None; it is only a cosmetic issue.
CSCue79554—TCP connections destined for an SSL-Proxy VIP are stuck in the connection table in CLSRST state well beyond the configured TCP idle timeout. Workaround: Switching over to the standby context clears the CLSRST connections that got stuck until that moment, but new ones will continue to pile up on the newly active ACE.
CSCui02937—Bandwidth resource denies occur prior to hitting the maximum when the global pool is in use. Conditions: Modifying resource classes multiple times. Workaround: Reboot to allow the resource pools to re-carve.
CSCui56286—The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections. The CVE-2010-5107 vulnerability is seen on the ACE 4710.
CSCul39399—Some messages are missing in the 'show logging' output even though all messages are sent to the syslog server successfully.
CSCul90247—SSL termination configured on the ACE. The ACE sends a RESET after sending an encrypt alert even after decrypting the packet.
Table 5 lists the command changes in software version A5(3.0).
Note For a summary of new features for software version A5(3.0), including the associated new or modified commands, see the “New Software Features in Version A5(3.1)” section.
| Command | Description |
|---|---|
| send-data, expect regex | The send-data and expect regex CLI commands are configured to accommodate the configuration of hex data. If the hex data configured is "ae5530" (6 bytes), then the converted value will be hex ae,55,30 (3 bytes). See the "Support of Hex data in TCP / UDP Probe Send-data and Expect Regex" section for more details. |
| modify http | The modify http command is used to rewrite configured regex patterns in the HTTP response data. See the "Enhancements in HTTP Content Rewrite" section for more details. |
| show resource monitor-params | The show resource monitor-params CLI command is used for displaying the 1 min and 5 min averages of the utilization parameters. See the "Updates to Resource Parameter Monitoring" section for more details. |
| fragment timeout | The fragment timeout CLI command is used to configure the fragment timeout in seconds. See the "Ability to Configure Fragment Timeout in Milliseconds" section for more information. |
| show tech | The show tech CLI command is used to configure the automatic capture of Exec command mode output. See the "Automatic Capture of Exec Command Mode Output" section for more details. |
| show np x lb-stats | The show np x lb-stats command is used to capture the complete output of the LbInspect tool. See the "Ability to Capture the Complete Output of the LbInspect Tool" section for more details. |
Per bug CSCtt13316, the following MIB objects have been added to the CISCO-SSL-PROXY-MIB:
"This object indicates the total number of full TLS 1.1 handshakes completed."
"This object indicates the total number of resumed TLS 1.1
"This object indicates the total number of TLS 1.1 connections failed in handshake phase."
"This object indicates the total number of TLS 1.1 connections failed in data phase."
"This object indicates the total number of full TLS 1.2 handshakes completed."
"This object indicates the total number of resumed TLS 1.2 handshakes completed."
"This object indicates the total number of TLS 1.2 connections failed in handshake phase."
"This object indicates the total number of TLS 1.2 connections failed in data phase."
Note Customers should only open a TAC case if they notice any functional impact.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.
To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.