Table Of Contents
Release Notes for Cisco Service Control Operating System (MR), Release 3.6.6
Value Added Services Traffic Forwarding
Content Filtering Improvements
SCE8000 with Dual SCE8000-SCM Modules
Resolved Issues—SCE 2000 and SCE 1000 Only
Downgrading from Release 3.6.0 to Release 3.5.5 on the SCE8000 Platform
Port Scans on the Management Port
Open Caveats—Cisco SCE 1000 and Cisco SCE 2000
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco Service Control Operating System (MR), Release 3.6.6
Revised: October 12, 2012, OL-24280-03![]()
Note
This document supports all 3.6.x releases.
Overview
These release notes for the Cisco Service Control Operating System describe the functional enhancements and fixes provided in Cisco Service Control Operation System (SCOS) Release 3.6.x. These release notes are updated as needed.
For a list of the caveats that apply to Cisco Service Control Operation System (SCOS) Release 3.6.x, see the "Open Caveats" section. Some caveats apply only to the Cisco SCE8000, some apply to the SCE 2000 and SCE 1000, and others apply to all SCE platforms.
Supports: SCOS Release 3.6.0, 3.6.1, 3.6.5, and 3.6.6.
•
Obtaining Documentation and Submitting a Service Request
Introduction
Cisco Service Control Operating System (SCOS) Release 3.6.6 for the SCE platforms includes fixes of issues that were identified during internal testing and customer interaction.
This document outlines the functional enhancements and resolved issues delivered in SCOS Release 3.6.6 and previous releases. It assumes that the reader has substantial knowledge of the Cisco Service Control solution. For additional information, refer to the Cisco Service Control Engine documentation.
To access the new Cisco Service Control online documentation site, do the following:
1.
At Cisco.com, go to: http://www.cisco.com/cisco/psn/web/psa/default.html?mode=prod
2.
From the Products list, select Service Exchange.
3.
From the list that appears, select Cisco Service Control.
4.
From the list that appears, select a Cisco Service Control product.
SCOS Release 3.6.6
•
Resolved Issues—All Platforms
Compatibility Information
For information regarding the SCE platforms that are compatible with SCOS Release 3.6.6, see the Cisco Service Control Application for Broadband Download Guide.
Resolved Issues—SCE8000 Only
CSCtk15868
The non-default value configured for priority field during diameter realm configuration is not stored in the running configuration; therefore, not being saved to the start-up configuration. After a reload, SCOS fails in reapplying the configuration.
This issue is fixed in SCOS Release 3.6.6.
CSCtk64245
When the configured diameter peers are unreachable, or if the peer does not respond, the socket is not closed leading to FD leak. When the FD count reaches 1024, the SCOS watchdog reloads the box.
This issue is fixed in SCOS Release 3.6.6.
CSCtl22315
There is a decrease in performance when VAS traffic forwarding is enabled on the SCE 8000 platform. Performance is normal when VAS traffic forwarding is disabled.
This issue is fixed in SCOS Release 3.6.6.
Resolved Issues—All Platforms
CSCtf38759
The RDRs sent at the TCP level are lost during SM failure.
This issue is fixed in SCOS Release 3.6.6. The RDR history buffer per category feature ensures that the lost RDRs at the TCP stack level are resent, when a connection is established with the new active SM.
CSCth82129
First divided HTTP GET packet is not mirrored in VAS MIRROR env.
In the VAS MIRROR environment, the Long HTTP/GET is divided into two packets on the client PC. When the packets are sent to the server individually, the first part of the divided packet is not mirrored.
This issue is fixed in SCOS Release 3.6.6.
CSCtj76926
HA function is required for VAS mirroring.
The HA function for traffic mirroring is now supported in SCOS Release 3.6.6, using the same link that the original packet arrives for traffic mirroring.
This issue is fixed in SCOS Release 3.6.6.
CSCtj86544
There is an unusual number of subscribers in the Package_Active_Subs_per_Service report. The count of subscribers is shown incorrectly when the packages are switched after a pull response.
This issue is fixed in SCOS Release 3.6.6.
SCOS Release 3.6.5
Compatibility Information
For information regarding the SCE platforms that are compatible with SCOS Release 3.6.5, see the Cisco Service Control Application for Broadband Download Guide.
Functional Enhancements
The following section describes the major SCE-platform-related functional enhancements found in Release 3.6.5. For information regarding other functional enhancements in Release 3.6.5, see the Release Notes for Cisco Service Control Application for Broadband 3.6.x
Value Added Services Traffic Forwarding
The value added services traffic forwarding (VAS) feature uses the SCE platform to access an external "expert system" for classification and control of services not supported by SCA BB. Using the VAS feature, you can forward selected flows to an external, third-party system for per-subscriber processing in addition to the existing services and functions of the SCA BB solution. The VAS feature enables you to divert a specified part of the traffic stream to an individual VAS server or a cluster of servers, based on the subscriber package, flow type, and the availability of the VAS servers.
In SCE 8000 Release 3.6.5, VAS cannot coexist with the following modes and features:
•
The following line card connection modes—receive-only, receive-only-cascade, inline-cascade
•
Any link mode other than forwarding
•
Any link encapsulation, including VLAN, MPLS, and L2TP
•
Enhanced open flow mode
•
SCE redundancy in the cascade ports
![]()
Note
The "MGSCP" option is not supported for VAS health check on the SCE8000.
![]()
Note
Delay-sensitive flows cannot be classified for VAS processing.
Syslog Support
SCOS Release 3.6.5 introduces support for Syslog logging. When enabled, all user-log messages are sent to the configured Syslog servers as well as to the SCE user logs. Syslog support under SCOS is consistent with Syslog support under Cisco IOS, with some minor exceptions. For example, the SCE platform supports Syslog over UDP only.
Redundant MNG Port
The SCE8000 platform is equipped with two RJ-45 management ports (Port1 and Port2 on the SCE8000-SCM-E module in slot 1). In previous releases, Port2 was not supported. As of SCOS Release 3.6.5, both management ports are supported, providing management interface redundancy. Thus, ensuring management access to the SCE platform even if there is a failure in one of the management links.
4K VLAN Support
The SCE8000 platform now supports a maximum of 4K VLAN tags.
Content Filtering Improvements
URL filtering feature on SCE8000 supports up to 500,000 URL entries. As with previous releases, each URL entry may include wildcards.
This extended ability affects platform capacity only if the number of URL entries exceeds the previous maximum of 100,000 entries.
Zone-Based Reporting
The SCE now supports the Zone Usage RDR, which has the same structure as the Link Usage RDR, but the Link-ID is replaced by Zone-ID.
Resolved Issues
Resolved Issues—SCE8000 Only
CSCsc57512
The SW classifier, which handles fragmented exception packets, does not receive information about the tunnel ID. Therefore, it sometimes makes mistakes when there are fragmented packets over networks with private IPs, such as MPLS/VPN.
This issue is fixed in SCOS Release 3.6.5.
CSCtb75131
In the redirection parameters reported when a customer is redirected due to exceeding their quota, the SCE does not include the port number of the original URL.
This issue is fixed in SCOS Release 3.6.5, and the port number of the original URL is included in the redirection parameters.
CSCtd18459
The type for cscaDestinationAddress from CISCO-SERVICE-CONTROL-ATTACK-MIB.my is InetAddress. The type should be OCTET STRING.
This issue is fixed in SCOS Release 3.6.5.
CSCtd97515
There is a deadlock in the diameter stack code.
This issue is fixed in SCOS Release 3.6.5, when the new version of the diameter stack (2.8.4.12) was introduced.
CSCte63982
"linkServiceUsageUPVolume" cannot be displayed. This problem applies to both the CLI (show snmp MIB cisco-service-control-scas-bb) and the external SNMP manager (snmpwalk).
This issue is fixed in SCOS Release 3.6.5.
CSCtf38728
Trigger an interim Subscriber Usage RDR when the subscriber package changes.
The SCE8000 is configured to send an SUR for each subscriber traffic counter at five- minute intervals. To track network usage based on the configured package, the SCE must send an interim SUR upon receipt of a subscriber package update event from the API. Any remainder of the five- minute usage period is tracked using the new package ID added during the update.
A tunable parameter is added to generate SURs upon receipt of a subscriber package update event from the API.
This issue is fixed in SCOS Release 3.6.5.
CSCtf52984
Increase maximum number of zone entries in the SCE8000 to 20K.
This issue is fixed in SCOS Release 3.6.5.
CSCtf83899
ifPhysAddress is not populated on the SCE8000 platform.
This issue is fixed in SCOS Release 3.6.5.
CSCtf90142
On the SCE8000 platform, the sys command client process crashes occasionally. This leads to the loss of some functionality on the SCE platform, such as the ability to accept RPC connections.
This issue is fixed in SCOS Release 3.6.5.
CSCtg30100
To support snmpget and snmpwalk of MIBs equivalent to the pcube MIB in SCE 8000, four MIB tables were partially implemented. The following are the columns in those tables:
1.
entSensorValueTable (Sensor-MIB)— entSensorValue
2.
cefcFanTrayStatusTable (FRU-control-MIB)—cefcFanTrayOperStatus
3.
cefcFRUPowerStatusTable (FRU-control-MIB):
a.
cefcFRUPowerAdminStatus
b.
cefcFRUPowerOperStatus
4.
cefcModuleTable (FRU-control-MIB)—cefcModuleOperStatus
This issue is fixed in SCOS Release 3.6.5.
CSCtg44808
In the boot output of SCE8000 3.6.0, the following false warning may appear:
TvrSmm: actual version 0xf2c1702 does not match legal version ranges: accept-ranges = { [0x10005,0x10007] [0x20000,0xffffff] [0xf2c1701,0xf2c1701] }, deny-ranges = { }This warning is incorrect, since version 0xf2c1702 is a legal version.
This issue is fixed in SCOS Release 3.6.5.
CSCtg62878
In some situations, the SCE8000 does not send SNMP traps. This is due to a socket leak in the netsnmp code.
Disabling and then enabling the SNMP server restores the failure status.
This issue is fixed in SCOS Release 3.6.5.
CSCtg67245
When SNMP walk is performed on linkServiceUsageTable and PacketServiceUsageTable, the query takes too long to fetch the information from all the traffic processors. The SNMP agent sanity check fails if the system is in the middle of such a query.
This issue is fixed in SCOS Release 3.6.5 by improving the performance of the linkServiceUsageTable and PacketServiceUsageTable.
CSCth05201
Performance of the SCE8000 in SNMP query response for pcube MIB needs to be improved.
This issue is fixed in SCOS Release 3.6.5. The performance of snmpwalk and snmpget of the Pcube MIB in SCE 8000 were improved by approximately 70 percent and 90 percent respectively.
CSCth08597
The SCE platform discards some CDP packets with bad checksum error even when the packets are valid. This is caused by incorrect handling of unsigned characters when there is an odd number of bytes in the CDP packet.
This issue is fixed in SCOS Release 3.6.5.
CSCth72834
Add breach state indication to Network Usage RDRs and Subscriber Usage RDRs.
This issue is fixed in SCOS Release 3.6.5.
CSCth77974
The CPA client sends a URL query to the CPA server for each new flow, and each query is sent on a new UDP socket. The CPA client occasionally attempts to read from port 1026, which is in use by the traffic control client and fails, with the result that the buffer associated with the socket is never cleared.
This issue is fixed in SCOS Release 3.6.5 by disabling the traffic control client.
CSCth84608
The SCE crashes the Diameter stack when a CCA is returned on Gx from PCRF which has an empty username.
This issue is fixed in SCOS Release 3.6.5. The check for NULL username was added to the code.
CSCti05441
Gy subscriber attribute mapping configuration is lost after reload.
This issue is fixed in SCOS Release 3.6.5.
CSCti15487
When the SCE applies a policy with a change in the Concurrent Flows limit, it may result in a relatively high rate of error messages being written to the debug log, which in turn triggers a sanity check. The policy change that causes this is one that removes a concurrent session limiting rule that was previously set to limit for some value.
This issue is fixed in SCOS Release 3.6.5.
CSCti89819
The LUT used in SCOS to generate video TURs for various video streams needs to be updated to include all new video protocols.
This issue is fixed in SCOS Release 3.6.5. The video TUR LUT was updated to include all video protocols
CSCtj19967
RDR rate limiting is not working properly.
This issue is fixed in SCOS Release 3.6.5.
CSCtj20603
Add a new check box in the RDR Settings dialog box in the Transaction Usage RDRs tab under the "Protocol specific TUR" check box that provides the option to generate only clickstream HTTP TUR for the selected services.
This issue is fixed in SCOS Release 3.6.5.
CSCtj28075
Report CC-Input-Octets and CC-Output-Octets along with CC-Total-Octets as part of the Used-Service-Unit AVP sent to the Gy server in a Credit Control Request Update or Credit Control Request Termination message.
This issue is fixed in SCOS Release 3.6.5.
SCOS Release 3.6.1
Compatibility Information
For information regarding the SCE platforms that are compatible with SCOS Release 3.6.1, see the Cisco Service Control Application for Broadband Download Guide.
Functional Enhancements
The following section describes the major SCE-platform-related functional enhancement found in Release 3.6.1.
Support for CG-Address AVP
CG-Address AVP (described below) is now supported.
AVP Name AVPCode ValueType CommentsCG-Address AVP
846
Address
Holds the IP-address of the charging gateway
Support for Legacy Quota RDRs
Release 3.6.1 supports the legacy Quota State Restore RDR.
For a description of the Quota State Restore RDR, see Quota State Restore RDR.
![]()
Note
Enabling legacy Quota State Restore RDR disables all new quota RDRs. There is no option to work with QM using legacy QSR.
Sending legacy quota RDRs is disabled by default. To enable sending legacy quota RDRs, set the relevant const db variables as follows:
•
EngageConstDb.DataPlane.Quota.generateNewQuotaRDRs (controls generation of new quota RDRs): false
•
EngageConstDb.DataPlane.Quota.generateLegacyQSR (controls generation of legacy QSR): true
Resolved Issues
CSCtg10738
The Gy Event-Timestamp AVP contains local time, but indicates it as being UTC.
This issue is fixed in SCOS Release 3.6.1.
CSCtg35542
In rare instances, a subscriber package switch event was not detected. When this happens, subscriber "quota model" is not updated, causing many error messages to be written to the SCE debug log. This can trigger SCE reload due to the high rate of error messages.
This issue is fixed in SCOS Release 3.6.1.
CSCtg57031
In some cases, SCE8000 with enabled Diameter stack reports a constant control card CPU utilization of around 80%, even though there is no actual control card activity that requires such high CPU resources.
The problem is a result of a defect in the Diameter process.
This issue is fixed in SCOS Release 3.6.1.
CSCtg95851
On the SCE8000 10GBE platform in inline-cascade connection mode, the defined traffic behavior is that Link 1 interfaces swap roles, so that 3/2/0 becomes the Network side interface and 3/3/0 becomes the Subscribers side interface.
The GCs should be swapped accordingly, so that the proper GC is controlling each interface. However, this switch does not occur, so that on the cascade link, the upstream GC limit is enforced on downstream traffic and downstream GC limit is enforced on upstream traffic.
This issue is fixed in SCOS Release 3.6.1.
CSCtg95862
In aggregated global controller (AGC) mode, the GC limits configured per link are set correctly to the GCs but are not written to either the running-config or to the startup-config. Therefore, upon SCE reload, the per-link GCs are configured with the values as configured on the AGC (which might also be "unlimited") .
The problem occurs only when the Global Controller mode: "Enforce BW limitation on the sum of all links" is enabled.
This issue is fixed in SCOS Release 3.6.1.
CSCth14302
Multi-stage blocking does not work post-breach. Blocking on temp signature is only applied when the pre-breach rule is set to Block. However, if the post-breach rule is set to Block and the subscriber is indeed in quota breach state, blocking is not performed on temp signature.
The feature of blocking on temp signature is only applicable when Multi-Stage classification blocking is enabled in the Advanced Policy Settings window.
This issue is fixed in SCOS Release 3.6.1.
CSCth25757
In release 3.6.0, generating a technical support file fails if there are subscribers with more than a single IP address (either multiple IP addresses or a range of IP addresses). The following undesired effects occur when an attempt is made to generate a support file:
•
Full SCE disk (0 Bytes free disk space)
•
No logging (due to insufficient disk space)
•
Failure in performing operations that require disk space, such as:
–
Saving the running-config to startup-config
–
Applying a policy ("insufficient disk space on target device")
This issue is fixed in SCOS Release 3.6.1.
CSCth42692
The Quota Engine error message "No context in MCM" causes system reboot due to high error rate.
This issue is fixed in SCOS Release 3.6.1. The severity of this message has been changed from `Error' to `Warning.
CSCth42825
The charging ID mapping table does not support assigning the same `service id + rating group' combination to more than one package.
This issue is fixed in SCOS Release 3.6.1 and the same `service id + rating group' combination can be assigned to multiple packages within the same bucket.
CSCth95062
On SCE 1000 and SCE 2000 platforms running SCOS Release 3.6.0, enabling and using the SSH server may cause random system reboot.
This issue is fixed in SCOS Release 3.6.1.
SCOS Release 3.6.0
•
Downgrading from Release 3.6.0 to Release 3.5.5 on the SCE8000 Platform
Compatibility Information
For information regarding the SCE platforms that are compatible with SCOS Release 3.6.0, see the Cisco Service Control Application for Broadband Download Guide.
Functional Enhancements
The following section describes the major SCE-platform-related functional enhancement found in Release 3.6.0. For information regarding other functional enhancements in Release 3.6.0, see the Release Notes for Cisco Service Control Application for Broadband 3.6.x
SCE8000 with Dual SCE8000-SCM Modules
The SCE8000 now supports two SCE8000-SCM processor modules. The SCE8000-SCM modules are installed in slots 1 and 2 of the SCE8000 chassis.
The SCE8000-SCM in slot 1 performs both processing and management functions. The SCE8000-SCM in slot 2 serves only DPI and traffic processing purposes, doubling the performance and capacity of the SCE8000. Although the two modules are identical (with the same ports and LEDs), this second SCM module does not run chassis management or control software.
Support File Enhancement
The support file structure was enhanced in Release 3.6.0 to support two SCE8000-SCM modules:
•
A new file called gen_err.log was added. It contains a list of errors encountered during support file extraction.
•
On an SCE8000 with two SCE800-SCM modules, there will be stats files (*.csv) from 24 processors.
•
There are two new zip files (one per each SCE8000-SCM module) called env-master1.tar and env-master2.tar. These files contain many Linux files in hierarchical tree structure. Before v3.6.0, these files were located in the root directory of the support file and named with `_'
(e.g.: _var_log_auth. Log).Subscriber Capacities
In Release 3.6.0, various subscriber capacities have been increased, as follows:
•
Maximum number of static subscribers is 250,000
•
Maximum number of anonymous groups is 5000.
•
Maximum rate of creating anonymous subscribers is 360 per second.
Optical Bypass LED States
The behavior of the Optical Bypass LED on the SCE8000-SCM module has changed. The states of this LED are now as follows:
•
Green—Optical bypass modules are present, but not operating. (Traffic is not bypassed.)
•
Amber—Optical bypass modules are present and operating. (Traffic is bypassed.)
•
Unlit—Optical bypass modules are not present or there is no power.
On a slave SCE8000-SMC-E module (in slot 2), this LED is always off.
Resolved Issues
•
Resolved Issues—SCE 2000 and SCE 1000 Only
•
Resolved Issues—All Platforms
Resolved Issues—SCE8000 Only
CSCsx96249
SCOS crashes at HW initialization if a SIP module is not installed.
This issue is fixed in SCOS Release 3.6.0
CSCta89640
SCOS SNMP Agentx crashes in some circumstances, with the result that the SCE platform stops responding to SNMP queries.
This issue is fixed in SCOS Release 3.6.0.
CSCtb59891
snmpd may consume the total system memory, leaving no resources for other processes including scos and scos-sys-cmd-server.
This issue is fixed in SCOS Release 3.6.0.
CSCtc34922
Cabling information for the optical bypass module is wrong in the Cisco SCE8000 Installation and Configuration Guide.
This issue is fixed in SCOS Release 3.6.0 documentation.
CSCtc71781
SCE8000 appends illegal "" characters when it performs Layer 7 redirection. (This is illegal according to RFC1738 section 2.2).
This issue is fixed in SCOS Release 3.6.0
CSCtd59439
cscRdrConnectionStatusUpTrap/cscRdrActiveConnectionTrap are not generated.
The cscRdrConnectionStatusDownTrap is sent if the SCE platform fails, but the cscRdrConnectionStatusUpTrap/cscRdrActiveConnectionTrap are not sent when the RDR connection is re-established after SCE reload..
This issue is fixed in SCOS Release 3.6.0.
CSCte62188
In two cascaded SCE8000 GBE platforms with only one side populated (one GBE SPA module and one 10 GBE SPA module for the cascade connection), when the SCE8000 is reloaded, traffic is stopped after the reload until the boot is complete. This can result in traffic being cut off for a period of five minutes or even longer.
This issue is fixed in SCOS Release 3.6.0.
CSCte62201
In two cascaded SCE8000 GBE platforms with only one side populated (one GBE SPA module and one 10 GBE SPA module for the cascade connection), the previously active SCE platform comes back up as Active again after reload, rather than remaining in standby status.
This issue is fixed in SCOS Release 3.6.0.
Resolved Issues—SCE 2000 and SCE 1000 Only
CSCta68018
After upgrading to PP#17, the content filtering feature seems not to work properly. It classifies traffic to a wrong flavor ID despite the fact that the CPA client retrieves the correct category IDs from server.
This issue is fixed in SCOS Release 3.6.0.
CSCtc39738
ifHCOutOctets/ifHCInOctets MIBs for the management ports do not work.
This issue is fixed in SCOS Release 3.6.0.
Resolved Issues—All Platforms
CSCsx18461
When link 0 is not connected, the "active subscribers per service" information is not generated. This can lead to incorrect reports.
This issue is fixed in SCOS Release3.6.0.
CSCta07546
Reloading and overwriting the URL Blacklist database fails at about 70,000-80,000 entries.
This issue is fixed in SCOS Release3.6.0.
CSCta54208
Applying a policy in which the amount of HTTP URLs in the policy flavors tables is high (in the range of 100K URLs) affects subscriber login. It may also disconnect the SCE platform from the SM.
This issue is fixed in SCOS Release 3.6.0.
CSCtb66730
SMTP session is accounted twice with multi-stage classification.
This issue is fixed in SCOS Release3.6.0.
CSCtb80804
Sometimes, the user log seems to have duplicate messages. A specific message appears correctly and a duplicate of the message appears again later in the user log with the original message timestamp but not in the correct chronological position.
This issue is fixed in SCOS Release 3.6.0.
CSCtc24403
Reporter "Total Active Subscribers" graph displays an increase in the number of active subscribers as a function of time, although the actual number of subscribers has not changed.
This issue is fixed in SCOS Release3.6.0.
CSCtc51585
Subscriber database synchronization between cascaded SCE platforms does not take place when a new SCA BB application is loaded. Therefore, when a new PQI or Protocol Pack is installed (that does not support hitless upgrade), the subscriber DB is not replicated in the standby SCE platform.
This issue is fixed in SCOS Release3.6.0.
CSCtc69572
When a SIP call of longer than 40 seconds is done through an SCE platform, the Media Flow RDR duration field shows a duration 40 seconds shorter that the actual duration.
This issue is fixed in SCOS Release 3.6.0.
CSCtd44869
Configuration of the total link limit either by using CLI or from Policy apply is not propagated to the HW shaper that enforces the limit. Therefore, although the configuration appears in the running-config, it is not being enforced.
This issue is fixed in SCOS Release 3.6.0.
CSCtd46646
Subscriber BW per service fails with "
Divide by zero occurred
" error. Actual Duration field in Subscriber Usage RDR may be 0.This issue is fixed in SCOS Release3.6.0.
CSCtd51646
The coldStart trap cannot be generated.
This issue is fixed in SCOS Release 3.6.0.
CSCtd58161
Initial HTTP flow that starts nearly simultaneously with a subscriber login does not get blocked or redirected when the subscriber has insufficient quota, and his Post Breach rule is Block+Redirect.
This issue is fixed in SCOS Release 3.6.0.
Downgrading from Release 3.6.0 to Release 3.5.5 on the SCE8000 Platform
As part Release 3.6.0, the SMC and NJC CPLDs have been upgraded. Because the CPLDs are not downgraded when SCOS is downgraded, this issue is relevant to this release.
•
SCOS Release 3.5.5 runs with SMC CPLD version 0x816c and NJC (Nala or SIP) version 0x916c
•
SCOS Release 3.6.0 runs with SMC CPLD version 0x8274 and NJC (Nala or SIP) version 0x9274
One result of this in Release 3.6.0, is that the Bypass LED on the front panel still functions as supported in Release 3.6.0 rather than as supported in Release 3.5.5.
•
Release 3.5.5 Bypass LED states:
–
Steady amber—Optic bypass modules are not operating.
–
Unlit—Optic bypass modules are operating.
•
Release 3.6.0 Bypass LED states:
–
Green—Optic bypass modules are present, but not operating.
–
Amber—Optic bypass modules are present and operating.
–
Unlit—Optic bypass modules are not present or there is no power.
Workaround: Contact TAC for help in downgrading the CPLD.
Limitations and Restrictions
The upgrade to SCOS Release 3.6.0 may result in re-initialization of the SCE 1000 or SCE 2000 hardware bypass module. This re-initialization process may cause a failure of the GBE link where the system stalls for less than 1 second.
Table 1 lists cases in which re-initialization may occur (marked Yes).
Port Scans on the Management Port
When you perform a port scan operation on the SCE platform management port, the SCE platform may experience a reboot. The reboot is initiated by the SCE platform due to scheduling optimization for detecting failover conditions in periods of less than 1 second in a configuration of two cascaded SCE platforms. The following is recommended:
•
Use IP access lists to eliminate port scans that take place due to actual attacks.
•
If the system administrator must perform a port scan operation as part of a security check, it is advisable to disable the SCE watchdog only for the period in which the port scan is performed.
To disable the SCE watchdog, use the following root-level CLI commands:
configure watchdog software-reset disabled interface linecard 0 no watchdog•
To re-enable the SCE watchdog, use the following root-level CLI commands:
configure watchdog software-reset enabled interface linecard 0 watchdogOpen Caveats
•
Open Caveats—Cisco SCE 1000 and Cisco SCE 2000
Open Caveats—Cisco SCE8000
CSCsm12163
SNMP protocol version v1 does not present 64-bit fields properly.
Workaround: Use SNMP v2.
CSCsq95048
The IP table contains entries for internal IP addresses and interfaces. This results in an inconsistency in the If index representation of the following components of the IP table:
•
ipAddrTable
•
ipRouteTable
•
ipNetToMediaTable
Workaround: Ignore all entries in the IP tables, except for the management interface. Refer to the following example:
The If MIB represents five interfaces as follows:
1. if index 1—mng port
2. if index 2—Traffic port 0
3. If index 3—Traffic port 1
4. If index 4—Traffic port 2
5. If index 5—Traffic port 3
The Ip tables and the at tables represent six interfaces as follows:
1. if index 1—eth0 - currently simba to simba
2: if index 2—eth1 - mng port
3. if index 3—eth2 - cofico 1 that is not connected
4. if index 4—lo
5. ifDescr.5—dummy0 - configure to skynet
6. ifDescr.6—skynet0
The only relevant ifIndex in these tables is the management interface, with IfIndex 1 in the IF table being equal to IfIndex 2 in the IP tables.
CSCsq96310
The default gateway cannot be configured before there is an IP address already configured. Trying to set the default gateway when IP address is set results in an error.
Workaround: Before adding the default gateway, configure the IP address.
CSCsr83407
The input and output interface byte counters are not consistent with each other. The input counters include the four bytes of the CRC, while the output counters do not include those four bytes.
Workaround: None
CSCsy09562
When connecting to the SCE8000 using SSH, the connection may fail with the following error message printed to screen:
Error: invalid option '<some-ip>'.scos-cli-proxy version 3.5.1 Build 65Usage: scos-cli-proxy [-d] [-df <file-name>] [-dc] -h <remote-addr> -c <CLI-port> -s <shell-name> [-u <user-name>]-d : Enable debug mode-df : Enable debug mode, output debug data to file-dc : together with -d or -df, outputs every character being moved.-h : address of remote host for this session-c : port to connect to for CLI session-s : name of shell to execute for shell session-u : username of remote user--version : print the version and exitWorkaround: Type one or more arbitrary characters for the username (although the username is not defined on the SCE8000).
CSCsz38909
Output GMAC counters do not show multicast and broadcast packets. This is a defect of the Marvel MAC.
Workaround: None
CSCsz60632
Drop flow action sometimes does not work.
Workaround: None
CSCtb62067
There is an implicit logout when a subscriber is logged in with multiple IP ranges.
For example: Log in a subscriber with the following mappings: "1.1.1.1/16", "2.2.2.2/16", "3.3.3.3/8". Then log in the same subscriber with the following mappings "3.1.1.2/16", "4.4.5.6/8", "7.7.8.9/24" and additive mapping=false. The subscriber will have two mappings instead of three mappings.
Workaround: None
CSCtc28950
DDos global attacks (such as TCP-syn and UDP-fragment) do not result in sending a relevant SNMP trap. Note however that specific IP DDos attacks do result in sending a relevant SNMP trap.
Workaround: None
CSCtd98432
The diameter origin realm cannot be changed on the SCE platform. Even when the diameter origin-realm CLI command is executed, diameter messages were still sent with the default SCE realm (sce.cisco.com).
Workaround: None
CSCte34741
The show bucket-state CLI command shows the wrong bucket status for breached buckets.
When you run the following CLI command on a subscriber that has several buckets in different states (some of them are in breach status), the output shows that all the buckets are "not breached".
show interface LineCard 0 subscriber name <sub_name> bucket-state
When you run the following CLI command on a specific bucket in breach state, the bucket status is "breached". And the next time you run the general show bucket-state CLI command (shown above), it will show as "breached", also
show interface LineCard 0 subscriber name <sub_name> bucket-state id <bucket_id>
Workaround: None
CSCte75842
SCE8000 not configured for ToS marking sometimes changes the ToS value. This problem is observed mainly on TCP SYN packets. The problem is reduced when "quick forwarding" is enabled.
Workaround: Enable "quick forwarding". Although this may not solve the problem completely, it greatly reduces it.
CSCte92800
In high availability forwarding mode, when a peer is removed, it should be replaced in the list automatically, but it is not. As a result, when the primary Gy peer is removed, CCRs are not sent.
Workaround: None
CSCtf24792
In a chassis with two SCE8000-SCM modules installed, the management ports of the second SCM are active. If you plug a network cable into the management port of the SCE8000-SCM in slot 2, the Link LED turns on. This is confusing since this port has no IP address configured and should not be used.
Workaround: Use the management ports on the SCE8000-SCM in slot 1 only.
CSCtf43847
"No Such Object available on this agent at this OID" message is returned by snmpget command, even if a correct OID is requested. It occurs when taking the support file or applying the policy.
It occurs more often if multiple OIDs are requested in one snmpget command.
Workaround: Request only one OID per snmpget command.
CSCtf74153
A Diameter TPS rate higher than 400 might cause memory exhaustion and reload of the SCE platform.
Workaround: TPS rate must be under 400.
CSCtf75310
When using the SCE API in push mode, no Gy sessions are created upon login.
Workaround: Use SM API or Gx
CSCtf75313
When using the SM API in push mode, no Gy sessions are created.
If the SM logs in a subscriber with no policy, Gx will then set a policy. And, although Gy is enabled , no Gy session will be opened.
Workaround: Log in subscriber via SM with policy with Gy profile.
CSCtg06262
Release 3.6.0 Mobile—Logins are stopped due to lock problems when working with the SM.
Workaround: None
CSCth28020
When the autofailover state is changed from "on" to "off", the inactive port does not retain the originally configured speed and duplex values.
Workaround: Configure the speed for the inactive port after autofailover is set to "off".
CSCth49754
3.6.0 Mobile—Sometimes the prompt does not return after series of show diameter CLI commands.
Workaround: None
CSCth55499
The actual maximum rate for the ZUR is greater than the configured value. This is because ZURs are sent separately from each PPC, whereas one aggregated ZUR for all PPCs should be sent. As a result, the maximum rate for ZURs is not properly enforced.
Workaround: None
CSCth82235
SCE8000 might reboot without leaving any explanation in the logs. It was found to happen occasionally in Release 3.5.5. However, this does not seem to happen in Release 3.6.x
Workaround: None
CSCth82475
After package change, CCR-U messages continue to be sent every 30 seconds.
Workaround: None
CSCti15865
SCE8000 crashed during Gx/Gy capacity testing while having 250K active sessions with long VSAs. All VSAs used were more than 200 bytes.
Workaround: Use normal VSAs rather than long VSAs.
CSCti18334
Introduction of VAS health-check in SCE8000 causes a minor performance degradation even when VAS is not enabled.
Workaround: None
CSCti78964
show process cpu CLI sometimes shows very large values, indicating unrealistic CPU utilization. This is suspected to be a bug in Linux kernel 2.6.23+
Workaround: None
CSCtj37754
No SNMP trap is sent when the external-bypass command is issued on the SCE8000 GBE when OPB-SCE8K-2L-SM optical bypass modules are installed.
Workaround: None
CSCtj38391
After enabling SSH, you cannot log in after disabling SSHv1 (no ip ssh SSHV1 command). However, if you enable SSH again (ip SSH command), then, even though it is showing "SSHv1 support is disabled.", you can log in through SSHv1.
Workaround: None
CSCtj46134
On the SCE8000, VAS processing is done entirely by the software, and involves a performance hit. Therefore, VAS processing is not supported for delay sensitive, bundled flow handling.
Workaround: None (Known limitation)
CSCtj50046
The "on-failure cutoff" option of the connection-mode command does not block ICMP traffic when the SCE 8000 is rebooted.
Workaround: None
CSCtj52935
VAS - More no of ftp packets are forwarded to vas server than expected
When the rate of FTP traffic is high, along with a high rate of TCP message exchanges, more FTP packets are forwarded to the VAS server than is expected.
Workaround: None
CSCtj56344
In releases 3.6.0 and 3.6.1, an SCE8000 platform configured in "IP-Tunnel L2TP Skip" mode does not process traffic on the first traffic processor.
This problem is a result of bad handling of non-first-fragments packets. Therefore, in networks with little IP fragmentation, it is likely that the problem will not be observed even if "IP-Tunnel L2TP Skip" is configured.
Workaround: The appropriate workaround depends on whether L2TP tunneled traffic must be processed based on the internal IP layer.
•
If L2TP tunneled traffic does not need to be processed based on the internal IP layer:
Workaround: disable L2TP Skip
•
If L2TP tunneled traffic must be processed based on the internal IP layer:
Workaround:
Run the following root level CLI command:
debug slot 0 ppc 0 func SimbaDPT[0].4DP[0].RegWr16 0x28 0x1000This command provides an immediate solution to the problem, but it is not persistent across SCE reboot. To make this debug command run during the SCE8000 boot-up process, the command must be added to the genstart.txt file.
The genstart.txt file is located under /apps/data/scos/system/p3hidden/config/ (or /system/p3hidden/config/ from the SCE CLI). The genstart.txt file should exist on your SCE disk space and should be empty. If the file does not exist, create it under /apps/data/scos/system/p3hidden/config/ .
To edit the file, you must use FTP to copy the file from the SCE platform to an FTP server. Then, edit the file, and use FTP to copy it back to the SCE platform.
The line to append is:
do debug slot 0 ppc 0 func SimbaDPT[0].4DP[0].RegWr16 0x28 0x1000The following sample CLI session shows how to copy the file to an FTP server, copy the file back to the appropriate path in the SCE platform, and then verify that the added line does appear in the file:
enable 15copy /system/p3hidden/config/genstart.txt ftp://username:password@10.10.10.30/./genstart.txt(Edit the file.)copy ftp://username:password@10.10.10.30/./genstart.txt /system/p3hidden/config/genstart.txtmore /system/p3hidden/config/genstart.txt(The added line should be displayed.)CSCtj58409
Nala MIP max node interrupts are generated, even though the subscriber ranges are present in NALA RAM. This interrupt does not affect functionality and is harmless.
Workaround: None
CSCtj70144
SNMP traps are not generated when VAS servers are enabled and disabled.
Workaround: None
CSCtj71847
When the SCE applies a block rule and generates a TCP RST towards the client and the server, the RST directed towards the VAS server is sent to the network side with the VLAN tag added by VAS. The RST therefore does not reach the server.
Workaround: None
CSCtk64233
The "no diameter realm all" does not remove the forwarding mode associated with the realm.
Workaround: None
CSCtk67558
The notification of first QuotaStatus RDR is delayed after subscriber logs in. Subsequent notifications come through correctly.
Workaround: None
CSCtk54906
The show interface LineCard 0 counters bandwidth command displays a wrong output which refers to the L1 bytes, when actually, TotalBW is L1 and RxBW is L2.
Workaround: None
CSCtk08011
Transmit queue overflow warnings appear when VLURs are enabled.
Workaround: None
CSCtj99315
RDRs are observed for a few minutes after SCE is put into bypass mode.
Workaround: None
CSCtk57464
SCE 8000 default management configuration is wrong. For the second management port feature in SCE 8000, the default configuration about "auto-failover" and "active-port" is not documented.
Workaround: Manually configure the autofailover.
CSCtk76058
Unable to activate the management port without reload. For the second management port feature in SCE 8000, after setting the IP address in the management port, you must reload SCE to make the port active.
Workaround: Reload SCE after changing the IP address.
CSCtl05749
Delayed Logout feature cause "Party DB: PartyDB::waitForState" warning. Delayed logout was newly added in 3.6.5. The warning is harmless but it can fill up the logs.
Workaround: None
CSCtl10121
SNMP traps are not sent when only one of the eight fans fail.
Workaround: None
CSCtl42778
To improve PCRF failover time and ignore additional socket FDs.
When unreachable diameter peers are configured, execution of diameter related CLI commands takes few minutes before returning to the command prompt.
Workaround: This can be avoided by not configuring unreachable peers.
CSCtz74897
Total Link Limit feature fails on Cisco SCE 8000 devices when multiple global controllers are configured.
Workaround: Use only one global controller while using the Total Link Limit feature.
Open Caveats—Cisco SCE 1000 and Cisco SCE 2000
CSCpu11798
When a PQI application file is installed or upgraded on the SCE, the SCE may lose a few packets for a few seconds. The overall percentage of this phenomenon is very low.
Workaround: Perform the upgrade in non-peak time.
CSCsc49573
When VAS mode is enabled, the system generally assumes that traffic with a VLAN tag is VAS traffic coming from the VAS servers, and therefore forwards it to the non-VAS link.
However, under the following conditions, a flow is forwarded by the SCE platform on the same link on which it was received and with no VLAN tag:
•
VAS mode is enabled
and
•
The FIF packet has a VLAN tag
and
•
A traffic rule to bypass the flow exists, or the SCE platform is in congestion
In some topologies, this behavior may cause VAS traffic to be incorrectly routed back to the VAS link.
Workaround: None
CSCse05325
When the VAS Health Check initializes, the show interface linecard 0 VAS-traffic-forwarding VAS server-id <ID> command shows the server being UP even if it is actually Down
The operative state of a VAS server while the Health Check is in Init state is considered to be Up as shown in the CLI command show interface linecard 0 VAS-traffic-forwarding VAS server-id <ID>. In addition, during this time, the SCE platform may forward VAS traffic to this server.
Workaround: None
CSCsj32282
A tunnel-id-based traffic rule defining DSCP marking applies the DSCP marking to non-tunneled traffic, also.
Workaround: When you define the traffic rule, always set the URG flag. For existing rules, replace with a new rule that is identical, with the addition of setting the URG flag.
CSCsj85601
When you remove all VPNs from the SM using the --force option, some management operations cannot be performed on the SCE until the operation completes. This occurs only when you remove several VPNs that have active subscriber mappings in the SCE.
Workaround: Instead of removing the VPNs along with their subscriber mappings by using the --force option, remove the subscribers first, and only then remove the VPNs (without the --force option).
CSCti17836
When SSH sessions are rapidly opened and closed and FTP sessions are run simultaneously, the SCE 2000 crashes with a fatal SafeFdManager error. Not observed in Release 3.6.x.
Workaround: Disable SSH.
CSCti18005
When SSH sessions are rapidly opened and closed, traffic rate is 1 GBE and FTP sessions are run simultaneously, the SCE 2000 crashes with a criticalSection error. Occurs only in Release 3.6.1. Not observed in Release 3.6.5.
Workaround: Disable SSH
CSCth95062
On SCE 1000 and SCE 2000 platforms running SCOS Release 3.6.0, enabling and using the SSH server may cause random system reboot.
Workaround: Disable the SSH server using the following configuration mode command: no ip ssh.
Telnet access to the device can be leveraged. For information on telnet access, see the Cisco Service Control SCE 2000 and SCE 1000 Software Configuration Guide.
![]()
Tip
Applying an ACL that does not permit access to SSH does not prevent the problem. You must actually disable the SSH server.
![]()
Note
This issue is fixed in SCOS Release 3.6.1.
CSCtk67558
The notification of first QuotaStatus RDR is delayed after subscriber logs in. Subsequent notifications come through correctly.
Workaround: None
CSCtk54906
The show interface LineCard 0 counters bandwidth command displays a wrong output which refers to the L1 bytes, when actually, TotalBW is L1 and RxBW is L2.
Workaround: None
CSCtk08011
Transmit queue overflow warnings appear when VLURs are enabled.
Workaround: None
CSCtj99315
RDRs are observed for a few minutes after SCE is put into bypass mode.
Workaround: None
CSCtl05749
Delayed Logout feature cause "Party DB: PartyDB::waitForState" warning. Delayed logout was newly added in 3.6.5. The warning is harmless but it can fill up the logs.
Workaround: None
Open Caveats—All Platforms
CSCsd48922
The configured attack threshold is set for each PPC separately. For certain types of attacks, an attack is detected by the SCOS attack-filter module only if it is three times stronger (as measured by flow rate per second) than the configured value.
This occurs when the IP address common to all the flows of the attack is on the network side of the SCE platform, so all attacks of the single-side-network type have this issue.
Workaround: None
CSCsg46885
When link reflection on all ports with line- card aware is configured, a link failure may be reflected to all ports (rather than only to the relevant link) if one of the ports that is connected to the failed line card is flickering due to a hardware problem.
Workaround: None
CSCsm19587
Quota events are not received by the SCE subscriber API client or QM because the internal RDR connection to destination 127.0.0.1 port 33001 is not configured.
Workaround: Configure the internal RDR connection as follows:
Step 1
Configure the internal connection on category 4 to destination 127.0.0.1. port 33001.
Step 2
Name category 4 with a special, fixed name. Do not configure any additional destinations on category 4.
CSCsw79718
If failover occurs in a pair of cascaded SCE platforms, mirrored packets enter an infinite loop under the following conditions:
•
Failover occurs and one of the SCE platforms becomes the stand-alone
•
Mirrored traffic exists
•
The configured VAS traffic link is link-1 (the default)
In normal operation, the packets that are passed on the cascade ports are forwarded by the cascade bypass mechanism to the other link. If either SCE platform enters a stand-alone state, the cascade ports no longer perform a cascade bypass and instead they move the packets from one port to the other (0<->1, 2<->3). In such a case, if the mirroring is performed to the cascade ports link (usually link-1), the SCE duplicates packets from the other link into link-1, which is now functioning as a loop. The loop stops after the boxes are out of the stand-alone state.
The following error message is written in the log file:
Detected packets loop between a VAS server designated for mirroring and the SCE. This indicates an installation problemWorkaround: Configure the VAS traffic link on both SCE platforms to be link-0, so that packets are not mirrored over the cascade ports:
>configure>interface LineCard 0>VAS-traffic-forwarding traffic-link link-0>exit>exit>copy running-config startup-configCSCtc56711
The SCE fails to authenticate login through the TACACS server when the shared key contains a spaces. This causes login to the SCE to fail although valid username/password are used to login. The SCE does not treat the space as a valid character in the key and terminates the key on the first space.
For example: if the configured key is "3b663ea010446e 72ecea2f1244853f73", the SCE takes the key as "3b663ea010446e".
Workaround: Do not use keys that contain spaces.
CSCtd18312
Cascade links may remain down when link failure-reflection is configured if:
•
Link failure-reflection is configured on both SCE platforms.
•
Both cascade links are disconnected and then connected again.
Workaround: Disable and enable link failure-reflection on the secondary SCE platform. Execute the following CLI command sequence on the secondary SCE:
#configure(config)#interface LineCard 0(config if)#no link failure-reflection(config if)#link failure-reflection(config if)#exit(config)#exitCSCtd94013
If fragmented UDP packets come from subscriber side at a rate higher than PIR(Permitted Information Rate), the SCE cannot control the bandwidth properly because the fragmented packets are not dropped at the network side.
Workaround: Try to avoid using fragmented packets. (Use the no accelerate-packet-drops CLI command to throttle fragmented packets at the software level.)
CSCte21978
When a power supply is removed, a trap is not sent and the SCE does not change the operational status to reflect the failure of one power supply.
Workaround: None.
CSCth00248
SCE might reload during a policy apply operation. This was observed on rare occasions in Release 3.5.5 in SCE 2000 and SCE8000. Could not be reproduced.
Workaround: None
CSCtl05846
PartyDBManager shows high CPU usage only when there is no Subscriber Manager.
Workaround:
Run the following root level CLI command:
debug db get CcConstDb.Party.pullRetryQuotaInMillisecs 0High CPU utilization happens because of the presence of a subtask that tries to send a pull request to the subscriber manager for every anonymous subscriber.
Setting the pullRetryQuotaInMillisecs to 0 suppresses these pull requests until a subscriber manager becomes available.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.