The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Within the Cisco Bug Search Tool, each bug is given a unique identifier (ID) with a pattern of CSCxxNNNNN, where x is any letter (a-z) and N is any number (0-9). The bug IDs are frequently referenced in Cisco documentation, such as Security Advisories, Field Notices and other Cisco support documents. Technical Assistance Center (TAC) engineers or other Cisco staff can also provide you with the ID for a specific bug.
You can save searches that you perform frequently. You can also bookmark the URL for a search and email the URL for those search results.
Note: If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.
This section consists of the following subsections:
Symptom: If a linecard is reset (either due to an error or a command such as hw-module slot reload) at the precise time an SNMP query is trying to communicate with that linecard, the RP could reset due to a CPU vector 400 error.
Conditions: This symptom occurs when the linecard is reset (either due to error or a command such as hw-module slot reload) at the precise time an SNMP query is received.
Workaround: There is no workaround.
Symptom: The standby supervisor reloads after removing an IPSLA probe via CLI:
Conditions: This issue only occurs if the probe is configured via SNMP.
Workaround: Remove the probe via SNMP.
More Info: This issue is applicable to a Cisco Catalyst 6500 platform running Cisco IOS 12.2SX releases. It may also affect other high availability (HA) platforms running Cisco IOS 12.2 or 15.X releases.
Symptoms: EIGRP authentication is not working.
Conditions: This symptom is observed when authentication is configured with key-id 0.
Workaround: Use any other key-id for authentication.
Symptoms: When sub appid is triggered by end points, the network does not recognize it and displays it as “Unknown identifier”.
Conditions: This symptom occurs when the limitation results in not supporting traffic classification based on sub appid.
Workaround: There is no workaround.
Symptoms: Metadata class-map matches only the first of the following filter, if present, in a class map (the other media-type matches are skipped):
Conditions: This symptom occurs when the class map has the aforementioned filters.
Workaround: There is no workaround.
Symptom: Multiple symptoms may occur including the following:
– Multiple sessions established to TACACS+ server which never clear are seen in the output of show tcp brief.
– Pings to the loopback address from directly connected equipment suffer packet loss.
– Traffic and pings through the switch suffer packet loss.
– CPU utilization remained stable and below 10% when the issue was occurring, and the interface counters were not reporting any errors or drops.
– TACACS+ authentication errors, authorization errors, or accounting errors.
– SSH/TELNET via VTY not accessible.
– If the condition exists for a period of time, the switch may stop passing traffic.
Conditions: The symptom is observed when the device is configured with TACACS+. It is seen mostly on Cisco 3750/3760 switches, but has been observed on Cisco 6500 switches.
1. Remove the AAA and TACACS+ server configuration.
2. Clear the existing TCP connections with clear tcp tcb.
3. Reconfigure the TACACS+ server configuration to use "single-connection" mode.
4. Reconfigure the AAA configuration.
Mitigation using EEM: A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool Command Language (Tcl) can be used on vulnerable Cisco IOS devices to identify and detect a hung, extended, or indefinite TCP connection that causes the symptoms to be observed. The policy allows administrators to monitor TCP connections on a Cisco IOS device. When Cisco IOS EEM detects hung or stale TCP connections, the policy can trigger a response by sending a syslog message or a Simple Network Management Protocol (SNMP) trap to clear the TCP connection. The example policy provided in this document is based on a Tcl script that monitors and parses the output from two commands at defined intervals, produces a syslog message when the monitor threshold reaches its configured value, and can reset the TCP connection. The EEM script is available at:
https://supportforums.cisco.com/docs/DOC-19344
Symptoms: The router stops passing IPsec traffic after some time.
Conditions: This symptom is observed when the show crypto eli command output shows that during every IPsec P2 rekey, the active IPsec-Session count increases, which does not correlate to the max IPsec counters displayed in SW.
Workaround: Reload the router before active sessions reach the max value.
Symptoms: No logging messages are seen when configuring the syslog server in CLI mode until configuration mode is exited. However when unconfiguring the syslog server, syslog messages will appear within configuration mode.
Conditions: This symptom is observed when, in CLI configuration mode, you enter the following command:
Workaround: There is no workaround.
Symptom: Router crash due to IPC timeout during registering ICC request port.
Conditions: This symptom is observed when the router, which is in RPR mode, is reloaded. The active starts booting up as the standby and crashes.
Workaround: There is no workaround.
Symptom: 7600-SIP-400 linecard crash seen with SPA reload.
Conditions: This symptom is observed with an SPA reload.
Workaround: There is no workaround.
Symptom: A router may experience a crash in the “BGP Task” process during best path selection. In a rare corner case, when the last two remaining multipaths are deleted around the same time by two different threads of execution, a null pointer exception can be raised in the “BGP Task” process.
Conditions: This symptom occurs when a BGP multipath is configured as shown in the following example:
Workaround: Disable BGP multipath.
Symptom: Traffic loss occurs on the Cisco ASR 1000 Series Routers during an RP SSO switchover.
Conditions: This symptom occurs during an RP SSO switchover on the Cisco ASR 1000 Series Routers.
Workaround: There is no workaround.
Symptom: Router crashes while configuring xconnect after traffic over SAToP over UDP.
Conditions: The symptom is observed when you send traffic using SAToP over UDP. If you then try to configure SAToP over MPLS, the router crashes.
Workaround: There is no workaround.
Symptom: Ethernet CFM and ELMI interworking. If CFM is configured on xconnect and interworking with ELMI, incorrect EVC state may be reported to ELMI on MPLS configuration changes.
Conditions: The symptom is observed with the following conditions:
– CFM configured on xconnect EFP.
– ELMI configured on same interface.
– CFM-ELMI interworking enabled.
Workaround: There is no workaround.
Symptoms: Traffic drops for some time after doing a switchover.
Conditions: The symptom is observed when a switchover is performed on a Cisco ASR 903.
Workaround: Put a neighbor command where the neighbor has no meaning and will never be up. This will solve the timing issue.
Symptom: Standby interface stays UP/UP after a reload:
Conditions: The symptom is observed when “backup interface” and “carrier-delay” are configured under the interface:
Workaround: Flap the standby interface.
Symptom: Egress HQF policy needs to be blocked for MLPPP/MFR member links. Ingress HQF policy application needs to be blocked for MLPPP/MFR bundles without member links. Ingress HQF policy needs to be enabled for Gige subinterfaces and EVCs.
Conditions: The symptom is observed with HQF policy.
Workaround: There is no workaround.
Symptom: Standby RSP crashes while unconfiguring interfaces on ACR controller.
Conditions: The symptom is observed when using a TCLSH script to tear down 450 CEM CKTs.
Workaround: There is no workaround.
Symptom: Active RP crash during sessions bring up after clearing PDP.
Conditions: The symptom is observed after clearing PDP.
Workaround: There is no workaround.
More Info: This is a negative test where DHCP IP under APN on IWAG is the access interface IP. In real world, we do not configure access interface IP as a DHCP IP for an APN.
Symptoms: This problem is specific to the Catalyst 6000 platform. With IPv4 crypto map, ICMP echo reply is not triggered from the remote end.
Conditions: This symptom is observed in IPv4 crypto map configuration and Catalyst 6000 platform.
Workaround: There is no workaround.
Symptom: Traceback is observed with error message “standby cannot allocate VLAN for Tunnel Rsvd Vlan”.
Conditions: The issue is seen while configuring L2VPN and L3VPN with scaled tunnel configurations.
Workaround: There is no workaround.
Symptom: Multiple crashes observed with the following tracebacks after upgrading the Cisco IOS Release from 12.2(33)SRC1 to 12.2(33)SRE6:
Conditions: The symptom is observed with a combination of BGP VPNv4 prefixes + PBR enabled on the interface for the VRF and during upgrade of image or reload of the device. If “mls mpls recirc agg” is enabled in global mode, then this crash will not be observed.
Workaround: Enable “mls mpls recirc agg” in global mode.
Symptoms: A leak in small buffer is seen at ip_mforward in Cisco IOS Release 15.1(4)M3. Device: Cisco 2911 Cisco IOS: c2900-universalk9-mz.SPA.151-4.M3.bin
Conditions: This symptom is observed with the Cisco 2911 running Cisco IOS Release 15.1(4)M3.
Workaround: There is no known workaround. Reboot frees memory.
Symptom: FTP download fails in FTS client.
Conditions: The symptom is observed with FTS transfer over FTP via VRF.
Workaround: There is no workaround.
Symptom: The active route processor crashes because of a segmentation fault in the PIM IPv6 process after de-configuring a VRF.
Conditions: This symptom is observed when BGP, multicast-routing, or a VRF is de-configured while VRF-forwarding for the affected VRF is still configured on some interfaces and IPv6 multicast state entries exist within the affected VRF.
Workaround: Before removing a VRF using no vrf definition xxx, de-configuring “router bgp...” or de-configuring multicast-routing for any VRF or for the global routing table, de-configure the IPv6 and the IPv4 MDT tunnels for affected VRFs as follows:
1. Under the “vrf definition...”/“address-family ipv6” configuration sub-mode, execute no mdt default....
2. Under the “vrf definition...”/“address-family ipv4” configuration sub-mode, execute no mdt default....
Symptom: On a SIP 400 with gigeV2 SPA, when EVC is configured with “encap default”, it is seen that sometimes the FUGU TCAM is not programmed with correct VVID for the EVC. This results in incoming traffic reaching the linecard with wrong VVID. This can impact traffic incoming on the EVC.
Conditions: The symptom is observed with an “encap default” configuration under EVC, or removal and re-application of “encap default” under EVC.
Workaround: There is no workaround.
Symptoms: Redistributed internal IPv6 routes from v6 IGP into BGP are not learned by the BGP neighboring routers.
Conditions: This symptom occurs because of a software issue, due to which the internal IPv6 redistributed routes from IGPs into BGP are not advertised correctly to the neighboring routers, resulting in the neighbors dropping these IPv6 BGP updates in inbound update processing. The result is that the peering routers do not have any such IPv6 routes in BGP tables from their neighbors.
Workaround: There is no workaround.
Symptom: When the system is under scaling conditions, and you issue the shut then no shut commands on the access interface, the IOSd process may crash.
Conditions: The symptom is observed when the system is under scaling conditions, and you issue the shut then no shut commands on the access interface.
Workaround: Do not issue shut then no shut on the access interface when the system has traffic running and the device is under load.
Symptom: After deleting a VRF, you are unable to reconfigure the VRF.
Conditions: The symptom is observed when BGP SAFI 129 address-family is not configured, but unicast routes are installed into multicast RIB to serve as upstream multicast hop, as described in RFC 6513. This applies to VRFs configured before BGP is configured.
Workaround: Beyond unconfiguring BGP, there is no workaround once the issue occurs. Configuring a dummy VRF multicast address-family under BGP before the issue occurs can prevent the problem from occurring.
Conditions: The symptom is observed with VPLS VC going over GRE tunnel and chassis having both ES+ and SIP 600 card.
Workaround: Remove VPLS over GRE. This configuration is not supported.
Symptom: After a linecard is removed and reinserted (OIR), traffic may fail to pass through some virtual circuits which have been configured for pseudowire redundancy.
Conditions: This symptom is observed when the first segment ID in the redundancy group is numerically greater than the second segment.
After the OIR is performed, it can be seen that the segments are reversed on the linecard.
Workaround: There is no workaround.
Symptom: If a bandwidth qos-reference value is configured on an interface whose bandwidth can change, then the actual interface bandwidth will be used for QoS service-policy validation when the interface bandwidth changes. This can result in a service-policy being removed if the interface bandwidth is insufficient to meet the requirements of the service-policy, such as bandwidth guarantees.
Conditions: Affects variable-bandwidth interfaces such as EFM interfaces or PPP multilink bundles.
Workaround 1: Use proportional actions in the QoS service-policy, such as “police rate percent....”, “bandwidth remaining ratio...”, “bandwidth remaining percent...”, and “priority percent”.
Workaround 2: You can configure bandwidth qos-reference with maximum bandwidth of the interface:
This can prevent the policy-map from being detached due to an interface bandwidth change.
Symptom: Ping failures. Traffic gets dropped.
Conditions: The symptom is observed when you configure an MPLSoMGRE tunnel on PE1 and PE2 and initiate a ping from CE1 to CE2. Packets reach CE2 and the reply comes back, but the reply packets are dropped on PE2. After a PE2 switchover, ping fails from CE1 to CE2. PE2 is configured with MPLSoMGRE on an HA system. Topology:
Workaround: There is no workaround.
Symptom: BGP routes remain installed in multicast RIB even after “address-family” configuration has been removed from “vrf definition”.
Conditions: This symptom is observed in MVPN topology, where the stale routes are installed as an upstream multicast hop, as described in RFC: http://tools.ietf.org/html/rfc6513
Workaround: There is no workaround.
Conditions: This symptom occurs due to CSCuf62756.
Workaround: There is no workaround.
Symptom: When using session protection and graceful restart for LDP, LDP neighbor goes down immediately after filtering LDP hello between routers. The LDP neighbor should go down after 10 minutes (default value of forwarding state holding time for GR).
Conditions: The symptom is observed when you enable session protection and graceful restart for LDP.
Workaround: There is no workaround.
Symptom: Redistributed default route not advertised to EIGRP peer.
Conditions: This symptom is observed when a Cisco ASR router is rebooted or the route is cleared via the clear ip route command; the route then disappears from the spokes.
Workaround: Clearing the EIGRP Neighborship restores the route on the spokes.
Symptom: The “mod” value in the SSRAM may be inconsistent to the number of ECMP paths.
Conditions: This occurs with ECMP TE tunnels with tunnel mpls traffic-eng load-share value commands configured.
Workaround: Remove the tunnel mpls traffic-eng load-share value commands from the TE tunnels.
Symptom: CTS environment-data download fails from ISE.
Conditions: The symptom is observed if a low PAC and environment-data refresh timer is configured in ISE. After multiple refreshes of the PAC and environment data, and after the switch is reloaded, a CTS environment-data download sometimes fails from ISE on the switch.
Workaround: Unconfigure pac key CLI and configure it again as below:
A vulnerability in the DHCP implementation of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability occurs during the parsing of crafted DHCP packets. An attacker could exploit this vulnerability by sending crafted DHCP packets to an affected device that has the DHCP server or DHCP relay feature enabled. An exploit could allow the attacker to cause a reload of an affected device.
Cisco has released free software updates that address this vulnerability. There are no workarounds to this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp
Note: The September 25, 2013, Cisco IOS Software Security Advisory bundled publication includes eight Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep13.html
Symptom: SP/DFC crash is seen when churn on multicast is done, either through provisioning/unprovisioning or other network event.
Conditions: The issue occurs when a pointer to an already freed hal_context is still present in a replicate queue. Later during churn the same pointer is accessed which leads to the crash.
Workaround: There is no workaround.
Symptom: RP crash seen at be_interface_action_remove_old_sadb.
Conditions: The symptom is observed while unconfiguring the 4K SVTI sessions after an HA test.
Workaround: There is no workaround.
Symptom: Switch crashes with following message:
Conditions: Making SSH connection to remote device from the switch, while having multiple SSH connections to the same switch.
Workaround: There is no workaround.
Symptom: Device crashes with CPU hog messages.
Conditions: The symptom is observed when the device is reloaded after configuring NTP peer:
Workaround: There is no workaround.
Symptom: L3 QoS policy not working in EVC L3 VPN.
Conditions: The symptom is observed when CFM is enabled globally.
Symptom: The clear xconnect all command causes xconnect related CFM configuration to be removed permanently.
Conditions: This symptom is observed only when using xconnect related CFM configuration.
Workaround: Avoid issuing the clear xconnect all command.
Symptom: A crash is seen due to double free of memory.
Conditions: The symptom is seen when the accept interface VLAN goes down.
Workaround: There is no workaround.
Symptom: PW traffic is not flowing after SSO/card reset the active PTF card.
Conditions: The symptom is observed with the following conditions:
1. Create an unprotected tunnel between the active PTF card and create a PW.
2. Apply the table map. Bi-directional traffic is flowing fine.
3. SSO/reset the active PTF card in node 106 (4/1).
4. Now tunnel core port is in standby card.
5. Observed bi-directional traffic is not flowing once the card becomes up.
6. Again reset the active PTF card (5/4).
7. Observe uni-directional traffic only is flowing.
Workaround: Delete the PW and recreate it again. However, note that if you do an SSO/card reset, the issue reappears.
Symptom: A RIB route is present for a prefix, but the router continues to LISP encapsulate.
Conditions: The symptom is observed when a LISP map-cache existed for a prefix and then the RIB route was added later.
Workaround: Use the following command:
Symptom: Usernames do not show up in CCP Express. Username shows up on a router with default configuration.
Conditions: The symptom is observed on routers with configurations that break show runn | format.
Workaround: Use default configuration.
Symptom: A crash is seen on the RP in the SS manager process:
Conditions: The issue appears to be related to NAS port. It looks like a key is being set when the issue occurred. The exact conditions are still being investigated.
Workaround: Possibly remove radius or more specifically, NAS port configurations. This still needs to be verified.
Symptom: Multicast traffic across ES+ cards stops flowing across subinterfaces.
Conditions: The symptom is observed after a linecard OIR. After the linecard comes up, multicast traffic stops flowing across subinterfaces.
Workaround: Shut/no shut the subinterface.
Symptom: Crypto session does not come up in EZVPN.
Conditions: This symptom is observed when a Crypto session is being established.
Workaround: There is no workaround.
Symptom: EIGRP neighbor flaps due to EIGRP SIA. Troubleshooting shows that a race condition causes EIGRP successor loop first and it leads to EIGRP QUERY loop resulting in the neighbor flaps.
Conditions: The issue is observed when a worse metric update is received from the successor, once the route is already in active state, in a partially peered multiaccess network.
Workaround: There is no workaround.
Symptom: Router crash is seen.
Conditions: The symptom is observed when you issue the following command:
Workaround: Run show ip subscriber mac e01d.3b70.108e only for sessions in the connected state; that is, sessions should not be in the “Attempting” state in sh sss sess | i mac address.
Symptom: TE Tunnel constantly performs signalling attempts instead of holding down the path option, which causes CPU to become very busy.
Conditions: The symptom is observed with the following conditions:
– Configuration of multiple verbatim explicit path options.
– Path error during LSP signalling.
Workaround: There is no workaround.
Symptom: ES+ card crashes with an unexpected exception to CPU: vector 200, PC = 0x0.
Conditions: The symptom is observed on the ES+ series linecards on a Cisco 7600 series router. Symptom is reported on the ES+ console and in the crashinfo file on the ES+ flash disk. It is not reported in the syslog.
Workaround: There is no workaround.
Symptom: Inter-AS/Aggregate label is not re-originated after the directly connected CE facing interface (in VRF) is shut down.
Conditions: The symptom is observed in an Inter-AS MPLS VPN setup with a Cisco 7600 (PE) router running Cisco IOS Release 12.2(33)SRE4.
Workaround: Downgrade to Cisco IOS Release 12.2(33)SRE3 or earlier.
Symptom: A Cisco ASR 1000 running ISG with “radius-proxy session-restart” crashes when WiFi clients are roaming between hotspots.
Conditions: The symptom is observed if a client roams between WiFi access points and the accounting-stop message from the initial access point does not reach the ISG where the subscriber session is active as can sometimes be the case of roaming between access points on a wireless LAN controller.
Workaround: Disable “radius-proxy session-restart” and reload the chassis to clear the session-cache.
Symptom: The crypto session remains UP-ACTIVE after tunnels are brought down administratively.
Conditions: This symptom occurs in tunnels with the same IPsec profile with a shared keyword.
Workaround: There is no workaround.
Symptom: With VPLS configuration with IP-FRR, on doing multiple churns SP/LC may crash.
Conditions: The issue occurs when the xconnect internal data structure is to be freed up and IP FRR is still pointing to it.
Workaround: Remove IP-FRR configuration before unprovisioning xconnect.
Symptom: Mac entries learned on a trunk link are flushed after removing VLANs.
Conditions: The symptom is observed when some allowed VLANs are removed on a trunk link; all MAC address entries learned on this link are flushed. This issue is specific to extended VLAN IDs.
Workaround: Executing ping to destination IP after removing VLANs will recover this condition.
Symptom: BGP routes are not marked Stale and considered best routes even though the BGP session with the peer is torn down. A hard or soft reset of the BGP peering session does not help.
For BFD-related triggering, the following messages are normally produced with the BGP-5-ADJCHANGE message first, and the BGP_SESSION-5-ADJCHANGE message second. Under normal conditions, the two messages will have identical timestamps. When this problem is seen, the order of the messages will be reversed, with the BGP_SESSION-5-ADJCHANGE message appearing first, and with a slightly different timestamp from the BGP-5-ADJCHANGE message. In the problem case, the BGP_SESSION-5-ADJCHANGE message will also include the string “NSF peer closed the session”.
For example when encountering this bug, you would see:
Log messages associated for non-BFD triggers are not documented.
Conditions: This symptom is observed when BGP graceful restart is used in conjunction with BFD. It is also possible, with very low probability, for it to happen when BGP graceful restart processing runs while any other type of BGP reset (e.g., a clear command) is in progress.
Affected configurations all include: router bgp ASN... bgp graceful-restart...
The trigger is that BGP exceeds its CPU quantum during the processing of a reset, and gives up the CPU, and then BGP Graceful Restart processing runs before BGP can complete its reset processing. This is a very low probability event, and triggering it is going to be highly dependent on the configuration of the router, and on BGP’s CPU requirements.
It is not possible to trigger this bug unless BGP graceful-restart is configured.
Workaround: If you are engaged in active monitoring of router logs, and the bug is being triggered by a BFD-induced reset, you can detect this situation by watching for the reversal of log message order described in the Symptoms section, and then take manual steps to remedy this problem when it occurs.
On the problematic router, issuing the no neighbor <xxx> activate command under the proper address-family will clear the stale routes.
The other option is to manually shut down the outgoing interface, which marks the routes as “inaccessible” so that they are no longer used. This prevents the traffic blackhole, but the routes will stay in the BGP table.
More Info: This bug affects all releases where CSCsk79641 or CSCtn58128 is integrated. Releases where neither of those fixes is integrated are not affected.
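The log-order check described in the workaround above can be automated. The following is an added example, not Cisco code: it scans syslog lines for a BGP_SESSION-5-ADJCHANGE message that precedes the BGP-5-ADJCHANGE message for the same neighbor. The sample lines, the timestamp layout, the 5-second pairing window, and the restriction to "Down" events are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# String the release note says appears in the problem case.
NSF_MARKER = "NSF peer closed the session"

# Assumed layout: "*Mon DD HH:MM:SS.mmm[ TZ]: %TAG: neighbor <addr> <text>"
LINE_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)(?:\s+\S+)?:\s+"
    r"%(?P<tag>BGP_SESSION-5-ADJCHANGE|BGP-5-ADJCHANGE):\s+"
    r"neighbor\s+(?P<nbr>\S+)\s+(?P<rest>.*)$"
)

# Constructed sample input (not taken from the page or from a real device).
SAMPLE_LOG = """\
*Mar  3 10:15:02.100: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BFD adjacency down
*Mar  3 10:15:02.100: %BGP_SESSION-5-ADJCHANGE: neighbor 192.0.2.1 IPv4 Unicast topology base removed from session  BFD adjacency down
*Mar  3 10:20:41.512: %BGP_SESSION-5-ADJCHANGE: neighbor 198.51.100.7 IPv4 Unicast topology base removed from session  NSF peer closed the session
*Mar  3 10:20:41.520: %BGP-5-ADJCHANGE: neighbor 198.51.100.7 Down BFD adjacency down
*Mar  3 10:25:00.000: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
"""


@dataclass
class Finding:
    neighbor: str
    session_ts: datetime      # BGP_SESSION-5-ADJCHANGE (logged first: reversed)
    adjchange_ts: datetime    # BGP-5-ADJCHANGE (logged second)
    nsf_marker: bool          # session message carried NSF_MARKER

    @property
    def timestamps_differ(self) -> bool:
        return self.session_ts != self.adjchange_ts


def _timestamp(m: re.Match) -> datetime:
    # Syslog lines carry no year; pin a leap year so Feb 29 still parses.
    t = m["time"] if "." in m["time"] else m["time"] + ".0"
    return datetime.strptime(f"2000 {m['mon']} {m['day']} {t}",
                             "%Y %b %d %H:%M:%S.%f")


def find_reversed_teardowns(lines, window=timedelta(seconds=5)):
    """Return a Finding for each neighbor whose teardown messages are reversed."""
    last_adj = {}   # neighbor -> time of an unpaired BGP-5-ADJCHANGE Down
    pending = {}    # neighbor -> (time, nsf flag) of an unpaired session message
    findings = []
    for raw in lines:
        m = LINE_RE.search(raw)
        if not m:
            continue
        nbr, ts = m["nbr"], _timestamp(m)
        if m["tag"] == "BGP-5-ADJCHANGE":
            if not re.search(r"\bDown\b", m["rest"]):
                continue  # only teardown events are of interest
            sess = pending.pop(nbr, None)
            if sess and timedelta(0) <= ts - sess[0] <= window:
                # Session message came first: the reversed order to alert on.
                findings.append(Finding(nbr, sess[0], ts, sess[1]))
            else:
                last_adj[nbr] = ts
        else:
            adj = last_adj.pop(nbr, None)
            if adj is not None and timedelta(0) <= ts - adj <= window:
                continue  # normal order: BGP-5-ADJCHANGE first
            pending[nbr] = (ts, NSF_MARKER in m["rest"])
    return findings


if __name__ == "__main__":
    for f in find_reversed_teardowns(SAMPLE_LOG.splitlines()):
        print(f"reversed teardown for {f.neighbor}: "
              f"nsf_marker={f.nsf_marker} timestamps_differ={f.timestamps_differ}")
```

A finding with `nsf_marker` set matches all three indicators the release note lists; the neighbor it names is the one to check for stale routes.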
Symptom: On a dual-RP system which is configured for stateful switchover (SSO), some VPLS virtual circuits may fail to be provisioned on the standby route processor.
Conditions: This symptom is observed when the VFI consists of VLAN interfaces that are also configured for IP.
Workaround: Reload the standby RP.
Symptom: After upgrading to Cisco IOS Release 15.0(2)SE3, you can no longer authenticate using TACACS. The TPLUS process on the switch will be pushing the CPU up to 99%.
Conditions: The symptom is observed when you use TACACS for authentication.
Workaround: Downgrade the switch to a version prior to 15.0(2)SE3.
Symptom: Router crashes and reloads with dynamic EID scaling.
Conditions: The symptom is observed with dynamic EID scaling.
Workaround: There is no workaround.
Symptom: Router crashes when service-policy is installed on the interface.
Conditions: The symptom is observed with service-policies having random-detect aggregate configuration.
Workaround: Use non-aggregate random-detect for WRED configurations. If the platform supports only aggregate random-detect, then there cannot be a workaround other than not using the WRED configuration altogether.
Symptom: Router crashes with DLFI configurations.
Conditions: The symptom is observed while doing a shut/no shut.
Workaround: There is no workaround.
Symptom: There is a memory leak in PfR MIB.
Conditions: This symptom occurs when PfR is configured.
Workaround: There is no workaround.
Symptom: During a crash on the Cisco Catalyst 6500, the normal crash information from the crashinfo files may be missing due to the crashes showing the Routing processor (RP) being reset by the Switching Processor (SP) and the RP crashinfo also showing the RP being reset by the SP. This bug addresses this serviceability issue and it has nothing to do with the root cause of the crash itself.
In a majority of cases, the crash has been a single-event crash and has not repeated.
Conditions: Conditions of this symptom are not known currently. At this point, it is believed that the real fault of the crash belongs to the SP.
Workaround: There is no workaround.
Symptom: Memory leak seen with following messages:
Conditions: The conditions are unknown.
Workaround: There is no workaround.
Symptom: The “clear counter pseudowire <#>” commands do not clear the pseudowire specific counters.
Conditions: This symptom is reported to be present in all Cisco IOS Release 15.X(S) versions.
Workaround: Issuing global clear count (“clear counters”) will clear counters including pseudowire specific counters.
Symptom: BGP routes are displayed.
Conditions: This symptom occurs after removing the “send-label” from PE.
Workaround: There is no workaround.
Symptom: ES+ module is crashing with “%NP_DEV-DFC1-2-WATCHDOG: Watchdog detected on NP 0” error.
Conditions: The issue is specific to the type of packet and its content which is unique when vidmon is configured.
Workaround: Remove vidmon configuration.
Symptom: PfR “OER border router” process might report exception and the router reloads under stress traffic.
Conditions: The symptom is observed with a PfR configuration with scaling traffic-class actively, and stress control traffic between PfR MC and BRs.
Workaround: There is no workaround.
Symptom: An ES+ crashes upon the dynamic addition/deletion of class-maps.
Conditions: The symptom is observed with the dynamic addition/deletion of class-maps of a policy applied in scale number of PC EVCs.
Workaround: There is no workaround.
Symptom: The PXE client network boot fails when an ME3600 running 152-4.S is the DHCP relay agent.
Conditions: This symptom occurs when the ME3600 changes the option 54 “DHCP Server Identifier” address to its own IP address in the DHCP offer received from the PXE DHCP server. This causes the client to send the PXE boot request (port 4011) to the ME3600 instead of the PXE server.
Workaround: Downgrade ME3600 to Cisco IOS Release 15.1(2)EY.
Symptom: Valid dynamic authorization requests which are not retransmissions are marked as retransmission.
Conditions: This may occur when valid dynamic authorization requests with the same RADIUS packet identifier are sent from different source ports.
Workaround: There is no workaround.
Symptom: When a VRF route is redistributed or sourced (network statement) into BGP and the BGP VRF prefix has a next hop from global, the next hop will be inaccessible.
Conditions: This symptom is observed when VRF routes are redistributed into BGP with a global NH.
Workaround: There is no workaround.
Symptom: Rarely, the WCM fails to send the configuration to a WaasExpress device.
Conditions: This symptom occurs when CM tries to send the configuration to a WaasExpress device. Rarely, the “SSL peer shutdown incorrectly” error is seen, leading to failure to send the configuration.
Workaround: Go to any WAAS-EXP configuration page and click submit.
Symptom: Removal of the service instance on the target device causes a crash.
Conditions: Not consistently reproducible on all configurations as the underlying cause is a race condition.
Workaround: De-schedule the probe before removing the service instance.
Symptom: SUP720 supervisor module may hang in ROMMON after the module reset triggered by TM_DATA_PARITY_ERROR.
Conditions: The issue is observed after a module reset triggered by TM_DATA_PARITY_ERROR.
Workaround: Power off/power on the router.
Symptom: When a PC is moved between two VLAN ports (on one port, ISG is enabled and the other port is non-ISG) several times by its LAN cable connection on the L2SW that is connected to the Cisco ASR 1000 router, the PC is unable to receive DHCP OFFER due to the wrong VLAN ID from the DHCP server on the Cisco ASR 1000 router.
Conditions: This symptom is observed with Cisco IOS Release 15.2(4)S1.
Workaround: There is no workaround.
Symptom: Compared to V1 ATM SPA, V2 SPAs are having more latency and bad bandwidth partition.
Conditions: The symptom is observed under the following conditions:
1. V2 SPA configured in L3 QoS mode.
2. Policy map contains “no priority queue”.
3. Policy map has more than one QoS class.
4. Each class has a WRED profile configured.
Workaround: While using a policy-map with a WRED profile, use the drop-probability value as 8. This improves the partition.
Symptom: DHCP client is not getting an IP address.
Conditions: The symptom is observed with an interface change like this:
1. Create one l2-connected single stack unclassified-mac IPv4 session on interface g0/2/1 using ping from client with mac 000a.000b.000c.
2. Do an interface-change with DHCP session (i.e.: send DHCP discover with same mac 000a.000b.000c on other interface g0/2/2.100).
Workaround: There is no workaround.
Symptom: After multiple VRF transfers, the session goes down (i.e.: VRF transfer from global VRF to VRF2 then to VRF1).
Conditions: The symptom is observed with multiple VRF transfers.
Workaround: There is no workaround.
Symptom: There is a route-map which matches tags and sets a new value. This route-map is used in an EIGRP outbound distribute list. One in 10 times based on the received route tag, the correct route tag value is not set while advertising out.
Conditions: The symptom is observed when you use a route map which matches tags and sets a new tag. It is used in distribute-list route-map name out.
Workaround: Clear the EIGRP process or re-advertise the route.
Symptom: DMVPN hub ASR 1004 may crash after fetching the CRL from the MS CRL server.
Conditions: The crash occurs when there are five CDPs for the hub router to fetch the CRL. Since there are multiple CDPs, the hub router fetches the CRL in a parallel way, which leads to a crash under a timing issue.
Workaround: Setting up one CDP instead of multiple CDPs will greatly reduce the timing condition that leads to the crash.
Symptom: Incremental memory leaks are seen at IPSec background process.
Conditions: This symptom is observed with "clear nhrp cache".
Workaround: There is no workaround.
Symptom: The cost-minimization test command is not accepted.
Conditions: This symptom is observed with the cost-minimization test command.
Workaround: There is no workaround.
Symptom: The BGP MIB reply to a getmany query is not lexicographically sorted.
Conditions: This symptom is observed when IPv4 and IPv6 neighbor IP addresses are lexicographically intermingled, for example, 1.1.1.1, 0202::02, 3.3.3.3.
Workaround: There is no workaround.
Symptom: Some flows are not added to the Flexible Netflow cache, as indicated by the “Flows not added” counter increasing in the show flow monitor statistics command output. “Debug flow monitor packets” shows “FNF_BUILD: Lost cache entry” messages, and after some time, all cache entries are lost. At that moment, debug starts showing “FLOW MON: ip input feature builder failed on interface couldn’t get free cache entry”, and no new entries are created and exported (“Current entries” counter remains at 0).
The following is sample output when all cache entries are lost:
Conditions: This symptom occurs when all of the following are true:
– Flexible Netflow is enabled on a DMVPN tunnel interface.
– Local policy-based routing is also enabled on the router.
– Local PBR references an ACL that does not exist or an ACL that matches IPsec packets.
1. Make sure that the ACL used in the local PBR route-map exists and does not match IPsec packets sent over the DMVPN tunnel interface.
2. Disabling encryption on the tunnel interface, or changing tunnel mode from mGRE to GRE also removes this bug.
3. The issue will not be seen if FNF is not configured, or if FNF is configured but is not monitoring VPN traffic.
Symptom: There is a LISP control process crash when unconfiguring.
Conditions: The symptom is observed when you unconfigure LISP.
Workaround: There is no workaround.
Symptom: “Collect Identifier mac-address” for a routed session does not work for a client who roams to a new interface.
Conditions: This symptom is observed if the subscriber already has a session available in Interface 1.
Workaround: There is no workaround.
Symptom: OTV ISIS adjacency keeps going down/up every ten minutes.
Conditions: The symptom is observed during normal operation, while IGMP snooping is enabled on switches connected to the routers.
Workaround: Disable IGMP snooping on the switches.
Symptom: VG350 gateway crashes when the configuration file is downloaded from CUCM. This occurs when the VG350 has 144 ports configured.
Conditions: The VG350 supports a maximum of 144 FXS ports. When MGCP control is configured and the configuration is downloaded from CUCM, the gateway crashes.
Workaround: Use no ccm-manager config to stop the configuration download from CUCM.
Symptom: The Cisco 7600 router crashes at show_li_users.
Conditions: This symptom is observed under the following conditions: In li-view, create a username: lawful-intercept and li_user password: lab1. Then attempt to delete it with "no username li_user". Later, show the users of LI.
Workaround: There is no workaround.
Symptom: If an xTR enabled for LISP mobility is a “home xTR” (that is, it has the mobility subnet as a directly connected route) then traffic arriving non-LISP encapsulated for a host who has moved away, will not trigger a map-request. This means that this xTR does not have a pre-existing map-cache entry for the host who moved away, and traffic will be dropped.
Conditions: The symptom is observed if an xTR enabled for LISP mobility is a “home xTR”.
1. On the xTR use the lig tool to cause a map-cache entry to be created.
2. Configure the xTR as a PITR instead of an ITR.
Symptom: The crash is observed for SDP pass through or call forward or antitrombone cases.
Conditions: The crash is observed for a basic call involving SDP pass through or call forward or antitrombone cases.
Workaround: There is no workaround.
Symptom: The connected interface that is enabled for EIGRP will not be redistributed into BGP.
Conditions: This symptom occurs when the prefix of the connected interface is in the EIGRP topology table with “redistribute eigrp” under BGP address-family IPv4.
Workaround: Redistribute the connected interface and EIGRP.
Symptom: A Cisco router doing authentication proxy may unexpectedly reload when running the test aaa command.
Conditions: This symptom occurs when the router is using LDAP authentication and has a misconfigured LDAP authentication configuration.
Workaround: Correct the misconfiguration.
Symptom: Ping fails with security applied and IKE disabled.
Conditions: This symptom is observed when the Cisco IOS Release 15.3(1.15)T image is loaded.
Workaround: There is no workaround.
Symptom: The Cisco 7600 router may crash while performing the NSF IETF helper function for a neighbor over a sham-link undergoing NSF restart.
Conditions: This symptom occurs when a router is configured as an MPLS VPN PE router with OSPF as PE-CE protocol. OSPF in VRF is configured with a sham-link and a neighbor router over a sham-link is capable of performing an NSF IETF restart on sham-links.
Note: This problem cannot be seen if both routers on sham-link ends are Cisco IOS routers.
Workaround: Disable the IETF Helper Mode protocol by entering the following commands:
Note: Disabling Helper Mode will result in an OSPF peer dropping adjacency if the peer is reloaded.
Symptom: Extra IPsec flow is shown in the “show crypto session” output.
Conditions: This symptom is observed with the Cisco ASR 1000 RP1 FlexVPN Client.
Workaround: There is no workaround.
Symptom: Router crash at ipigrp2_redistribute_process.
Conditions: The crash is observed when EIGRP is configured/unconfigured with redistribution from BGP continuously. Redistribution is being configured with route maps having both IPv4 and IPv6 prefixes. In a scenario with routes flapping, RIB has deleted the route while EIGRP has not yet finished processing.
Workaround: There is no workaround.
Symptom: HTTP POST messages may not be fixed properly after adding scansafe headers.
Conditions: This symptom was first identified on a Cisco ISR running a Cisco IOS Release 15.2(4)M2 image. A Cisco IOS Release 15.2(4)M1 image does not show the problem.
Workaround: Whitelist the domain from being sent over to the towers.
Symptom: Client MAC/framed IP missing in the coa:session query response from ISG.
Conditions: The symptom is observed when you do a COA account-query for lite-session.
Workaround: There is no workaround.
Symptom: For an MGRE tunnel, internal VLANs are not allocated in the standby supervisor.
Conditions: The symptom is observed when an HA router boots up with MGRE tunnel configurations. Internal VLANs are not allocated in the standby supervisor due to a sync issue during bootup.
Workaround: There is no workaround.
Symptom: Cisco ME-3600X-24FS-M switch drops R-APS PDU packets and the following error messages are seen in the debug:
Conditions: The symptom is observed when used with devices that support only G.8032 (2008) for ERPS.
Workaround: There is no workaround.
Symptom: In a dual-homing topology, switching from the backup mode to the nominal mode ends up with the active “source” router sending a data MDT but transmitting on the default MDT.
Conditions: The symptom is observed on a dual-homing topology with CORE GRE tunnel.
Workaround: Use the following command:
Symptom: The Dynamic Performance Monitor fails to report the metrics.
Conditions: This symptom is observed after recreating the interface.
Workaround: There is no workaround.
Symptom: VRF service applied on the L2 initiated DHCP session over EoGRE tunnel is not working.
Conditions: DHCP offer packets from the VRF pool are getting dropped under the above mentioned case.
Workaround: There is no workaround.
Symptom: Adding an event listener returns an error.
Conditions: The symptom is observed when you do a no service set pathtrace and service set pathtrace.
Workaround: Do no onep and onep again.
Symptom: Redistributed internal IPv6 routes from v6 IGP into BGP are not learned by the BGP neighboring routers.
Conditions: This symptom occurs because of a software issue, due to which the internal IPv6 redistributed routes from IGPs into BGP are not advertised correctly to the neighboring routers, resulting in the neighbors dropping these IPv6 BGP updates in inbound update processing. The result is that the peering routers do not have any such IPv6 routes in BGP tables from their neighbors.
Workaround: There is no workaround.
Symptom: A BFD session is created for tunnel-tp without any BFD configuration underneath it.
Conditions: This symptom occurs only on bootup and when there is no BFD configuration underneath tunnel-tp.
Workaround: There is no workaround.
Symptom: Incremental memory leaks are seen at IPSec background proc.
Conditions: This symptom occurs when “clear cry session” is issued multiple times when bringing up the tunnel.
Workaround: There is no workaround.
Symptom: Standby RP crashes during bulk sync with:
Conditions: The crash occurs while syncing a shutdown TE tunnel interface configuration.
Workaround: Delete the shutdown TE tunnel configuration, if not required.
Symptom: A Cisco 10000 series router crashes.
Conditions: Seen while running the below script which churns the mixed sessions (DHCP SIP/PMIP/GTP).
1. Using landslide with performance accelerator enabled to emulate EoGRE client and GGSN:
2. Per tunnel, after all sessions established, bi-directional traffic at 10pps per direction is applied per session.
3. Each session has absolute timeout of 45 minutes.
4. DHCP lease time is 45 minutes.
5. After all 48,000 sessions are established, landslide is stopped.
6. Wait till all sessions go down due to session absolute timeout.
7. Wait till all DHCP bindings are released.
Workaround: Without scaling the crash is not seen.
Symptom: ASR with PKI certificate may crash when issuing show crypto pki certificate command.
Conditions: This symptom is observed when the show crypto pki certificate command is issued on ASR with PKI certificate.
Workaround: There is no workaround.
Symptom: E-OAM state is going down when LACP is going down.
There are LACP and E-OAM running on both the routers.
The behavior we observe is that the Cisco 7600 puts a member link into OPER DOWN state if LACP is not received on the port (on active mode). This OPER DOWN link state is propagated to all protocols including E-OAM.
This is incorrect because E-OAM runs below LACP, and hence E-OAM must be able to receive/transmit and have a protocol state of UP irrespective of the LACP indication if its state machine indicates so.
Workaround: There is no workaround.
Symptom: LISP IOS xTR configured with {ip|ipv6} etr map-server server-address key key hash-function sha2 generates a SHA256 authentication incorrectly truncated to 160 bits causing registrations on a non-IOS map-server to fail.
When a registering xTR uses SHA2 authentication, the LISP IOS map-server expects a truncated authentication and will reject a correctly formatted SHA256 authentication.
Conditions: The symptom is observed on a router configured with LISP SHA2 map-server registration authentication.
Workaround: Configure SHA1 authentication instead of SHA2 on the xTR.
Symptom: GM fails to register with keyserver.
Conditions: The symptom is observed when SGT tagging is enabled.
Workaround: There is no workaround.
Symptom: DSP crash with the following console error:
Conditions: Error occurs during an RP switchover process. The standby RP presents DSPs failing to come up.
Workaround: This command may clear up the DSPs:
Symptom: When the port-security configured interface goes to blocking state (MST), the VLANs configured on the port go to not-forwarding state temporarily. The secure mac-addresses are not added back resulting in loss of traffic.
Conditions: The symptom is observed when the port-security configured interface goes to blocking state.
Workaround: Shut and no shut the port-security interface to re-add the mac-addresses.
Symptom: Calls hang at SIP, CCAPI and VOIP RTP components (but are cleared in the dataplane of the Cisco ASR 1000 series platform).
Conditions: This symptom occurs when a video call is setup as an audio call. The call then gets transferred with REFER but the caller hangs up the call before the call gets transferred. This is an intermittent problem.
Workaround: If there is a SIP call dangling (sh sip call sum), then use the clear call voice causecode 16 command to clear the dangling call.
Symptom: Memory leaks are observed with a Cisco ASR router with CVP call flows.
Conditions: The symptom is observed under load conditions. Memory leaks are seen in Cisco IOS XE 3.8.
Workaround: There is no workaround.
Symptom: Standby continuously crashes with traceback on pm_vlan_deallocate.
Conditions: The symptom is observed when the router has both active and standby. When the router is coming up, the standby is crashing continuously though the active comes up without any issues. The router has an MDT configuration.
Workaround: There is no workaround.
Symptom: Upon doing a clear ip bgp * soft out or graceful shutdown on a PE, all VPNv4/v6 routes on an RR from this PE are purged at the expiry of enhanced refresh stale-path timer.
Conditions: The symptom is observed with the following conditions:
1. PE must have BGP peering with at least one CE (VRF neighbor) and at least one RR (VPN neighbor).
2. PE must have a rtfilter unicast BGP peering with the RR.
3. IOS version must have “Enhanced Refresh” feature enabled.
4. A clear ip bgp * soft out or graceful shutdown is executed on the PE.
Workaround: Instead of doing clear ip bgp * soft out, do a route refresh individually towards all neighbors.
Symptom: DHCP SIP database not cleared completely after session churning. Some sessions would end up in state “Waiting for cleanup” or “Down”.
Conditions: This can happen when there is an IP session and a renew comes to restart the DHCP session. Another case is when a DHCP renew comes but the LMA/GTP responds with a different IP. In that case, the ISG will NACK the client. If the client does not come back with a new discover, the DHCP SIP session can be seen in down state.
Workaround: There is no workaround.
Symptom: A Cisco ASR router crashes while sending notify with KPML digit.
Conditions: The symptom is observed on a Cisco ASR router. It is seen when the DTMF type is changing to SIP-KPML midcall.
Workaround: Do not change DTMF type mid-call.
Symptom: No per-session features are applied on session if ISG first-sign-of-life is triggered by accounting-start from AZR.
Conditions: The symptom is observed when an accounting-start from AZR triggers MAC-TAL attempt on an ISG which fails to leave the session in unauthenticated-state. When subscriber logs into their sessions via the webauth-portal the ISG activates the features on the applied ISG-service but those applied to the ISG-session (e.g.: idle-timeout, accounting-method, etc.) are not applied. With no idle timer applied, sessions remain in stale-state indefinitely after subscriber had moved away from WiFi hotspot range without logging out their session.
Workaround: There is no workaround.
Symptom: The router crashes due to null pointer dereference.
Conditions: This symptom occurs with the C4 VSS system (2 sup vss) with dual-homed fex stack (This has not been seen on other platforms, but the fix is ported as a precautionary measure). During the first SSO, no crash is observed [Active and Standby (Hot-Standby)]. During the second SSO, a crash is observed.
Workaround: There is no workaround.
Symptom: TDM voice call gets terminated due to voice-port shutdown when T1/E1 module on other NIM slot is reloaded (OIR).
Conditions: The symptom is observed when an OIR of T1/E1 module in any NIM slot shuts down the voice-ports (if any) on all other T1/E1 NIM slots.
Workaround: There is no workaround.
1. Certain counter values will appear to wrap around for condition 1 under the section “Aggregate traffic distribution statistics”.
2. Certain counter values will appear to decrement instead of incrementing for condition 2 under the section "Aggregate traffic distribution statistics".
The following fields are affected:
Conditions: The symptom is observed:
1. When counter values exceed 4294967296.
2. One of the following clear commands is run and value exceeds 4294967292:
– clear service-insertion statistics
– clear service-insertion statistics service-node
– clear service-insertion statistics service-node-group
The symptom will occur when viewing the output from either of the two show commands: show service-insertion statistics service-node or show service-insertion statistics service-node-group.
Workaround: Avoid issuing clear service-insertion statistics service-node-group and clear service-insertion statistics service-node. The stats for the counter values can be monitored up to 2^32 and wraparound thereafter. This limits the counter values to 2^32 instead of 2^64.
Symptom: Sometimes some of the sessions will get stuck in authenticating/attempting state.
Conditions: The symptom is observed when the session is being restarted. At that point of time, the SSS will send a message to the policy to get the authorization details if we get a terminate/release from the DHCP. The session will start the terminate process. Since the session does not have an SSS handle it will not send a disconnect to SSS.
Workaround: Manually clear session using clear subscriber session. If there is an associated binding, then also clear it using clear ip dhcp binding.
Symptom: Traffic drops with scalable EoMPLS.
Conditions: This symptom occurs when the MPLS label allocates 21 bit for the label with TE tunnel in the core.
Workaround: There is no workaround.
Symptom: Mobility (PMIPv6/GTP) sessions fail to come up, get stuck at unauthen/service attempting state.
Conditions: The symptom is observed during session churning. Some mobility (PMIPv6/GTP) sessions fail to come up, but get stuck at unauthen/service attempting state.
Workaround: Manually clear the sessions.
Symptom: Router crashes when you flap the tunnel interface.
Conditions: The symptom is observed when sessions are there, and you do a shut/no shut multiple times.
Workaround: There is no workaround.
Symptom: CLI command show crypto session xxx results in memory leaks.
Conditions: Execution of show crypto CLI command appears to cause 168-byte memory leak for each of the following commands:
Workaround: There is no workaround.
Symptom: Linecard crash is seen with machine-check exception.
Conditions: There is no trigger. The crash is random.
Workaround: There is no workaround.
Symptom: A CPU hog is caused by unnecessary requests to calculate the dynamic MPLS label range for each of the service instances configured (especially for L3VPN services).
Conditions: This symptom will occur if there is any MPLS ip-propagate-ttl, label range, or per-interface MPLS MTU configuration on the switch/router. When this configuration is present, and there are a large number of interfaces, any operation that involves generating the configuration will be slow (for example, show run, copy run, write mem, etc).
This can result in the copy operation taking more than 300 seconds (for an average configuration size of 1000kB). Note that it will complete in due course, and the generated configuration will be correct (it takes longer than it should).
Workaround: Reducing the number of BGP routes injected for L3VPN sessions causes the CPU hog to last for a smaller duration as it reduces the number of MPLS labels assigned and thus the amount of unnecessary work being done.
Symptom: On LAC, with “l2tp hidden” configured under VPDN template, L2TP sessions are failing to establish on existing L2TP tunnels after RP failover.
Conditions: The symptom is observed with “l2tp hidden” configured under VPDN template.
Workaround: Tear down L2TP tunnels after RP failover, or unconfigure “l2tp hidden”. Disabling L2TP redundancy with “no l2tp sso enable” will fix issue as well.
Symptom: Call is failing if transcoder is needed for DTMF interworking and offer-all is configured.
Conditions: CUBE will reserve a transcoder for codec mismatch and release the transcoder since the codecs are the same, but DTMF still requires a transcoder for interworking.
Workaround: There is no workaround.
Symptom: LISP control packets dropped in the network.
Conditions: The symptom is observed when there are more than 32 hops between sender and receiver.
Workaround: There is no workaround.
More Info: LISP control packets are sent with an IP TTL of 32, meaning that if there are more than 32 IP hops between the sender and receiver, they will be dropped in the network.
Symptom: Router displays malloc failure error message.
Conditions: The symptom is observed when the router is running IPsec.
Workaround: There is no workaround.
Symptom: CUBE reloads while testing SDP passthrough with v6.
Conditions: The symptom is observed while testing SDP passthrough with v6.
Workaround: There is no workaround.
Symptom: GETVPN IPv6 packets get dropped.
Conditions: The symptom is observed whenever an IPv6 GETVPN group is configured.
Workaround: There is no workaround.
Symptom: IPv6 sessions will not come up with this traceback “idle with blocking disabled”.
Conditions: The symptom is observed with IPv6 sessions.
Workaround: There is no workaround.
More Info: No workaround if you are trying IPv6 sessions. For IPv4 sessions tracebacks are seen but there is no effect in functionality.
Symptom: Router crashes when it checks whether the interface is configured as DHCP SIP session initiator.
Conditions: The symptom is observed when DHCP and ISG are configured.
Workaround: There is no workaround.
Symptom: MPLS traffic engineering BC MAM model does not take effect when configured.
Conditions: The symptom is observed when you configure the BC MAM model.
Workaround: There is no workaround.
Symptom: Router drops ESP packets with CRYPTO-4-RECVD_PKT_MAC_ERR.
Conditions: The symptom is observed when the peer router sends nonce with length 256 bytes.
Workaround: There is no workaround.
Symptom: SG3 fax call fails in STCAPP set up.
Conditions: The symptom is observed when you disable fax and modem with no fax-relay sg3-to-g3 to use audio pass-through for a voice port controlled by STCAPP. The CM tone detection is turned on and affects the fax.
Workaround: There is no workaround.
Symptom: vg350-universalk9-mz.SSA image fails to build.
Conditions: Building image fails.
Workaround: There is no workaround.
Symptom: A Cisco ISR 4451 router crashes under traffic.
Conditions: The symptom is observed with a Cisco ISR 4451, when used as CUBE under extended traffic.
– Software Version: Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Experimental Version 15.3(20130501:122311) [v153_2_s_xe39_throttle-BLD-BLD_V153_2_S_XE39_THROTTLE_LATEST_20130501_111211-ios 170]
– Type of traffic: SIP-SIP (basic and supplementary services).
– Traffic Rate: 200 concurrent calls.
This section describes possibly unexpected behavior by Cisco IOS Release 15.3(2)S. All the bugs listed in this section are open in Cisco IOS Release 15.3(2)S. This section describes only severity 1, severity 2, and select severity 3 bugs.
Symptoms: The router stops passing IPsec traffic after some time.
Conditions: This symptom is observed when the show crypto eli command output shows that during every IPsec P2 rekey, the active IPsec-Session count increases, which does not correlate to the max IPsec counters displayed in SW.
Workaround: Reload the router before active sessions reach the max value.
Symptoms: Adding an event listener returns an error.
Conditions: Do no service set pathtrace and service set pathtrace.
Workaround: Do no onep and onep again.
Symptoms: Router crashes while bootup from sup-bootdisk.
Conditions: Issue seen in two routers and formatting the bootdisk.
Workaround: There is no workaround.
Symptoms: GM failed to register with KS.
All the bugs listed in this section are resolved in Cisco IOS Release 15.3(2)S. This section describes only severity 1, severity 2, and select severity 3 bugs.
Symptoms: A router may reload unexpectedly when opening a terminal session.
Conditions: This can be seen on any platform. It can be seen when starting any terminal session from the router, including a mistyped command which the router by default will try to resolve as an address to telnet to.
This bug is not specific to X.25 config and is seen when initiating an outbound telnet/ssh/rlogin session from the device. It occurs when there are multiple outbound sessions from the same terminal (console, vty).
Workaround: There is no workaround.
Symptoms: A router may go into initial configuration dialog on bootup.
Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.4(11)T2 with the c7200p-adventerprisek9-mz image.
Workaround: There is no workaround.
Symptoms: A Cisco 5400XM may reload unexpectedly.
Conditions: This symptom is intermittent and is seen only when the DSPs available are insufficient to support the number of calls.
Workaround: Ensure that sufficient DSPs are available for transcoding.
Symptoms: A router loses its default gateway during autoinstall.
Conditions: This issue was seen on Cisco IOS Release 12.4(15)T5, but should affect every Cisco IOS version.
1. Manually do a shut followed by a no shut on the interface.
2. Create an EEM script, for example:
3. In network-config, configure “ip address dhcp” for the interface which is supposed to get the default gateway from DHCP.
Symptoms: A Cisco 870 router may fail to write a crashinfo file and will display the following error on the console:
Conditions: The symptom is observed with certain types of memory corruption.
Workaround: There is no workaround.
Symptoms: A communication failure may occur due to a stale next-hop.
Conditions: This symptom is observed when the static route for an IPv6 prefix assigned by DHCP has a stale next-hop for terminated users.
Workaround: Reload the router.
The Resource Reservation Protocol (RSVP) feature in Cisco IOS Software and Cisco IOS XE Software contains a DoS vulnerability.
Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130327-rsvp
Note: The March 27, 2013, Cisco IOS Software Security Advisory bundled publication includes seven Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar13.html
Symptoms: The IP SLA destination IP/port configuration changes over a random period of time. This issue is hard to reproduce but has been reported after upgrading to Cisco IOS Release 15.1(1).
So far, it only seems to have affected the destination IP and port. The destination IP may be changed to an existing destination IP that has already been used by another probe. The destination port is sometimes changed to 1967 which is reserved for IP SLA control packets. Other random destination ports have also been observed to replace the configured port for some of the IP SLA probes. Each time when the change happens, many of the IP SLA probes will stop running.
Conditions: This symptom is observed in Cisco IOS Release 15.1(1)XB and Cisco IOS Release 15.1(1)T. Other Cisco IOS versions may also be affected.
Workaround: A possible workaround is to downgrade to any Cisco IOS versions older than Cisco IOS Release 15.1.x.
Symptoms: Cisco 2960 and 3750 series switches running Cisco IOS Release 12.2(53)SE1 may crash.
Conditions: This symptom is observed if two traps are generated by two separate processes, and if one process suspends and the other process updates some variables used by the first process.
Workaround: Disable all snmp traps.
Symptoms: Routers configured to dump core to flash: or flash0: fail to dump correctly to 4GB CompactFlash card.
Conditions: The symptom is observed with the following configuration:
Then when you issue a wr core, it fails to dump core files.
Workaround: Dump cores to TFTP.
Symptoms: If an IPv4 or IPv6 packet is sent to a null interface, a Cisco ASR 1000 series router will not respond with an ICMP or ICMPv6 packet.
Conditions: This symptom occurs with a prefix routed to Null0 interface.
Workaround: There is no workaround.
Symptoms: The Cisco Catalyst 4000 series switches running Cisco IOS Release 12.2(54)SG experience high CPU when issuing an unsupported command, https://ip-address, in which ip-address is accessible from this device.
Conditions: This symptom is observed with the Cisco Catalyst 4000 series switches.
Workaround: There is no workaround.
Further Problem Description: Even if SSL handshake fails, the HTTP CORE process is looping and is scheduled repeatedly.
Symptoms: Password aging with crypto configuration fails.
Conditions: The symptom is observed when Windows AD is set with “Password expires on next log on” and the VPN client is initiating a call to NAS. NAS does not prompt for a new password and instead gives an Auth failure.
Workaround: There is no workaround.
Symptoms: IOS password length is limited to 25 characters.
Conditions: IOS password length is limited to 25 characters on NG3K products.
Workaround: There is no workaround.
Symptoms: After reload, ISDN layer 1 shows as deactivated. Shut/no shut brings the PRI layer 1 to Active and layer 2 to Multi-frame established.
Conditions: This symptom occurs when “voice-class busyout” is configured and the controller TEI comes up before the monitored interface.
Workaround: Remove the “voice-class busyout” configuration from the voice-port.
Symptoms: A Cisco router may unexpectedly reload due to bus error or generate a spurious access.
Conditions: The issue occurs when fragmentation of a tunneled packet fails due to the F/S particle pool running out of free particles. The F/S pool is used for fragmentation, so exhaustion of this pool will occur when there is a large amount of traffic flowing for which fragmentation is required. By default, path MTU discovery is enabled for tunnels, which means that fragmentation is done at the tunnel interface rather than the underlying interface, and this issue is not hit. If the MTU is overridden, then the router may become exposed to this issue. Assuming the tunnel is over an Ethernet interface with an MTU of 1500, this will happen when the tunnel MTU is set to greater than 1476 bytes.
1. Remove MTU override from the tunnel interface; or
2. Configure “service disable-ip-fast-frag”; or
3. Reduce hold queue sizes such that the total size of the queues for all active interfaces in the system does not exceed 512.
Symptoms: Spurious memory access seen on video monitoring router.
Conditions: The issue is seen after recreating the interface.
Workaround: There is no workaround.
Symptoms: Expected ACL/sessions not found for most of the protocols.
Conditions: The symptom is observed with expected ACL/sessions.
Workaround: There is no workaround.
Symptoms: Router crashes due to Mediatrace performance monitor debug.
Conditions: The issue is seen with debug performance monitor database.
Workaround: There is no workaround.
Symptoms: Tracebacks are seen for PLATFORM_INFRA-5-IOS_INTR_OVER_LIMIT.
Conditions: This symptom is observed with RPSO.
Workaround: There is no workaround.
Symptoms: There is a memory leak in PfR MIB.
Conditions: This symptom occurs when PfR is configured.
Workaround: There is no workaround.
Symptoms: Tracebacks are seen at swidb_if_index_link_identity on the standby RP.
Conditions: This symptom is observed when unconfiguring and reconfiguring “ipv4 proxy-etr” under the router LISP.
Workaround: There is no workaround.
1. Inline service policy Configuration: Unable to configure monitor parameters once the flow monitor is specified. See the following example:
2. Non-inline service policy: Unable to change monitor parameters once the flow monitor is bound to a policy-map and attached to an interface. See the following example:
If an attempt is made to change monitor parameters of an already attached policy as below, it will be rejected.
1. This symptom is seen when configuring an inline service policy for performance monitor on ASR platform.
2. This symptom is seen when modifying monitor parameters of a non-inline service policy for performance monitor on a Cisco ASR platform.
1. To configure inline service policy, always specify all monitor parameters first and put the flow monitor monitor name command as the last command in the configuration.
2. To change monitor parameters, remove the service-policy by using the no service-policy command, make your changes, and then reattach the service-policy.
The above configuration restrictions do not apply if the enclosing policy-map is not attached to any interface. Also the changes do not apply if you specify an “empty” flow monitor, for example a flow monitor without an enclosing valid flow record.
Symptoms: Sometimes, users may face a “peer leak” situation with EzVPN.
Conditions: This symptom may occur when a NAT box gets reloaded/rebooted with live translations.
Workaround: Reload the router to clear the leaked peers.
Symptoms: A Cisco ASR 1000 crashes with clear ip route *.
Conditions: The symptom is observed when you configure 500 6RD tunnels and RIP, start traffic and then stop, then clear the configuration.
Workaround: There is no workaround.
Symptoms: Tracebacks are seen when configuring the key server.
Conditions: This symptom occurs when configuring the key server.
Workaround: There is no workaround.
Symptoms: The router may unexpectedly reload when OSPFv3 MIB is polled via SNMP.
Conditions: This symptom occurs when OSPFv3 is configured with area ranges whose prefix length is /128. A router with no area ranges is not vulnerable.
Workaround: Configure area ranges to have a smaller prefix length (that is, in the range of /0 to /127).
Symptoms: The crypto session stays in UP-NO-IKE state.
Conditions: This symptom occurs when using EzVPN.
Workaround: There is no workaround.
Symptoms: A crash is seen while applying the policy map with more than 16 classes with the Cisco 3900e platform.
Conditions: This symptom occurs when applying the policy map with more than 16 classes.
Workaround: There is no workaround.
Symptoms: An MTP on a Cisco ASR router sends an “ORC ACK” message through CRC for the channel ID that is just received but does not reply to the ORC for the next channel.
Conditions: The symptom is observed when there is a very short time lapse between the ORC and CRC, say 1 msec.
Workaround: There is no workaround.
Symptoms: RP crash is observed on avl_search in a high scaled scenario.
Conditions: This symptom is observed in a high scaled scenario with continuous traffic flow.
Workaround: There is no workaround.
Symptoms: A traceback is seen after applying DMLP configurations while doing a line card reload.
Conditions: This symptom occurs during a line card reload.
Workaround: There is no workaround.
Symptoms: In a multihomed setup, set up the traffic as explained in the DDTS. Once end-to-end traffic flows fine, do a RP switchover on ED1. Traffic from Ixia 3 to Ixia 1 and Ixia 3 to Ixia 2 on odd VLANs (ED1 is the AED for odd VLANs) is dropped with UnconfiguredMplsFia counters incrementing.
Conditions: This symptom is observed when you do an RP switchover with a scaled OTV configuration in a multihomed setup.
Workaround: There is no workaround.
Conditions: This symptom occurs when you remove and add service policies on unsupported interfaces.
Workaround: There is no workaround.
Symptoms: MIB walk returns looping OID.
Conditions: The symptom is observed when a media mon policy is configured.
Workaround: Walk around CiscoMgmt.9999.
Symptoms: The following is displayed on the logs:
Conditions: This symptom is seen when video Xcode call with plain audio fails.
Workaround: There is no workaround.
Symptoms: A layer-3 (routed) interface can be converted to layer-2 (switched) interface by applying the switchport configuration command. If the interface was configured as a vnet trunk the vnet subinterfaces are deleted. Subsequently, if the switchport command is removed the “vnet trunk” configuration will reappear but the vnet trunk will no longer be functional. When a switchover is performed following the sequence above the new active takes over as expected, but when the old active reboots as standby, configuration sync fails because the standby attempts to create the vnet subinterfaces which no longer exist on the active. This results in a ifindex-sync failure and a PRC error that causes the RP to go into a continuous reboot loop.
Conditions: The symptom only occurs on switch platforms with a redundant RP.
Workaround: Remove the “vnet trunk” configuration from an interface before converting it from layer-3 to layer-2.
Symptoms: The router crashes when trying to test the MVPN6 functionality.
Conditions: This symptom is observed with the following conditions:
– Configure the router to test the MVPN6 functionality.
– Delete the VRF associated with the interface in the MVPN6 test configuration.
Workaround: There is no workaround.
Symptoms: On a Cisco ME 3600X or Cisco ME 3800X, when traffic for a group (S2,G) is sent to an interface that is already acting as the source for another group (S1,G), it does not receive any traffic since no (S2,G) entry is formed.
Conditions: This symptom is observed when the receiver interface is already a source interface for another multicast stream.
Workaround: There is no workaround.
Symptoms: The BGP GSHUT feature needs to add support for the AA:NN format for community.
Conditions: This symptom is observed when support is added for the AA:NN format for community when using the BGP GSHUT feature.
Workaround: The <1-4294967295> community number can be used instead of the AA:NN format.
Symptoms: The Standby router crashes for an SRTP call on Active.
Conditions: This symptom occurs intermittently. This issue is seen due to a transient scenario, where unstable data from Active is checkpointed on Standby.
Workaround: There is no workaround.
Symptoms: The Cisco ASR 901 router may lose rmon configuration post reload.
Conditions: This symptom occurs when you reload the Cisco ASR 901 router.
Workaround: Reconfigure rmon after bootup.
Symptoms: A small percentage of IPv6 packets that should be blocked by an interface ACL instead pass through.
Conditions: In certain conditions, when an IPv6 ACL is applied to an interface, a small percentage of IPv6 packets that would otherwise be dropped, will instead bypass an ACL and get through.
Workaround: There is no workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
CVE ID CVE-2012-3946 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptoms: Memory leaks on the active RP and while the standby RP is coming up.
Conditions: The symptom is observed when ISG sessions are coming up on an HA setup.
Workaround: There is no workaround.
Symptoms: Source connected to dual home node is not forwarded to receivers in PIM SSM mode. The issue was due to the PIM joins not reaching the source node.
Conditions: This symptom occurs with dual home node with PIM SSM with traffic source.
Workaround: Add static group to forward the traffic to next hop router.
Symptoms: Shut down the physical interface of tunnel source interface. The router crashes with traffic going through some of the tunnels.
Conditions: This symptom is seen with tunnel interface with QoS policy installed.
Workaround: There is no workaround.
Symptoms: Not able to ping HSRP VIP address over Routed VPLS.
Conditions: Two Cisco ME 3600s (me360x-universalk9-mz.152-2.S.bin) are connected together via VPLS. The Cisco ME 3600X-1 is configured with HSRP under VLAN50, and the R1 is able to ping. The R2 and Cisco ME 3600X-2 are not able to ping the VIP (HSRP) address. The R2 and Cisco ME 3600X-2 are able to ping physically the IP address of R1 and the Cisco ME 3600X-1. We do have ARP entry for the VIP address on all routers.
Workaround: There is no workaround.
Symptoms: IMA functionality does not work properly.
Conditions: Occurs after an RSP switchover when the router is running an IMA configuration.
Workaround: Reload the interface module with the IMA configuration.
Symptoms: When the system reloads, both the active and standby route processors (RP) crash.
Conditions: This symptom occurs when the standby RP crashes during RFS ISSU negotiation. This event causes the active RP to crash as well.
Workaround: There is no workaround.
Symptoms: Switchover/reload fails in the Cisco ASR 903 HA setup due to the “LICENSE-3-ISSU_ERR: ISSU start nego session FAILED, error:-287” error message.
Conditions: This symptom is observed with the Cisco ASR 903 router. This issue is seen only when doing a Route Processor (RP) switchover using the redundancy force-switchover command.
Workaround: There is no workaround.
Symptoms: Traffic is not forwarded for a few mroutes.
Conditions: This issue is seen when multiple routers in the network are reloaded simultaneously.
Workaround: Using the clear ip mroute vrf vrf name command may resolve the issue.
Conditions: Occurs when you configure CFM, SCE over MPLS, VPLS, or G.8032 services while running SNMP polling.
Workaround: There is no workaround.
Symptoms: The router crashes on using the config replace command with certain QoS configured on the box.
Conditions: This symptom occurs when certain QoS configurations on the box are replaced with a configuration that removes them.
Workaround: There is no workaround.
Symptoms: Ingress QoS Tcams are not cleared after certain dynamic changes.
Conditions: This symptom is observed on removing the encapsulation from the service instance and then deleting the service instance. QoS Tcams are not cleared.
Workaround: Instead of deleting the encapsulation first, delete the service instance first.
Symptoms: Continuous “platform assert failure” tracebacks with CFM over Xconnect on the router.
Conditions: CFMoXconnect with mpls TE in core. Flap the core facing link.
Workaround: There is no workaround.
Symptoms: Changing the speed of one of the member interfaces of a port-channel causes a traceback on the Cisco ASR 901 and the node reloads.
Conditions: This symptom occurs when you execute the “speed” CLI to change the speed of one of the member interfaces belonging to a port-channel.
Workaround: In order to change the speed of one of the port-channel members, remove that member interface from the port-channel, change the speed, and add it back to the port-channel.
Symptoms: In a VSS system, the old Active Supervisor hangs after a mistral error interrupt occurs on the SP.
Conditions: This symptom occurs on a VSS system, after a mistral hardware error (such as a parity error) occurs on the SP of the router. There is no issue if the error occurs on the RP.
Workaround: There is no workaround. The switch with the old Active Supervisor must be power cycled.
Symptoms: With a scaled 6PE and 6VPE configuration, a crash is observed.
Conditions: This symptom is observed on flapping the interfaces, and defaulting the configurations with a scaled 6PE and 6VPE configuration.
Workaround: There is no workaround.
Symptoms: MLDP traffic is dropped for a few minutes a couple of times after SSO.
Conditions: This issue is seen soon after performing SSO.
Workaround: There is no workaround.
Symptoms: The MPLS-TP link number configured for the SVI interface is not cleared after deleting the SVI.
Conditions: This symptom is observed when the TP link number configured on the SVI is not allowed to be configured for any other interface.
Workaround: There is no workaround.
Symptoms: This symptom is seen when testing DMVPN in a HUB-SPOKE topology, where there are 170 tunnels protected with IPsec on the Spoke and one mGRE tunnel on the hub. B2B redundancy is configured. No QoS is applied on the scaled IPsec tunnels. Upon doing SSO with this configuration, the “%VPNSMIOS-3-MACEDONTUNNELVLANERR: Tunnelx: allocated idb has invalid vlan id” error message is seen repeatedly on the new active and the router becomes almost inaccessible. As can be seen from the show vlan int usage command output, there are more than 3K free VLANs on both the Hub and Spoke.
After a continuous flood of error messages, a Granikos crash is seen, and the show cry eli command shows only one SPA and this SPA is stuck in INIT state.
Conditions: This symptom occurs when doing a shut/no shut using the interface range command, and once all tunnels are up, doing an SSO.
Workaround: There is no workaround.
Symptoms: MFR memberlinks-T1 serial interfaces created under a CHOC12 controller, do not get decoupled from MFR even after the MFR bundle interface is deleted. Once the MFR bundle interface is reconfigured, the memberlinks do not appear under it.
Conditions: This symptom is seen with MFR with memberlinks as T1 serials from CHOC12 sonet controller.
Workaround: Unconfigure and reconfigure the “encap frame-relay MFRx” under each memberlink after reconfiguring the MFR bundle interface.
Symptoms: The router’s NAS-IP address contained in the RADIUS accounting-on packet is 0.0.0.0:
Conditions: Occurs when you restart the router.
Workaround: There is no workaround.
Symptoms: IPv6 multicast routing is broken when we have master switchover scenarios with a large number of members in stack. Issue is seen on platforms like Cisco 3750E and Cisco 3750X where IPV6 multicast routing is supported.
Conditions: This symptom is observed when IPV6 multicast routing is configured, mcast routes are populated and traffic is being forwarded. Now, in case of master switchover, synchronization between master and members is disrupted. This is seen only for IPv6 multicast routing. Observed the issue with 9-member stack and either during first or second master switchover. No issues are seen for IPv4 multicast routing.
Workaround: Tested with 5-member stack, and no issues are seen. It is recommended to enable IPv6 multicast routing when there is deployment with low members in stack.
Symptoms: Routes for the converted dedicated IP sessions are missing after an RP switchover.
Conditions: This symptom occurs when converted dedicated IP sessions are not HA aware. After an RP switchover, these sessions will be reestablished at the new active RP. Routes are not installed for some of these sessions. As a result, downstream traffic is dropped.
Workaround: There is no workaround.
Symptoms: The Cisco Catalyst 6000 and Cisco ASR 1000 learn candidate default routes from the Cisco Nexus, due to which the default route is not learned properly, causing an outage.
Conditions: This symptom occurs when the Cisco Nexus is running into a bug CSCtz79151 because of which it is advertising the candidate defaults to its downstream neighbors.
Workaround: Configure “default-information in xxxx” on the Cisco Catalyst 6500, where xxxx is an ACL denying all default candidates from being learned, except 0.0.0.0/0.
Symptoms: After upgrading to Cisco IOS Release 15.2(2)S, users cannot get IP address via PPP IPCP from DHCP pool on Cisco ASR router. There is no configuration change.
Conditions: This symptom occurs with an upgrade to Cisco IOS Release 15.2(2)S.
Workaround: Remove the vpdn authen-before-forward command.
Symptoms: IPv6 BFD sessions flap.
Conditions: This symptom occurs after SSO.
Workaround: There is no workaround.
Symptoms: When a service change occurs at the Cisco ISG, in some particular conditions, the SCE is not ready to accept the CoA. In such a case, the Cisco ISG resends an Update Session on the ISG-SCE Bus. The Update Session is sent but it is not populated with the required attribute for SCE (policy, service-monitor).
Conditions: This symptom is observed with the Cisco ISG.
Workaround: There is no workaround.
Symptoms: After SSO, all the GRE tunnels get admin down and stay down until the security module SSC-600/WS-IPSEC-3 comes up. Complete traffic loss is seen during this time.
Conditions: This symptom is observed when Vanilla GRE tunnels are configured in the system where HA and the IPsec Module SSC-600/WS-IPSEC-3 card is present, “crypto engine mode vrf” is configured and SSO is issued.
Workaround: Remove the “crypto engine mode vrf” configuration if IPsec is not enabled on the router.
Symptoms: The recursive IPv6 route is not installed in the multicast RPF table.
Conditions: This symptom occurs in the multicast RPF table.
Workaround: There is no workaround.
Symptoms: Cisco IOSd crashes at ipv6_address_set_tentative.
Conditions: This symptom occurs while unconfiguring IPv6 subinterfaces during the loading phase of a box with Netflow configuration.
Workaround: There is no workaround.
Symptoms: The SIP-400 line card crashes with the below error message:
Conditions: This symptom occurs when you reload the router running the Cisco IOS XE Release 3.8S mcp_dev supervisor image without any configurations. This issue is not reproducible every time.
Workaround: Reboot the line card.
Symptoms: The VRF to the global packet’s length is corrupted by -1.
Conditions: This symptom occurs when the next-hop in the VRF is global and recursive going out labeled. This issue is seen from Cisco IOS Release 15.0(1)S3a onwards, but is not seen in Cisco IOS Release 15.0(1)S2.
Workaround: Use the next-hop interface IP instead of the recursive next-hop.
Symptoms: A Cisco ASR router may crash due to a CPU Watchdog upon invocation of “show ip eigrp neighbor detail”.
Conditions: This symptom occurs when the Cisco ASR router is experiencing rapid changes in EIGRP neighborship, such as during a flap. One way to artificially create this scenario is to mismatch the interface MTU.
Workaround: There is no workaround.
Symptoms: The router does not pass multicast traffic consistently; only some traffic passes.
Conditions: Occurs when you configure 255 EVCs spanning across different slots on the router.
Workaround: There is no workaround.
Symptoms: Malformed RTCP packets are observed.
Conditions: This symptom occurs when DTMF interworking is enabled or SRTP/SRTCP is in use.
Workaround: Disable DTMF interworking if not required for the call.
Symptoms: DFC cards in a Cisco Catalyst 6500 with a single Sup720 may remain up, continue forwarding traffic, and create L2 loops when the “test crash” command is used.
Conditions: The symptom is observed on a Catalyst 6500 with a single Sup720 and DFC cards when the “test crash” command introducing a parity error in the ARP process is executed.
Workaround: Do not use the “test crash” command.
Symptoms: The Cisco Catalyst 6000 crashes after the removal of the supervisor module from active VSS with the following traceback:
Conditions: This symptom occurs when the following reproduction procedure is performed: NSF is disabled including helper using the below given commands:
Adjacency flapped. NSF enabled again. Performed switchover.
Workaround: Avoid the reproduction procedure in the production. Neighbors should see the router configured for “nsf cisco” as OOB resync capable:
If the router is configured for the “nsf cisco”, but the neighbor does not see LR bit set for router with “nsf cisco”, flap the adjacency, and OOB resync capability will be renegotiated.
Symptoms: The nine-member stack of the Cisco Catalyst 3750 gets into a low memory condition.
Conditions: This symptom occurs with a default configuration on bootup.
Workaround: There is no workaround.
Symptoms: The ingress PE in an MVPNv6 setup crashes.
Conditions: This symptom is observed on performing SSO with MVPNv6 SM and SSM traffic for 50 VRFs.
Workaround: There is no known workaround.
Symptoms: PWs do not come up after SSO.
Conditions: This symptom occurs only in a specific case, where the primary pseudowire path is DN when the active RP is coming up, so the backup PW comes to UP state. Later, when the primary path is available, pseudowire redundancy switchover occurs and the primary PW becomes UP. At this stage, if the Software Switchover occurs, the PWs on the newly active RP are DN. This is a corner case and the chances of this issue occurring in real deployment scenarios are very low.
Workaround: Issue the clear xconnect all command to bring the PWs UP.
Symptoms: QoS will not work on one of the subinterfaces/EVC.
Conditions: This symptom occurs when an HQoS policy is configured on more than one subinterface/EVC on ES+ and a flat SG is then added on them.
Workaround: Remove and reapply SG.
Symptoms: Abnormal line card reload occurs.
Conditions: This symptom occurs when an MVPNv6 scaled router acts as PE on which source traffic is ingressing and the line card is connected on the access side.
Workaround: There is no workaround.
Symptoms: The syslog is flooded with the following traceback message:
Conditions: Occurs under the following conditions:
– You establish 36k EAPSIM sessions using a RADIUS client on server A.
– You establish 36k roaming sessions using a RADIUS client on server B.
– The roaming sessions have the same caller-station-id but use a different IP address than the EAPSIM sessions.
Workaround: There is no workaround.
Symptoms: Traffic loss is observed during switchover if:
1. BGP graceful restart is enabled.
2. The next-hop is learned by BGP.
Conditions: This symptom occurs on a Cisco router running Cisco IOS XE Release 3.5S.
Workaround: There is no workaround.
Symptoms: Incorrect minimum bandwidth is displayed when 0k bandwidth is received from a peer of a different version.
Conditions: This symptom occurs under the following conditions:
– Different behavior in Cisco ASR code when the bandwidth for a route is very high, that is, more than 10G.
– Cisco IOS XE Release 2.6.2 and earlier releases send 0K when the bandwidth for a route is more than 10G.
– Cisco IOS XE Release 2.6.2 and earlier releases use incoming interface bandwidth, when BW = 0 is received.
– Cisco IOS XE Release 3.4.3S and later releases send the real bandwidth, even if it is more than 10G.
– Cisco IOS XE Release 3.4.3S and later releases use the lesser value between “received bandwidth” and “incoming interface bandwidth”.
– Cisco IOS XE Release 3.4.3S and later releases convert incoming bandwidth to 1K in case BW = 0 received.
– When the peers are of the same or compatible version, that is, both peers are Cisco IOS XE Release 2.6.2 and earlier releases or both peers are Cisco IOS XE Release 3.4.3S and later releases, there is no issue. However, when the peers are of different or incompatible version, that is, one peer is Cisco IOS XE Release 2.6.2 or an earlier release and the other peer is Cisco IOS XE Release 3.4.3S or a later release, then this issue is seen.
Workaround: There is no workaround.
Symptoms: Label replication VLANs are leaked even after deleting VRFs.
Conditions: This symptom is observed with a plain MLDP feature configuration.
Workaround: There is no workaround.
Conditions: This symptom occurs after adding or removing a policy-map to a scaled GRE tunnel configuration.
Workaround: There is no workaround.
Symptoms: IGMP and PIM control packets are not reaching RP. As a result, the mac-address table for IGMP snooping entries is not populated.
Conditions: This can be seen on a Cisco 7600 series router that is running IOS where IGMP and PIM control packets come in on an SVI only after the condition where the SVI link state goes down and comes up again. This does not affect routed ports.
Workaround: In the SVI configuration mode:
1. Unconfigure PIM by using no ip pim.
2. Unconfigure IGMP snooping by using no ip igmp snooping.
3. Re-enable both PIM and IGMP snooping.
Symptoms: CUBE reloads on testing DO-EO secure video call over CUBE when SDP passthru is enabled.
Conditions: The symptom is observed when running Cisco IOS interim Release 15.3(0.4)T.
Workaround: There is no workaround.
Symptoms: BGP sometimes fails to send an update or a withdraw to an iBGP peer (missing update).
Conditions: This symptom is observed only when all of the following conditions are met:
1. BGP advertise-best-external is configured, or diverse-path is configured for at least one neighbor.
2. The router has one or more BGP peers.
3. The router receives an update from a peer, which changes an attribute on the backup path/repair path in a way which does not cause that path to become the best path.
4. The best path for the net in step #3 does not get updated.
5. At least one of the following occurs:
– A subsequent configuration change would cause the net to be advertised or withdrawn.
– Dampening would cause the net to be withdrawn.
– SOO policy would cause the net to be withdrawn.
– Split Horizon or Loop Detection would cause the net to be withdrawn.
– IPv4 AF-based filtering would cause the net to be withdrawn.
– ORF-based filtering would cause the net to be withdrawn.
– The net would be withdrawn because it is no longer in the RIB.
The following Cisco IOS releases are known to be impacted if they do not include this fix:
– Cisco IOS Release 15.2T and later releases
– Cisco IOS Release 15.1S and later releases
– Cisco IOS Release 15.2M and later releases
– Cisco IOS Release 15.0EX and later releases
Older releases on these trains are not impacted.
Workaround: If this issue is triggered by a configuration change, you can subsequently issue the clear ip bgp neighbor soft out command.
Symptoms: Scalable EoMPLS traffic drop is observed at the disposition side after performing provision/unprovision of xconnect VCs.
Conditions: This symptom occurs when scalable EoMPLS is configured between PE routers and AC is the interface of ES+ model 76-ES+T+XC-40G, with ES+ HD as the core-facing interface.
Workaround: There is no workaround.
Symptoms: CME reloads for E911 call ELIN translation for incoming FXS/FXO trunk.
Conditions: The symptom is observed from Cisco IOS interim Release 15.3(0.2)T.
Workaround: There is no workaround.
Symptoms: BGP routes are displayed.
Conditions: This symptom occurs after removing the “send-label” from PE.
Workaround: There is no workaround.
Symptoms: Authentication of EzVPN fails.
Conditions: The symptom is observed with BR-->ISP-->HQ.
Workaround: There is no workaround.
Symptoms: FNF records do not get exported when a user reloads the router.
Conditions: This symptom occurs if a user configures a non-default export-protocol, i.e., anything other than “netflow-v9”. If the user configures a non-default export-protocol such as IPFIX or netflow-v5, after saving the configuration to the start-up configuration and reloading the router, the exporter will not export any records.
Workaround: Either one of the following methods will fix this issue:
1. Remove and reconfigure the exporter configuration after reload.
2. Change the export-protocol to the default value (netflow-v9).
Symptoms: Encapsulation for CFM messages may not be correct after the service instance encapsulation is changed. IOS-FMAN-EAOM-ERR message may be observed.
Conditions: This symptom occurs on an Ethernet CFM configured on a bridge-domain or xconnect service instance.
Workaround: There is no workaround.
Symptoms: Following a misconfiguration on a two-level hierarchical policy with a user-defined queue-limit on a child policy, the UUT fails to attach the QoS policy on the interface even when corrected queuing features are used.
Conditions: This symptom is observed with the following conditions:
1. The issue must have the user-defined queue-limit defined.
2. This error recovery defect is confirmed as a side effect with the c3pl cnh component project due to ppcp/cce infrastructure enhancement.
Workaround: There is no workaround.
Symptoms: Flapping BGP sessions are seen if large BGP update messages are sent out and BGP packets are fragmented because midpoint routers have the smaller “mtu” or “ip mtu” configured.
Conditions: This symptom is observed between two BGP peers with matching MD5 passwords configured and can be triggered by the following conditions:
– If the midpoint path has the “mtu” or “ip mtu” setting that is smaller than the outgoing interface on BGP routers, it will force the BGP router to fragment the BGP packet while sending packets through the outgoing interface.
– Peering down and the MD5 error do not always occur. They occur only once or twice within 10 tests.
Workaround: There is no workaround.
Symptoms: Ingress QoS on EVC stops working after reload or after interface flap.
Conditions: This symptom occurs only on EVC QoS.
Workaround: Remove and reconfigure the QoS on EVC.
Symptoms: The WS-IPSEC-3 Module crashes post configuration change.
Conditions: This symptom occurs when you dynamically modify the GRE tunnel protected with IPsec to the sVTI tunnel and vice versa while traffic is traversing across the IPsec tunnel.
Workaround: There is no workaround.
Symptoms: Memory leak occurs during rekey on the IPsec key engine process.
Conditions: This symptom occurs after rekey, when the IPsec key engine does not release KMI memory, causing the IPsec key engine holding memory to keep increasing.
Workaround: Clear crypto session for IPsec key engine to release memory.
Symptoms: Auto-RP group is not automatically joined upon bootup.
Conditions: The symptom is observed when the router reboots and starts from the existing configurations.
Workaround: Manually re-enable “ip pim autorp” after bootup.
Symptoms: Hung calls are seen on CME. Hung calls seen in “show call active voice brief” are as follows:
Conditions: This symptom is observed when an inbound H225 call setup request to a CME gateway results in a hung call if a release complete is received while still in alerting state. This issue occurs only when the shared line is configured on the phone and the shared line is not registered.
Workaround: Remove the shared line or register the shared line.
Symptoms: Reload may occur when issuing the show oer and show pfr commands.
Conditions: This symptom is observed with the following commands:
– show oer master traffic-class performance
– show pfr master traffic-class performance
Workaround: There is no workaround.
Conditions: The no ip routing command is issued when router isis is running and there are thousands of ip routes being processed by isis.
Workaround: Only issue ip routing after deconfiguring isis ip by issuing no ip router isis before issuing no ip routing.
Symptoms: RMEPs from a Cisco ASR 9000 are not learned on a Cisco ME 3800X with CFM running over an xconnect. The Cisco ASR 9000 does learn the RMEPs from the Cisco ME 3800X.
Conditions: This symptom is seen when QoS is enabled on the Cisco ME 3800X prior to enabling CFM.
Workaround: Apply the CFM configuration before QoS or reload the switch with both QoS and CFM enabled in the configuration.
Symptoms: Tracebacks are seen at adjmgr_free_met.
Conditions: This symptom occurs on defaulting an attachment interface having an L2PT configuration and used for VPLS.
Workaround: There is no workaround.
Symptoms: fibidb is not getting initialized.
Conditions: This symptom is observed when LFA FRR is configured in Cisco ME 3800x and ME 3600x switches.
Workaround: There is no workaround.
Symptoms: IPv6 PIM null-register is not sent in the VRF context.
Conditions: This symptom occurs in the VRF context.
Workaround: There is no workaround.
Symptoms: AD in the route installed by client is not updated to the configured value.
Conditions: This symptom is seen when the CLI “ip route 0.0.0.0 0.0.0.0 dhcp 5” is configured. AD is not updated to 5.
Workaround: There is no workaround.
Symptoms: The router may lose OSPF routes pointing to the reconfigured OSPF interface.
Conditions: This symptom occurs after quick removal and adding of the interface IP address by script or copy and paste.
For example, configure the following:
Then, quickly remove/add the IP address:
Workaround: Insert a short delay in between commands for removing/adding the IP address. The delay should be longer than the wait interval for LSA origination; by default, it is 500 ms. Or, refresh the routing table by “clear ip route *”.
Symptoms: In a 1:1 (one active and one standby) scenario, when the hot standby converges to active, port-channel does not come down, but the REP reconverges. The fast-switchover occurs nearly in 1 second.
Conditions: This symptom occurs in a 1:1 (one active and one-standby) scenario, when the hot standby converges to active, port-channel does not come down, but the REP reconverges.
Workaround: There is no workaround.
Symptoms: In an IPFRR configuration, a traceback is seen about changing the FRR primary OCE where the new OCE has a different interface and next-hop, which blocks such a linkage.
Conditions: This symptom occurs while changing the FRR primary OCE interface to a new OCE with a different interface.
Workaround: There is no workaround.
Symptoms: The IPSLA sender box can reload with the following message:
SYS-6-STACKLOW: Stack for process IP SLAs XOS Event Processor running low, 0/6000
Conditions: This symptom is observed with the IPSLA sender box.
Workaround: There is no workaround.
Symptoms: OSPFv2 NSR on quad-sup VSS does not work. The router stops sending hello packets after switchover.
Conditions: This symptom is observed with quad-sup VSS with OSPFv2 NSR.
Workaround: Clear the IP OSPF process after NSR switchover.
Symptoms: When the BGP MDT address-family is configured with one or more VRFs having “mdt default x.x.x.x” with 4000 VRFs, of which 400 VRFs have “mdt default x.x.x.x” and with 8000 BGP neighbors in VRF (4K IPv4 & 4K IPv6), then the router takes close to 30 minutes to apply the configuration.
Conditions: This symptom occurs if neighbors are configured under BGP VRF address-family with the update-source command, that is, neighbor X.X.X.X update-source <interface>.
Workaround: Do not use neighbor X.X.X.X update-source <interface> under the BGP VRF address-family.
Symptoms: The router crashes when an MR-APS switch is made. The crash occurs randomly.
Conditions: This symptom occurs when the router is configured for MLP with 12 links.
Workaround: There is no workaround.
Symptoms: If the profile is not defined in the AAA and a DHCP discover for MN is sent to MAG/ISG, the ASR crashes immediately.
Conditions: This symptom occurs when the profile is not defined.
Workaround: Define the profile in ISG.
Symptoms: A crash with traceback is seen, and all calls are dropped.
Conditions: This symptom is observed under all conditions.
Workaround: There is no known workaround. The gateway crashes, and the soak time appears to be six weeks.
Symptoms: The router reloads when “no mediatrace initiator” is issued.
Conditions: This symptom occurs when traceroute is enabled for a mediatrace session.
Workaround: Disable traceroute under each configured mediatrace session.
Symptoms: Traffic drop of MVPNv6 data MDT packets is seen.
Conditions: This symptom is observed on doing a VRF delete and adding it on the encapsulated PE in a scaled MVPNv6 setup; the L3 DENY RESULT drop counters increment for the encapsulated VLAN v4. From a multicast point of view, the drop is at the point where the packet reaches the encapsulated VLAN v4 to proceed further with backbone forwarding.
Workaround: There is no workaround.
Symptoms: A VRF cannot be deleted. The following error message is displayed:
Conditions: This symptom occurs after having previously issued “sh ip cef vrf * sum”.
Workaround: There is no workaround. Reboot is required to remove the VRF.
Symptoms: Cisco IOSD crashes are seen with 1K MVPN sessions. (When the sessions are cleared, all the IGMP joins are released, and then the sessions are brought up. When there are about 400 to 500 IGMP joins, the crash is seen.)
Conditions: This symptom occurs while clearing the 1K MVPN sessions on LAC using “clear pppoe all”.
Workaround: There is no workaround.
Symptoms: MPLS TE LM error messages
Workaround: There is no workaround.
Symptoms: There is no re-registration after switching from HW to SW crypto engine.
Conditions: The symptom is observed after switching from HW to SW crypto engine.
Workaround: There is no workaround.
Symptoms: A Cisco ME 3800 running Cisco IOS Release 15.2(2)S1 may crash under certain scenarios due to a stack overflow.
Conditions: This symptom is observed when QoS is configured.
Workaround: There is no workaround.
Symptoms: Path confirmation fails for a SIP-SIP call with IPV6 enabled.
Conditions: This symptom occurs when UUTs are running Cisco IOS Release 15.2(2)T1.5.
Workaround: There is no workaround.
Symptoms: Route flaps could occur after a switchover when a router is configured to use ISIS IETF NSF. The route timestamp is refreshed in the show ip route command output. Packet traffic going through the router could be dropped as a result of the switchover. This issue is seen only with a point-to-point interface or on a LAN configured as point-to-point.
Conditions: This symptom occurs when you configure ISIS NSF IETF and the point-to-point interface.
Workaround: There is no workaround.
Symptoms: Native MCAST traffic is not forwarded over a nile1 after core interface shut/no shut.
Conditions: This symptom is observed after doing shut/no shut or interface flap a couple of times.
Workaround: “clear ip mroute <mcast_group>” or “clear ip route *”.
Further Problem Description: Not all the multicast groups will be affected. The behavior is inconsistent.
Symptoms: Very specific events/packet types cause the ES20 LC to stop passing traffic. Information on these events and packets that lead to the issue are not known currently.
Conditions: This symptom occurs when the ES20 interface has an EVC or MPLS configuration.
Symptoms: An Access-Request sent by a BRAS might miss ANCP-attributes.
Conditions: This symptom is observed if an ANCP-enabled subinterface is set up the first time or it gets removed/readded.
Workaround: Reconfigure the ANCP neighbor name.
Symptom: Overlord crashes with 2000 crypto sessions (4000 IPsec SAs) upon repeatedly clearing and reestablishing the SAs.
Condition: The box is configured with 1K VRFs and 1K virtual templates, and the crypto sessions are repeatedly cleared/reestablished.
Workaround: There is no workaround.
Symptoms: A Cisco ISG router configured for Layer 2 Connected Subscriber Sessions does not respond to ARP replies once a subscriber ARP cache has expired.
Conditions: This symptom occurs when the router is configured as ISG L2-Connect, the router has configured HSRP as the high-availability method, and the subscriber-facing interface is configured with “no ip proxy arp”. This issue is not seen if either HSRP is removed or if “ip proxy arp” is enabled.
Workaround: Clear the subscriber session. After the subscriber is reintroduced, the issue is resolved. You can also configure “ip proxy arp” on the HSRP-configured interface.
Symptoms: The router crashes in EIGRP due to chunk corruption.
Conditions: This symptom is observed on EIGRP flaps.
Workaround: There is no workaround.
Symptoms: Default profiles showing up as custom.
Conditions: The symptom is observed with a Cisco Catalyst 3000/Catalyst 4000 platform which supports the IP SLA video operation. It has no effect on the operation itself.
Workaround: There is no workaround.
Symptoms: The Remote-ID option received on the server does not contain the VLAN ID of the subinterface configured on the relay in Cisco IOS XE Release 3.8S.
Conditions: This symptom occurs when the connection between the client and relay is on a subinterface (VLAN).
Workaround: There is no workaround.
Symptoms: A basic call between 2 SIP phones over SIP trunk (KPML-enabled) fails.
Conditions: This symptom is observed with Cisco ISR G2 platforms.
Workaround: There is no workaround.
Symptoms: Enabling Dynamic ARP Resolution (DAI) on a VLAN may cause ARP resolution to fail for hosts in other VLANs.
Conditions: This symptom is seen when enabling DAI on a VLAN.
Workaround: Enable DAI for the failing VLAN with the ip arp inspection vlan x command. Configure an ARP ACL to permit traffic for valid IP source + MAC source pair with the arp access-list acl_name command. Configure DAI filter and associate with the ARP ACL with the ip arp inspection filter acl_name vlan x command. Configure DAI trust on egress port with ip arp inspection trust.
Symptoms: RP crash is observed at rrr_lm_resource_link_ready after performing SSO on the midpoint router on protect LSP.
Conditions: This symptom is observed when an RP card hosting the TP tunnel midpoint is undergoing the SSO operation. During SSO recovery, the TP fails to recover the TP tunnel midpoint interface (virtual) that is causing it to send a NULL interface to TE for checking its readiness. TE is not checking the NULL pointer condition and accessing the link elements that are causing the crash.
Workaround: There is no workaround.
Symptoms: When the ME3800 router is running IOS 15.2(04)S software, if the EVC maximum MAC security address limit is reached for a service instance, a new MAC address is not rejected.
Conditions: This symptom occurs when EVC MAC security is enabled under a service instance.
Workaround: There is no workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.7/1.3:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C
No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptoms: Scaling up routes results in huge memory allocations, eventually depleting the SP memory, leading to MALLOC FAIL and a subsequent system crash.
Conditions: This symptom occurs in normal conditions.
Workaround: There is no workaround.
Symptoms: Standby reloads due to no switchport.
Conditions: Configure a port as “no switchport”. No IP configuration needed. Set the “tftp source interface <>”. Now defaulting the interface causes this issue.
Workaround: There is no workaround.
Symptoms: When static recursive routes are used in an MVPNv6 environment, multicast traffic loss can occur due to failure to determine the correct RPF interface for a multicast source or rendezvous point.
Conditions: This symptom occurs if a static route to an IPv6 address at a remote site (remote side of a VPN cloud) resolves via a BGP route, resulting in a failure to install the required MDT alternate next-hop in the recursively referenced BGP route.
Workaround: Executing “show ipv6 rpf vrf X <address>” for any address within the recursively referenced BGP prefix range will cause installation of the required alternate next-hop.
Symptoms: Unexpected exception to CPU: vector 200, PC = 0x0. Traceback decode is irrelevant.
Conditions: The symptom is observed on the ES+ series linecards on a Cisco 7600 series router. Symptom is reported on the ES+ console and in the crashinfo file on the ES+ flash disk. It is not reported in the syslog.
Workaround: There is no workaround.
Symptoms: IGMP snooping debugs get turned on automatically.
Conditions: This symptom occurs when the console is flooded with debug messages.
Workaround: There is no workaround.
Symptoms: The router crashes continuously after a normal reboot due to power or some other reason.
Conditions: This symptom is observed with the following conditions:
– Take out all the modules from the router.
The issue was recreated in a lab test as follows:
1. Disable auto-configuration, that is, “no ccm-manager config”.
3. Enable the CCM manager configuration and the router does not crash.
Workaround 1: Bypass the start-up configuration and log in via ROMmon without any configuration. Add the configuration one by one. Once the configuration is added, save the configuration and reload the gateway.
Workaround 2: Shut down the router and add the cards one by one in slots 0, 1, 2, 3, and 4. The device is stable until the third slot is inserted and brought up. As soon as the router is powered on, after adding the fourth slot, the crash starts. Shut down the router and remove the card in slot 4 (EVM-HD-8FXS/DID). Bring the device up without the card in slot 4 (EVM-HD-8FXS/DID). Remove the “mgcp” and “ccm-manager fallback-mgcp” configuration from the device because the console log is displaying the “Call Manager backhaul registration failed” error message. Shut down the router and add the card which was removed. Bring up the router. Readd the ccm-manager fallback-mgcp command and do a “no mgcp/mgcp”. The router becomes stable.
Workaround 3: Remove the ccm-manager config command by no ccm-manager config which tears down the connection from the call manager to the MGCP gateway. The gateway will not download the configuration from the call agent at the time of startup. Reload the router. Once the router is back and stable, readd the command.
Symptoms: Stale scansafe sessions are seen on the router. They do not get cleared even with the clear content-scan sessions * command.
Conditions: This issue occurs when one of the end points (client or server) does not properly close the connection. In TCP terms, this happens when one end does not send an ACK to the FIN request sent by the other end in L4F UNPROXIED state.
Workaround: There is no workaround. The router needs to be rebooted to clear the stale sessions.
Symptoms: OQD drop counters increment on the mGRE tunnel even though there are no drops.
Conditions: This symptom is observed with an mGRE tunnel when multicast traffic is sent over the tunnel. This issue is seen when EIGRP or OSPF is configured on the tunnel.
Workaround: There is no workaround.
Symptoms: The switch may crash following SYS-2-FREEFREE and SYS-6-MTRACE messages while a CDP frame is being processed.
Workaround: Disable CDP using “no cdp run”.
Symptoms: Connecting from Windows 7 L2TP/IPSec client to the VPN fails when using HSRP virtual IP as a gateway IP and Error 788 is displayed.
Conditions: This symptom is observed with Cisco IOS Release 15.2(3)T or later releases, and the Windows 7 L2TP/IPsec VPN client.
Workaround: Downgrade to Cisco IOS Release 15.1(3)T.
Symptoms: The image cannot be built with an undefined symbol.
Conditions: This symptom occurs as the commit error triggers the compiling issue.
Workaround: There is no workaround.
Symptoms: SP crash is observed @oce_to_sw_obj_type on a router reload.
Conditions: This symptom is seen with core link flap at remote end during IP-FRR cutover.
Workaround: There is no workaround.
Symptoms: Static tunnels between hubs and spokes fail to rebuild.
Conditions: The symptom is observed when you reload the hub on the DMVPN IPv6 setup with DPD on-demand enabled on all spokes.
Workaround: There is no workaround.
Symptoms: Trifecta may crash with watchdog timeout. No crashinfo is generated without this fix.
Conditions: This symptom can occur whenever there is a ROMmon read or write.
Workaround: There is no workaround.
Symptoms: MPLS pseudowire ping from the peer to the Cisco ASR 903 fails if the peer is using TTL-based ping.
Conditions: This symptom occurs when the peer is using TTL-based ping.
Workaround: There is no workaround.
Symptoms: The negotiated global IPv6 remains intact on the Dialer interface.
Conditions: This symptom is observed when the physical interface goes down.
Workaround: Remove the global IPv6 address manually from the Dialer interface.
Symptoms: When executing Media Forking with midcall codec change, memory leaks are found in Cisco ASR for CCSIP_SPI_CONTROL. After decoding, the memory leak is found to be in the function is_x_participant_sips(), which does not release the memory that it allocates. This seems to be a side effect of one of the DDTS that was committed to Cisco IOS Release 15.3M&T (CSCtz96408).
Conditions: This symptom occurs when executing Media Forking with midcall codec change.
Workaround: The fix is done and is committed to Cisco IOS Release 15.3M&T.
Symptoms: In an MLDP + MVPNv6 setup, abnormal RP reload occurs after the deletion and addition of a few subinterfaces on the encapsulated PE.
Conditions: This symptom occurs after deletion and addition of a few subinterfaces on the router acting as the encapsulated PE on the access side for a few VRFs running MLCP inband.
Workaround: There is no workaround.
Symptoms: Ping fails after doing EZVPN client connect if CEF is enabled.
Conditions: This symptom is observed with the Cisco IOS Release 15.3(0.8)T image. This issue is seen only for a specific topology, where the in/out interface is the same.
Workaround: There is no workaround.
Symptoms: Traffic drop might be seen after reloading the router.
Conditions: This symptom is observed on a particular SFP interface (the issue is seen on ge0/8) after reloading the router.
Workaround: Shut/no-shut of the interface or clearing the IPv6 neighbor will recover the traffic.
Symptoms: When an IGMP query with source IP address 0.0.0.0 is received on an interface, the interface is marked as an mrouter port for that VLAN.
Conditions: This symptom is seen when IGMP query with source IP address 0.0.0.0 is received.
Workaround: There is no workaround.
Symptom: The radius-server attribute 6 on-for-login-auth command is not configurable any more.
Conditions: There are no specific conditions under which this issue occurs.
Workaround: There is no workaround.
Symptoms: The CPU remains at 100% after the SNMPv2c walk even after 5 minutes.
Conditions: This symptom occurs when an SNMP walk is done on mplsLsrStdMIB.
Workaround: There is no workaround.
Symptoms: The ME-3600X-24CX-M box crashes on executing the command “Diagnostic start test all”.
Conditions: This symptom occurs on executing the “Diagnostic start test all” command.
Workaround: There is no workaround.
Symptoms: Standby RSP is periodically reset after memory exhaustion. This can be checked by checking free memory on standby SP by the show memory statistic command.
Conditions: This symptom is triggered by standby RSP restart or router reload.
Workaround: There is no workaround.
Symptoms: SVI does not come up for a long time even though there are active ports in that VLAN.
Conditions: This symptom is seen with flexlink with preemption and VLAN load balance configuration.
Workaround: There is no workaround.
Symptoms: The POS interface line protocol is down with encapsulation PPP in an MPLS setup.
Conditions: This symptom occurs when configuring encapsulation PPP on both ends of PE1 and CE1, and then configuring xconnect in the customer-facing interface of PE1.
Workaround: Reconfigure the xconnect settings. Then, the interface will come up in the proper state.
Symptoms: Standby RP crash is seen on the Cisco ASR 1000 BRAS during the longevity test.
Conditions: This symptom is observed with a full scale churn test, with 28K PPPoEoA sessions with two ISG Services on each session, and the LI activated on 500 sessions, with 40cps churn rate.
Workaround: There is no workaround.
Symptoms: Incorrect MAC learning is observed over pseudowires that are part of HVPLS, causing traffic failure.
Conditions: This symptom is observed when VPLS autodiscovery is in use, with MPLS over SVI in the core. This issue is also seen with LDP-based VPLS, when split horizon-enabled pseudowires are configured after the non-split horizon-enabled pseudowires.
Workaround: There is no workaround.
Symptoms: The router can crash when “clear ip bgp *” is done in a large-scale scenario.
Conditions: This symptom is observed only in a large-scale scenario, with tens of thousands of peers and several VPNv4/v6 prefixes.
Workaround: “clear ip bgp *” is not a very common operation. Hence, this issue has not been observed by customers. The crash can only happen when “clear ip bgp *” is done. The workaround is not to execute “clear ip bgp *”.
Symptoms: The show voice register pool on-hold brief command displays the same number (for both phone number and remote number) when both local and remote phone are put on-hold.
Conditions: This symptom is observed with Cisco IOS Release 15.3(8)T.
Workaround: There is no workaround.
Symptoms: The CLI being executed fails to sync to the standby, which results in a standby reload.
Conditions: This happens when the following conditions are met:
1. Active and standby are running different versions of the IOS image.
2. The CLI being applied is not PRC compliant, meaning that this CLI does not return a valid parser return code.
Workaround: Avoid applying CLIs that are not PRC compliant during image upgrade or downgrade.
Conditions: This symptom occurs when bringing up 8000 PPP sessions with QOS and eBGP routes.
Workaround: There is no workaround.
Conditions: This symptom occurs upon router reload.
Workaround: There is no workaround.
Symptoms: The RSP720 may crash if a high rate of traffic is punted to the RP.
Conditions: This symptom occurs on a Cisco 7600 with RSP720. It is specific to a driver used only by the RSP720. Other supervisor models are not affected. The issue is only seen in Cisco IOS Release 15.1(03)S and later releases, because of a code change made to the RSP720 driver.
Workaround: Isolate and stop the traffic being punted to the RP.
Symptoms: Intermittently during Phase II rekey, after new SPIs are negotiated and inserted into SPD, old SPIs are removed and then the VTI tunnel line protocol goes down.
Conditions: This symptom is observed with Cisco IOS Release 15.2(3)T, with VTI over GRE.
Workaround: There is no workaround.
Symptoms: In the Cisco ASR 903, during SSO, the age of some of the ARP entries gets corrupted.
Conditions: This symptom is observed with the Cisco ASR 903.
Workaround: It has been observed that for a few ARP entries the value of timeout gets corrupted during SSO. As of now, the following workaround has been done for the corrupted timeout ARP entries:
1. The refresh timer is set to the configured value.
2. The router sends an ARP request for the corrupted entries.
Symptoms: Ping fails from host1 (192.168.1.2) to host2 (192.168.4.2).
Conditions: This symptom occurs when Suite-B is configured on IPsec sa.
Workaround: There is no workaround.
Symptoms: PIM VRF neighbor is not coming up.
Conditions: This symptom is seen with MVPNv6 configurations.
Workaround: Use earlier images.
Symptoms: Multicast traffic drops over the IPSec GRE tunnel.
Conditions: This symptom is observed when the mls mpls tunnel-recir command is configured on the router.
Workaround: There is no workaround.
Symptoms: Router crashes with MVPNv6 setup.
Conditions: This symptom is seen while unconfiguring VRF.
Workaround: There is no workaround.
Symptoms: Codec changes spontaneously during midsession without a RE-INVITE.
Conditions: This symptom occurs with the following conditions:
– Fax passthrough is configured.
– Codec negotiated is G711alaw, and changes to G729.
Workaround: There is no workaround.
Symptoms: The match user-group commands do not appear in the running configuration after being configured.
Configure an inspection type class-map:
Save the configuration. Try to view the configuration in the running configuration:
But, view the configuration directly in the class-map:
The configuration never shows up in the running configuration, but it is in the class-map configuration. As a note, the functionality exists on the ZBFW, but the configuration does not show up in the running configuration.
Conditions: This symptom is only observed with the match user-group commands.
Workaround: This issue only affects devices after a reload as the router will read the startup configuration, which will not have the match user-group command. As a result, the match user-group commands need to be reentered after every reload.
Symptoms: The following interface configuration should be used:
Dead interval is calculated according to network type; in this case, it is 120s. Issue the no ospfv3 dead-interval command on dead interval. Dead interval is set to the default of 40s instead of 120s, which is correct for manet or P2MP interface types.
Conditions: This symptom is an OSPFv3-specific issue (see the configuration example).
Workaround: Configure dead interval explicitly or reapply the network command.
Symptoms: A Cisco router may experience alignment errors. These alignment errors may then cause high CPU.
Conditions: This symptom occurs as the alignment errors require using Get VPN. It is currently believed to be related to having the Get VPN running on a multilink interface, but this is not yet confirmed.
Workaround: There is no workaround.
Symptoms: Randomly, there is no audio if a call comes from the following call flow using G729:
If one of the phones in CME tries to GPickup the call randomly, it will have no audio. When this happens, if you check the codec directly in the phone, it is G711. However, when it works, it is G729. Everything is configured for G729. Even if you hard code the phone in CME to use G729, this issue will occur. This issue does not occur in CME 7.1.
Conditions: This symptom occurs if a call comes from GK as G729 and CME 9.1 is being used.
Workaround: Use CME 7.1 or enable fast start in CUCM Trunk by enabling the following check boxes:
– Media Termination Point Required
Symptoms: SSL handshake between Cisco VCS and the Cisco ASR fails if the Cisco ASR is running Cisco IOS XE Release 3.7S.
Conditions: This symptom occurs in a working setup, if the Cisco ASR is upgraded to Cisco IOS XE Release 3.7S, then SSL handshake and subsequently SIP-TLS calls start to fail. If in the same setup, the Cisco ASR is downgraded back to Cisco IOS XE Release 3.5S or Cisco IOS XE Release 3.4.4S, then the calls work (without requiring any additional changes).
Workaround: There is no workaround.
Symptoms: NTP broadcast mode does not work on the Cisco ASR 901 (client).
Conditions: This symptom occurs when the Cisco ASR 901 does not receive NTP “broadcast” messages from the NTP server.
Workaround: Use NTP unicast mode.
Symptoms: BFD session flapping occurs or fails to get established on flapping REP ring.
Conditions: This symptom is observed with the software BFD session or echo mode.
Workaround: Disable echo mode.
Symptoms: DSCP-based WRED does not work in egress on the member-link. This is a regression caused due to CSCty30952.
Conditions: This symptom occurs when a policy (not only WRED) is applied on an Etherchannel and a trunk port with allowed VLAN none is a member-link. This issue is seen because there is a new internal handling to take care of switchport trunk and access cases by CSCty30952 to handle VLAN combinations.
Workaround: There is no workaround.
Symptoms: Router crashes with G8302 configs.
Conditions: 11k eompls vc and G8302 configs.
Workaround: There is no workaround.
Symptoms: When scan safe is enabled on the interface, latency may be seen. Some pages may not load at all or show severe latency if the SYN request sent by the ISR does not receive an appropriate SYN ACK response from the Scan Safe Tower.
Conditions: Scan Safe must be enabled on the interface. In this case, there was an ASA in the path that was doing sequence number randomization.
Workaround: Disable sequence number randomization on the firewall in the path before the ISR.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C
CVE ID CVE-2012-4651 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptoms: After multiple RP switchovers, the router crashes with the “UNIX-EXT-SIGNAL: Segmentation fault(11), Process = BGP HA SSO” error.
Conditions: This symptom is observed with MVPN with 500 VRFs, when performing multiple switchovers on PE1.
Workaround: There is no workaround.
Symptoms: Multicast traffic gets forwarded to the wrong tunnel protected with IPsec.
Conditions: This symptom is observed when Multicast (PIM) is enabled on the GRE tunnel protected with IPsec on the Cisco 7600.
Workaround: Shut/no shut on the tunnel protected with IPsec resolves the issue.
Symptoms: A crash occurs due to NULL pointer access in a BGP C-Route function.
Conditions: This symptom is very timing-sensitive and will occur only in a specific sequence of runtime events in a specific timing instance. In this case, this issue is triggered in a scaled setup when “mpls mldp” is toggled after two SSOs and when each SSO takes a very long time to complete due to HA Bulk Sync failure in IP Multicast that has addresses separately.
Workaround: There is no workaround.
Symptoms: Running the clear ip access-list dynamic counters command triggers spurious memory access and adds traceback information in the logging buffer of the Cisco uBR router.
Conditions: This symptom occurs when running the clear ip access-list dynamic counters command.
Workaround: Do not run the clear ip access-list dynamic counters command.
Symptoms: In a VTI scenario with HSRP stateless HA, the tunnel state on standby is up/up.
Conditions: This symptom occurs when HSRP is configured and there is no SSO configuration.
Workaround: There is no workaround.
Symptoms: The atm keyword for the show command disappears.
Conditions: This symptom occurs when you do a powered shutdown of the SPA card and bring it back up using the no form of the previous command.
Workaround: There is no workaround.
Symptoms: If CUBE has midcall reinvite consumption enabled, it also consumes SIP 4XX responses. This behavior can lead to dropped or hung calls.
Conditions: This symptom occurs when midcall reinvite consumption is enabled.
Workaround: There is no workaround.
Symptoms: Internal VLAN is not deleted even after waiting for 20 minutes, and the VLAN cannot be reused.
Conditions: This symptom is seen with any internal VLAN allocated dynamically that is not freed up after 20 minutes in the pending queue.
Workaround: There is no workaround.
Symptoms: CEF does not get programmed and traffic does not flow across IPv6 VTI tunnels post router reload.
Conditions: This symptom occurs when reloading the box that has scale IPv6 sVTI IPsec tunnels configured.
Workaround: Shutdown/no shutdown on the IPv6 tunnels resolves the issue.
Symptoms: Traffic is dropped silently on the VLAN.
Conditions: This symptom is observed when all the VLANs in the router are used (0 free VLAN). Any new internal VLAN creation will fail, and an appropriate error message is not shown.
Workaround: There is no workaround.
Symptoms: Certificate validation fails with a valid certificate.
Conditions: This symptom is observed during DMVPN setup with an empty CRL cache. This issue is usually seen on the responder side, but the initiator can also show this behavior.
Workaround: There is no known workaround.
Symptoms: One-way video from CTS-1000 to TS-7010 is seen in the following topology:
Conditions: This symptom occurs when SDP Passthru mode on CUBE is used.
Workaround: RTP payload types 96/97, which are associated with fax/faxack need to be remapped to some other unused values.
Symptoms: Traceback is observed with the following message:
SP-STDBY: pm_get_standby_vlan:Cannot allocate VLAN for IPv6 VPN 0x1E000050 Egress multicast VLAN 1019 is use by Tunnel2
Conditions: This symptom is observed when applying a scaled MLDP configuration.
Workaround: There is no workaround.
Symptoms: After Cisco IOS XE bootup, no static reverse routes are inserted as a result of applying/installing an HA crypto map. The same issue is present on the HSRP standby device; namely, the static RRI routes will not get installed if a failover occurs. The show cry map command can be used to verify that RRI is enabled. The show cry route command can be used to determine if RRI has happened and if it has been done correctly.
Conditions: This symptom is observed with the following conditions:
– Cisco IOS XE Release 3.5 up to Cisco IOS XE Release 3.7
– VRF-aware IPSec with stateless HA and static RRI - IPv4
Workaround: Removing and reentering the reverse-route static command into the configuration will actually trigger the route insertion.
Symptoms: Error message seen on standby.
Conditions: The symptom is observed with tunnel configurations.
Workaround: There is no workaround.
Symptoms: A packet loss is seen with a stateful switchover (SSO) in a Cisco ASR 1000 router with scaled configuration.
Conditions: This symptom is a day one issue and is seen with a scaled configuration.
Workaround: There is no workaround.
Symptoms: The IPsec session does not come up for spa-ipsec-2g if you have disabled “Volume Rekey”.
Conditions: This symptom occurs when “Volume Rekey” is disabled on spa-ipsec-2g.
Workaround: Do not disable the “Volume Rekey” on spa-ipsec-2g.
Symptoms: The show int command output displays the input queue size as greater than 0, and it never goes down. Shut/no shut does not help either.
Conditions: This symptom is observed with the following conditions:
– A Cisco IOS router acts as XOT.
– The XOT Server becomes unreachable for some time while the x25 client is attempting to send traffic.
– Cisco IOS Release 12.4(24)T7, Cisco IOS Release 15.1M, or later releases.
Workaround: Increase the input hold queue size from default 75 to max. Monitor it periodically, manually or by script, and perform a planned reload when the queue size is close to max.
Symptoms: The Cisco ASR 1000 router running Cisco IOS Release 15.2(4)S acting as a GM in a Get VPN deployment starts using the most recent IPsec SA upon KS rekey instead of using the old key up to 30 seconds of expiration.
Conditions: This symptom is observed only in Cisco IOS Release 15.2(4)S.
Workaround: There is no workaround.
Symptoms: The Cisco ASR 1000 router being GM in a Get VPN deployment fails to start GDOI registration after a reload.
Conditions: This symptom occurs when running Cisco IOS Release 15.2(4)S. The following error is displayed in the show crypto gdoi command output after reload.
Workaround: Use an EEM script to issue “clear crypto gdoi” some time after boot time or issue this manually.
Symptoms: The command no monitor capture name control-plane leads to a crash.
Conditions: The symptom is observed with the command no monitor capture name control-plane.
Workaround: There is no workaround.
Symptoms: The “PM-SP-STDBY-3-INTERNALERROR” error message is seen on Active for the Tunnel Reserved VLAN and the Tunnel Global Reserved VLAN.
Conditions: This symptom is observed with an HA router with a scale configuration of the MDT Tunnel.
Workaround: There is no workaround.
Symptoms: After a reload, the MPLS forwarding function is sometimes not enabled on some interfaces. Some interfaces that are configured with “mpls ip” and are in the link-up state do not appear in the “show mpls interface” command output. This issue depends on the timing of the interface coming up.
Conditions: This symptom may sometimes occur after a router reload or a SIP/SPA reload. It does not occur when you configure “mpls ip” on an interface, perform an admin-shutdown/no shutdown, or flap the link.
Workaround: When the issue occurs, do an admin-shutdown/no shutdown on the affected interface or disable/re-enable MPLS on the interface.
Symptoms: Traffic flowing through EVCs that do not belong to any service group will see incorrect bandwidth values because of wrong bandwidth value programmed on the port-default node.
Conditions: This symptom is seen when a mixture of flat and HQoS SGs having bandwidth configurations on their policies are applied on PC EVCs. Two mem-links are part of this PC, and default load-balancing is used.
Workaround: There is no workaround.
Symptoms: When an L2TPv3 xconnect with IP interworking is configured on a Switched Virtual Interface (interface vlan), it may fail to pass traffic. With debug subscriber packet error enabled, debug messages like the following are output:
Conditions: This symptom has been observed in Cisco IOS Release 15.2(3)T4 and earlier.
Workaround: There is no workaround.
Symptoms: IPv6 DMVPN spoke fails to rebuild tunnels with hubs.
Conditions: This symptom occurs when the tunnel interface on the spoke is removed and reapplied again.
Symptoms: The cos-inner value is not preserved in the case of POP2.
Conditions: This symptom occurs when traffic is flowing from the service instance with POP2 configured to another service instance with POP2, which has a marking with cos. The cos-inner value also gets affected with the QOS policy-map. Without QOS, the current behavior is POP2 -> POP2. The outer VLAN cos value gets copied to both the inner and outer cos value of the egress VLAN tag.
Workaround: There is no workaround.
Symptoms: A switching failure occurs after applying the CEM configuration.
Conditions: This symptom occurs when there is a PW redundancy and the primary VC is down. Reapply configuration.
Workaround: Remove the xconnect configuration. Potentially, wait for 20 minutes in the worst case for “sh mpls l2 pwid” to age out labels.
Symptoms: Under certain conditions, running a TCL script on the box may cause a software traceback and reload of the affected device.
Conditions: A privilege 15 user may run TCL commands that may lead to an affected device reloading.
Workaround: There is no workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.8/3.6:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:H/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C
No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptoms: In the Cisco 7600, multicast traffic does not flow in some scenarios. In the case of PIM SM mode, many times, (*,G) is present, but not (S,G) in mroute. In the case of PIM SSM mode, (S,G) is present but still traffic does not flow through.
Conditions: This symptom is observed only with Cisco IOS Release 15S-based releases.
– Either use a different source IP or a different group IP.
Symptoms: When Cisco IOS XE is configured to use subscriber-service for authorization, it will ignore this configuration for the named list and fall back on the default for subscriber-profile or, if this is not present, on the default authorization method for the network. If none of these default authorization methods are configured, authorization will not take place.
Conditions: This symptom occurs when a named authorization list is configured.
Workaround: Set the default authorization list (subscriber-service or network) to use the correct Radius server.
Symptoms: When the Cisco ME3600/ME3800 is the encapsulation box in MVPN, if the packet size is greater than the default MTU, packets will not flow out of the box.
Conditions: This symptom is observed when MVPN is configured on the Cisco ME3600/ME3800 box. The box should be the core encapsulation box, and traffic should be going on the tunnel to hit this situation. Only packets beyond the default MTU are dropped and do not go out.
Workaround: Send packets of a smaller size from the source so that after encapsulating with 24 bytes of the outer IP of the MDT tunnel, it does not go beyond the size of the egressing interface MTU.
Symptoms: T1 controller will stay DOWN after switchover.
Conditions: This symptom is seen when SATOP is configured on T1.
Workaround: Do a shut and no shut.
Symptoms: Address Error exception is observed with ccTDUtilValidateDataInstance.
Conditions: This symptom is observed with ccTDUtilValidateDataInstance.
Workaround: There is no workaround.
Symptoms: The egress service policy on EFP drops all traffic in egress. The offered rate equals the drop rate. The interface output rate is zero, and output drop increases.
Conditions: This symptom is observed with the Cisco ME36xx running Cisco IOS Release 15.2(2)S.
Workaround: There is no workaround.
Symptoms: The Cisco IOSd process crashes due to a segmentation fault in the PPP process:
The root cause for the PPP process crash is wrong IPCP option processing inside PPP control packets.
Conditions: This symptom occurs when the BRAS functionality is configured, which includes ISG and PPPoE session termination.
Workaround: There is no workaround.
Symptoms: The default class is not being exported with the class option template.
Conditions: This symptom occurs when class-default is not exported when typing the option c3pl-class-table under the flow exporter.
Workaround: There is no workaround.
Symptoms: If the ISM-VPN module is turned on and ZBFW is configured, when asymmetric routing occurs, the router crashes.
Conditions: This symptom occurs when the ISM-VPN module is turned on and ZBFW is configured, and when asymmetric routing occurs.
Workaround: There is no workaround.
Symptoms: Ping failure is seen through poch for the g8032 ring.
Conditions: This symptom is observed on reloading all devices running g8032.
Symptoms: A subscriber session on LAC/LNS gets stuck in the attempting state when the “vpdn authen-before-forward” CLI is configured and auto-service is present in the RADIUS profile.
Conditions: This issue is seen with CLI “vpdn authen-before-forward” and one auto-service in the user profile in RADIUS.
Workaround: Configure and apply one policy-map with SESSION-START rule with at least one action.
Symptoms: REP occasionally fails when a peer device that is running REP on the same segment is reloaded.
Conditions: This symptom is seen when a remote device is reloaded. The REP state machines on both devices can get stuck.
Workaround: Flap the link of the unit which did not go into the REP wait state. This will bring the REP state machines at both ends.
Symptoms: The counters are not polling the correct stats.
Conditions: This symptom was first observed on the ATM interface, but it is not particular to ATM, as this issue was reproduced on the Gigabit Ethernet interface as well.
Workaround: There is no workaround.
Symptoms: MVPN over GRE PIM VRF neighbor is not up after SSO.
Conditions: This symptom is seen when MVPN over GRE PIM VRF neighbor is not up after SSO.
Workaround: There is no workaround.
Symptoms: Active Cisco IOSd was found to have crashed following the “clear ip mroute *” CLI.
Conditions: This symptom occurs with 4K mroutes (2k *,G and 2K S,G) running the FFM performance test suite.
Workaround: There is no workaround.
Further Problem Description: So far, this issue is only seen in the FFM performance test script.
Symptoms: Traceback and CPU hog is seen due to spurious memory access when Flexible NetFlow (FNF) is enabled.
Conditions: This symptom is seen when enabling FNF.
Workaround: Use classic netflow or configure FNF on the tunnel template interface (preferred).
Note: the first option of using classic netflow is not available on some platforms which only support FNF. Notably these are Cat 6k, Sup 2T and the Cat 4K K10.
Symptoms: The console displays a message indicating that offloading is not supported for BFD echo mode.
Conditions: Occurs when you configure a BFD session in echo mode.
Workaround: There is no workaround; however, the issue has no functionality impact.
Symptoms: The voice gateway router that is configured as a CME for handling ephones reloads due to spurious memory access.
Conditions: This symptom occurs as the voice gateway router is capable of handling ephones. Reload is very specific to ephone handling.
Workaround: There is no workaround.
Symptoms: IPv6 HbH Traffic traversing across BD SVIs will not be rate-limited by HbH rate-limiter that is configured.
Conditions: This symptom is seen when enabling HbH rate-limiter on an NP of ES+ and IPv6 HbH traffic traversing across SVIs part of EVC BD of ES+ interface.
Workaround: There is no workaround.
Symptoms: The router crashes due to high CPU and lack of memory.
Conditions: This symptom occurs when using a local connect between an EFP with encap dot1q and an EFP with encap untagged.
Workaround: There is no workaround.
Symptoms: TD probes in fast mode are gone when the link flaps (not PfR external interfaces).
Conditions: This symptom is observed with TD, fast mode, and link flap, which cause SAF session flap.
Workaround: Issue “clear pfr mas tr”.
Symptoms: Outage and CPU remain astonishingly high against XDR MCAST process on a scaled HWO BFD testbed.
Conditions: This symptom is seen after a router reload, when OSPF convergence is completing and 10g traffic is started through the box.
Workaround: There is no workaround.
Symptoms: With a primary PW in the down state, if the Xconnect redundancy configuration is removed and added, then switching may remain down and the VC goes down.
Conditions: This symptom is observed with the following conditions:
1. The platform supports hot standby (Cisco ASR 903/Cisco 7600/Cisco ASR 901).
2. PW redundancy with primary down.
3. Configuration removed + added or added afresh.
Workaround: Fix the primary PW and then remove/add the configuration.
Symptoms: CUBE fails to resolve the configured DNS through A query when the SRV query fails.
Conditions: This symptom occurs when running Cisco IOS Release 15.3(0.11)T.
Workaround: Use DNS SRV records for SIP servers.
Symptoms: Router crashes when removing GDOI groups.
Conditions: KS has 100 GDOI groups configured.
Workaround: There is no workaround.
Symptoms: Traffic drop is seen due to misprogramming in the VLAN RAM table.
Conditions: This symptom is observed when the router is reloaded multiple times.
Workaround: There is no workaround.
Symptoms: Memory leaks are seen in the statistics.
Conditions: This symptom occurs when the probe is executed and statistics are updated.
Workaround: There is no workaround.
Symptoms: The active RP crashes in the SSM connection manager during session disconnect after a CoA is rejected (COA-NAK).
Conditions: This symptom is observed when a CoA is sent to an established L2TP session to activate 3 ISG services and one of the services fails to be applied, with a COA-NAK reply. Disconnecting the session then triggers an RP crash with a segmentation fault in the SSM connection manager.
Workaround: This is considered a negative test case; apply a working CoA.
Symptoms: The traffic rate comes down to one IMA link rate.
Conditions: This symptom is observed on router reload or IM OIR.
Workaround: Delete the ATM PVP configuration and recreate it.
Symptoms: Crash in pim_reg_enc_src_update_mvrf in complex multicast setup.
Conditions: This symptom is observed when traffic is active for a combination of different IPv4 multicast VPN features or scenarios; Cisco IOS may then crash upon an interface coming-up notification.
Workaround: There is no workaround.
Symptoms: A pending-issue-update is seen at SSL CPP CERT on the Cisco ASR 1002, ESP-1000 platform.
Conditions: This symptom is observed with the following configuration:
Workaround: There is no workaround.
Symptoms: Traffic coming in with a particular label might experience drops on ES+.
Conditions: This symptom is observed with traffic coming in on the ES+ interface with MPLS enabled. This issue is seen when the box has AToM (Scalable mode on the Cisco 7600) configured.
Workaround: Reset the core facing ES+ module.
Symptoms: The Cisco ME3600 and Cisco ME 3800 switches crash.
Conditions: This symptom occurs on triggering POCH LACP fast switchover that is part of G.8032 ring carrying UCAST and MCAST traffic.
Workaround: There is no workaround.
Symptoms: Crash is observed when removing the crypto call admission limit ike in-negotiation-sa value configuration and clear crypto sessions, which triggers a connection from all the clients burdening the server and forcing it to crash within seconds.
Conditions: This symptom happens only when 150 connections simultaneously try to establish connection with the head-end EzVPN server.
Workaround: Configure crypto call admission limit ike in-negotiation-sa 20 when scaling to 150 tunnels.
Symptoms: VSS crashes on reconfiguring “ipv6 unicast-forwarding” multiple times.
Conditions: This symptom occurs when CTS is configured on an interface and “ipv6 unicast” is toggled multiple times.
Workaround: There is no workaround.
Symptoms: If configuration replace is tried after session-based poll, which has an address type (IPv4/IPv6) mismatch with initiator source-IP, then a crash is seen.
Conditions: This symptom occurs when configuring Mediatrace initiator with a particular type of address, for example, IPv4 only or IPv6 only. This issue is seen when trying a session-based poll with the address type for a path-specifier not matching the address type of the initiator. Then, configuration replace on the same configurations leads to a crash.
Workaround: There is no workaround.
Symptoms: The upgrade for Handoff FPGA from version 3000F to 30017 fails.
Conditions: This symptom is observed when upgrading Handoff FPGA.
Workaround: There is no workaround.
Symptoms: DHCP snooped bindings are not restored after an RTR reload.
Conditions: This symptom might occur when bindings are learnt on Cisco ES20 EVCs.
Workaround: After the RTR is UP, renew from the agent database by issuing the renew ip dhcp snooping database URL command.
Symptoms: No-way audio is observed on hair-pinned calls back from CUBE to SIP Provider.
Conditions: This symptom is observed only after upgrading to Cisco IOS Release 15.2(2)S.
Workaround: Modify the diversion header on the transfer leg invite, so Verizon handles the call differently.
Symptoms: Complete traffic loss occurs for V6 mroutes.
Conditions: This symptom occurs during deletion and addition of VRFs for the MVPNv6 inband signaling configuration.
Workaround: There is no workaround.
Symptoms: Forwarding loop is observed for some PfR-controlled traffic.
Conditions: This symptom is observed with the following conditions:
– Traffic Classes (TCs) are controlled via PBR.
– The parent route is withdrawn on selected BR/exit.
Workaround: This issue does not affect configured or statically defined applications, but only affects learned applications so this can be used as one workaround. Another option is to issue shut/no shut on PfR master or clear the related TCs with the clear pfr master traffic-class... command (this fixes the issue until the next occurrence).
Symptoms: Multicast traffic for a few mroutes gets dropped on the bud node. This issue occurs because sub-LSPs are not created due to LSP IDs getting exhausted.
Conditions: This issue occurs after reload, TE-FRR, and churning of mroutes.
Workaround: There is no workaround.
Symptoms: The router crashes when configuring the ATM interface.
Conditions: This symptom is observed with the following sequence:
1. Move OC3 IM with the ATM configuration to a different bay.
2. Configure an ATM interface on the new bay.
3. Cisco IOSd crash is seen due to a segmentation fault.
Workaround: There is no workaround.
Symptoms: Cisco IOS Unified Border Element (CUBE) contains a vulnerability that could allow a remote attacker to cause a limited Denial of Service (DoS). Cisco IOS CUBE may be vulnerable to a limited Denial of Service (DoS) from the interface input queue wedge condition, while trying to process certain RTCP packets during media negotiation using SIP.
Conditions: Cisco IOS CUBE may experience an input queue wedge condition on an interface configured for media negotiation using SIP when a certain sequence of RTCP packets is processed. All the calls on the affected interface would be dropped.
Workaround: Increase the interface input queue size. Disable Video if not necessary.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
CVE ID CVE-2012-5427 has been assigned to document this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptoms: A Cisco ASR 1000 hub on dual-hubs DMVPN crashes. This issue is only seen in Cisco IOS XE Release 3.9S.
Conditions: This symptom is observed with shut/no shut of the tunnel interface.
Workaround: There is no workaround.
Symptoms: The IPv6 HbH packets get punted to RP as a result of HbH rate-limiter not working.
Conditions: This symptom is observed when IPv6 HbH packets hit the bridged interface on SIP400/SIP200 with IPv6 HbH rate-limiter configured.
Workaround: There is no workaround.
Symptoms: The instance range command works only for the first index in a given range.
Conditions: This symptom is observed under normal conditions.
Workaround: Manually configure schema for all single indices.
Symptoms: There is a memory corruption issue with loading NBAR protocol pack.
Conditions: This symptom occurs when an NBAR protocol pack is loaded into the router using the ip nbar protocol-pack command.
Workaround: There is no workaround.
Symptoms: Multicast traffic is not forwarded to downstream, even when the groups show up in the group list.
Conditions: This issue is seen only when the traffic comes on RPF fail interface, and the downstream port is blocked due to STP or similar protocol.
Workaround: Disable IGMP snooping.
Symptoms: The switch/router crashes while processing NTP.
Conditions: This symptom occurs if NTP is configured using DNS, along with the source interface. For example:
Workaround 1: config# ntp server <dns>
Workaround 2: config# ntp server <ip>
Workaround 3: config# ntp server <ip> source <interface>
For workarounds 1 and 2, the device automatically selects the source interface. For workarounds 2 and 3, resolve the DNS and use the corresponding IP address for that DNS. For example:
The above command gives the IP address for DNS. Use that IP address to configure the NTP server.
Symptoms: The show ip eigrp neighbors detail vmi command displays large delay values.
Conditions: This symptom is observed only for the VMI interface in MANET networks.
Workaround: There is no functional impact because of this. For any other practical purposes, convert the displayed value from picoseconds to microseconds, because the value displayed is in picoseconds while the units displayed are usec.
Symptoms: EIGRP flapping is seen continuously on the hub. A crash is seen at nhrp_add_static_map.
Conditions: This symptom is observed when there are two Overlay addresses of different Address Families on the same NBMA (such as IPv4 and IPv6 over IPv4). This issue is observed after shut/no shut on the tunnel interface, causing a crash at the hub. A related issue is also seen when there is no IPv6 connectivity between the hub and spoke, causing continuous EIGRP flapping on the hub.
Workaround: There is no known workaround.
Symptoms: Leaks are seen at nhrp_recv_error_indication.
Conditions: This symptom occurs only when the fix of CSCub93048 is present in the image.
Workaround: There is no workaround.
Symptoms: CUBE does not send a response to an early dialog UPDATE in a glare scenario.
Conditions: This symptom occurs when CUBE receives an early dialog UPDATE when it sends 200OK to INVITE and expects ACK.
Workaround: There is no workaround.
Symptoms: Router hangs and crashes by WDOG.
Conditions: This symptom occurs when IPv6 ACL is applied to a port-ch sub-if. The sub-if is deleted followed by deletion of the ACL.
Workaround: Delete the ACL before deleting the port-ch sub-if.
Symptoms: There is an RP crash at __be_NetworkInterface_setAddressIDL.
Conditions: This symptom occurs when an interface IP address is removed through OnePk API.
Workaround: Use CLI to resolve the issue.
Symptoms: Static routes are not getting removed.
Conditions: This symptom is observed with Smap - Smap. Removal of CLI does not remove the static route.
Workaround: Remove the ACL before removing the SA.
Symptoms: IKEv2 STOP Accounting records show wrong counters for packets/octets, when the sessions are locally cleared using “clear crypto sa” or “clear crypto session” on ASR1K.
Conditions: This symptom is observed with latest Cisco IOS XE Release 3.8S images when IKEV2-Accounting is enabled. This issue is easily reproducible with a single session, and may be service impacting as STOP Accounting records are usually used for billing purposes.
Workaround: The STOP records reflect the right counters when the disconnect is through the remote-end.
Symptoms: Removing the channel group configuration on a CEM controller causes the device to hang in a particular scenario.
Conditions: This symptom is observed when the following steps are performed:
(a) Configure a CEM group (CESoPSN or SAToP) on a controller.
(b) Configure a channel group on this controller with the same time slots used in (a) for the CEM group.
(c) Remove the channel group configured in step (b).
Workaround: Perform hard reboot of the device.
Symptoms: EVC Xconnect UP MEP is sending CCMs when the remote EFP is shut.
Conditions: This symptom occurs when EFP is admin down.
Workaround: There is no workaround.
Symptoms: Traffic from the Label Edge Router (LER) is dropped at the Label Switch Router (LSR) peer. The LER is using an invalid/outdated label, unknown to the LSR. This issue can be seen with a regular MPLS connection over a physical interface or with a connection over an MPLS TE tunnel interface. The root cause is that the LER is using a CEF long-path extension, installed to the prefix by a different routing protocol in the past.
Conditions: This symptom occurs when the prefix is learned by both BGP and IGP, while BGP has the lower Administrative Distance, pointing via the MPLS TE tunnel carrying MPLS. This issue is seen once the prefix is installed to the RIB by IGP and then by BGP (reload, BGP flap, etc.); CEF then keeps using the IGP/LDP label without updating it when the LDP label changes.
Workaround: Issue the clear ip route prefix mask command.
Symptoms: An infinite loop is seen at tunnelInetConfigIfIndex.ipv6 while doing SNMP walk.
Conditions: This symptom occurs when an SNMP walk is done on the Cisco ISRG2 router and the Cisco ASR 1000 router.
Workaround: There is no workaround.
Symptoms: A CPU HOG is observed at IP RIB Update after multiple flaps of IGP and MPLS TE tunnels.
Conditions: Multiple flaps of MPLS-enabled interfaces result in an IP RIB update crash.
Workaround: There is no workaround.
Symptoms: The Cisco ASR 901 router part of REP ring blocks traffic.
Conditions: This symptom occurs on re-convergence of the REP ring: the Cisco ASR 901 router blocks traffic even though the port is in the open state and is not the alt port.
Workaround: There is no workaround.
Symptoms: The router crashes while enabling L2TP debugs using the debug l2vpn l2tp error | event command.
Conditions: This symptom always occurs on enabling the debug l2vpn l2tp error | event command.
Workaround: The same debugs can be enabled using the alternate command debug xcl2 error | event.
Symptoms: 6PE and 6VPE traffic drops on shutting the ECMP link.
Conditions: This symptom occurs after configuring the 6PE/6VPE between UPE-2 and UPE-1 with ECMP paths between both nodes and then shutting the ECMP link.
Workaround: There is no workaround.
Symptoms: ARP related traceback with isg_ha_sanity_diol SSR test script.
Conditions: This symptom is observed due to Cisco High Availability.
Workaround: There is no workaround.
Symptoms: LDP sessions are not established.
Conditions: This symptom is observed on a router with more than one LDP adjacency to a neighbor. This issue is seen when the TCP session establishment to that neighbor is delayed, and while it is delayed, the adjacency that is the active adjacency times out (no more UDP packets are received), resulting in the TCP listen socket being deleted and not created.
Workaround: Issue the clear mpls ldp neighbor * command.
Symptoms: The SVTI always-up feature is broken.
Conditions: This symptom occurs in clear and rekey cases.
Workaround: Use shut and no shut.
Symptoms: The following error message is seen during a system reboot/boot:
“Notification timer Expired for RF Client: Redundancy Mode RF(5030)”
Conditions: This symptom occurs during a system reboot/boot.
Workaround: There is no workaround. This is a rare bug which needs a specific timing sequence to occur. The system reloads after this error. In most cases, the system will come up smoothly after a reload, else it will come up after one or two reloads.
Symptoms: SNMP MIB cbQosCMDropPkt and cbQosCMDropByte report 0.
Conditions: This symptom is observed with Cisco IOS Release 15.1(3)S1 and Cisco IOS Release 15.2. This issue is not seen with Cisco IOS Release SRE4.
Workaround: Use SNMP MIB cbQosPoliceExceededPkt and cbQosPoliceExceededByte.
Symptoms: IPv6 static route cannot resolve the destination.
1. A VRF is configured by the old style CLI (for example “ip vrf RED”).
2. Configure “ip vrf forwarding RED” under an interface.
3. Configure IPv6 address under the same interface (for example 2001:192:44:1::2/64).
4. Configure IPv6 static route via the interface configured in item 3, (for example IPv6 route 2001:192:14:1::/64 2001:192:44:1::1).
5. Then, we are not able to ping the 2001:192:14:1::2 although we can reach 2001:192:44:1::1.
Workaround: There is no workaround.
Symptoms: A Cisco 3945 that is running 15.2(3)T2 and running as a voice gateway may crash. Just prior to the crash, these messages can be seen:
Conditions: This happens when a media loop is created (which is due to misconfiguration or some other call forward/transfer scenarios).
Workaround: Check the configurations for any misconfigurations, especially with calls involving CUBE and CUCM.
Symptoms: Interface configurations do not work post HA switchover.
Conditions: This symptom occurs after HA switchover and is observed with OC3 IM.
Workaround: There is no workaround.
Symptoms: Crash info generation is incomplete.
Conditions: This symptom is observed when a crash occurs.
Workaround: There is no workaround.
Symptoms: The switch may crash when issuing “show platform qos policer cpu x x”.
Conditions: This symptom occurs only when issuing “show platform qos policer cpu x x” through an SSH session.
Workaround: Execute the command through Telnet or the console.
Symptoms: The Cisco ASR 901 router crashes with REP platform debugs enabled.
Conditions: This symptom is observed with REP functional on Cisco ASR 901 router and after enabling “debug platform rep”.
Workaround: Enabling REP debugs on customer nodes is not recommended.
Symptoms: Cisco ME 380x and ME 360x fail to trigger watchdog crash in certain scenarios.
Conditions: This symptom is seen when soaking over a prolonged period of time.
Workaround: There is no workaround.
Symptoms: Pseudowires stop passing traffic until the LSP is reoptimized.
Conditions: This symptom is observed when pseudowires stop passing traffic until the LSP is reoptimized.
Workaround: The common fix is reoptimizing the LSP onto a new path in one or both directions.
Symptoms: When a VRF route is redistributed or sourced (network statement) into BGP and the BGP VRF prefix has a next hop from global, the next hop is inaccessible.
Conditions: This symptom is observed when VRF routes are redistributed into BGP with a global NH.
Workaround: There is no workaround.
Symptoms: The crash occurs while removing MPLS TE tunnels.
Conditions: This symptom occurs when a shut/no shut on the interface is executed before performing “no mpls traffic-eng tunnels”.
Workaround: There is no workaround.
Symptoms: The SIP-400 LC card crashes during router boot up.
Conditions: This symptom does not occur under any specific conditions, as this issue is not consistent and rarely reproducible.
Workaround: There is no workaround.
Symptoms: The following traceback may be displayed after performing Stateful Switchover:
Conditions: This symptom is observed when Stateful Switchover is performed with the template type pseudowire command configured.
Workaround: There is no workaround.
Symptoms: A Cisco ME 3600X HSRP failover is seen in VPLS.
Conditions: This symptom occurs when HSRP state changes from active to standby. The MAC address on the active router is not flushed.
Workaround: Clear MAC table on HSRP active router.
Symptom: The router does not learn remote Connectivity Fault Management (CFM) Maintenance Endpoints (MEPs).
Conditions: Occurs on interfaces with an xconnect statement after a reload on a peer device.
Workaround: Remove and re-apply the CFM configuration.
Symptoms: On dual RP configurations, a standby route processor might crash when establishing new interfaces (could be PPP sessions).
Conditions: This symptom is observed when IDB reuse is turned on on a dual RP configuration, and when some interfaces are deleted and created again.
Workaround: Turn off the IDB reuse option.
Symptoms: A crash occurs with the show ip sla summary command with the IP SLAs RTP-Based VoIP Operation.
Conditions: This symptom occurs when the IP SLAs RTP-Based VoIP Operation is configured on the box.
Workaround: Use the show ip sla statistics command to check the status and statistics of the IP SLAs RTP-Based VoIP Operation rather than show ip sla summary command, when the IP SLAs RTP-Based VoIP Operation is configured on the box.
Symptoms: Layer 2 traffic loop seen in REP topology for a transient time, when the Cisco ASR 903 which is a part of the REP ring is reloaded.
Conditions: This symptom is observed when the Cisco ASR 903 is part of an REP ring, and the box is reloaded with saved REP configurations.
Workaround: The traffic loop is transient; looping stops once REP convergence completes.
Symptoms: The port-channel goes down operationally thereby deleting remote mep information causing 1DM session to be inactive on initiator.
Conditions: This issue occurs when 1DM probe is started on the responder followed by initiator with cos value 7.
Workaround: There is no workaround.
Symptom: With a rare combination, and VRF-related RG configurations, the router may crash following the configuration commands.
Conditions: This symptom is observed with the following configuration:
Workaround: There is no workaround.
Symptoms: The standby IOMD crashes on booting up the standby RSP.
Conditions: This symptom occurs when booting up the standby RSP with a configuration that is already present.
Workaround: Boot up the standby without any configurations and start configuration once the standby has reached STANDBY_HOT state.
Symptoms: A crash occurs while running CME smoke regression.
Conditions: This symptom is observed while running CME smoke regression.
Workaround: There is no workaround.
Symptoms: About 10 minutes after CUBE boot, the router crashes with the following traceback:
After the reload from the crash, it may take some time before it crashes again.
Conditions: This symptom occurs when CUBE receives the SIP REFER message with the Refer-To header having no user part.
Workaround: There is no workaround.
Symptoms: RRI routes are not installed in DMAP. “reverse-route” is a configuration in the DMAP. This prevents packets from being routed through the intended interface, and hence packet loss occurs.
Conditions: This symptom is observed when a simple reverse-route is configured in DMAP without any gateway options.
Workaround: There is no workaround.
Symptoms: Significant transaction time degradation is observed when an e-mail with attachment(s) is sent from the Windows 7 client using Outlook to a server running Outlook 2010 on the Windows 2008 server and the WAN latency is low, that is, ~12ms RTT.
Conditions: This symptom is observed when the client is Windows 7 and data is being uploaded using the MAPI protocol and the connection is being optimized by WAAS-Express.
Workaround: Disable WAAS-Express.
Symptoms: Execution of the show run command and other commands such as copy run start and show access-list cause the router to stop for a few minutes before completing.
Conditions: This symptom is observed with Cisco ISR G2 routers. This issue is seen only with IPV6 configured and used.
Workaround: There is no workaround.
Symptoms: On the Cisco 7600, both sides running Cisco IOS Release SRE4, Ethernet SPA configured with “negotiation Auto” and changed to “no negotiation auto”. The interface is operating in half-duplex instead of full-duplex mode.
Conditions: This is a timing issue seen when configuring/un-configuring auto-negotiation or when doing continuous router reload.
Recovery action: Configuring “shut” and “no shut” on the interface changes the duplex state to full-duplex.
Workaround: There is no workaround.
Symptoms: The IPv6 default route is not redistributed in BGP(VRF).
Conditions: This symptom occurs when the OSPFv3 “default-information originate always” is configured in the same VRF.
Workaround: To clear the issue, enter “cle ip bg *”. To avoid the issue, remove “default-information originate always” from OSPFv3 in the respective VRF.
Symptoms: RSA keys are not generated correctly.
Conditions: This symptom occurs when you first clear the RSA keys that are already generated on the router, and then generate the RSA keys.
Workaround: There is no workaround.
Symptoms: IPsec SAs are not getting deleted even after removing ACL.
Conditions: This symptom occurs when using the IPsec feature with Cisco IOS Release 15.3(0.18)T0.1.
Workaround: There is no workaround.
Symptoms: In ASR B2B HA setup, the new active router crashes at ccsip_send_ood_options_ping immediately after switchover with OOD OPTIONS enabled.
Conditions: This crash is seen in the following scenario:
– Standby router has OOD OPTIONS enabled either because it is present in startup configuration or enabled after boot-up.
Workaround: Reload standby router once after OOD OPTIONS configuration changes from enabled to disabled.
Symptom: Crash on rp2 : be_ip_arp_retry_
Workaround: Disable the ARP retry feature. To disable the ARP retry feature, the following two commands are needed: no ip arp incomplete enable and no ip arp incomplete retry.
Symptoms: Xconnect fails to negotiate to the correct vc-type on reload.
Conditions: This symptom is seen in vc-type4 session.
Workaround: Clear xconnect peer.
Symptoms: 2X1GE-SYNCE (metronome) SPA does not boot on a 2RU (Cisco ASR 1002).
Conditions: This symptom is observed with Cisco IOS XE Release 3.7S onwards, when metronome SPA (2X1GE-SYNCE) fails to boot on a 2RU. An error message indicating that the SPA is not supported is displayed on the RP console.
Workaround: There is no workaround.
Symptoms: Upon reload or OIR, the CFM MEP configuration on an xconnect EFP is removed and cannot be reconfigured.
Conditions: This symptom is observed with a CFM MEP on xconnect service instance. This issue is seen when reload or OIR is performed.
Workaround: Remove the domain configuration.
Symptoms: The GETVPN/GDOI Secondary Cooperative Key Server (COOP-KS) does not download the policy (that is, when the show crypto gdoi ks policy command is issued on the Secondary COOP-KS and the command output shows that no policy is downloaded) and Group Members (GMs) registering to the Secondary COOP-KS fail to register without any warning/error message.
Conditions: This symptom is observed when the GETVPN/GDOI group (with COOP configured) has an IPsec profile configured with one of the following transforms in its transform-set:
Workaround: Use esp-sha-hmac as the authentication transform instead.
Symptoms: Randomly, when the below condition is met, SP crashes followed by RP reset.
Conditions: Multicast enabled (PIM) on the tunnels protected with IPsec.
Workaround: There is no workaround.
Symptoms: Memory leak is observed.
Conditions: This symptom occurs after flapping the interface, keeping the setup idle, and executing “clear xconnect”.
Workaround: There is no workaround.
Further Problem Description: The PI front-end pseudoport is not deleted when the xconnect is removed, which causes the memory leak. This issue occurs because PD returns BDOMAIN_PP_FAILED to PI when pp_engine_context is a NULL pointer.
Symptoms: On a Cisco 7600 running Cisco IOS Release 15.2(4)S1, packets from FWSM are dropped when the servicemodule session is enabled. Ping fails for the VLAN interface on the FWSM module from the supervisor. The ARP entry is incomplete on the Cisco 7600.
Conditions: This symptom is observed with the following conditions:
– This issue is seen on the Cisco 7600 with FWSM and SUP-720-3B running Cisco IOS Release 15.2(4)S1.
– The FWSM is in Crossbar mode.
– The system is in “distributed” egress SPAN replication mode.
This issue is not seen with Cisco IOS Release 12.2(33)SRE7.
– Disable the servicemodule session.
– Change the fabric switching mode to bus.
– Change SPAN egress replication mode to “centralized”.
Symptoms: When a dynamic-EID host moves from one site to another, the hosts at the old site may not be able to communicate with the host that moved away.
Conditions: This symptom occurs if the xTR at the old site had a map-cache entry for the dynamic-EID host that moved, for example, due to lig self. Then, this map-cache entry prevents communication after the dynamic-EID host moved away.
Workaround: Clear the map-cache entry for the host prefix in question.
Symptoms: A Cisco ASR 1001 running Cisco IOS XE Release 3.6.2S or Cisco IOS XE Release 3.7.1S crashes with SNMP traffic.
Conditions: This symptom is observed with SNMP polling with an IP SLA configuration.
The crash signature is as follows:
Workaround: Remove the SNMP configuration from the router or schedule the probe before polling via SNMP.
Symptoms: Path confirmation fails for blind transfer scenarios for both SIP Line and trunk-side scenarios.
Conditions: This symptom is observed if “no supplementary-service sip refer” is configured.
Workaround: Configure “supplementary-service sip refer”.
Symptoms: A VRF cannot be deleted from CLI.
Conditions: This symptom is observed when “no ipv6 pim vrf <vrf name> rp-address <ipv6 address>” is entered immediately after “no vrf definition <vrf name>”
Workaround: After “no vrf definition <vrf name>”, do not enter “no ipv6 pim vrf <vrf name> rp-address <ipv6 address>”, until VRF deletion is completed.
Symptoms: The router crashes while configuring inherit peer-session.
Conditions: A peer-session template is inheriting from another peer-session template where the inherited template has the “ha-mode sso” configured. For example:
Workaround: There is no workaround.
Symptoms: When a dynamic cryptomap is used on the Virtual Template interface, SAs are not created and thus the testscripts fail. This issue occurs because the crypto map configurations are not added to the NVGEN, and hence there is no security policy applied on the Virtual Template interface.
Conditions: This symptom occurs only when a dynamic map is used on the Virtual Template interface. However, this issue is not seen when tunnel protection is used on the Virtual Template interface or when a dynamic map is used on the typical physical interface.
Workaround: There is no workaround apart from using tunnel protection on the Virtual Template interface.
Symptoms: A memory leak is seen at cca_realloc_cb_ce_mask.
Conditions: This happens when CCA is configured on multiple interfaces and one of them is brought down.
Workaround: There is no workaround.
Symptoms: Memory leak is caused by executing “show vpdn history failure” after PPP authentication failure.
Conditions: This symptom occurs when executing the “show vpdn history failure” CLI.
Workaround: There is no workaround.
Symptoms: Attaching the QoS policy on EFP with rewrite action as ingress rewrite push was not supported previously. Now, policy with only class-default can be attached to these EFPs.
Conditions: This symptom is observed only for EFPs with rewrite action configured as ingress rewrite push.
Workaround: There is no workaround.
Symptoms: Ping fails over RoutedPW.
Conditions: This symptom is seen with SVI based MPLS uplink.
Workaround: Disable mac learning.
Symptoms: Adding EFP to Bridge-Domain fails and errors are seen when reloading with Cisco IOS XE Release 3.7.1a.
Conditions: This symptom is observed when reloading the Cisco ASR 903 with Cisco IOS XE Release 3.7.1a, when EFP and PW are in the same Bridge-Domain.
Workaround: Post reload, remove the EFP configurations, and configure PW first and then EFP.
Symptoms: SSH use of Diffie-Hellman exchange to negotiate keying material is insecure and may lower the security of Diffie-Hellman exchange.
Conditions: There are known attacks against DH that effectively halve the length of the private key. Because SSH uses DH private values of certain lengths, if SSH is negotiated using AES-128 and HMAC-MD5, the time needed to recover the keys is lower than expected.
Workaround: There is no workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.6/3.2:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:S/C:P/I:P/A:N/E:POC/RL:U/RC:C
No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptoms: The mDNS responses are not received by client in latest mcp_dev.
Conditions: This symptom does not occur under any specific conditions.
Workaround: There is no workaround.
Symptoms: Bulk Sync failure when standby comes up with ser-policy on CEM PW.
Conditions: Bulk-sync failure when standby is brought up from rommon while having service-policy configured on cem circuit on the active.
Workaround: There is no workaround.
Symptoms: The PTP processor boot failure may lead to file descriptor leakage.
Conditions: This symptom is observed when the PTP processor is enabled.
Workaround: There is no workaround.
Symptoms: “ip” protocol is not accepted in the ping command with the IPv6 address configured.
Conditions: This symptom occurs when a single interface is configured with an IP address, and later, the mask alone is changed. For example:
Workaround: Configure a different IP address and then revert to the same address with the changed mask. For example:
Symptoms: Phase 2 for EzVPN client with split network and VTI does not come up if IPsec SA goes down.
Conditions: The root cause of the issue is that IPsec SA is not being triggered after IPsec SA is down due to no traffic. So in spite of traffic IPsec SA is not coming up leading to packet drops in client network. The same problem is not seen with Cisco IOS Release 15.0(1)M7. This behavior is introduced post-PAL where virtual-interface creates a ruleset where traffic cannot trigger IPsec SA again once IPsec SA is deleted.
Workaround 1: Configure “ip sla” on EZVPN client for split networks, so IPsec SA will not go down.
Workaround 2: Remove “virtual-interface” from EZVPN client profile if that is not needed.
Further Problem Description: The problem is not seen in Cisco IOS Release 15.2(4)M1 without virtual-interface.
Symptoms: SHA2 processing in software causes low throughput or high CPU.
Conditions: This symptom is observed with the Cisco 892 with SHA2 configured and the onboard crypto engine enabled running Cisco IOS Release 15.2(4)M and later releases.
Workaround: There is no workaround.
Conditions: This symptom is seen with rigorous flapping of the core.
Workaround: Have a stable core network.
Symptoms: After receiving the CRCX message, the Cisco AS5400 does not send 200 ok to SSW. SSW sends the CRCX message to the Cisco AS5400 again. Between these messages, debug outputs are displayed. It seems that the call is not disconnected completely for the end point by the previous disconnect request (the DLCX is received after the CRCX message from SSW). The end point may be stuck in call_disconnecting state.
Conditions: This symptom is observed with MGCP. This issue occurs when the Cisco AS5400 receives DLCX before sending 200 ok for the first CRCX message.
Workaround: There is no workaround.
Symptoms: The Cisco Y.1731 Performance Monitoring SLM interworking between the Cisco ME3400 and the Cisco IOS-XR ASR 9000 is not functioning.
Conditions: This symptom is observed when SLM is running on the Cisco ME3400 and Cisco IOS-XR ASR 9000 router.
Workaround: There is no workaround.
Symptoms: ARP exchange between the Cisco 7600 and the client device fails. The Cisco 7600 has an incomplete ARP entry in its ARP table for the client. This issue is likely to be seen between the Cisco 7600 and other Cisco platforms with MAC address 6073.5Cxx.xxxx. The incoming ARP reply is parsed by the platform CEF as an IP packet and dropped.
The following OUIs (as of October 30, 2012) are affected: (first 3 bytes from MAC address/MAC starts with)
60-73-5C (One of Cisco's OUI ranges)
Conditions: This symptom is observed with the EVC pseudowire and 802.1q subinterface on the same physical interface, and connectivity via the subinterface is affected.
– There should be a static ARP entry on the Cisco 7600 for the client’s MAC and IP.
– Change the MAC address of client to a nonaffected OUI.
NOTE: This ddts is caused/exposed due to fix of CSCtc22745
Symptoms: Incoming calls through e1 r2 stop working in Cisco IOS Release 15.2(4)M1.
Conditions: This symptom is observed with incoming calls through e1 r2 in Cisco IOS Release 15.2(4)M1. Outgoing calls work fine.
Workaround: Use Cisco IOS Release 15.2(2)T.
Symptoms: MPLSTPoSVI: Working path goes down after shut/no shut on SVI interface.
Conditions: This symptom is not observed under any specific conditions.
Workaround: Remove and re-add TP link configuration on SVI interface.
Symptoms: After SSO, traffic on the P2P-GRE tunnel within an MVPN may be affected.
Conditions: This symptom is observed with Cisco IOS Release SREx- and RLSx-based releases.
Workaround: Shut/no shut the P2P tunnel interface.
Symptoms: The PPPoE subscribers stop coming online.
Conditions: This symptom is not observed under any specific conditions.
Workaround: The following workarounds are used to resolve the issue:
1. Remove radius attribute “ip mtu x” from the user profile.
2. Remove accounting list from the service applied to the subscriber.
Symptoms: One-way voice audio issue is seen over CUBE after session re-INVITE is sent.
Conditions: This symptom is observed with the following call flows:
Workaround: Do not use SRTP on the CUCM <-> CUBE leg.
Symptoms: When a PC is moved between two VLAN ports (on one port, ISG is enabled, and the other is non-ISG) several times by its LAN cable connection on the L2SW that is connected to the Cisco ASR 1000 router, the PC becomes unable to acquire an IP address from DHCP on the router. At that time, an incorrect interface is shown in “show ip dhcp binding”.
Conditions: This symptom is observed with Cisco IOS Release 15.2(4)S1.
Workaround: There is no workaround.
Symptoms: The Embedded Packet Capture (EPC) for the Cisco ASR1000 platform is currently only available in the adventerprisek9 feature set. This is a basic infrastructure feature and needs to be enabled in all feature sets.
Conditions: This symptom is not observed under any specific conditions.
Workaround: There is no workaround.
Symptoms: The Cisco ME3800X hangs and crashes several times after receiving corrupted frames with CRC errors on TenGig interface.
Conditions: This symptom occurs due to bad quality optical link.
Workaround: Fix the link to remove line injected errors.
Symptoms: EIGRP routes that are not FS are getting into the routing table.
Conditions: The issue happens when we increase variance and maximum paths.
Workaround: There is no workaround.
Symptoms: A crash occurs in CME while accessing a stream in sipSPIDtmfRelaySipNotifyConfigd.
Conditions: This symptom occurs in CME.
Workaround: There is no workaround.
Symptoms: Under an extremely rare occurrence, a router can crash during “no router ospf <pid>” execution.
Conditions: This symptom is observed when there is a redistribute statement configured under the OSPF process.
Workaround: There is no workaround.
Symptoms: The extension mobility feature is failing.
Conditions: This symptom is observed in Cisco IOS Release 15.3(2)T.
Workaround: There is no workaround.
Symptoms: The EIGRP routes are not coming up after removing and reenabling the tunnel interface.
Conditions: This symptom is observed when EIGRP routes do not populate properly.
Workaround: There is no workaround.
Symptoms: The TCP HA connection gets closed with SSO disabled from standby.
Conditions: This symptom is observed when the connection is initiated from a non-HA box to an HA box.
Workaround: There is no workaround.
Symptoms: All the paths using certain next-hops under the route-map are marked inaccessible.
Conditions: This symptom occurs under the following conditions:
2. Apply BGP NHT with route-map (no BGP neighbors are created or added to peer groups).
5. Configure the BGP neighbor and add them to peer groups.
Workaround: Configure “route-map permit <seq-num> <name>” or activate at least one neighbor in “address-family ipv4”.
Symptoms: After SSO, sometimes the repair path over the remote LFA tunnel may point to drop adjacency.
Conditions: This symptom is a rare condition that appears infrequently in an older code base.
Workaround: Shut/no shut the interface to force recreating the tunnel.
Symptoms: The Cisco 7600 LC crashes when the frame interval is set less than 25 ms and aggregate interval is greater than 10.
Conditions: This symptom is observed when the frame interval is set less than 25 ms and aggregate interval is greater than 10.
Workaround: Do not set the frame interval to less than 25ms.
Symptoms: There is traceback after the Cisco SSO.
Conditions: This symptom is observed with Cisco EoMPLS and TE.
Workaround: There is no workaround.
Symptom: The MAC-address gets corrupted when user sends the multicast traffic.
Conditions: This symptom is observed with the Cisco IOS Release 15.1(4)M3 image, whereas the same multicast traffic works as expected with the Cisco IOS Release 12.4T image.
Workaround: A possible workaround is to enable the ip pim nbma-mode command at the CPE end.
Symptoms: The Cisco router crashes upon clearing of the AppNav counters.
Conditions: This symptom can occur in a normal running device.
Workaround: There is no workaround.
Symptoms: Local ID is 0.0.0.0 in PfR target discover feature.
Conditions: This symptom is seen when manual EIGRP is used for PfR target discover feature.
Workaround: There is no workaround.
Further Problem Description: A site will not be able to publish its local prefixes.
Symptoms: There is no sync of SADB on an active router when it reloads from the current standby router.
Conditions: This symptom occurs when the active and standby routers are up. Whenever a session is up, there is a sync of SADB from active to standby. When active reloads and is up, there is no sync of SADB from the current active router.
Workaround: Remove the isakmp-profile configuration under the crypto map.
Symptom: The ASR 903 is unable to pass traffic to the ASR 9000.
Conditions: Occurs with a clear-channel ATM over MPLS configuration using AAL0 encapsulation.
Workaround: Enable MPLS control-word on the ASR 9000.
Symptoms: SP crashes at “cfib_update_ipfrr_lbl_ref_count”.
Conditions: This symptom is observed with a scaled IP-FRR configuration.
Workaround: Remove the IP-FRR configuration.
Symptoms: The Cisco ASR 1000 router crashes with “Exception to IOS Thread” and the following error: “UNIX-EXT-SIGNAL: Segmentation fault(11), Process = Virtual Exec”
Conditions: This symptom is observed when an ACL used with “ip pim rp-address” is moved from standard to extended and “no ip multicast-routing” is configured (either in global or in a mVRF). The standard ACL must be deleted and recreated as extended, for example:
The following series of commands are necessary to trigger the crash:
Workaround: Crash can be prevented by any of the following methods:
1. Disassociate the standard ACL from “ip pim rp-address” before deleting ACL. For example.
2. Do not convert a standard ACL to extended while it is still being referenced in “ip pim rp-address”. Use a new name for the new extended ACL.
3. Do not disable multicast routing using “no ip multicast-routing”.
Symptoms: After reload, ISDN layer 1 shows as deactivated. Shut/no shut brings the PRI layer 1 to Active and layer 2 to multiframe established.
Conditions: This symptom occurs when “voice-class busyout” is configured and the controller TEI comes up before the monitored interface.
Workaround: Remove the “voice-class busyout” configuration from the voice-port.
Symptoms: The following error message is seen on the console:
Conditions: This symptom is seen under the following conditions:
Workaround: There is no workaround.
Symptoms: The following traceback appears in the console:
Conditions: This symptom is observed when you enable IPv6.
Workaround: There is no workaround. This symptom does not have a functional impact.
Symptoms: The Cisco WS-SUP720 running Cisco IOS Release 12.2(33)SRE3 crashes.
Conditions: This symptom occurs during a CPU process history update.
Workaround: The issue can be avoided by removing the configuration statement for “CPU Utilization Statistics”.
Symptoms: The Cisco ME3600X/ME3800X switch crashes as soon as you apply policy-map referencing table-map.
Conditions: This symptom occurs when applying a service policy that has an unsupported combination of police action with table-map and without table-map.
Workaround: Configure a service policy which does not have the combination of police action with table-map and without table-map.
Symptoms: The CoS-inner value is getting copied to CoS in case of Q-in-Q configuration on EVC bridge-domain.
Conditions: This symptom is observed with EVC bridge-domain with Q-in-Q and no rewrite configuration.
Workaround: There is no workaround.
Symptoms: PW redundancy on the Cisco 7600 does not work when the primary VC goes down and the backup VC takes over, and CE to CE communication is broken.
Conditions: This symptom is observed with the following conditions:
– The MPLS facing LC is WS-X6704-10GE.
Workaround: Use another HW on the MPLS core.
Symptoms: Traffic drops for a few VPLS VCs when ECMP links are present.
Conditions: This symptom occurs when you shut one of the ECMP paths when more than 200 VPLS VCs are configured.
Workaround: There is no workaround.
Symptoms: ES+ line card reload occurs with the following error messages:
Conditions: This symptom is observed with the ES+ line card.
Workaround: There is no workaround.
Symptoms: NAT CLIs expose the vrf keyword on the Cisco 7600, which is not supported.
Conditions: This symptom is observed with a NAT configuration.
Workaround: Do not use the vrf keyword for NATing on the Cisco 7600.
Symptoms: All L2PT protocols do not work when you have l2pt configured only on the port-channel EVC.
Conditions: This symptom is observed when you have a l2pt EVC only under port-channel interface and it does not configure the EARL redirect register.
Workaround: Configure a l2pt EVC under any physical interface.
Symptoms: DHCP-Restart-session does not get synced to the standby for a dual-stack session.
Conditions: This symptom occurs when you create a dual-stack session (one stack should be DHCPv4) on the box, clear it, and then restart the DHCP session.
Workaround: There is no workaround.
Symptoms: On a router running two ISIS levels and fast-reroute, the router may crash if “metric-style wide level-x” is configured for only one level.
Conditions: Issue may happen if metric-style wide is configured for only one level on router running both levels, and fast-reroute is configured.
Workaround: Configure metric-style wide for both levels (by default).
Symptoms: An ICC 12.0 compiler warning is seen on mcp_dev - policy.
Conditions: This symptom is observed during compilation, when the policy code throws a warning.
Workaround: There is no workaround.
Symptoms: MPLS-TP tunnels remain down after the standby RSP boots.
Conditions: Occurs when you boot the standby RSP after applying an MPLS-TP configuration and performing an SSO. The issue occurs rarely.
Workaround: Issue a shutdown/no shutdown on the MPLS-TP tunnel. A nonintrusive workaround is to cause a flap on the protect label switched path (LSP) by reconfiguring the path or physically shutting down and restoring the interface.
Symptoms: Performing a default MDT toggling on a VRF results in the encapsulation tunnel adjacency’s MTU being set to a lower MTU.
Conditions: This symptom is observed with Cisco IOS XE Release 3.7S (Cisco IOS Release 15.2(4)S) and later releases when the mdt default <> is toggled on a VRF.
Workaround: Delete and add the affected VRF.
Symptoms: A shut/no shut on an SVI with SRC and receivers connected on the same VLAN on the encap PE causes the router to crash.
The same crash was reproducible with a shut/no shut of the access interface on the CE connected to the PE. At this point, IGMP snooping was disabled and MLD was enabled.
Conditions: This symptom occurs under the following conditions:
1. IGMP snooping was disabled and MLD is enabled
2. Cisco IOS version RLS 11 (15.2(01)S) and above
Workaround: Enabling IGMP resolves this issue.
Further Problem Description: An IGMP specific structure was getting accessed which would be invalid when IGMP is disabled. This leads to the crash.
Symptom: The map cache entries are lost after RP switchover when lisp_patr is configured.
Conditions: This symptom occurs after RP switchover.
Workaround: There is no workaround.
Symptoms: Changing policy-map parameters triggers a Cisco IOSd crash.
Conditions: This symptom is observed when the policy-map is attached to a service instance on the Cisco ASR 903.
Workaround: Remove the policy-map from the target and then make the changes.
Symptoms: WS-SUP720-3B running Cisco IOS Release 12.2(33)SRE4 crashes at get_alt_mod after issuing “sh run int g4/13” with several trailing white spaces until the cursor stops moving.
Conditions: This symptom occurs when you issue the show run interface command with trailing spaces until the cursor stops moving.
Workaround: Do not specify trailing spaces at the end of the show run interface command.
Symptoms: The SP crashes when no mpls ip followed by shut is performed on a port-channel acting as the core link for a scaled VPLS and EoMPLS setup.
Conditions: This symptom occurs when VPLS runs over a port-channel protected by IP-FRR. When the port-channel is shut, the AToM VC goes down and is created again, and the PPO object is also created afresh. The VC going down was not handled for the VPLS case, so the AToM VC pointers were still stored in the IP-FRR EoMPLS list; accessing them caused the crash.
Workaround: There is no workaround.
Symptoms: Configured DHCP routes are seen twice in show run.
Conditions: This symptom is observed when we configure a route through DHCP.
Workaround: There is no workaround.
Symptoms: SPA crash is seen when invoking spa_choc_dsx_cleanup_atlas_ci_config with no data packed.
Conditions: This symptom is observed when the packed data size should be 1 and the status should be success.
Workaround: There is no workaround.
Symptoms: Traffic with the wrong tag is sent after the rewrite tag is modified dynamically.
Conditions: This symptom is observed when the tag to be pushed is changed dynamically; the device sends traffic with the previously configured tag.
Workaround: Remove the service instance and reconfigure with new rewrite tag to be pushed.
Symptoms: MVPNv6 is not working with IPservices image.
Conditions: This symptom is observed as MVPNv6 is supported only from Cisco IOS Release 15.2(4)S. So, this issue is applicable for any release after Cisco IOS Release 15.2(4)S.
Workaround: Use the enterprise image.
Symptoms: With the two commands listed under the conditions of this release note configured, the Cisco router might start advertising a low TCP receive window size to the TCP peer for a specific TCP transaction. The value of this receive window size becomes equal to the configured MSS value and never exceeds this value afterward. This might impact TCP performance.
Conditions: This symptom happens only if the following two commands are configured on the router:
Workaround: Either change the path-mtu discovery ager timeout to 0, or remove one of the two commands.
Symptoms: Standby crash after doing account-logon with v4 session.
Conditions: Perform Account Logon.
Workaround: There is no workaround.
Symptoms: Excessive loss of MPLS VPN traffic and high CPU utilization is observed due to the process switching of MPLS traffic over the ATM interface.
Conditions: This symptom occurs when MPLS is enabled on the ATM interface with aal5snap encapsulation.
Workaround: There is no workaround.
Symptoms: The L2PT packets are not reaching the destination from one peer to another.
Conditions: This symptom is observed under the following conditions:
1. When you have L2PT EVC along with non-L2PT EVCs on the same interface or port-channel interface.
2. On LC OIR or reload, the L2PT packets do not get tunneled.
Workaround: Remove and add the L2PT config on the EVC.
Symptoms: BFD sessions are not offloaded.
Conditions: This symptom occurs when XDR infra creates a split event for an XDR mcast_grp and the BFD client ignores it. For this bug, the reason for the split is that a slot is not able to process messages as fast as other slots, thus causing distribution for all slots to block while it catches up. This issue typically occurs with either of the following conditions:
1. The slot has a slower CPU than the others.
2. The amount of work being done during processing of messages is greater than on other slots.
Symptoms: 6VPE packets get punted and policed.
Conditions: This symptom is seen when ESP header is enabled.
Workaround: There is no workaround.
Symptoms: A router running IOS with an LDP session configured to use a key-chain password crashes when the password expires.
Conditions: This symptom occurs when LDP is configured to use a keychain for a session and that keychain is configured with a lifetime, causing the password to expire.
Workaround: Do not configure the keychain with a lifetime; this causes the keychain to never expire.
Symptoms: There is a trace back without any traffic loss.
Conditions: This symptom occurs when you disable and enable multicast routing on vrf without any delay.
Workaround: If disable/enable of multicast routing is given with a time gap, this issue does not occur.
Symptoms: IOSD crashes on ISG policy handling process.
Conditions: This symptom is seen while handling ISG subscriber traffic.
Workaround: There is no workaround.
Symptoms: Multicast traffic does not flow over mvpn.
Conditions: SVI is used as core interface.
Workaround: Use a physical interface as core interface.
Symptoms: Ping fails between CE routers.
Conditions: This symptom is observed when you configure MPLS VPN Inter-AS IPv4 BGP Label Distribution and flap “mpls bgp forwarding” in the interface between ASBRs.
Workaround: Removing and adding (flapping) the static routes between ASBRs resolves the issue.
Symptoms: The multilink ID range has to be increased from the existing 65535.
Conditions: This symptom is observed specifically with the Cisco MWR1.
Workaround: There is no workaround. The range is now made configurable based on PD.
Symptoms: RPF information for IPv6 multicast mroutes is not updated when routing changes.
Conditions: This symptom occurs when an IPv6 multicast configuration is present in the startup configuration.
Workaround: After startup, remove all IPv6 multicast configurations, if any, and then apply the configuration as needed.
Symptoms: Scale 48k ISG IP sessions which are weblogon and tal authenticated sessions, and then churn the sessions.
Conditions: This symptom occurs when the system runs out of memory after churning for a couple hours.
Workaround: Reboot the system to recover memory.
Symptom: The router records incorrect delay measurements after a reload.
Conditions: Occurs under the following conditions:
– You configure Delay Measurement Message (DMM) on a port-channel interface.
– The port-channel member links are on different interface modules (IMs).
– You reload the router.
Workaround: You can use the following workarounds:
– Remove the ethernet cfm global command and re-apply it after the port-channel member links recover.
– Configure PTP clock synchronization.
Symptoms: Router is showing CPU utilization at 99%. LDAP seems to be hogging the CPU process.
Conditions: This issue can occur randomly at any time where NTLM authentication is deployed. This issue is observed only when the server is not able to handle the churn of requests and requests are stuck in the Bind On-Going state, which can be verified with show ldap server server-name connections.
Workaround: Clearing LDAP server connections helps in resolving this issue:
clear ldap server server-name.
Symptoms: After a clear crypto session, sometimes ident SM remains at responder side.
Conditions: This symptom occurs when clear crypto session is issued multiple times: the crypto map is deleted but the ident remains because of a race condition with new connections that are also coming up. Since the map is removed and the ident remains, the new connections never come up.
Symptoms: The Gateway fails to send ACK after 200 OK while testing DNS/SRV Lookup on a VOIP peer with weight/priority.
Conditions: This symptom is observed when a Cisco router is loaded with c2900-universalk9-mz.SSA.153-1.7.T image.
Workaround: There is no workaround.
Symptoms: Router goes down due to crash.
Conditions: Have CFM over xconnect with PC in the core and run Y1731 DMM on it.
Workaround: There is no workaround.
Symptoms: The NBAR error message with protocol discovery is activated when we move HTTP to another port [using “ip nbar port-map” command].
Conditions: This symptom occurs when we move HTTP to another port [using “ip nbar port-map” command].
Workaround: There is no workaround.
Symptoms: For an elected BSR in an HA system, shortly after the standby becomes active, there is a 2-3 minutes period with no BSR messages sent.
Conditions: This symptom occurs when there is an HA switch on the elected BSR.
Workaround: There is no easy workaround other than not configuring a C-BSR on an HA system.
Symptoms: Memory leak is seen on the router related to CCSIP_SPI_CONTRO.
Conditions: This symptom is observed in CME SIP phones with Presence in running-configuration.
Workaround: There is no workaround. You may try to remove Presence from running-configuration.
Symptoms: After a reload on the Cisco ASR 1000 series router, several key syslogs are sent with the incorrect source address for a few seconds. Due to the wrong source address, the syslogs are dropped at the collector end.
Conditions: This symptom is observed when the loopback interface is configured as the source address of the syslogs.
Workaround: There is no workaround.
Symptoms: The scansafe socket is not closed by a reset from the client.
Conditions: This symptom occurs when sending a connection request from the client (SYN packet). This issue is seen when ack is sent instead of syn+ack for a syn request from the server. The client will send a Reset(RST) signal for ack received instead of syn+ack. The L4F/scansafe box displays that the flow is not closed.
Workaround: Make sure that the server does not have a stale TCP tuple flow entry before trying for a connection from the client.
Symptom: When you apply a QoS policy with a port level class-default configuration containing a shaper value to a serial interface, the router applies the shaper value to the channel-level PIR for all serial interfaces on the IM.
Conditions: Occurs when you apply a QoS policy with a port level class-default configuration containing a shaper value to a serial interface.
Workaround: Add a dummy class-default level at the top of the policy and apply the shaper as a child policy of this class.
Symptoms: Build breakage occurs due to CSCub81489 partial export to mcp_dec.
Conditions: This symptom is observed with export to mcp_dec.
Workaround: There is no workaround.
Symptoms: The Cisco ASR1k router crash was observed while running the RPR switch-over test.
Conditions: This symptom occurs when the RPR switch-over test is performed.
Workaround: There is no workaround.
Symptoms: The system crashes when monitoring traffic with performance monitoring policies on the incoming and outgoing interfaces.
Conditions: This symptom is observed when a large number of flows is being monitored and traffic changes.
Workaround: Redefine the match criteria to reduce the number of flows generated with the type of traffic being monitored.
Symptoms: When the Ethernet SPA with Catskills SFPs (GLC-SX-MMD/GLC-LH-MMD) is reloaded, the SPA could go out of service with the following error message:
Conditions: This symptom occurs when the Ethernet SPA is booted with the Catskills SFPs (GLC-SX-MMD/GLC-LH-MMD). The defect could be hit during both reload and initialization.
Workaround: Boot the Ethernet SPA without the Catskills SFPs and insert the Catskills SFPs after the Ethernet SPA has completely booted.
Symptoms: The DHCP clients were not allocated IP addresses.
Conditions: This symptom occurs when a default session is configured on the interface and we receive DHCP discover on that interface.
Workaround: Keep the DHCP and Walkby sessions on different interfaces.
Symptoms: The “initial-contact” configuration option is not needed, as the behavior is already enabled.
Conditions: This symptom is observed when you use IKEv2, along with Cisco IOS Release 15.2(4)M.
Workaround: There is no workaround.
Symptoms: Active router reloads, and standby takes over.
Conditions: This symptom occurs with continuous deletion of VRFs with very little time gap between the deletions.
Workaround: Delete a few VRFs at a time with time gap between deletions.
Symptoms: The Cisco ASR 901 may crash while running an automated test script containing several tests to test the multi-nni feature.
Conditions: This symptom occurs when you run the automated tests several times.
Workaround: Do not run the test script (configure manually).
Symptoms: CUBE crashes during a blind-transfer scenario and when “media preference IPv6” is configured.
Conditions: This symptom occurs only when “media preference IPv6” is configured but is not seen when “media preference IPv4” is configured.
Workaround: Configure “media preference IPv4”.
Symptoms: The values reported for “application media packets rate variation [sum]” may be incorrect. The functionality of Media Rate Variation TCA (Threshold Crossing Alarm) may also be impacted by this.
Conditions: This symptom is observed when the user wants to obtain MRV metrics by including the following command in the Performance Monitor flow record configuration:
Workaround: There is no workaround.
Symptoms: In a GETVPN scenario, the GM fails to install policies on reload. A crypto map is applied on ethernet 0/0 while the local address of the crypto map is configured with ethernet 0/1.1.
Conditions: This symptom occurs after a reload. The GM fails to install policies from the key server.
Workaround: Remove the crypto map configuration on the interface and reapply.
Symptoms: HQF does not clear up when the Bandwidth remaining ratio is misconfigured on the Child Policy.
Conditions: This symptom is observed when an incorrect configuration triggers the policy rejection and fails on the cleanup with the nondefault queue-limit setting in the class-default class.
Workaround: Apply the configuration with the correct setting.
Symptoms: A crash may occur while using GETVPN with fragmented IPv6 traffic.
Conditions: This symptom occurs when IPv6 IPsec is used. This issue is triggered by fragmented IPv6 packets.
Workaround: There is no workaround.
Symptoms: On the Cisco 7200, the tunnel is established correctly and encryption and decryption occur correctly. However, after decryption, the packet is not punted to the iVRF in which the tunnel interface resides, leading to a broken IPSec-DataPath.
Conditions: This symptom is observed with the Cisco 7200 with VSA under the following conditions:
– Tunnel (GRE/mGRE) in an iVRF with Tunnel protection configuration.
Workaround: This issue has been observed with Cisco IOS Release 15.0(1)M9 and Cisco IOS Release 12.4(24)T8, so downgrade might be an option. There is no known configuration-related workaround yet, although software crypto will work just fine.
Symptoms: Virtual Access are not removed.
Conditions: Issue is seen only when CSCuc45115 is already in image.
Workaround: There is no workaround.
Symptoms: One-way audio is observed when a call goes through BACD and comes over SIP trunk.
Conditions: This symptom occurs when a call comes through SIP trunk and is connected to an agent phone via BACD during the third call xfer, along with the “headset auto-answer” configuration in the ephone.
Workaround: Remove the “headset auto-answer” configuration in the ephone configuration.
Symptoms: The Cisco ASR 1000 series router and Cisco ISR 4400 series hubs crash.
Conditions: This symptom occurs when the physical and tunnel interface are flapping.
Workaround: There is no workaround.
Symptoms: End to end L3 traffic is affected if the host queue (cpu queue 2) increments continuously at high rates (2000 packets/s and above).
Conditions: This symptom occurs when the host queue (cpu queue 2) increments continuously at high rates (2000 packets/s and above).
Workaround: There is no workaround.
Symptoms: The Call Progress Analysis (CPA) feature does not work. Though DSP is allocated and programmed for the CPA functionality, no CPA events are detected and reported.
Conditions: The symptom is observed for those call flows, where media bridging occurs after 200 OK responses.
Workaround: There is no workaround.
Symptoms: Incremental memory leaks are seen at IPSec background proc.
Conditions: This symptom is observed with “clear nhrp cache”.
Workaround: There is no workaround.
Symptoms: The mpls traffic-eng reoptimize timers delay cleanup command does not take effect in the path protection. When path protection kicks in and “mpls traffic-eng reoptimize timers delay installation” expires, the new best LSP is installed, but the protection path is torn down at the same time. This can cause a few seconds of packet drops, which are being carried over the protection LSP.
Conditions: This symptom occurs when the path protection switchover is triggered on the protected tunnel.
Workaround: There is no workaround.
Symptoms: The router crashes after issuing the show platform nrm-mpls fid-chain handle value command.
Conditions: If the value entered is beyond the addressable memory, the router will crash. This is an engineering command that was not intended to be viewable by customers.
Workaround: Do not issue the command except under the direction of a Cisco engineer.
Symptoms: When using RLFA repair paths, traffic loss may occur during reconvergence following a link failure.
Conditions: RLFA tunnel is used as a repair path. The greater the number of prefixes affected by the topology change the more likely the traffic loss is to be seen.
Workaround: There is no workaround.
Symptoms: The cos inner value gets changed on marking with cos in egress on QinQ service instance without rewrite.
Conditions: This symptom occurs on QinQ service instance without the rewrite operation.
Workaround: There is no workaround.
Symptoms: L2 subscriber packets with new IP addresses on different interfaces would be dropped even when “ip subscriber l2-roaming” is enabled.
Conditions: This symptom occurs when both ISG and DHCP servers are in the same L2 broadcasting domains. ISG should not act as the DHCP server/client.
Workaround: Place ISG and DHCP servers in different broadcasting domains.
Symptoms: The arp packets from the subscriber are not getting resolved.
Conditions: This symptom occurs when both HSRP and arp ignore local are configured on the same interface and there exists a session for that MAC address. The interfaces should be configured as l2-connected.
Workaround: Do not configure HSRP and arp ignore local on the same interface.
Conditions: This symptom is seen when applying IVRF configuration on IKE profile.
Workaround: There is no workaround.
Symptoms: PTP session is stuck in HOLDOVER after PTP is unconfigured and configured on Master.
Conditions: This symptom occurs when unconfiguring and configuring PTP on Master.
Workaround: Do not configure the configurations below as part of the PTP configuration when no physical ToD and 1PPS cables are connected to Wh2.
Symptoms: An IPsec VPN tunnel fails to be established. The debug crypto ipsec command shows no output when attempting to bring up the tunnel.
Conditions: This symptom occurs when all of the following conditions are met:
1. The crypto map is configured on a Virtual-Template interface.
2. This Virtual-Template interface is configured with “ip address negotiated”.
3. The tunnel is initiated locally (in other words, if the tunnel is initiated by the peer, it comes up correctly).
Workaround: Downgrade to Cisco IOS Release 15.2(2)T3 or earlier releases or always initiate the VPN tunnel from the peer.
Symptoms: Serial interface with FRF12 feature is not coming up.
Conditions: The flags related to FRF12 feature are not properly updated in elocal ucode table.
Workaround: There is no workaround.
Symptoms: Abnormal CPUHUG is observed when doing “config replace”.
Conditions: This symptom is observed with “config replace” in a LISP scaling configuration.
Workaround: There is no workaround.
Symptoms: The MAC flaps in the network happen on the reload of the device.
Conditions: The MAC flaps occur because multicast BPDUs are being sent back into the VPLS core after they reach the destination. This behavior causes MAC flaps on every device that is on the path through which the BPDU traverses.
Workaround: Apply split horizon at the bridge-domain where the MAC flaps happen.
Symptoms: Multicast traffic might not flow through when the P2P tunnel is the incoming interface in the Cisco 7600 router.
Conditions: This symptom occurs in the Cisco IOS Release 12.2SREx and Cisco IOS Release 15.0x.
Workaround: Shut and no shut of the P2P tunnel interface.
Symptoms: The Whales box crashes due to link flaps.
Conditions: This symptom occurs due to link flaps.
Workaround: There is no workaround.
Symptoms: Call transfer with Trombone and ANAT fails.
Conditions: This symptom occurs when CUBE is configured with ANAT and Antitrombone, and during call transfer, the call fails due to wrong media negotiation.
Symptoms: A Cisco 3900 running with CME and Skinny Phones could experience CPUHOGs and a Watchdog, resulting in a crash.
Conditions: This symptom is observed with Cisco 3900 running with CME and Skinny Phones.
Workaround: There is no known workaround.
Symptoms: A router running Cisco IOS Release 15.2(4)M2 will reload with a bus error soon after the DSP reloads when there is a live transcoding session.
Conditions: This symptom is observed with Cisco IOS Release 15.2(4)M2.
Workaround: There is no workaround.
Symptoms: IP SLA does not show any statistics and raw db will not be populated.
Conditions: This symptom occurs when the core interface is switch port trunk.
Workaround: There is no workaround.
Symptoms: In a multi-home MLDP inband setup with different RDs configured, there is no MLDP state on ingress PE if BGP best path is different than multicast RPF PE.
1. MLDP inband profile is configured in multi-home setup with different RDs.
2. BGP chosen best path is different than chosen RPF PE for multicast.
Workaround: Configure route policy on egress PE such that chosen RPF PE is same as BGP best path.
Symptoms: Data encapsulation fails in the Cisco IOS Release 15.3(1.11)T image.
Conditions: This symptom occurs when ISM-VPN is enabled as the crypto engine.
Workaround: Disable ISM-VPN and use either the Onboard crypto engine or the Software crypto engine.
Symptoms: There may be a delay of 15 or more seconds before switching over to a backup pseudowire in a pseudowire redundancy configuration.
Conditions: This symptom has been observed on the ME3600 platform when the attachment circuit is a VLAN.
Workaround: There is no workaround.
Symptoms: A crash may happen while loading a protocol pack.
Conditions: The protocol pack buffer that is being used to load a protocol pack is not null-terminated.
Workaround: The protocol pack buffer must be null terminated.
Symptoms: User-defined classes in the policy-map applied on EVC with rewrite push are not supported. This configuration gets accepted in certain conditions.
Conditions: This symptom happens when the QoS policy is applied first to the EFP, and then the Bridge domain configuration is applied.
Workaround: There is no workaround.
Symptoms: SNMP GET fails for VPDN related MIB.
Conditions: Receiving a SNMP GET for the MIB before all VPDN config is applied.
Workaround: Reloading the router.
Symptoms: sla_sender crashes on reset even with 50 active probes.
Conditions: The probes should be active while being reset.
Workaround: There is no workaround.
Symptoms: Receivers on slot10 - 13 of the Cisco 7613 chassis cannot receive multicast traffic when the egress replication mode is used.
Conditions: This symptom occurs on RSP720-10G + CISCO7613 chassis and when using the egress replication mode.
Workaround: Change the replication mode to ingress by using the below given CLI:
Symptoms: CPU errors are seen with (*, G/M) entries on ACL.
Conditions: This symptom is seen on ME3600CX boxes operating in Mode 3 or Mode 4.
Workaround: Operate the ME3600CX boxes in Mode 2.
Symptoms: The Cisco ASR1k (ISG) router crashes when service-activate is pushed through CoA/web logon.
Conditions: This symptom occurs when a subscriber is already authenticated and gets a redirect to a web-portal page and tries to activate the service. The ISG receives the CoA and crashes.
Workaround: There is no workaround.
Symptoms: VLAN-RAM is programmed with VPN as 0. Traffic destined to a particular vpnid is dropped though it comes on a proper VLAN.
Conditions: This symptom occurs during P2P scaled configuration when the router boots up and notices the VLAN-RAM is programmed with vpnid 0.
Workaround: Reload the line card.
Symptoms: During archive download to upgrade a software version, an old image present in the board does not get deleted or displayed.
Conditions: This symptom occurs during an archive download.
Workaround: There is no workaround.
Symptoms: Router crashes during scale testing.
Conditions: During scale, the box runs out of memory, resulting in a malloc failure. The malloc'ed memory is not checked for failure, resulting in a crash.
Workaround: There is no workaround.
Symptoms: Remote CFM MEPs are not discovered with the command “show ethernet cfm maintenance-points remote”. CFM packet debug also does not show any received CCMs even though it is sent correctly from the other end.
Conditions: This symptom is seen when we have UP MEP on EVC-BD with VPLS L2 VFI in the core. The issue occurs in Cisco IOS Release 15.2(2)S2 and later releases.
Workaround: Downgrade to Cisco IOS Release 15.2(1)S2 or lower.
Symptoms: Carrier-delay does not work on an ES+ card under the following specific condition:
Carrier-delay configured on gig 4/13 does not work on an ES+ card when we sh down gig0/1 on peer C3560 in the below given situation:
2. do [ sh] on gig0/1 right after 1
gig4/1 will go up as soon as gig 4/3 gets down instead of waiting till the configured carrier-delay timer expires.
Conditions: This symptom occurs when we enter sh on the peer device.
Workaround: There is no workaround.
Symptoms: The following error message is displayed:
Conditions: This symptom is an intermittent issue seen on a new standby RP after an RP switchover when a second fault, that is, the dataplane fault occurs while the VC is still recovering from RP failover.
Workaround: Remove the “aaa new-model” configuration and reconfigure xconnect.
Symptoms: FRR LFA will wrongly switch to the alternate path if BFD is unconfigured on the peer router.
Workaround: Shut the interfaces with BFD configured, remove the BFD config on both routers, then re-enable the interfaces.
Symptoms: DHCP Snooping client ignoring IPC flow control events from CF.
Conditions: This condition occurs when CF gives flow control off event and client does not handle it.
Workaround: There is no workaround.
Symptoms: The Cisco 3925 router running Cisco IOS Release 15.0(2)SG reloads when connecting to a call manager.
Conditions: This symptom is observed with the Cisco 3925 router running Cisco IOS Release 15.0(2)SG.
Symptoms: Classification based on the prec/dscp egress policy does not work as expected.
Conditions: This symptom occurs in L2VPN scenarios when the user has the below given configurations:
1. dscp/prec based policy on egress access EVC of SVI based EoMPLS
2. cos based policy on egress access EVC xconnect
Workaround: There is no workaround.
Symptoms: Classification does not work properly.
Conditions: This symptom occurs only if we have classes based on ACL match and normal DSCP match. Only ACL class will classify properly and other classes do not work.
Workaround: There is no known workaround.
Symptoms: A CPU hog is seen at nile_mgr_bdomain_get_efp_count and is followed by a crash.
Conditions: This symptom occurs on booting the router with some tunnel configurations.
Workaround: There is no workaround.
Symptoms: When multipath static routes are added and they exceed the maximum multipath route limit for the platform, the routes will not be installed in the RIB. Later, when installed routes become unreachable, the previously uninstalled routes are not added back.
Conditions: This symptom is observed with multipath static routes. The maximum number of multipath routes for a destination depends on the platform. For instance, it is 8 for Cisco Catalyst 4500 Series.
Workaround: Issue the following command:
Symptoms: Executing “no ip icmp redirect” globally does not stop ICMP redirects.
Conditions: None. This command is not functioning as expected.
Workaround: There is no workaround.
Symptoms: The router crashes because of chunk corruption.
Conditions: This symptom occurs when mLDP Rosen and Inband are configured on the router.
Workaround: There is no workaround.
Symptoms: This defect is to disable BGP PIC core in the code level for the time being.
Conditions: The conditions for this symptom are not known at present.
Workaround: There is no workaround.
Symptoms: Configuring a long list of rep block port preferred vlan results in losing part of this configuration after the reload.
will result in two lines in running conf:
After the reload, the second line overwrites the first and only one remains.
Workaround: Reconfigure rep block list after the reload.
Symptoms: The ISG box crashes when a specific policy-map rule is applied.
Conditions: This symptom occurs when a “default-exit” action is being configured for a regular session.
Workaround: Do not configure the “default-exit” action for regular sessions as it is not a valid action for regular sessions.
Symptoms: Packet loss is seen over the pseudowire, along with high CPU.
Conditions: When IPv6 site-local multicast MAC traffic is sent over SVI EoMPLS, the traffic is looped between the PEs of the EoMPLS.
Workaround: There is no workaround.
Symptoms: A Cisco router or switch may unexpectedly reload due to a bus error or SegV when running the command “show ip cef... detail”.
Conditions: The crash happens when the output becomes paginated (---More---) and the state of the CEF adjacency changes while the output is waiting at the More prompt.
Workaround: Set “term len 0” before running “show ip cef... detail”.
Symptoms: Filtering based on L4 ports does not happen for redirection to CE.
Conditions: This symptom occurs when the WCCP service uses a redirect-list and this ACL has its first entry as a “deny”.
Workaround: Make the first entry in the redirect-list ACL a “permit”.
Symptoms: Ping fails with security applied and IKE disabled.
Conditions: This symptom is observed when the Cisco IOS Release 15.3(1.15)T image is loaded.
Workaround: There is no workaround.
Symptoms: A Cisco IOS router may crash while performing the NSF IETF helper function for a neighbor over a sham-link that is undergoing NSF restart.
Conditions: The router is configured as an MPLS VPN PE router with OSPF as the PE-CE protocol; OSPF in the VRF is configured with a sham-link; the neighbor router over the sham-link is capable of performing NSF IETF restart on sham-links.
Note: The problem cannot be seen if both routers on the sham-link ends are Cisco IOS routers.
Workaround: Disable the IETF Helper Mode protocol via:
Note: Disabling Helper Mode will result in an OSPF peer dropping adjacency if the peer is reloaded.
Symptoms: A crash occurs when MLP is configured.
Conditions: This symptom is observed with an MLP configuration.
Workaround: There is no workaround.
Symptoms: ES crashes after the second 401 challenge.
Conditions: This symptom occurs when the second 401 is received after SDP offer/answer with 183/PRACK is complete. This is a rare scenario.
Workaround: There is no workaround.
Symptoms: The router crashes when the fair-queue policy is removed from the dialer interface.
Conditions: This symptom occurs when the fair-queue policy is removed from the dialer interface or a dynamic session.
Workaround: There is no workaround.
Symptoms: A CPU hog is seen at nile_mgr_bdomain_get_efp_count and is followed by a crash.
Conditions: This symptom occurs on booting the router with scaled mVPN configurations.
Workaround: There is no workaround.
Symptoms: VLAN-RAM is programmed with VPN 0. PIM neighborships of random sessions (10-12 out of 30) go DOWN.
Conditions: This symptom occurs when MVPN is configured with 30 L3VPN sessions. When there is a boot up, PIM neighborships of random sessions (10-12 out of 30) go DOWN.
Workaround: Remove and add the VRF configuration for these MVPN sessions.
Symptoms: An IOS memory leak is seen at com.cisco.cxsc-cxsc-5651.
Conditions: Two firewalls and kWAAS are configured.
Workaround: There is no workaround.
Symptoms: Traffic stops forwarding over port-channels configured with FAST LACP after an RP switch over.
Conditions: This symptom occurs after an RP fail over.
Workaround: A shut/no shut interface will help recover.
Symptoms: TAL-failed lite sessions do not convert into dedicated sessions.
Conditions: This symptom occurs when VRF is applied on the access interface.
Workaround: There is no workaround.
Symptoms: The SBC CUBE device rejects call connections.
Conditions: This symptom is observed when the Chunkmanager holds a lot of memory and calls do not get processed.
Workaround: Reloading the box helps to make the box stable.
Symptoms: A crash occurs upon defaulting and doing shut/no shut on the backup switch interface.
Conditions: This symptom occurs when the working and backup SVIs are connected back to back with the peer device.
Workaround: There is no workaround.
Symptoms: Compilation error in tunnel_endpoints.c breaks the build.
Conditions: This symptom is observed in tunnel_endpoints.c.
Workaround: There is no workaround.
Symptoms: A Cisco ME3600/ME3800 series switch may reload when a BGP session flaps.
Conditions: This will only be seen if there is more than one BGP neighbor configured on the ME3600/ME3800, and it applies only to 15.3(1)S.
Workaround: There is no workaround. This issue is not present in 15.2(2)S and will be fixed in 15.3(1)S1.
Symptoms: When using remote-LFA repair paths, traffic loss may occur during reconvergence following a link failure.
Conditions: This symptom occurs in a ring topology with a mix of fast and slower platforms where a remote-LFA tunnel is used as a repair path. The greater the number of prefixes affected by the topology change, the more likely the traffic loss is to be seen.
Workaround: There is no workaround.
Symptom: The archive download command fails in the mcp_dev/xe39 nightly image, which is being used for software upgrade.
Conditions: This symptom occurs only on the whales2 box.
Workaround: There is no workaround.
Symptoms: Classification based on qos group in the egress policy is not working correctly.
Conditions: With an L3VPN configuration, packets on the core interface should be classified based on exp and marked with qos-group. On the egress interface, packets should be classified based on qos group on the service instance.
Workaround: There is no workaround.
Symptoms: A crash occurs in the PD prefix update handler.
Conditions: This symptom occurs in a 6VPE setup after configuring an overlapping IP address on the PE and then sending traffic.
Workaround: There is no workaround.
Symptoms: Redistributed internal IPv6 routes from v6 IGP into BGP are not learned by the BGP neighboring routers.
Conditions: This symptom occurs because of a software issue, due to which the internal IPv6 redistributed routes from IGPs into BGP are not advertised correctly to the neighboring routers, resulting in the neighbors dropping these IPv6 BGP updates in inbound update processing. The result is that the peering routers do not have any such IPv6 routes in BGP tables from their neighbors.
Workaround: There is no workaround.
Symptoms: Incremental memory leaks are seen at IPSec background proc.
Conditions: This symptom occurs when “clear cry session” is issued multiple times when bringing up the tunnel.
Workaround: There is no workaround.
Symptoms: Unexpected behavior is seen with ingress QoS, caused by commit CSCuc01040.
Workaround: There is no workaround.
Symptoms: A router running IOS with ISIS remote-LFA configured could crash.
Conditions: This symptom occurs when shut and no shut are performed on an interface multiple times.
Workaround: Disable the ISIS remote-LFA configuration.
Symptoms: Classification based on qos group along with prec/dscp in the egress policy is not working correctly.
Conditions: With an L2VPN/L3VPN configuration, packets on the core interface should be classified based on exp and marked with qos-group. On the egress interface, packets should be classified based on qos group and prec/dscp/cos inner, and so on.
Workaround: There is no workaround.
Symptoms: LISP control packets are dropped in the network.
Conditions: There are more than 32 hops between sender and receiver.
Workaround: There is no workaround.
Further Problem Description: LISP control packets are sent with an IP TTL of 32, meaning that if there are more than 32 IP hops between the sender and receiver, they will be dropped in the network.
Symptoms: With PIM enabled on a P2P GRE tunnel or IPSec tunnel, the SP of a 7600 might crash.
Conditions: The probability of seeing this issue is higher when more tunnels go through the same physical interface.
This issue would be seen in SREx and 15.S-based releases only.
Workaround: There is no workaround.
A vulnerability in the DHCP implementation of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability occurs during the parsing of crafted DHCP packets. An attacker could exploit this vulnerability by sending crafted DHCP packets to an affected device that has the DHCP server or DHCP relay feature enabled. An exploit could allow the attacker to cause a reload of an affected device.
Cisco has released free software updates that address this vulnerability. There are no workarounds to this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130925-dhcp
Note: The September 25, 2013, Cisco IOS Software Security Advisory bundled publication includes eight Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the September 2013 bundled publication.
Individual publication links are in “Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication” at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep13.html