Resolved Caveats—Cisco ASR 1000 Series Aggregation Services Routers Release 3.11S
This section documents the resolved issues in Cisco ASR 1000 Series Aggregation Services Routers Release 3.11S.
Symptom: No calls shown in show call active voice brief, however many active calls may be running.
Conditions: There are no known conditions.
Workaround: There is no workaround.
Symptom: A crash occurs during registration in SRST mode.
Conditions: This symptom occurs during registration in SRST mode.
Workaround: This issue is fixed and committed.
Symptom: When tunnel source pivoting based on track object states is used with a FlexVPN client, the tunnel source does not change when the track object state changes. Instead, the tunnel source changes only later, after a DPD failure. This can lead to potential one-way traffic and traffic blackholing from spoke to hub.
Conditions: This symptom occurs when tunnel sources are dynamically set using object tracking feature.
Workaround:
– Use IKE routes using config-set.
– Use RPF (reverse path forwarding) check on the spoke outside interfaces, so that when traffic arrives from a hub on an interface, and there is no route, it will get dropped, thus DPD on spoke will delete existing IKE SA and cause.
– Use periodic IKE DPD (dead peer detection) on spoke.
– Enable IKE DPD on Hub.
Symptom: ASR1001 or ASR1002 may report the following message after booting IOS
%IOSXEBOOT-1-BOOTFLASH_FAILED_MISSING: (rp/0): Required Bootflash disk failed or missing, reloading system
Conditions: This error message is due to the internal eUSB memory device, on rare occasions, not responding to the initial accesses. A reboot will address the issue.
Workaround: Rebooting the system will clear the condition.
Symptom: IOS CA issues incorrect rollover identity certificates to its clients; the rollover certificates issued will have an expiry date corresponding to the end-date of the currently active (and soon to expire) CA certificate. Thus, the rollover identity certificate will not be valid after the CA rollover takes place.
Conditions: The symptom is observed only if the clients have sent the rollover certificate request via an IOS RA certificate server.
Workaround: There is no workaround.
Symptom: %IOSXE-3-PLATFORM: R0/0: kernel: physmap-flash.0: Chip not ready
Conditions: This symptom occurs when performing redundancy force-switchover on ASR1006 (RP1).
Workaround: Reload ASR1006.
Symptom: Router crashes in SIP processing due to a freed pointer in memory.
Conditions: There are no known conditions.
Workaround: There is no workaround.
Symptom: The number of IPSec SAs on the box keeps increasing.
Conditions: This symptom occurs when IPSec rekeys occur due to volume lifetime exhaustion.
Workaround: Turn off the volume based rekey.
Symptom: SIP secure phones drop calls when they Hold and Resume a call to a non-secure phone.
Conditions:
– CONDITION I (tested in lab) 8945 SIP Phone Reproduce steps:
Three phones A, B, and C register to secure SRST: A and B are SIP phones, C is an SCCP phone. A and B are in encrypted mode; phone C is in non-secure mode. A calls B and establishes a secure call. B presses transfer to C. After B and C establish a non-secure call, B presses transfer. B then displays the toast "call transferred successfully!", but A and C do not establish a call. Phones A and C should establish a non-secure call.
– CONDITION II (Customer scenario) Secure SRST. SIP Phones registered to the router with secure and non-secure profiles. Call Flow:
SIP Phone A (secure) ---> SIP Phone B (non-secure). A pressed Hold, Resume. SIP Phone A (secure) ---> SIP Phone C (secure) -----> Transfers call to SIP Phone B (secure). Phone A is not asked by router to stop transmitting SRTP and switch to RTP. Problem has been observed on 6941, 7962 and 8945 SIP phones.
Workaround: There is no workaround.
Symptoms: A router unexpectedly reboots and a crashinfo file is generated. The crashinfo file contains an error similar to the following:
%ALIGN-1-FATAL: Illegal access to a low address 04:52:23 UTC Wed Sep 19 2012 addr=0x4, pc=0x26309630z, ra=0x26309614z, sp=0x3121BC58
Conditions: This symptom occurs when IPsec is used. More precise conditions are not known at this time.
Workaround: There is no workaround.
Symptom: ASR router drops IPSEC packets that are larger than the MTU and no error message is logged. Following is the error message:
%CRYPTO-4-RCVD_PKT_INV_SPI
Error messages were available in earlier releases, but in the newer XE 3S releases no logs are available for troubleshooting even during drops.
Conditions: Router A and router B act as CE access routers in an MPLS/VPN network. The command ipsec fragmentation after-encryption is enabled on router A, but platform ipsec reassemble transit is not enabled on the peer router B.
Workaround: There is no workaround.
Symptom: ASR1k filters out the ARP requests with its own src address. This leads to ping failure between two interfaces which belong to different vrf and own same IP subnet; vrf v1 1.0.0.1/24 and vrf v2 1.0.0.2/24, for instance.
Conditions: gig0/0/0 connected back-to-back to another interface on the same router (with VRF configured on at least one of the interfaces).
Workaround: Configure some mac on gig0/0/0 and then unconfigure the mac.
Symptom: Console error message similar to the following:
%ASR1000_INFRA-3-EOBC_SOCK: R0/0: linux_iosd-image: Socket event for EO0, fd 16, failed to send 1472 bytes; Resource temporarily unavailable.
Conditions: This symptom is observed when large number of features are configured.
Workaround: There is no workaround.
Symptom: Router crash related to DNS and VRF
Conditions: This symptom is observed in ASR running IOS XE image 03.07.03.S
Workaround: There is no workaround.
Symptom: CME not pushing agent stats fields to tftp.(logged in and out times)
Conditions: This symptom is observed when Benelli specific fields not getting pushed.
Workaround: There is no workaround.
Symptoms: On ASR1002 system, show platform hardware crypto-device context packet count does not show correctly.
Workaround: There is no workaround.
Symptom: SIP phones not registering to SRST when number cli with wild card configured under voice register pool.
Conditions: This symptom occurs when you configure number cli with wild card configuration under voice register pool. number 1 900....
Workaround: Create separate pools for all the phones without wild cards.
Symptom: Reset reason is not correctly displayed for some of the IOS-XE reloads.
Conditions: This symptom is observed when IOS-XE reloads due to punt path keepalive failure.
Workaround: There is no workaround.
Symptom: IKE_CP_ATTR_SPLIT_EXCLUDE support is needed on IOS side for anyconnect client.
Conditions: This symptom is observed when you include local LAN.
Workaround: There is no workaround.
Symptom: Ipsec-MIBs:- cikeTunHistPeerLocalValue and cikeTunHistPeerRemoteValue does not return an IP address
Conditions: There are no known conditions.
Workaround: There is no workaround.
Symptom: EzVPN client cannot access the Internet over the VPN. Access to Hub internal resources works fine. The ZBF firewall on the Hub drops the encrypted ESP(udp) traffic from self to out containing reply from the host on the Internet. Log on the hub:
%FW-6-DROP_PKT: Dropping udp session 8.8.8.2:0 8.8.8.1:53000 on zone-pair self-out class class-default due to DROP action found in policy-map with ip ident 0 source IP and port is incorrect.
Conditions: EzVPN client behind NAT and source port is PATed - is not udp 4500. EzVPN client reaching the Internet with u-turn on the Hub. Hub has ZBF policy from self to outside permitting VPN traffic. Hub has CEF enabled.
Workaround: Remove the ZBF policy from self to outside.
Symptom: Only single L2TP IPSEC vpn client can connect to vpn when they are behind PAT device even though NAT DEMUX is configured.
Conditions: VPN clients behind PAT device.
Workaround: There is no workaround.
Symptom: Packet drops occur when performing a ping from an ASR1001 console with packets of large size (i.e. several kilobytes).
Conditions: This issue is specific to the ASR1001 and requires a burst of data from the Control Plane to the Forwarding Plane such that internal hardware buffers are saturated. Normal processing will continue, however there will be drops when the hardware buffer is full.
Workaround: There is no workaround.
Symptom: The user should not be allowed to reconfigure an existing NAT64 dynamic mapping if the mapping has active translations.
Conditions: Issue occurs when modifying a dynamic NAT64 mapping with active translations to an overload NAT64 mapping.
Workaround: Clear the translations before modifying the mapping, or delete the mapping with a forced option before configuring overload.
Symptom: We saw again GTP-U drops for communication that should not have been dropped. Swisscom agrees that this might be related to some timers and pending PDP sessions that need to be terminated. Since local tests with mobile devices were all successful, Swisscom wants and needs to go for 24 h test to see if the GTP-U drops really lead to a service impact for mobile users. To document this issue, a SR was opened: SR 624629207 ASR1K - Release 3.7.2 - GTP-U drops due to missing pinholes. All log files and a PCAP file are attached to that SR.
Conditions: There are no known conditions.
Workaround: There is no workaround.
Symptom: There is no CLI options and flags for enabling/disabling the EZchip provided debug levels.
Conditions: Popinac ELC.
Workaround: There is no workaround.
Symptom: Small packet performance for multicast traffic has unexpected dip with 03.07.01S on ESP40.
Conditions: A change made while optimizing performance for ESP80 and ESP160 was to use the internal recycle queue for the root of the replication tree instead of the leaves recycle queue used for all other nodes. Unknowingly, this resulted in a big performance impact on the ESP40.
Workaround: Small packet performance can be returned to acceptable levels by disabling MLRE with the configuration command platform multicast lre off. The downside of disabling MLRE is that large packet performance will be reduced by almost half for large packets.
Symptom: Transcoding sessions are intermittently becoming stuck after call is cleared.
Conditions: When transcoding configured in DSPfarm.
Workaround: Reload Gateway F.
Symptoms: The Cisco AS5350 stops processing calls on PRI with a signaling backhaul from PGW. In the packet trace, there is no q931 message from PGW. Further analysis shows that the AS5350 sends a q_hold (0x5) message in BSM, causing the peer (PGW) to stop sending signaling traffic. However, there is no BSM_resume message or BSM_reset sent after it. Hence, PGW is stuck in this condition. There was an earlier defect, CSCts75818, with similar symptoms in U-state.
Conditions: This symptom is observed due to some RUDP timing issues that cause BSM session switchover.
Workaround: Reload the Cisco AS5350 (but only when CU notices the outage). Also, shutting both Ethernet interfaces may help, but this workaround has not been tested.
Symptom: ASR1K ucode crash with interrupt cause REM_REM_MISC_ERR_LEAF_INT_INT_REM_POP_REQ_TO_EMPTY_SCHED
Conditions: Issue can be seen when flapping Multilink PPP or MLFR interfaces. The timing window to hit this issue is very small, so it is not a common occurrence on a bundle flap.
Workaround: There is no workaround.
Symptom: Call failure / disconnect during Call hold seen after SSO.
Conditions: When call hold is with c-line=0.0.0.0 in flow around mode.
Workaround: There is no workaround.
Symptom: ASR cube-ent failover happens under heavy load conditions.
Conditions: This issue is caused due to glare condition while destructing an established call under heavy load.
Workaround: There is no workaround.
Symptom: No video legs output for DO-DO BWcac with multicodec call.
Conditions: No video legs output for DO-DO BWcac with multicodec call.
Workaround: There is no workaround.
Symptom: ASR1001 Series router throws error messages when an RP (IOS) switchover is done.
Conditions: ASR1001 Series router throws error messages when an RP (IOS) switchover is done along with traffic.
Workaround: There is no workaround.
Symptom: SIP PSTN gateway may delay response to BYE message at end of a T.38 call.
Conditions: Incoming call to SIP gateway goes out a PRI. Call successfully switches to T.38. BYE is received by SIP gateway. 200 OK response is delayed by a few seconds.
Workaround: There is no workaround.
Symptom: CUBE fails to send options-keepalive after dnslookup.
Conditions: Sending out Options works fine when DNS is configured to resolve to an IPv4 address. When DNS is configured to resolve to an IPv6 address, the dial-peer is busied out without sending the Options.
Workaround: Disabling Options Keepalive.
Symptom: Video calls are failing with improper call legs.
Conditions: After doing test case specific configurations, a basic call is made. While checking the call legs after the call is connected, improper call legs are seen on CUBE3.
Workaround: There is no workaround.
Symptom: Consult transfer with remote optional-mandatory strength fails as SDP precondition does not match.
Conditions: This happens only for consult transfer but not for blind transfer.
Workaround: There is no workaround.
Symptom: It is very difficult to debug empty video recordings.
Conditions: For all video recording calls.
Workaround: Do packet capture.
Symptom: Memory leaks found with EAP authentication.
Conditions: FlexVPN client using EAP authentication. A memory leak occurs at every client connect.
Workaround: There is no workaround.
Symptom: Traceback at DMVPN Spoke registration, DMVPN QoS policy not deployed to datapath component.
Conditions: When there is a routing issue such that the ASR1k acting as the DMVPN hub can receive spoke registrations but does not have a valid route to the spoke (i.e. the spoke's forwarding interface is Null0) and the spoke's QoS configuration include a queuing feature, then the QoS policy will fail to get applied and the ESP will be in a state that requires it to be reloaded to recover from this.
Workaround: There is no workaround, but the following actions can get the router operational again.
1. Correct routing issue and reload the ESP and/or
2. Remove the QoS queuing feature and reload the ESP
Symptom: The Agent Greeting is not played out.
Conditions: This symptom is observed with the Agent Greeting Call Flow using CVP.
Workaround: There is no workaround.
Symptoms: ASR with PKI certificate may crash when issuing show crypto pki certificate command.
Conditions: This symptom is observed when the show crypto pki certificate command is issued on ASR with PKI certificate.
Workaround: There is no workaround.
Symptom: The interrupt infrastructure is in place; the user space handling of interrupt delivery to Aggregation ASIC userspace driver code is not being done correctly.
Conditions: This fixes the user space handling of interrupt delivery to Aggregation ASIC user space driver code.
Workaround: There is no workaround.
Symptom: After execution of 'show platform hardware qfp active feature mma client policy-map name <name> detail' wrong number of classes were presented in detailed view.
Conditions: FAll tools avc config.
Workaround: There is no workaround.
Symptom: A FlexVPN spoke configured with an inside VRF and front-door VRF may have problems with spoke-to-spoke tunnels if they are not the same. During tunnel negotiation, two Virtual-access interfaces are created (while only one is needed), the one in excess may fail to cleanup correctly. As a result, the routes created by NHRP process may lead to loss of traffic, or traffic may continue to flow through the Hub.
Conditions: This symptom occurs when the VRF used on the overlay (IVRF) and the VRF used on the transport (FVRF) are not the same.
Workaround: There is no workaround.
Symptom: Both outgoing RTP streams are dropped on the router interface. When looking into output, both incoming and outgoing RTP streams are clearly visible, however packet capture from the interface contains only two incoming RTP streams. What is more, router console presents the following error message:
IP-3-LOOPPAK Looping packet detected and dropped - src=172.22.233.65, dst=172.22.233.76, hl=20, tl=200, prot=17, sport=16390, dport=20832 in=GigabitEthernet0/1, nexthop=172.22.233.76, out=GigabitEthernet0/1 options=none -Process= "IP Input", ipl= 0, pid= 126 -Traceback= 21127EC4z 21129118z 2112A560z 2112AA38z 2112AFA4z 21110178z 2112C580z 21110918z 21110B58z 21110C38z 21110E50z 23C1ACA4z 23C1AC88z
Conditions: Defect was encountered in 2900 series routers with IOS version: 15.2-3.T2 when using no ip cef command.
Workaround: Issue the ip cef command.
Symptom: cpp_cp_svr crash @ cpp_ifm_if_delete_cntx is seen.
Conditions: While removing PVCs and invalid interfaces.
Workaround: There is no workaround.
Symptom: A Cisco 3845 that is running Cisco IOS Release 15.1(4)M2 may have a processor pool memory leak in CCSIP_SPI_CONTROL.
Conditions: Seen while using DNS as target destination and DNS resolution failure occurs. Sample config:
sip-ua
 retry invite <snip>
 timers expires <snip>
 timers buffer-invite <snip>
 sip-server dns:<hostname removed>
 reason-header override
Leak can be seen in normal call flow if DNS configured and DNS resolution fails because of insufficient bandwidth, not able to create SDP or container.
Workaround: There is no workaround.
Symptom: If the MNC code is 001, AIC cannot match it.
Conditions: match mcc or mnc.
Workaround: There is no workaround.
Symptoms: TRP Sessions not found after making Basic SRTP Call.
Conditions: Router loaded with c2951-universalk9-mz.SSA.153-1.4.T.
Workaround: There is no workaround.
Symptom: GDOI version mismatch on KS1.
Conditions: A script executing show logging | inc CTS-SGT on secp23-11 (KS1) shows the GDOI version as 0x13EBE8B0, but it should show 0x1000002.
Workaround: There is no workaround.
Symptom: The traffic may not be shaped correctly resulting in more traffic to leak through or the router crashes when model 3/4 subscriber policy is applied.
Conditions: The model 3 and 4 hierarchy is built incorrectly on ESP-100/200 and ASR1002X when the subscriber policy is added after the main interface is already active.
Workaround: There is no workaround.
Symptom: LSC installation fails if the RSA Key pair size associated with CAPF server is larger than 512 Bytes.
Conditions: Secure CME implementation. Sample config:
!
crypto pki trustpoint capf
 enrollment url http://<ip-addr>:<port-num>
 serial-number
 revocation-check none
 rsakeypair capf 1024 1024
!
capf-server
 auth-mode null-string
 cert-enroll-trustpoint <trust-point>
 trustpoint-label capf
 source-addr <ip-addr>
!
Workaround: Use 512 Bytes RSA key size:
crypto pki trustpoint capf
 enrollment url http://<ip-addr>:<port-num>
 serial-number
 revocation-check none
 rsakeypair capf 512 512
Symptom: Only one call leg is shown at stand by router instead of 2 call legs.
Conditions: Issue is seen in HA set up on stand by router for fax call scenario between H323 <---> SIP.
Workaround: There is no workaround.
Symptom: Substantial drop of performance. High latency and packets drops.
Conditions: Router is configured with full AVC config (NBAR,ART,QoS) and Ipsec. This issue will be seen with high traffic (more than 500mbps). Packet drops can be verified by issuing this command.
show platform hardware qfp active statistics drop clear
-------------------------------------------------------------------------
Global Drop Stats                         Packets                  Octets
-------------------------------------------------------------------------
IpsecOutput                                  3250                 3242721
Ipv4NoAdj                                     797                 1056357
PuntErr                                         1                     276
Workaround: Disable AVC from the interface.
Symptom: Routes are not routed via the gateway being configured.
Conditions: Routes are not routed via the gateway being configured.
Workaround: There is no workaround.
Symptom: In SBC-B2B, after no attach/attach an adjacency, calls rejected with 503 Service Unavailable.
Conditions:
– config vrf001 on BOX1(ACTIVE) then on BOX2(STANDBY).
– config adjacency's vrf&signaling-address and media-address... vrf... both refer to vrf001.
– switch-over.
– no attach/attach adjacency on BOX2(ACTIVE).
– later calls rejected with 503 Service Unavailable.
Workaround: Always add or change vrf related SBC config on the same box.
Symptom: When the configuration option file verify auto is enabled and a local copy operation is done for a file that does not contain a signature, e.g. a log file or configuration backup, the copy will fail.
Conditions: file verify auto is enabled in running configuration.
Workaround: Use copy /noverify or disable file verify auto.
Symptom: A router may crash when the tunnel interface is flapped or while booting the router with VPN configs.
Conditions: The crash occurs in a VPN enabled scenario with either sessions being active and a shut/no shut is issued on the interface or the sessions coming up on the box after a reload.
Workaround: There is no workaround.
Symptom:
%IOSXE_RP_SPA-4-IFCFG_CMD_TIMEOUT: Interface configuration command.
Conditions: Observed tracebacks and traffic drop during MDR upgrade.
Workaround: There is no workaround.
Symptom: DND does not show any status update unless you are in a hunt group.
Conditions: 6945 phone, running 9.3.3.2 and some earlier loads.
Workaround: There is no workaround.
Symptom: Trace back is seen when user portion is missing in Req-URI or To Header URI.
Conditions: This symptom is observed in a basic call.
Workaround: There is no workaround.
Symptom: Copper SFPs always show Half-Duplex in show interface.
Conditions: Basic copper SFP bringup.
Workaround: There is no workaround.
Symptom: When the ipsec lifetime is changed globally it does not take effect on the ipsec session.
Conditions: Any ipsec implementation with ipsec profile.
Workaround: Unconfigure the lifetime from the ipsec profile.
Symptom: ASR-CUBE: Crash observed with DSMP.
Conditions: Load scenario issue is observed.
Workaround: There is no workaround.
Symptom: UPDATE is not being forwarded to UAC and it is being responded with 200OK to UAS. This issue is seen when UPDATE is received from UAS, when 18X transaction is still pending on UAC side.
Conditions: 18x response is transmitted reliably on both call-legs.
Workaround: When UPDATE is received from UAS after some delay (i.e., after completion of the 18X-PRACK transaction on the UAC side), CUBE sends the early dialog UPDATE to the UAC side correctly.
Symptom: One-way video is seen while CUBE is trying to negotiate packetization mode=1 for H264 video codec in both the legs and one video endpoint doesn't support packetization mode=1 for H264 video codec.
Conditions: When there is DO-DO video call from a video endpoint which supports only Packetization Mode=0 for H264 video codec to a video endpoint which supports both packetization modes like 0 & 1.
Workaround: Make an EO-EO video call from the endpoint which only supports packetization mode=0, so that CUBE will negotiate packetization mode=0 for both the legs and two-way video will be seen.
Symptom: CUBE reloads while testing SDP pass through with v6.
Conditions: The symptom is observed while testing SDP pass through with v6.
Workaround: Do not use SDP pass through and use normal SIP processing call flows.
Symptom: Certain PKI CLIs may show wrong values.
Conditions: First found on IOS 15.1(4)M6 but not exclusive to it.
Workaround: There is no workaround.
Symptom: After a brief unavailability of LDAP CRL, no new CRL fetches can be performed. The following messages are seen on the interface:
Mar 28 08:23:37.988: CRYPTO_PKI: Retrieve CRL using LDAP DIRNAME
Mar 28 08:23:37.988: CRYPTO_PKI: Failed to send the request. There is another request in progress.
Conditions: This symptom was first seen in Cisco IOS Release 15.1(4)M6. The issue is not limited to this release.
Workaround: Configure the revocation-check none command under the affected trustpoint. Reload the router.
Symptom: On an ASR1K the clock timezone command is meant to be used as follows: clock timezone zone hours-offset [minutes-offset] where zone is a text field e.g. EDT, PST, and hours-offset and minutes-offset are integers. Incorrectly adding a hyphen or a dash in the zone text field causes unintended and harmful behavior.
Conditions: One way to cause this to happen (essentially a typo) is to configure clock timezone EST-5 0 0 where one really meant to type clock timezone EST -5 0.
Workaround: If 0 is the intended offset it is probably best to simply remove the config line entirely. If 0 is not intended then correcting the typo will correct the issue. In any case the root cause of the issue is the hyphen in the text field and should always be avoided.
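The typo described in this caveat can be found in saved configurations before it reaches a router. The following Python audit is an added example, not part of Cisco's release note: function names and the sample lines are constructed for illustration, and the suggested correction assumes the digits fused to the zone name were meant as the hours offset, so it needs human review.

```python
import re
from typing import List, NamedTuple, Optional

# ASCII hyphen plus the Unicode dashes that editors often substitute for it.
DASHES = "-\u2010\u2011\u2012\u2013\u2014\u2212"
_DASH_RE = re.compile("[" + re.escape(DASHES) + "]")
# Zone name fused with what was probably meant as the hours offset, e.g. EST-5.
_FUSED_RE = re.compile("^([A-Za-z]+)[" + re.escape(DASHES) + r"](\d+)$")
_INT_RE = re.compile(r"^[+-]?\d+$")


class Finding(NamedTuple):
    lineno: int
    line: str
    problems: List[str]
    suggestion: Optional[str]  # best guess only; None when no guess is possible


def audit_clock_timezone(config_text: str) -> List[Finding]:
    """Flag 'clock timezone zone hours-offset [minutes-offset]' lines whose
    zone text field contains a hyphen or dash, or whose offsets are not
    integers."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if tokens[:2] != ["clock", "timezone"]:
            continue  # also skips 'no clock timezone' and comment lines
        args = tokens[2:]
        problems: List[str] = []
        suggestion = None
        if not args:
            problems.append("zone and hours-offset are missing")
        else:
            zone, offsets = args[0], args[1:]
            if _DASH_RE.search(zone):
                problems.append("hyphen or dash inside the zone text field")
                fused = _FUSED_RE.match(zone)
                if fused:
                    # Assumption: 'EST-5 0 0' was meant as 'EST -5 0', so the
                    # fused digits become the hours offset and the last typed
                    # value is kept as the minutes offset.
                    parts = ["clock", "timezone", fused.group(1),
                             "-" + fused.group(2)]
                    if len(offsets) >= 2:
                        parts.append(offsets[1])
                    suggestion = " ".join(parts)
            if not offsets:
                problems.append("hours-offset is missing")
            for value in offsets[:2]:
                if not _INT_RE.match(value):
                    problems.append(f"offset {value!r} is not an integer")
        if problems:
            findings.append(Finding(lineno, raw.strip(), problems, suggestion))
    return findings


# Constructed sample: one clock line per hypothetical device, not real output.
SAMPLE = "\n".join([
    "! constructed sample lines, not taken from a real device",
    "clock timezone EST-5 0 0",        # the typo quoted in the caveat
    "clock timezone PST -8 0",         # correct form
    "clock timezone IST 5 30",         # correct form with minutes offset
    "clock timezone CET\u20131 0 0",   # en dash pasted from a document
    "no clock timezone",
])

if __name__ == "__main__":
    for f in audit_clock_timezone(SAMPLE):
        print(f"line {f.lineno}: {f.line}")
        for p in f.problems:
            print(f"  problem: {p}")
        if f.suggestion:
            print(f"  possible intent: {f.suggestion}")
```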
Symptom: A packet gets dropped when a spoke-spoke session is triggered in Dynamic Multipoint VPN (DMVPN).
Conditions: This symptom occurs when a ping is sent using a tunnel interface as the source or the destination.
Workaround: Send traffic from host-host.
Symptom: A ucode crash is hit in a LISP ZBFW scaling case; the scaling numbers are 500 LISP instances, 50k EID table, and 500 zone pairs. The crash is hit in the unconfigure firewall data stage. It is reproducible.
Conditions: Unconfigure the lisp fw.
Workaround: There is no workaround.
Symptom: An NHRP resolution request is forwarded to the first NHS on the tunnel interface instead of being forwarded along the routed path.
Conditions: DMVPN phase 3 implementation.
Workaround: There is no workaround.
Symptom: playout-delay fax CLI is not changing T.38 and modem pass through playout buffer to accommodate packet jitter.
Conditions: Ability to reduce the default Fax playout delay.
Workaround: There is no workaround.
Symptom: Call failure.
Conditions: Media antitrombone Call forward cases SDP pass through.
Workaround: There is no workaround.
Symptom: Fields from a refer are not sent out on the corresponding INVITE when this is a SIP GW.
Conditions: 15.1.4M6.
Workaround: There is no workaround.
Symptom: Interface where HSRP is configured, crypto ikev2 clustering feature does not work.
Conditions: Master/Slave do not sync with each other and the socket error is seen.
Workaround: Feature works without vrf.
Symptom: Transcoder insertion failed with specific Contact Center call flow.
Conditions: Transcoder insertion is failing with following call flow:
ISP                        CUBE                        CVP
Initial Call Leg with RTP-NTE on ISP Leg and Inband on CVP leg
INVITE ------>              |
100 Trying <------          |
                            | ------> INVITE (g711)
                            | <------ 100 Trying
                            | <------ 180 Ringing
                            | <------ 200 OK (g711, g729)
180 Ringing <------         |
                            | -------> ACK (Invite)
200 OK <------              |
ACK ------>                 |
REINVITE from CVP
                            | <------ INVITE (g729 g711)
                            | -------> 100 Trying
                            | -------> 200 OK (g729)
                            | <------ ACK
BYE ------>                 |
200 OK <------              |
                            | ------> BYE
                            | <------ 200 OK
Transcoder is not getting invoked when CVP sends reinvite with g729 g711. From logs it is observed that CUBE is sending 200 Ok with g729, but clearing all transcoder reservation.
Configuration:
– Midcall-signaling block enabled at outbound.
– VCC enabled without offer-all cli.
Workaround: There is no workaround.
Symptom: In a NAT64 configuration, show policy-map type inspect zone-pair sessions shows NATed ipv4 address for the ipv6 host. It should show the hosts' real IP addresses, i.e. v6->v4 or v4->v6, not v4->v4. The PD command sh plat ha qf ac fe fir da scb actually shows the scb's addresses as the real hosts' addresses, i.e. v6->v4 or v4->v6. However, the v6 host's port number is still shown as the translated v4 port number. In the ZBFW datapath log at cpp_cp*.log, the session key printed in the debug messages is showing wrong port number. The session key is supposed to be all v4, but the port number is actually printed as v6 port number. For the PD show scb command filter such as sh plat ha qf ac fe firewall datapath scb ipv6 3000::2 44 ::1d00:2 444, we can't use the v6 port to match the session and have to use v4 port of the v6 host to match.
Conditions: NAT64 configuration. For the issues involving v6/v4 port numbers, they are only visible if there is PAT configuration, i.e. if the v6 host's port number can be changed after NAT64 translation.
Workaround: There is no workaround.
Symptom: Missing dial tone when pressing new call with existing two-way whisper call.
Conditions: This symptom is observed with whisper intercom only.
Workaround: There is no workaround, however you are able to make outgoing call without dial tone.
Symptom: Mid-call UPDATE with SDP is rejected with 500 Internal Server Error.
Conditions: This issue is seen only for DO-DO call-flow.
Workaround: There is no workaround.
Symptom: A path confirmation failure occurs for Dual Tone Multifrequency (DTMF) tones.
Conditions: This symptom occurs in an SIP-SIP call flow in IPv4 and IPv6 scenarios.
Workaround: There is no workaround.
Symptom: On an ASR involving transcoded calls, hung data plane issue is seen during abnormal disconnect of the calls.
Conditions: On an ASR involving transcoded calls, hung data plane issue is seen during abnormal disconnect of the calls.
Workaround: There is no workaround.
Symptom: DTMF digits are not being heard when there is an interworking between rtp-nte-98 to inband.
Conditions: When working with some third party sip switches that can only RTP-NTE with a payload type of 99 on the ingress side and another third party SIP IVR that can only support INBAND DTMF, ASR CUBE will fail to convert the RTP-Events to Inband even though a Xcoder is invoked on the call flow.
Workaround: Configure voice-class sip asymmetric payload full, voice-class sip midcall-signaling block on the incoming dial-peer and voice-class sip midcall-signaling block on the egress dial-peer.
Symptom: DNS query failure occasionally with MPLS deployed.
Conditions:
– dns server response 5k.
– Inside mpls interface default MTU.
– Repeat dns query several times.
Workaround: Set mpls MTU to 9216 or change tcp mss on both client server side.
Symptom: RP crash seen at be_interface_action_remove_old_sadb.
Conditions: The symptom is observed while unconfiguring the 4K SVTI sessions after an HA test.
Workaround: There is no workaround.
Symptom: Topology:
S---asr1k---D1--\
      |          x.x.x.x/32
      ------D2--/
* ISIS, fast-reroute per-prefix configured
* LDP on all interfaces
* x.x.x.x/32 is reachable via D1 (primary) and D2 (backup)
* Sending traffic from S to x.x.x.x
* S, D1, and D2 are simulated (Agilent)
* Version 15.3(1)S
Upon failing link asr1k-D1 (laser shut on Agilent, equivalent to pulling fiber), FRR is not triggered and traffic flow is restored when ISIS reconverges.
Conditions: The symptom is observed in IP network and when FRR is enabled and when ethernet interface is one of the primary path and protected path and when plugging out ethernet wire or remote shutdown.
Workaround: There is no workaround except changing interface type to POS/ATM.
Symptom: Topology:
S---asr1k---D1--\
      |          x.x.x.x/32
      ------D2--/
* ISIS, fast-reroute per-prefix configured
* LDP on all interfaces
* x.x.x.x/32 is reachable via D1 (primary) and D2 (backup)
* Sending traffic from S to x.x.x.x
* S, D1, and D2 are simulated (Agilent)
* Version 15.3(1)S.
Conditions: Upon failing link asr1k-D1 (laser shut on Agilent, equivalent to pulling fiber), asr1k quickly (<50msec) starts forwarding packets (dest x.x.x.x) to D2 (backup), but with D1's advertised label! Only after ISIS converges the packets are forwarded with the correct label (from D2).
Workaround: There is no workaround.
Symptom: Layer 1 on the ISDN PRI does not come up after a reload.
Conditions: This symptom occurs after a reload.
Workaround: Perform a shut/no shut to bring back the PRI up.
Symptom: A router may crash on 15.3(2)T code when handling SIP video phone calls. After several calls are made, IOS's checkheaps process will crash the device after detecting memory block header or redzone corruption.
Conditions: Call gateway handling SIP-SCCP video calls with h264 codec.
Workaround: There is no workaround.
Symptom: I/O Leak in the middle/DSPRM buffer pools are observed.
Conditions: Flex DSPs are present.
Workaround: There is no workaround.
Symptom: Cisco router crashes at ccsip_spi_incoming_reg_contact_change.
Conditions: This symptom is observed when configuring registrar ipv4:9.60.51.254 under sip-ua.
Workaround: There is no workaround.
Symptom: Ingress IPSec data packets are process switched on an EzVPN server.
Conditions: cTCP encapsulation is configured.
Workaround: Use UDP encapsulation.
Symptom: CUBE is modifying the refresher role in mid-dialog after 491 transaction.
Conditions: Session refresh is enabled for only one call-leg and not for the other.
Workaround: There is no workaround.
Symptom: VTCP needs to adjust when a reassembled H.323 packet size of 10K is received: clear the DF bit to decrease the impact on MPLS path selection, and limit the packet length for an assembled H.323 packet to 8K.
Conditions:
– Send 10K tcp segments from server.
– pmod manipulates the 1st tcp segment into h323 realization format (03 00 length after tcp header).
– The response has src port 80 and dst port 1720.
Workaround: Disable h323 alg.
Symptom: DNS zone transfer fails through NAT.
Conditions: IOS-XE.
Workaround: If you don't need to NAT the DNS payload, use no ip nat service dns tcp.
Symptom: SG3 fax call failures observed for STCAPP audio calls.
Conditions: Fax CM tone detection is turned ON even when all fax and modem related configurations have been disabled on the STCAPP gateway.
Workaround: STCAPP modem pass-through feature can be enabled, but you may run into issues with some answering SG3 fax machines which have stringent requirements for fax CM signal.
Symptom: Audio is skipped when short timeout is configured in Form Element in CVP Studio application.
Conditions: Short timeout.
Workaround: Inserting short silence at the first audio.
Symptom: Topology:
<-----(SIP Trunk A)-----CUBE-----(SIP Trunk B)----->
CUBE is not forwarding the REINVITE message received from Trunk A to the SIP Trunk B when 491 Request Pending is received from SIP Trunk B for the previous SIP transaction.
Conditions: When 491 Request Pending is received.
Workaround: There is no workaround.
Symptom: Crash on Router.
Conditions: PPTP ALG with BPA.
Workaround: There is no workaround.
Symptom: The order of packets in the packet trace is not stable.
Conditions: When checking the output of packet trace, the order of packets in the same flow changes every time.
Workaround: Check the output for the specific packet before and after the expected position, allowing a deviation of ~2 packets.
Symptom: ASR DTMF interworking failed after reinvite with block configured.
Conditions: DTMF with different preferences configured results in this issue.
Workaround: There is no workaround.
Symptom: ESP continuously crashes while traffic is going through the box.
Conditions: The issue occurs when a performance-monitor with ART (Application-Response-Time) metrics is applied on a tunnel interface that is running crypto (DMVPN, IPSEC, etc.) and the subsequent physical interface from which the packets are transmitted is also configured with a performance-monitor that contains ART metrics (not necessarily the same monitor). It is important to note that the TCP traffic is encrypted on the tunnel interface and is encapsulated using IPSec protocol (#50), so when the packets are received on the physical interface they are no longer of type TCP. Nuances: If the AOR (Account-on-Resolution) feature is enabled on the physical interface, then stateful traffic is necessary in order to hit the crash. Stateful traffic is the common case in live production networks.
Workaround: Stop all traffic on the impacted interfaces then remove the performance-monitor(s) configured on the physical output interface.
Symptom: During MDR in an APS setup, under certain conditions, the IOSXE_APS-3-CCCONFIGFAILED message is seen.
Conditions: If the MDR of the Protect interface is started first, followed by an MDR of the Working interface, the above TB will occur.
Workaround: Ensure that the Working interface is the first to go through the MDR. If the interfaces are on the same SIP, the traffic must be flowing through the Working interface to ensure zero traffic drops.
Symptom: Reload of QFP occurs with one of the following backtraces:
– Driver Interrupt: DPE5_CPE_CPE_DPE_INT_SET_0_LEAF_INT_INT_S4_WPT_ERROR or
– BackTrace
#0 hal_abort () at /scratch/mcpre/BLD-BLD_V153_3_S_XE310_THROTTLE_LATEST_20130428_224613/cpp/dp/hardware/cpp/hal/hal_logger.c:81
#1 0x8032998a in tw_fire_timer_events () at /scratch/mcpre/BLD-BLD_V153_3_S_XE310_THROTTLE_LATEST_20130428_224613/cpp/dp/infra/logger.h:207
#2 0x8032a4bc in time_process_timer_hb () at /scratch/mcpre/BLD-BLD_V153_3_S_XE310_THROTTLE_LATEST_20130428_224613/cpp/dp/infra/time.c:837...
Conditions: These types of cores can appear under various conditions. The caveat only addresses the case where this condition occurs after unconfiguring NAT PAP mode. This includes changing PAP or BPA configuration.
Workaround: After unconfiguring PAP, it is recommended to reload the box, which is more desirable than an uncontrolled reset.
Symptom: ICMP v6 traffic is observed to drop.
Conditions: ICMP v6 traffic is observed to drop with cxsc configured under the zbfw policy-map. Drops are observed when the zone is applied on a DMVPN tunnel.
Workaround: There is no workaround.
Symptom: %SMC-2-BAD_ID_HW: is output, and the SPA is not disabled. The SPA should be disabled if authentication fails.
Conditions: ASR1001 Built-in SPA.
Workaround: There is no workaround.
Symptom: When attaching/detaching performance monitor to/from interface, memory is leaking.
<conf t>
perf mon context perf-mon prof appl
 traffic-monitor all
<conf t>
interface GigabitEthernet0/0/3
 performance monitor context perf-mon
 no performance monitor context perf-mon
Conditions: FAll tools avc config.
Workaround: There is no workaround.
Symptom: Crash. FP is reloading.
Conditions: SIP ALG with BPA.
Workaround: Single session from user.
Symptom: ASR1002-X acting as LNS, RP Crashes after shutting the interface which is connecting LAC.
Conditions: 5000 sessions with per-session QoS. All these sessions are setup on 1 L2TP tunnel.
Workaround: There is no workaround.
Symptom: Memory leak and crash preceded with error messages like:
Apr 24 15:52:40.776: %DIALPEER_DB-3-ADDPEER_MEM_THRESHOLD: Addition of dial-peers limited by available memory
Memory leak due to skinny msg server and alloc_pc = asnl_get_new_evInfo.
Conditions: 2951 router running 15.3(2)T.
Workaround: There is no workaround.
Symptom: ESP may crash with NAT BPA.
Conditions: ESP may crash with NAT BPA with ALG Traffic.
Workaround: There is no workaround.
Symptom: CUOM could not process the MOSCQEReachedMajorThreshold clear trap from CUBE SP. For the MOSCqe alert clear trap, CUBE should not send the CurrentLevel Varbind but should send the csbQOSAlertCurrentValue Varbind.
Conditions: This symptom is observed when CUBE SP generates clear trap for voice quality alerts.
Workaround: The code fix is included in CUBE Cisco IOS Release 15.2(4)S4. Manually clean the alarm at CUOM after root cause is rectified if earlier CUBE version is used.
Symptom: Usernames do not show up in CCP Express. Username shows up on a router with default configuration.
Conditions: The symptom is observed on routers with configurations that break show run | format.
Workaround: Use default configuration.
Symptom: An ASR1001 may reload when used as a hub in a scaled DMVPN environment.
Conditions: This is seen when the traffic rate approaches the limit of the encryption capabilities of the router.
Workaround: There is no workaround.
Symptom: The output of show sip-ua status registrar is used to display all the SIP endpoints that are currently registered with the contact address. In the call-id field of the output, the last octet is missing:
Router#show telephony-service | i Version
CONFIG (Version=9.1)
Version 9.1
Router#show sip-ua status registrar
Line destination expires(sec) contact transport call-id peer
============================================================
1004 10.106.118.105 3021 10.106.118.105 UDP 68bdaba5-19070002-63993ca0-73066260@10.106.118 40006
1098 10.106.118.105 3021 10.106.118.105 UDP 68bdaba5-19070003-4f9a3f93-4572d758@10.106.118 40010
1005 10.106.118.104 3024 10.106.118.104 UDP e8ba7006-23010002-5bfc761c-4a34d712@10.106.118 40009
1097 10.106.118.104 3024 10.106.118.104 UDP e8ba7006-23010003-627c6fe9-524366a5@10.106.118 40008
Conditions: The issue is seen only with recent CME versions (8.6 and above). This functionality was working before and is broken with newer CME/SRST releases.
Workaround: There is no workaround.
Symptom: After FP switchover, new standby does not boot up.
Conditions: This symptom is observed in dual FP configured boxes. When an FP boots up and pulls the entire configuration from the RP, it may crash and cannot boot into the ready state.
Workaround: Complete reload of the box.
Symptom: In some traffic conditions running AVC configuration on the ASR1002-X platform may lead to a crash.
Conditions: Under heavy load and with specific traffic pattern, usually found at ISP network, running AVC configuration on ASR1002-X may lead to a crash.
Workaround: There is no workaround.
Symptom: CUBE crashes for DO-EO ReINV_HD call.
Conditions: CUBE crashes for DO-EO ReINV_HD call.
Workaround: Issue fixed and committed.
Symptom: Matching the last protocol under its attributes will not work.
Conditions: Using the default protocol-pack.
Workaround: There is no workaround.
Symptom: A DMVPN spoke router running Cisco IOS Release 15.2(4)M3 and configured with if-state nhrp might not re-form eigrp neighbourship if the line protocol on the interface goes down and comes back automatically.
Conditions: This symptom occurs in a DMVPN spoke router running 15.2(4)M3 with if-state nhrp configured and interface line protocol going down. It must also be using the new multicast code (15.1(4)M onwards).
Workaround: Removing ip nhrp map multicast x.x.x.x y.y.y.y and re-adding it resolves the problem.
Symptoms: Under certain conditions, malformed IKEv2 packets may cause a traceback in the Crypto IKEv2 process:
Feb 13 21:07:15.812: %SYS-2-MALLOCFAIL: Memory allocation of 4294967078 bytes failed from 0x16A15FF8, alignment 0.
Conditions: The condition is only causing traceback message to be printed. No actual crash is happening.
Workaround: There is no workaround.
Symptom: DSPs are getting hung when receiving an incoming Video call.
Conditions: When making the incoming video call On the AS5400XM gateway, the DSP's channels are not freed up after the call is disconnected. Because of this issue, if there is any incoming call (normal audio call) the calls fail with resource unavailable. We need to reboot the router to clear the DSPs.
Workaround: Reloading the Router temporarily fixes it.
Symptom: Traceback observed @ service_controller_delete_sc_node on doing RP switchover.
Conditions: On performing RP switchover and when the ASR is registered with the CM.
Workaround: There is no workaround.
Symptom: MQC Shaper not working correctly for specific CIR rates.
Conditions: When there are more than one QoS policy-maps applied to different sub-interfaces, with shape rates having a huge disparity, such as more than 1000:1, this problem can occur.
Workaround: Do not configure shape rates on subinterfaces with a disparity > 500:1.
Symptom: Attaching performance monitor to OTV interface should be blocked.
<conf t>
interface Overlay1
 otv control-group 239.1.1.1
 service-policy type performance-monitor output new-policy ==> This configuration line should be blocked.
Conditions: FAll tools avc config.
Workaround: There is no workaround.
Symptom: A previous code commit to address the same issue caused a catastrophic issue wherein SPA is going out of service, during the SPA reload & chassis reload after the RP switchover on 1ru. This bug improves the fix so that this catastrophe is not seen again. The original issue was exposed during regression testing while doing an ISSU upgrade.
Conditions: Aforementioned commit should be present in the image and chassis should be ASR1001. Issue is seen when SPA is reloaded after RP switchover.
Workaround: The issue is not seen if:
1. Chassis is not ASR1001
2. Aforementioned fix is not present in the image.
Symptom: DSP fails to recover using Test DSP Device 0 All Reset.
Conditions: This symptom is observed when a crashed DSP (LSI PVDM3) fails to recover via the CLI command test voice dsp device 0 all reset.
Workaround: A complete reload of the router is required to recover the DSP.
Symptom: ESP Crash observed during HSRP failover Test.
Conditions: HSRP Enabled on BDI Interface with OTV feature combination configured.
Workaround: There is no workaround.
Symptom: ASR1000 RP crash after software upgrade.
Conditions: Device configured with SBC with interchassis redundancy:
redundancy
 mode none
 application redundancy
  group 1
   name ECS
   preempt
   priority 150 failover threshold 100
   timers delay 100
   control Port-channel30.8 protocol 1
   data Port-channel30.9
   track 1 decrement 200
   track 2 decrement 200
  protocol 1
   name BFD
   timers hellotime msec 250 holdtime msec 1000
Workaround: Do not set up B2B redundancy between XE36 (or older) and XE37 (or later).
Symptom: ESP fails to initialize and reboots. A message like the following will be seen on the IOS console:
*Jan 01 16:22:35.562: %CPPHA-3-INITFAIL: F0: cpp_ha: CPP 0 initialization failed - startup init (0x1)
*Jan 01 16:22:35.562: %CPPHA-3-INITFAIL: F0: cpp_ha: CPP 0 initialization failed - start CPP (0x1)
The cpp_driver tracelog contains an entry indicating the Hoover PLL failed to lock. This could be on CIF, FIF, or ICM. Here is an example from CIF:
01/01 16:22:35.120 [cpp-drv]: (ERR): COMP0053/CIF/1028: QFP0.0 - timeout waiting for Hoover TX PLL to lock.
Conditions: Router configuration or traffic pattern does not affect this problem. This software error is fixed in XE3.7.4, XE3.9.2, XE3.10.0 and later releases.
Workaround: There is no workaround.
Symptom: Crypto session does not come up in EZVPN.
Conditions: This symptom is observed when a Crypto session is being established.
Workaround: There is no workaround.
Symptom: ESP fails to initialize and reboots. Cman-fp indicates error due to Hoover PLL lock failure.
Conditions: Router configuration or traffic pattern does not affect this problem. This software error is fixed in XE3.7.4, XE3.9.2, XE3.10.0 and later releases.
Workaround: There is no workaround.
Symptoms: Match on precedence and dscp do not work properly.
Conditions: Does not work under all conditions.
Workaround: Development fix to back out the implementation of bit0 and bit1 of TOS byte.
Symptom: I/O memory leaks occur with the following error messages:
SYS-2-MALLOCFAIL Memory allocation of 268 bytes failed from 0x6076C1C0, alignment 32
Pool: I/O Free: 3632 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "SCCP Application", ipl= 0, pid= 234
-Traceback= 6082E5B4z 60761188z 607618A8z 60764930z 6237DFA4z 62379CB4z 623873A4z 62373474z 62374E64z 607FAE64z 607FAE48z
Conditions: This symptom occurs due to a slow memory leak in the SMALL and MIDDLE buffers.
Workaround: There is no workaround.
Symptom: Static DMVPN spoke-spoke tunnel initially comes up when the tunnel comes up, but if the IPsec SAs go down (cleared or not rekeyed), the IPsec SAs will not come back up. Data traffic that is supposed to go directly over the spoke-spoke tunnel is forwarded over the spoke-hub-spoke path.
Conditions: Running DMVPN Phase 3 on ASR1k spoke routers on both ends of the spoke-spoke tunnel. The IPsec SAs for the spoke-spoke tunnel are cleared, either because there was no spoke-spoke traffic for long enough for the IPsec SAs to not be rekeyed or for the idle-timer to expire, or because the IPsec SAs are cleared manually.
Workaround: Have a process (like IP SLA) ping the remote spoke's tunnel IP address to keep the IPsec SAs up or to bring them back up if they happen to go down. Probably ping about every 60-120 seconds.
Symptom: Group Member is registering the third Key Server in its list in a redundant KS scenario, when certificate of first KS has been revoked.
Conditions: This has been observed under the following conditions:
– GM has a list of 3 or more Key servers
– Certificate based authentication with OCSP validation
– First KS certificate has been revoked.
Workaround: There is no workaround.
Symptom: ASR1001 prints following error messages and crashes:
% Internal error: Connection to peer process lost
%MCP_SYS-0-ASSERTION_FAILED: SIP0: cmcc: Assertion failed: Assertion failed: cman/cc/./src/cmcc_util.c:322: bay < cmcc_max_spas_per_cc()
Conditions: Issuing the show platform hardware subslot 0/3 plim statistics command in the CLI.
Workaround: Not issuing show platform hardware subslot 0/3 plim commands will avoid this problem.
Symptom: Customer is running a CME environment with a Cisco 2901 series router. Once or twice every week during high call volume, soft keys such as Transfer and End Call stop responding.
Conditions: Once the phone sends EndCall softkey (0x26) to CUCME, the CUCME does not send CallState (0x111), CloseReceiveChannel (0x106) and StopMediaTransmission (0x8B) to the phone, so the call is not terminated.
Workaround: There is no workaround.
Symptom: Failed to do ISSU in CC/SPA upgrade.
Conditions: Seen when the user does a subpackage ISSU in a system for only sip* packages.
Workaround: There is no workaround.
Symptom: When physical interfaces on remote site routers are brought down, the local router physical interfaces go down and tunnel interfaces become up/down. The ISAKMP for the tunnel that is connected with serial T3 goes down, but for the Gig link, ISAKMP remains QM_IDLE.
Conditions: Irrespective of the Serial and Ethernet links, sometimes, multiple IKE SAs (duplicate SAs) get created with the same peer. When the dpd is configured and the interface of the peer is shutdown, the duplicate SA continues to exist.
Workaround: There is no workaround.
Symptom: ASR1K CUBE RP may crash with Segmentation fault(11), Process = CCSIP_SPI_CONTROL when sip headers are manipulated using a sip profile for 200 response messages for KPML notify.
Conditions: Crash seems to be happening due to SIP profiles configs being wrongly applied to Notify response (this profile was meant for 200 OK Invite response).
Workaround: Do not configure sip profiles to manipulate the headers for 200 responses.
Symptom: ZBFW syslog for passing and dropping ICMPv6 packets shows wrong value in the port number fields. The src/dst port numbers should be the ICMP type and code. In addition, the passing syslog is showing Passing Unknown L4 protocol.
Conditions: The router is configured in the 66, 64 or 46 case. Syslog for pass or drop logging is enabled. Sending ICMPv6 (or ICMP from the v4 side) packets.
Workaround: There is no workaround.
Symptom: Traffic drops seen with FTP NAT PAP mode.
Conditions: With FTP NAT PAP configured on BOX.
Workaround: There is no workaround.
Symptom:
ASR1001-5-DEV(config-sbc-sbe-sip-hdr-ele)# sip header-profile hprof2
ASR1001-5-DEV(config-sbc-sbe-sip-hdr)# store-rule entry 1
ASR1001-5-DEV(config-sbc-sbe-sip-hdr-ele-act)# condition request-uri sip-uri-user store-as uname
Error: sip-uri-user is only valid for To, From and Request-Line
Conditions: This happens if the following config is pasted into config terminal, or on reading a startup-config with the following config:
sip header-profile hprof1
 store-rule entry 1
  condition header-name Allow header-value store-as Avalue
 store-rule entry 2
  condition request-uri sip-uri-user store-as uname
Workaround: Exit sbc, then re-enter the specified store-rule/condition:
sip header-profile hprof1
 store-rule entry 1
  condition header-name Allow header-value store-as Avalue
exit
exit
exit
exit
sbc test
 sbe
  sip header-profile hprof1
   store-rule entry 2
    condition request-uri sip-uri-user store-as uname
Symptom: It takes a long time (5 seconds) to disconnect the call after the user pressing Endcall soft key.
Conditions: A new voicemail is read/deleted. Every phone has two sidecars (7914s) attached to it. Thus, 20 additional lines per phone.
Workaround: Use MWI outcall method instead of SIP NOTIFY method.
Symptom: Bursty shape rate on high bandwidth queue.
Conditions: When there are 2 vlans configured each with a single simple shape queue, one with a very high rate (ex. 400,000,000bps) and another with a very low rate (ex 128,000bps), the high rate queue's rate may be bursty and fluctuate - 10% of the configured rate.
Workaround: Configure a hierarchical policymap on the vlans where the shape is on the parent class, not on the queue.
Symptom: When configuring performance monitor, when registration to CFT fails, the router crashes.
Conditions: FAll tools avc config.
Workaround: There is no workaround.
Symptom: Router c2800 with CME9.1 crashes with signal 10 TLB (store) exception in CCSIP_SPI_CONTROL process.
Conditions: There are no known conditions.
Workaround: There is no workaround.
Asymmetric Payload Inter-working was introduced in XE310. Hence adding HA support for asymmetric payload inter-working here to provide complete solution as requested by some customers.
Symptom: NAT translations could be stranded on the standby with NAT B2B and AR config.
Conditions: NAT translations could be stranded on the standby with timeout of zero.
Workaround: In a MW or downtime execute clear ip nat trans * on the active box.
Symptom: ICMP error packets having icmp message in the payload are being dropped when NAT64 and ZBFW are configured.
Conditions: The configuration should include nat64 and zbfw.
Workaround: There is no workaround.
Symptom: ip load-sharing per-packet is configurable while it is officially not supported.
Conditions: There are no known conditions.
Workaround: There is no workaround.
Symptoms: Static routes injected through RRI (reverse-route static) are not getting removed.
Conditions: This symptom is observed when a static crypto map that has reverse-route static enabled is applied on two different interfaces with a local-address.
Workaround: Reload the Router.
Symptom: CUBE SBC does not forward mid-call Re-INVITE in a glare condition.
Conditions: This symptom is observed in a condition where both legs of a SIP call through the SBC send in a Re-INVITE within 100ms of each other. Instead of forwarding the first arriving Re-INVITE to the other leg and then rejecting the other with a 491 Request Pending response, SBC does not forward either of the Re-INVITEs and gets into a deadlock condition leading to no audio and an eventual call tear down.
Workaround: There is no workaround.
Symptom: SBC SRTP ucode crash when doing srtp-rtp interworking.
Conditions: It seems this can happen in hairpinned SRTP calls, though it could not be reproduced in the lab. The test scenario is:
rtp----SBC-----SRTP--------SBC-------rtp
Workaround: There is no workaround.
Symptom: Incorrect statistic from SNMP OID 1.3.6.1.4.1.9.9.171.1.3.1.1, related to a number of IPSec tunnels after running clear crypto sa / session command.
Conditions: Configured DMVPN, running clear crypto sa / session command.
Workaround: Reloading of router helps to solve the issue.
Symptom: Inconsistent behavior when Phase1 rekey fails. Phase2 is deleted on one side but is kept on the remote end till IPSec SA expires.
Conditions: When DPDs are enabled.
Workaround: Clearing the IPSec SA manually.
Symptom: Looking at the output of show platform software process list r0 sort memory, the memory of fman_rp keeps increasing.
Conditions: This symptom is observed when this box is configured as PfR border router and enabled.
Workaround: There is no workaround.
Symptom: E1 R2 channels randomly get stuck in S_WAIT_RELEASE.
Sample output from "show voice call summary":
0/1/0:0.14 g711ulaw n S_WAIT_RELEASE R2_Q421_WAIT_IDLE
Conditions: Outgoing calls that get Ring no answer (RNA) might get stuck when the Service provider clears the channel.
Workaround: Shutdown and un-shutdown the controller.
Symptom: The FTP ALG is on by default. The user should be allowed to disable the FTP ALG via configuration.
Conditions: FTP traffic will go through FTP ALG when the traffic is NATted.
Workaround: There is no workaround.
Symptom: The following error message on the console:
/usr/binos/conf/mdrfuncs.sh: line <line>: em_mdr_NODE_ISSU_SPA_WAIT: command not found
Conditions: SPA does not complete MDR when performing OneShot ISSU with MDR.
Workaround: Manually complete ISSU.
Symptom: Packets are lost on transmission to an MLP bundle. Lost packets show up in drop statistics as tail drops.
Conditions: Occurs after removal and re-insertion of SPA module which contains one or more links in the MLP bundle.
Workaround: After the SPA re-insertion, remove the serial link from the bundle and add it back.
Symptom: NAT timeout when used with port CLI doesn't work as expected.
Conditions: This symptom is observed when ip nat translation port-timeout tcp <port #> <timeout value> command is used with ip nat translation tcp-timeout <timeout value> command.
Workaround: Use only ip nat translation tcp-timeout <timeout value>
Symptom: NGVM will fail to boot, causing DSP to be in downloading state.
Conditions: This condition may occur on the first attempt to boot a new NGVM module.
Workaround: Use the NGVM boot loader to set the PID environment variable to match the PID as shown in the show diag subslot x/x eeprom command.
Symptom: UUT is crashing.
Conditions: After switching from default mode to CGN mode, sending multiple sessions of PPTP.
Workaround: There is no workaround.
Symptom: Netconf features do not work when AAA is used for access control.
Conditions: Netconf features do not work when AAA is used for access control.
Workaround: Use local authentication instead of AAA. Or, use other XML interface such as WSMA features instead.
Symptom: Configured PPTP Timeout is not taking effect on Translations for PPTP ALG.
Conditions: Sending Traffic for PPTP-ALG.
Workaround: There is no workaround.
Symptom: High CPP_CP process CPU load on ESP100 caused by session counter collection.
Conditions: ESP100 and ISG scale.
Workaround: Reduce number of counters associated with ISG session.
Symptom: Crash seen on Primary RP due to Null Pointer send during Bulk Policy Map delete.
Conditions: Deleting Bulk Cos Policies.
Workaround: There is no workaround.
Symptom: When the ZBFW SYN cookie protection feature is enabled and is being triggered, the firewall will generate and send SYN packets to the server on behalf of the client. If the response from the server isn't received in time, the firewall will re-generate and resend the SYN packet. In this retransmitted SYN packet, the MSS option is missing and the sequence number is incorrect (it is one number bigger than the ISN).
Conditions: ZBFW SYN cookie protection is configured and is being triggered. Server doesn't respond in time and is causing the firewall to resend the SYN packet to the server.
Workaround: There is no workaround.
Symptom: The TCP RST packets generated by ZBFW are dropped by ZBFW on ASR box.
Conditions: TCP flow specific TCP RST packets generated by ASR to reset the connection to the client and server when TCP packet inspection is on.
Workaround: There is no workaround.
Symptom: Multicast RP-Announcement/RP-Advertisement packet is replicated more than one copy per incoming packet. The number of copies is equal to the number of interfaces/IO items with IC flag enabled (show ip mfib to get the number of IC interfaces).
Conditions: This symptom is observed when AUTO-RP filter is configured on PIM interfaces.
Workaround: There is no workaround.
Symptom: After ESP 100 reload, show policy-map interface counters does not populate results.
Conditions: With an egress service policy on SPA gige interface and sending high/low priority traffic.
Workaround: Reload the SPA after FP reload.
Symptom: If customer configured snmp server enable traps sbc sla-violation-rev1, csbSLAViolationRev1 trap is not sent.
Conditions: Normal operation.
Workaround: There is no workaround.
Symptom: fman-fp traceback: cgm begin batch error.
Conditions: While adding classes to the ZBFW policy.
Workaround: There is no workaround.
Symptom: Unable to import an ECDSA CA certificate.
Conditions: IOS router running any version of code up through 15.3(2)T.
Workaround: There is no workaround.
Symptom: One local address can be mapped to multiple global addresses.
Conditions: With PAP configured.
Workaround:
Symptom: Fragmented PPTP ALG traffic may not be processed as expected.
Conditions: Fragmented PPTP ALG traffic may be dropped, with NAT PAT configuration.
Workaround: Turn off PPTP ALG if not required.
Symptom: The crypto context show command displays unknown authentication and confidentiality output.
Conditions: sha256, sha384, sha512, gmac and gcm.
Workaround: There is no workaround.
Symptom: ESP may reload in B2B NAT ZBFW setup.
Conditions: B2B NAT ZBFW setup with stateful traffic.
Workaround: There is no workaround.
Symptom: Exception to IOS Thread:UNIX-EXT-SIGNAL: Segmentation fault(11), Process = SBC main process.
Conditions: There are no known conditions.
Workaround: There is no workaround.
Symptom: With IOS-XE 3.7.3S on ASR1K and global crypto ikev2 dpd configuration, all crypto sessions have DPD enabled as expected. After performing an RP switchover, the crypto ikev2 dpd configuration is missing and all crypto sessions are re-established with DPD disabled.
Conditions: DPD and RP Switch Over.
Workaround: There is no workaround.
Symptom: Issue seems to happen when we check the bridge-domain related platform command, first on the RP, then on the FP repeatedly.
Conditions: Usage of the show platform software bridge-domain rp active 11 mac-table followed by show platform software bridge-domain fp standby 11 mac-table <> multiple times results in this RP crash.
Workaround: There is no workaround.
Symptom: This issue happens when a previous bad call with impairment shows a low MOS of 2.5 (as expected), the call is then disconnected and the network impairment is removed, and a subsequent new call is placed. The MOS does *not* start at 4.5 (even though audio is perfect); instead it is in the low 2's and takes 10 minutes to get to the 4.5 range, even though audio is perfect for the whole duration of the call.
Conditions: This symptom occurs when a bad call is started.
Workaround: Start with normal call.
Symptom: cpp_cp process crashes.
Conditions: A change to the parent class of a session causes a rate update event to be performed in the QFP HW. At the same time, ANCP causes a rate change on a VLAN shaper using mode-F QoS. The shaper rate change causes the shaper on the VLAN to be removed and then re-applied. Depending upon RP and FP CPU utilization, these events can be processed on the ESP as one QoS transaction, where the session's parent class has a rate change event and the session is also being moved to an aggregation schedule node on the GE from the VLAN shaper schedule node. The shaper is then re-applied to the VLAN and the session is moved back to the VLAN shaper. This all occurs in the same QoS transaction/commit on the ESP, causing the ESP to crash.
Workaround: There is no workaround.
Symptom: The ASR1k does not reply to IPv6 ping packets sent to its LISP IPv6 EID address, when these are received over a LISP IPv4 RLOC space.
Conditions: This only applies to ICMPv6 echo reply packets, that are generated on the RP, and received over an IPv4 RLOC core.
Workaround: There is no workaround.
Symptom: The crypto session remains UP-ACTIVE after tunnels are brought down administratively.
Conditions: This symptom occurs in tunnels with the same IPsec profile with a shared keyword.
Workaround: There is no workaround.
Symptom: NAT pool exhaustion with addresses with 0 recount.
Conditions: When running NAT ALG and a port allocation failure occurs.
Workaround: To recover, issue clear ip nat trans * in off hours (as this is a disruptive operation).
Symptom: gtpv2 message with invalid imsi is not dropped.
Conditions: Invalid IMSI is used.
Workaround: There is no workaround.
Symptom: ESP crashed while removing a policy-map from the configuration. The issue is seen while removing the QoS configuration from a standalone chassis when all the ports are down.
Conditions: ESP crashed because of object-pending issue. This issue can only be reproduced when the QoS config is from NVRAM, and not when it's added on a live box. This may be related to ordering issue.
Workaround: There is no workaround.
Symptom: ucode crash on clear ip nat translations.
Conditions: Very rarely with stateful traffic.
Workaround: Use clear ip nat translations vrf <vrf_name> to clear vrf aware translations.
Symptom: Call flow: Verizon -> SIP trunk -> CUBE (ASR 1000) -> CUSP -> Genesys -> Interactions IVR. CUBE does not send ACK and BYE (glare handling case) after sending CANCEL and receiving 200 OK for the CANCEL from CUSP.
Conditions: Verizon cancelled the call approximately 300 milliseconds after sending the INVITE, which caused the 200 OK for the INVITE and the CANCEL to cross on the wire between CUSP and Genesys. By that time CUSP had already sent the 200 OK for the CANCEL to CUBE, so CUBE did not respond to the subsequent 200 OK (for the INVITE).
Workaround: There is no workaround.
Symptom: Call failure when supplementary services (hold/resume, transfer) are attempted on a call traversing a Cisco CUBE Enterprise gateway. Dead air is heard and the call times out. Output from debug ccsip error shows the following error:
SIP/Error/ccsip_api_response_answer: Media Negotiation failure in 200 OK
Conditions: Calls traversing a CUBE Enterprise gateway configured for SIP-SIP call-flow. The IOS versions impacted vary. So far, all IOS versions between 15.1(1)T3 and 15.3(2)T are impacted. The failure is reproduced when a consult transfer is attempted on a call that is established with codec g729r8 in a CUCM environment, but it can occur whenever there is a codec mismatch during a mid-call event (RE-INVITE) where media is renegotiated.
Workaround: Resolve the codec mismatch. The most common case is when g729r8 is established as the codec. When acting as the UAS, CUCM sends a 200 OK advertising g729r8 with no annexb= parameter to specify either yes or no. Per RFC 3555, section 4.1.9, this implies that the parameter is set to yes, which triggers CUBE to determine that CUCM is advertising g729br8. If g729br8 is not configured on the matched dial-peers or in the configured voice-class codec, the call fails to negotiate a codec and fails.
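The following added example (not Cisco code and not part of the original release notes) applies the RFC 3555 annexb default described above to an SDP body and compares the result with a local codec list, so a codec mismatch can be spotted from a captured 200 OK. The function names and the sample SDP bodies are constructed for illustration; g729r8 and g729br8 are the codec names used in this caveat.

```python
import re

STATIC_G729_PT = "18"  # RTP static payload type assigned to G729


def g729_offers(sdp):
    """Return {payload_type: codec_name} for each G729 payload on the audio m-line."""
    audio_pts, rtpmap, fmtp = [], {}, {}
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m=audio"):
            # m=audio <port> <proto> <pt> <pt> ...
            audio_pts = line.split()[3:]
        elif line.startswith("a=rtpmap:"):
            m = re.match(r"a=rtpmap:(\d+)\s+([^/\s]+)", line)
            if m:
                rtpmap[m.group(1)] = m.group(2).upper()
        elif line.startswith("a=fmtp:"):
            m = re.match(r"a=fmtp:(\d+)\s+(.*)", line)
            if m:
                params = {}
                for item in re.split(r"[;\s]+", m.group(2)):
                    if "=" in item:
                        key, value = item.split("=", 1)
                        params[key.lower()] = value.lower()
                fmtp[m.group(1)] = params

    offers = {}
    for pt in audio_pts:
        # Payload type 18 is G729 even when the peer sends no rtpmap line for it.
        name = rtpmap.get(pt, "G729" if pt == STATIC_G729_PT else None)
        if name != "G729":
            continue
        # RFC 3555 section 4.1.9: an omitted annexb parameter implies "yes".
        annexb = fmtp.get(pt, {}).get("annexb", "yes")
        offers[pt] = "g729r8" if annexb == "no" else "g729br8"
    return offers


def negotiate(sdp, configured_codecs):
    """Codecs common to the peer's SDP and the local list; empty means no match."""
    offered = set(g729_offers(sdp).values())
    return sorted(offered & set(configured_codecs))


# Constructed sample SDP bodies (documentation addresses, not captured traffic).
_COMMON = [
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
]

# 200 OK that advertises G729 with no annexb= parameter (the case in this caveat).
SDP_NO_ANNEXB = "\r\n".join(_COMMON + [
    "m=audio 24580 RTP/AVP 18 101",
    "a=rtpmap:18 G729/8000",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-15",
])

# Same answer with annexb=no stated explicitly.
SDP_ANNEXB_NO = "\r\n".join(_COMMON + [
    "m=audio 24580 RTP/AVP 18 101",
    "a=rtpmap:18 G729/8000",
    "a=fmtp:18 annexb=no",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-15",
])

# Static payload type 18 with no rtpmap and no fmtp at all.
SDP_STATIC_ONLY = "\r\n".join(_COMMON + ["m=audio 24580 RTP/AVP 18"])


if __name__ == "__main__":
    for label, sdp in [("no annexb", SDP_NO_ANNEXB),
                       ("annexb=no", SDP_ANNEXB_NO),
                       ("static PT only", SDP_STATIC_ONLY)]:
        print(label, g729_offers(sdp), "match with g729r8 only:",
              negotiate(sdp, ["g729r8"]))
```

An empty result from negotiate() corresponds to the mismatch this caveat describes: the peer is treated as advertising g729br8 while only g729r8 is configured locally.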
Symptom: With Suite-B configured (i.e. esp-gcm / esp-gmac transform) on a GETVPN Key Server (KS), Group Members (GM) will see the following un-gated error message on the console when the KS policy ACL is changed or edited and a rekey is sent from the KS using crypto gdoi ks rekey...
May 31 09:56:49.906 IST: *** SERIOUS ERROR: OVERLAPPING IV RANGES DETECTED ***
When the GM receives the rekey, the policy is installed successfully. However, after this the GM re-registers twice and then these errors are displayed.
Conditions: Suite-B is configured (i.e. esp-gcm / esp-gmac transform) on a GETVPN Key Server (KS), the KS policy ACL is changed or edited, and a rekey is sent from the KS using crypto gdoi ks rekey. This issue was seen with at least 50 Group Member (GM) instances using VRF-Lite on an ASR1K GM box and no more than 30 ACE's in the KS policy ACL; however, this issue should also be seen on an ISRG2 GM box with fewer GM instances and fewer ACE's as well.
Workaround: If a Key Server (KS) policy ACL must be changed or edited while Group Members (GM) have already registered and downloaded GETVPN Suite-B policy (i.e. esp-gcm / esp-gmac transform), issue crypto gdoi ks rekey replace-now instead of crypto gdoi ks rekey after changing the KS policy ACL. (NOTE: a very small amount of traffic loss may be expected) If possible, do not change the KS policy ACL after a GETVPN network using Suite-B is up and running. NOTE: The fix requires both an upgrade of the KS and GM to properly work.
Symptom: IPSec tunnel is not programmed in data plane; but IPSec control plane may show tunnel is established.
Conditions: This symptom is observed on a Cisco ASR1000 series router when it functions as an IP Security (IPSec) termination.
Workaround: There is no workaround.
Symptom: phone-proxy failed to attach to the second dial-peer.
Conditions: This symptom is observed when you configure two phone proxies.
Workaround: Use one phone proxy.
Symptom: A CPP core is not generated when an FP crash happens.
Conditions: Perform SPA OIR with Unicast/Multicast/Broadcast storm control on 32k EFPs.
Workaround: There is no workaround.
Symptom: A CUBE router may reload.
Conditions: This is only seen on a router processing voice traffic with CPA feature enabled.
Workaround: There is no workaround.
Symptom: ICMP packets of size 1439-1454 are dropped at the next hop because the L2 frame size is bigger than 1518, the acceptable frame size for a 1500 MTU.
Conditions: Crypto map with NAT in between the tunnel endpoints.
Workaround: There is no workaround.
Symptom: More SIP phones register than are configured in max-pool when max-ephones is not yet reached.
Conditions: ISR2921 IOS 15.1(4)M5.
Workaround: There is no workaround.
Symptom: Traceback observed when Interface Virtual-Access3(for ezVPN server) changed state to down on MCP_DEV(XE311).
Conditions: Interface Virtual-Access3(for ezVPN server) changed state to down.
Workaround: There is no workaround.
Symptom: CVLA memory is not released. Check FNF_AOR CVLA memory usage.
show platform hardware qfp active infrastructure cvla client handles
<snip>
Entity name: FNF_AOR
Handle: 2344906752
Number of allocations: 176
Memory allocated: 14144
<snip>
show platform hardware qfp active feature fnf datapath aor
<snip>
Extracted Field objects Alloc 1200 0 Free 100
<snip>
Conditions: AVC with IPv6 protocol.
Workaround: There is no workaround.
Symptom: An RRI route is created for deny ACL lines in the crypto map.
Conditions: 15.x code and L2L ipsec tunnel.
Workaround: There is no workaround.
Symptom: A call waiting beep is heard intermittently on incoming calls to an extension that has the no call-waiting beep command configured. This is seen on Cisco IOS Software 15.1(4)M5.
Conditions: The Cisco IOS Software version 15.1(4)M5 exhibits this behavior. So far, we don't know if the same issue is seen on lower IOS trains, but it is confirmed that Cisco IOS Software 15.0(1)M and lower don't exhibit the same symptoms.
Workaround: Downgrade to Cisco IOS Software 15.0(1)Mx or lower. There might be feature loss due to a change in the IOS version.
Symptom: ESP crashes.
Conditions: Subscriber session w/QoS over tunnel or shaped vlan.
Workaround: There is no workaround.
Symptom:
– The show crypto entropy stat output shows Status = Faulted.
– The syslog message "A pseudo-random number was generated twice in succession" was logged two hours after boot.
Conditions: ISM 15.2(4)M Crypto features enabled.
Workaround: There is no workaround.
Symptom: ASR1K fails to initialize with cpp_driver held down message.
Conditions: ESP-100, ESP-200 or ASR1002-VE configured with 40MB or 80MB TCAM devices manufactured by Renesas may fail to initialize.
Workaround: There is no workaround.
Symptom: An ASR with zone-based firewall enabled may drop SIP INVITE packets with the following drop reason:
Router#show plat hardware qfp active feature firewall drop
-------------------------------------------------------------------------------
Drop Reason                                                             Packets
-------------------------------------------------------------------------------
L7 inspection returns drop                                                    1
Conditions: This symptom is observed when the application (L7) inspection for SIP is enabled for the flow.
Workaround: Any of the following workarounds are applicable:
– Disable the port-to-application mapping for SIP with the no ip port-map sip port udp 5060 command. This prevents ZBF from treating UDP/5060 as SIP. Instead, it is treated as simple UDP.
– Use the 'pass' action in both directions instead of 'inspect'. This disables all inspection (even L4) for the traffic.
Symptom: Traffic fails to pass through the VPN tunnel intermittently on a router running 15.1(4)M6 or 15.2(4)M3. The encrypts/encaps counter increments on the IPsec SA, but the encrypted packet does not egress the router.
Conditions:
– The IOS running on the router may be 15.1(4)M6 or 15.2(4)M3.
– The clear-text packet ingresses the router on the same interface on which the crypto map is applied.
Workaround: Traffic starts to pass if an access-list with permit ip any any log is used on the crypto interface, or if ip route-cache cef is removed from the crypto interface.
Symptom: Expected conditional profiles are not shown for a midcall update to re-Invite.
Conditions: Midcall update to re-Invite in conditional profiles.
Workaround: There is no workaround.
Symptom: Memory leak is seen when SDP pass through is configured.
Conditions: When SDP pass through is configured.
Workaround: There is no workaround.
Symptom: ASR1K CPP crashes and tracebacks.
Conditions: Reboot ASR1K DMVPN hub with image.
Workaround: There is no workaround.
Symptom: Changing modes in cgn and sending traffic results in ucode crash.
Conditions: Unconfiguring one mode and switching to another mode and sending traffic.
Workaround: There is no workaround.
Symptom: QFP reloads.
Conditions: Rarely occurs when issuing sh platform hard qfp active feature nat da stats. Most likely to occur in CGN mode specifically after switching from classic to CGN mode.
Workaround: There is no workaround.
Symptom: With Suite-B configured (i.e. esp-gcm / esp-gmac transform), the GETVPN Key Server (KS) shows TEK SPI's for deny ACE's when show crypto gdoi ks policy is issued, while a Group Member (GM) does not show TEK SPI's for deny ACE's when show crypto gdoi is issued.
Conditions: The command show crypto gdoi ks policy is issued with Suite-B configured (i.e. esp-gcm / esp-gmac transform) and deny ACE's in the policy ACL for GETVPN / GDOI.
Workaround: There is no workaround.
Symptom: PBHK update failure traceback from CPP-CP. AOM object download failure from FMAN-FP.
Conditions: ISG sessions have PBHK features and RP switch-over.
Workaround: There is no workaround.
Symptom: The Cisco ASR 1000 router sends a different Acct-Session-Id in the Access-Request and Accounting-Request for the same user.
Conditions: This symptom occurs when Flex VPN IPsec remote access is configured.
Workaround: There is no workaround.
Symptom: An IOS router may fail IKE Main Mode negotiation if the peer device sends both the seconds and kilobytes Life Type with their respective Life Duration attributes.
Conditions: This condition can occur when an IOS router is the responder for an IKE session, and the peer proposes both seconds and kilobytes Life Duration in its SA proposal.
Workaround: The workaround is to remove one of the Life Type attributes from the peer device configuration.
Symptom: Tunnel entries are deleted together.
Conditions: Primary PDP context and secondary PDP context. The teardown ind is 0 in the delete PDP context request.
Workaround: There is no workaround.
Symptom: Multiple NAT entries are created.
Conditions: UUT Configured with PAT with route-map.
Workaround: There is no workaround.
Symptom: Call legs are not seen.
Conditions: When Xcoder is needed for only Inband to NTE DTMF interworking.
Workaround: There is no workaround.
Symptom: ESP crashes.
Conditions: On ASR1002-X, ESP100 or ESP200 based platforms, ESP can crash when you have interfaces where the bandwidth can change dynamically and you have a hierarchical QoS policy-map applied.
Workaround: When applying a hierarchical QoS policy-map to an interface that supports dynamic bandwidth changes, be sure to apply the QoS policy while there are no bandwidth changes to the interface at the same time.
Symptom: A traceback occurs.
Conditions: An ACL for IPSec is deleted with live traffic.
Workaround: There is no workaround.
Symptom: SNMP Trap Informs are used to monitor the GETVPN service. In each Trap Inform, the customer wants the <CgmGdoiIdentificationValue> attribute to be an ASCII string (and not a binary value) when <crypto isakmp identity hostname> is used. However, IOS always sends an IP address identity (type and value) in the trap. The trap should have type 2 and the FQDN of the KS, which is not the case.
Conditions: GETVPN setup between KS and GM and crypto isakmp identity as hostname (FQDN).
Workaround: There is no workaround.
Symptom: Crypto Socket remains CLOSED on DmVPN setup.
Conditions: This symptom is observed when DmVPN with extended CLI mentions IKE profile as the ISAKMP profile.
Workaround: Remove the IKEv2 profile configuration from the IPSEC profile.
Symptom: One way audio after about 22 minutes with SRTP-RTP interworking.
Conditions: This symptom is observed in Cisco IOS Release 15.3.2T.
Workaround: Use one codec on the SRTP to RTP legs. (Make calls all G711 or all G729, not one leg G711 and the other G729).
Symptom: Bad IP checksum when TCP segments are sent from inside.
Conditions: TCP segments are sent from inside (SIP ALG).
Workaround: There is no workaround.
Symptom: The router crashes from some heap memory exception, such as FREEFREE or BADMAGIC within the checkheaps process.
Conditions: The router has experienced heavy, likely prolonged voice traffic, especially CUBE (IP-IP gateway) calls.
Workaround: There is no workaround.
Symptom: The gateway sends the following NOTIFY message before receiving an unsubscribe request:
Subscription-State Terminated
Conditions: This symptom occurs when the router is loaded with the c2900-universalk9-mz.SPA.153-2.25.M0.1 image.
Workaround: There is no workaround.
Symptom: ipsec:route-set=prefix av-pair is not pushed to the anyconnect client from the router.
Conditions: Radius server is used for AAA. IKEv2 is used. Anyconnect client 3.1. ASR version 3.10.00a.S.
Workaround: Use a split tunnel ACL on the router.
Symptom: Dedicated bearer fails to be set up.
Conditions: Dedicated bearer.
Workaround: There is no workaround.
Symptom: After match access is configured and then removed, the flow remains optimized.
Conditions: After match access is configured and then removed, the flow remains optimized. It should be Pass-through.
Workaround: After the following steps, it functions correctly:
1. no enable service context
2. no service policy
3. add service policy back
4. enable service context
Symptom: The ASR1000 router may crash when the customer uses the call-policy-set copy source XXX destination YYY command to create a new call-policy-set.
Conditions: There is an na-src-address-table configured within the call-policy-set. This table is entered with na-src-address-table XXX after it was created by the call-policy-set copy command.
Workaround: Instead of using the call-policy-set copy source XXX destination YYY command, copy and paste the text into config terminal to create a new call-policy-set.
Symptom: ASR router crashes for media forking HA feature.
Conditions: This symptom is observed when media forking feature crashes in B2BHA standby router.
Workaround: There is no workaround.
Symptom: CUBE sends a 403 response for untrusted requests by default. The request to make the TDOS feature enabled by default came from marketing, for ease of use for the customer.
Conditions: Request should come from untrusted host.
Workaround: Enable silent-discard explicitly.
Symptom: The router crashes in an automatic test. The trigger for the crash is the following show command: show flow monitor <name> cache format csv.
Conditions: No delay between configuration phase and show command execution.
Workaround: Delay of 10 seconds between configuration phase and show command execution.
Symptom: Router may crash when unconfiguring large (8k) redirect ACL list in MASK config.
Conditions: There are no known conditions.
Workaround: There is no workaround.
Symptom: During IKE QM exchange, the IKE SA can be prematurely deleted without sufficient retransmission because the maximum IKE SA error count is reached during a transient network failure that causes the QM exchange to fail.
Conditions: This condition can occur if there are multiple simultaneous QM negotiations that are happening around the same time, and they are not successful.
Workaround: There is no workaround.
Symptom: Call failure or one way audio when 180 ringing is received by the CUBE.
Conditions: The call is failed by the LYNC because it then generates a new SIP URI using the updated contact header.
Workaround: Use sip-profiles on the CUBE to convert the number in the 'contact' header to the proper number on that call leg.
Symptom: When the ingress-PE switches the encapsulation of multicast traffic from default MDT to data MDT, the first packets after switchover have two labels added (both the default and data MDT labels).
Conditions: When the traffic rate exceeds the threshold, the ingress-PE will switch to data MDT (encapsulate multicast packets into data MDT, instead of default MDT).
Workaround: There is no workaround.
Symptom: The KS does not send rekey to the registered GM.
Conditions: The KS does not send rekey to the registered GM.
Workaround: If retransmission is enabled on the KS, rekeys are received by the GMs.
Symptom: The router crashes during the display of history traces, that is during execution of command show monitor event-trace voip ccsip history all.
Conditions: When history buffer is set to 20 and total calls made is 50, that is buffer required is 100. In this case, history buffer is reused. The crash happens when history buffer is reused and show command is used to display the history traces.
Workaround: By increasing the limit of connections to 1000, this can be avoided.
Symptom: The following phrases are displayed in English irrespective of the locale configured on CME: "Next" "Previous" "Please modify number" "Invalid speed dial number" "Invalid personal speed dial number" "Invalid blf speed dial number" "Personal speed dial number can not exceed 32 digits" "Personal speed dial label can not exceed 30 characters" "Speed dial number can not exceed 24 digits" "The record is full" "Please delete unuse entry" "Logging Out" "CME hardware conference" "CME software conference" "add party allowed" "add party not allowed" "Whisper" "CME group pickup" "CME pickup" "Access Mailbox (trnsfVM)" "Failed to send call to Mobile Phone" "Live Record is not enable" "Live Record already in progress" "Not conference creator" "Live Record has stopped" "Live Record timeout"
Conditions: This symptom is observed when you configure non-English user-locale.
Workaround: There is no workaround.
Symptom: In a DO-DO scenario, the CUBE is not able to send re-invite on other leg if the CUBE receives re-invite immediately followed by ACK.
Conditions:
SIP (PSTN) -- CUBE -- SIP -- CUCM -- IP phone transfers to another IP phone
Message Sequence in CUBE:
CUCM --> reINVITE --> CUBE --> reINVITE --> Provider <-- 200OK 200OK <-- ACK --> reINVITE --> --> ACK
reINVITE from CUCM is not forwarded to the provider.
Workaround: There is no workaround.
Symptom: Memory leak at Crypto session Element.
Conditions: Flapping flexvpn sessions.
Workaround: There is no workaround.
Symptom: Modify bearer response is dropped.
Conditions: Control plane teid in modify bearer request is changed from teid in create session request.
Workaround: There is no workaround.
Symptom: When inserting a SPA-4XT-SERIAL or after booting of a chassis containing SPA-4XT-SERIAL, the following messages are displayed:
*Jun 18 17:18:31.741 EDT: %IOSXE-4-PLATFORM: R0/0: kernel: ERROR: No thresholds defined for slot 1, BW 150 (mbps)
*Jun 18 17:18:31.741 EDT: %IOSXE-4-PLATFORM: R0/0: kernel: ERROR: SPA 1: get buf 56 thresholds failed.
These are only messages and have no effect on SPA functionality.
Conditions: Occurs during reload/bootup of chassis which contains the SPA-4XT-SERIAL or during insertion of this SPA.
Workaround: There is no workaround.
Symptom: ASR1k With MAP-T Configs crashes.
Conditions: When a ping is initiated to a public IPv4 address, the ASR1K crashes with a core dump. The packet was translated, but it causes an ICMP error message to be generated, and in some cases of ICMP error generation the box could crash.
Workaround: There is no workaround.
Symptom: DNS responses get dropped with no-payload configured and NAT FW.
Conditions: Configure NAT FW (DNS inspect) and send a DNS query from inside; the server then replies with the response.
Workaround: There is no workaround.
Symptom: Super-package MDR ISSU fails with the following message:
MDR:FAILED: Insufficient memory available on harddisk: to support MDR
Conditions: Super-package MDR ISSU operation is issued.
Workaround: Issue sub-package MDR ISSU.
Symptom: When subject name is used as secondary under the trustpoint for authorization without primary configured, it does not pick the correct value.
Conditions: Only subject name is configured as secondary without primary.
Workaround: Configure subject name as primary.
Symptom: QFP reload occurs.
Conditions: When running NAT in CGN mode and doing a removal of a mapping.
Workaround: Switch to classic mode, do the mapping removal, then switch back to CGN mode.
Symptom: There are no known symptoms.
Conditions: Astro can require a core voltage of up to 1.00V. However, the voltage was defaulted to 0.9V for all Astro chips. If an Astro that requires 1.0V is on a board, it operates at only 0.9V and could fail to operate properly at speed.
Workaround: There is no workaround.
Symptom: MN-BITS IN stays in Locked state even when MN-BITS OUT is removed.
Conditions: MN-BITS IN stays in Locked state even when MN-BITS OUT is removed.
Workaround: There is no workaround.
Symptom: Erspan performance downgrade in FP160.
Conditions: Erspan under FP160.
Workaround: There is no workaround.
Symptom: A crash happens intermittently on list_enqueue_default.
Conditions: This symptom occurs after no voice class sip-options-keepalive <tag> is used to delete the SIP options keepalive profile.
Workaround: Do not use no voice class sip-options-keepalive <tag>. Use the shutdown command from the SIP options keepalive profile instead to put the profile in the inactive state.
Symptom: NBAR doesn't activate.
Conditions: With NAT under SIP, DNS traffic.
Workaround: Disable alg.
Symptom: Traceback @cpp_alg_ipc_handler with msrpc traffic.
Conditions: No specific conditions with MSRPC traffic.
Workaround: There is no workaround.
Symptom: mplssetvrf bgp routes are not coming up along with multi-vrf PBR.
Conditions: The destination address of the packet is ASR local address.
Workaround: There is no workaround.
Symptom: The ESP goes down logging messages
Conditions: On issuing sh ip nat trans when there are a large number of static network translations, the ESP may reset with the above messages. The issue is caused by a calculation dealing with the number of static network translations that are configured. It is possible to avoid this issue by moving out of the impacted range of static network translations (see workaround).
Workaround: Use AAA/Authorization functionality to restrict show ip nat translations OR clear ip nat translation from being issued.
Symptom: Configured two APS groups (one for OC3/hdlc and other with OC12/PPP) between ASR1013 and ASR1006 using back to back connections. APS group 1 interfaces Inactive after RP-switchover.
Conditions: During ASR1013 Subpackage MDR.
Workaround: There is no workaround.
Symptom: Seeing PuntPerCausePolicerDrops on sending traffic through LISP router.
Conditions: No traffic drops associated.
Workaround: There is no workaround.
Symptom: PLIM ingress classification does not work on Clearchannel SPAs. High priority traffic continues to be treated as normal traffic and flows in the Low Priority queue.
Conditions: With PLIM ingress classification, despite assigning map ip dscp 16 - 31 queue strict-priority, traffic flows in the Low Priority queue.
Workaround: There is no workaround.
Symptom: Directed Call Park FAC (Feature Access Codes) not working when CME SIP Phone uses ENBLOC dialing. If a SIP Phone dials a FAC code to retrieve a directed parked call, CME will not detect the FAC code, and will disconnect the call with cause value=1.
Conditions: The issue is observed with phones registered with SIP CME version 8.8 and later.
Workaround: Downgrade to an earlier CME version (8.6, 8.5, 8.1).
Symptom: QFP crash.
Conditions:
– Create normal GTPv1 session and primary PDP.
– Delete request with teardown false.
– Update QoS with a different data TEID at both SGSN/GGSN; the crash occurs.
Workaround: There is no workaround.
Symptom: Unable to authenticate to Root CA if already authenticated with Sub CA of the Root CA.
Conditions: When authentication with SubCA is already successful, authentication with Root CA fails.
Workaround: Authenticate Root CA first and then SubCA.
Symptom: VTCP is not robust enough when it receives TCP segments with an abnormal sequence ID. This may result in an FP crash. We observed a TCP packet much older than the current window on a customer network.
Conditions: Abnormally sequenced TCP segments are received while VTCP is buffering the current flow.
Workaround: There is no workaround.
Symptom: ucode crash seen on unconfiguring NAT with NBAR.
Conditions: Seen during a script run.
Workaround: There is no workaround.
Symptom: When fax tones are detected in the early media phase of the call, the gateway does not initiate a fax mode switchover.
Conditions: The call must establish early media, and fax tones must be detected in this phase of the call.
Workaround: There is no workaround.
Symptom: show hw-module subslot <> sensor may show the rail-0 as Margined.
Conditions: The output may show up on normal boot up of the BUILT-IN SPA of Ethernet Line Card.
Workaround: There is no workaround.
Symptom: A certain sequence of config/unconfig of PLIM commands results in an error.
Conditions:
– Add DSCP based Plim config.
– Mark certain DSCP value as high or low priority with PLIM config command.
– Delete the config added in step 1.
– Now try to add a TOS based PLIM config. It throws an error stating that the "config done in step 2" must be deleted. But the config in step 2 is a subset of the config in step 1. It should be enough to remove the config in step 1 in order to add any new PLIM config.
Workaround: Remove the DSCP based config completely before adding any new TOS based config.
Symptom: The Calling-Station-Id is not sent in the accounting-request.
Conditions: Easy VPN server or Flex VPN remote access is configured along with the radius-server attribute 31 remote-id command.
Workaround: There is no workaround.
Symptom: In a scenario where the same router is used as a CUBE and as an SRST router, a problem can occur where numbers registered with an ITSP via the credentials command will drop, and not show in show SIP-ua reg status after a failback from SRST.
Conditions: CUBE gateway registering numbers with their ITSP using the credentials command. SRST also in use on the same router.
Workaround:
– Remove and re-add the credentials commands under SIP-UA.
– Reload the gateway.
Symptom: ESP-100 may crash continuously on an ASR1K box with cpp_svr crashes causing the FP to go down.
Conditions: Numerous QoS sessions with a single queue being created on an interface in a per-session basis on a Yoda platform (ASR1002-X/ESP100/ESP200).
Workaround: There is no workaround.
Symptom: Hash table updated incorrectly when more than one interface assigned with ip address on wae.
Conditions: Apply ip and configs with uut and wae.
Workaround: Issue not seen when there is only one interface assigned with ip address on wae.
Symptom: Memory leak is seen in the below code path.
Conditions: While processing incoming SIP INVITE with Replaces header.
Workaround: There is no workaround.
Symptom: Router crashes when the command show voip rtp forking is issued during load.
Conditions: Media Forking Enabled.
Workaround: The show voip rtp forking CLI should not be used under load.
Symptom: The peer destination SIP trunk does not establish the trunk due to option ping failover towards CUBE. This occurs when the peer to CUBE sends CUBE OPTION PINGS with max-forwards set to zero. CUBE incorrectly responds with a 483 Too Many Hops message. Unified Communications Manager does accept that as a valid response, but other User Agents might interpret it incorrectly and not consider the peer active unless receiving a 200OK.
Conditions: There are no known conditions.
Workaround: There is no workaround.
Symptom: Under certain rare circumstances, ZBFW will not properly build the connection for the first packet of the flow. This causes subsequent packets to be dropped due to TCP state checking.
Conditions: This was first observed when NAT, ZBFW and HA were all enabled on the ASR platform. This only affects ASR platforms.
Workaround: Removing and re-adding the NAT configuration resolves the issue. Sometimes it requires re-adding the NAT configuration without any redundancy keywords before re-adding it with the redundancy keywords.
Symptom: Spurious Accesses messages on router.
Conditions: There are no known conditions.
Workaround: There is no workaround.
Symptom: IFNF supports a single L3 byte counter for a connection. There are no separate counters for the connection client and server. This fix adds client and server counters.
Conditions: Current supported CLI:
flow record test
 collect counter bytes long
end
With this fix, two additional counters can be collected:
flow record test
 collect counter bytes long
 collect connection client counter bytes network long
 collect connection client counter bytes server long
end
Workaround: There is no workaround.
Symptom: ATM autovc padi timeout.
Conditions: This symptom is observed during autovc scaling.
Workaround: There is no workaround.
Symptom: FMAN-FP crash may occur while broadband sessions are torn down.
Conditions: This symptom is observed when a large number of broadband sessions are being torn down, there is a possibility of a crash in FMAN-FP.
Workaround: There is no workaround.
Symptom: There are two possible symptoms for this problem, one is related to the show CLI and one is related to configuration (functional).
– QoS Show CLI: Traceback on FP/ESP (in cpp_cp) when executing a show plat hard qfp act feat qos... command. This is a non-functional problem.
– QoS Configuration Error: Traceback on FP/ESP (in cpp_sp) when configuring QoS features. This is a functional problem.
Conditions: This symptom is observed during specific sequences of events.
– QoS Show CLI (non-functional): Removing class(es) from attached service policies, attaching new targets, then issuing QoS platform show commands.
– QoS Configuration Error (functional): Removing class(es) from attached service policies, attaching new targets, detaching old targets, re-adding same class(es) back to policy-map.
Workaround: Detach service policy from all targets before removing classes from service policy. The non-functional traceback (1) is benign, no corrective action is needed. If the functional traceback (2) has occurred, FP/ESP must be rebooted/reloaded to clear the QoS configuration error.
Symptom: Cisco IOS router with WEBVPN and anyconnect client using DTLS is not working and the traffic gets dropped.
Conditions: This symptom is observed when WebVPN using DTLS is used.
Workaround: Disable DTLS.
Symptom: HA sync is not happening from active to standby.
Conditions: This symptom is observed when HA Sync-up is not happening for PKI Server on Cisco IOS Release 15.3(2.25)M0.1.
Workaround: There is no workaround.
Symptom: FP160 is not able to be brought up after router reload.
Conditions: Using the latest development branch image, it is occasionally observed that FP160 fails to come up. On the ASR1003 router with a dual FP160 setup, if you try to reload the box 10-20 times, FP fails at the initial state.
Workaround: There is no workaround.
Symptom: Creating 2000 GRE IPSEC tunnels (sample configuration shown below, repeated 2000 times) causes RP crash.
interface tunnel10001
 bandwidth 1000
 ipv6 address 1003:0:0:1::1/64
 ipv6 enable
 tunnel source Loopback10001
 tunnel dest 1004:0:1:1::1
 tunnel mode gre ipv6
 tunnel protection ipsec profile hub10001
Conditions: This symptom is observed under the following conditions:
On ASR1K: Works fine when scaled up to 2500 sessions. At 4000, a crash is observed. The in between numbers are not available.
Workaround: Bring up the tunnels in a staggered manner (booting with the configurations can also cause the issue) by shutting down the interfaces and then starting them in batches.
Symptom: An FP crash and core file is generated.
Conditions: Use of the engineering/debug CLI sh pla ha qfp act datapath infra chunk basic <addr> with an invalid addr passed.
Workaround: Do not use this debug CLI with an invalid address.
Symptom: Initiator sends identity certificate based on ca trustpoint under the isakmp-profile. However, the responder does not do this. Instead it gets the identity certificate from the *first* trustpoint (out of the list of trustpoints) based on peer's cert_req payload in MM3.
Conditions: This symptom is observed under the following conditions:
– IKEv1 with RSA-Sig Authentication, where each Peer has two certificates issued by the same CA.
– Each Peer has isakmp profiles defined that match on certificate-map and have ca trustpoint statements with self-identity as fqdn.
Workaround: There is no workaround.
Symptom: When two routers attempt to build an IKE session and use PKI for authentication, if the CRL has expired the responding router crashes and reloads.
Conditions: This symptom is observed during PKI chain-validation, CRL check, expired CRL.
Workaround: Disable CRL check.
Symptom: RP_Crash is seen at _be_crypto_ipsec_key_engine_sa_req.
Conditions: This symptom is observed when unconfiguring the vrfs on spoke-side.
Workaround: There is no workaround.
Symptom: When provisioned, Fax CM tone is not suppressed on a receiving GW leading to G3 fax-relay failures.
Conditions: This symptom is observed when fax-relay sg3-to-g3 command is provisioned on a receiving gateway(TGW) and T.38 version 0 is provisioned, G3 fax failures are observed due to fax CM tone not being suppressed.
Workaround:
– Enable fax-relay sg3-to-g3 suppression on the emitting GW.
– Use NSE based modem pass through.
– Enable T.38 v3 on the emitting and receiving GWs to negotiate T.38 version 3.
Symptom: When an E1 interface has both channel-group and ds0-group, some ds0-groups may not come up on the remote side (suppose it's argot), and voice calls cannot be made.
Conditions: This symptom is observed when both channel groups and ds0-groups are configured on the same Fortitude card.
Workaround: Configure ds0-group first, then configure channel-group or tdm-group.
Symptom: clear controller wanphy x/x/x command cannot clear counters of sh controller wanphy x/x/x. This issue is seen on ASR1006.
Conditions: This symptom is observed when you insert the SPA after the router is up.
Workaround: Reload the router with the SPA.
Symptom: OIR of Metronome-spa_BITSOUT results in QL-DNU at connected input source (Metronome-spa/Kingpin BITSIN).
Conditions: This symptom is observed during OIR of Metronome-spa_BITSOUT.
Workaround: Remove and Re-apply BITSOUT clocking configuration.
Symptom: QoS on Service instances using COS matching in the child level of a hierarchical policy-map may fail to properly match traffic. Traffic may be classified into an incorrect QoS class.
Conditions: This symptom is observed when using COS matching in the child level of a hierarchical QoS policy-map on a service instance.
Workaround: Use a flat policy-map if possible.
Symptom: FP may crash with HTTP and FTP traffic.
Conditions: This symptom is observed when you configure NAT, NBAR, and appnav over GRE tunnel and HTTP.
Workaround: There is no workaround.
Symptom: Named IP ACL does not work for Hash assignment.
Conditions: This symptom is observed when you apply IP and ACL configured on UUT.
Workaround: There is no workaround.
Symptom: Path confirmation failure in T.38 Fax call with re-invite.
Conditions: This symptom is observed when voice to fax switch over, T38 fax is not working.
Workaround: There is no workaround.
Symptom: Ucode crash seen.
Conditions: Crash observed when you perform cc_oir with scaled EVC-EOMPLS config.
Workaround: There is no workaround.
Symptom: When a sub-package ISSU upgrade is performed on an ASR1002-X router, after the standby RP (R0/1) is upgraded with the new RP subpackages, a switchover is forced from the active IOS process to the standby IOS process. During the switchover, the new active performs a configuration Bulk Sync with the standby. During this Bulk Sync operation, the configuration related to the interfaces is not synced to the standby due to Bulk Sync MCL failures.
Conditions: The symptom is observed after redundancy force-switchover step in ISSU upgrade procedure.
Workaround: Perform a standby IOS reload.
Symptom: Data rate for a QoS shaped MLPPPoA/MLPPPoEoA traffic class may exceed the configured QoS shape rate.
Conditions: This symptom is observed when a parent or child shaper is defined on the MLPPP bundle interface that is less than the configured PVC data rate.
Workaround: The user can explicitly tell the shaper to account for the ATM Cell Overhead by appending the account user-defined 0 atm configuration option to the shaper configuration.
Symptom: Call flow: Verizon -- CUBE -- CUSP -- Genesys/IVR, transferred with SIP Refer back to PSTN, hair-pinning the call on CUBE. When the call is put on hold to be transferred from IVR to PSTN, the codec negotiation fails, dropping the call with reason code 47 and hanging the UDP port used. All subsequent calls that try to re-use the same UDP port for the RTP stream are dropped with reason code 47, and a provisional RSP failure is logged in show voip fpi stats.
Conditions: This symptom is observed with hair-pinned calls that received multiple Audio M-Lines in the SDP received from Verizon on the original SIP Invite.
Workaround: There is no workaround.
Symptom: Currently, SIP profiles copy variables data is available only in CCB, but not in SCB.
Conditions: When sip profiles copy variables data is used along with in-dialog subscribe/notify.
Workaround: There is no workaround.
Symptom: When an ASR1000 connects to ISO HDLC equipment, the AToM PW traffic cannot be carried transparently.
Conditions: In an L2VPN AToM PW configuration, the AC on the PE uses Cisco HDLC encapsulation and the CE equipment uses ISO HDLC.
Workaround:
– Configure Cisco HDLC on the CE.
– Configure the CE as FR and the PE as HDLC.
Symptom: Tracebacks are seen on the standby sup on reload of an LC containing a Pb-free Patriot SPA. VC number mismatch tracebacks are seen on the standby when an LC OIR is done with CT3 SPAs inserted.
Conditions: The fix of CSCud67270 (Traceback @ spa_choc_dsx_create_vcidb) should be present, a CT3 SPA should be inserted, and its OIR should be done.
Workaround: There is no workaround.
Symptom: ASR1k CPP ucode crash
Conditions: This symptom is observed when very big DNS packet is processed.
Workaround: There is no workaround.
Symptom: High latency observed in customer network
Conditions: Under certain conditions, particularly under forced test conditions, it is possible to create scenarios where flow lock contention will be very high because of NAT gatekeeper failures.
Workaround: There is no workaround.
Symptom: The ESP crashes when updating a highly scaling configuration with a large number of flow-controllable nodes. The crash could be observed during dynamic reconfigurations such as changing the rates of a scheduling node, e.g. an ATM VC due to changing L2 shaping or QOS via MQC. The crash could also occur due to growing a scheduling node or moving an ATM VC from one class-of-service node to another. There are several other scenarios that could lead to a transformation of a hierarchy in order to lay out the tree correctly to meet the hardware requirements. One such example is applying a flat policy to or removing a child policy from a policy attached to an ATM VC.
Conditions: While transforming a hierarchy, there are hardware primitives used to execute the update logic safely. One of the requirements for this procedure is to move flow-control from the old tree to the new tree in a particular order to prevent packets from getting out of order. The BQS resource manager had a bug that caused the update to deplete internal flow-control IDs.
Workaround: There is no workaround.
Symptom: With XFP OIR, TX Power is sometimes stuck at -40db and the link fails to come up.
Conditions: This symptom is observed with XFP OIR.
Workaround: Perform another XFP OIR.
Symptom: Call transfer using the Refer method on CUBE will fail if the end UA involved in the transfer tries to de-activate the media with "c=IN IP4 0.0.0.0 and a=recvonly".
Conditions: When a CUBE is trying to transfer the call using the Refer method to a UA, and the UA responds with a re-invite to de-activate the media with "c=IN IP4 0.0.0.0 and a=recvonly", then CUBE will respond with 491.
007326: Jul 26 19:48:02.028 UTC: //2336/171907168923/SIP/Error/sact_media_event_send_invite_response: Failure in media negotiation -- Sending 491 response
Workaround: There is no workaround.
Symptom: UDP tunnel header udp_len is definitely 0, not correctly fixed up.
Conditions: The tunnel interface is changed from non-UDP tunnel mode to UDP tunnel mode.
– VXLAN case: the NVE auto-creates a UDP tunnel. The tunnel interface also processes a tunnel mode update, which causes the wrong tun_mode to be saved in the uidb subblock.
– PMIP UDP tunnel case: the tunnel is created in UDP mode, not changed from another tunnel mode, so the tunnel mode saved in the uidb subblock is correct and the issue is not exposed.
Workaround: There is no workaround.
Symptom: Memory exhausted under load
Conditions: In a SIP-SIP call, when offer is with inband to nte and later in response it falls back to inband to inband resulting in memory leak.
Workaround: Don’t configure the NTE in outbound dial-peer where it will be inband.
Symptom: fman_fp crash seen with 1K tunnels and routemaps
Conditions: This symptom is observed when sending traffic with 1K tunnels and routemaps with ipv6 ACL.
Workaround: There is no workaround.
Symptom: Traceback seen at ace_crypto_free_hw_spi.
Conditions: This symptom is observed under load using static VTI.
Workaround: There is no workaround.
Symptom: Inconsistencies with addition and removal of debug crypto conditions
Conditions: This symptom is observed when using crypto debug conditions
Workaround: There is no workaround.
Symptom: Unable to configure interface Multilink greater than 65535. Previously able to configure Multilink interfaces in the range of 1 to 2147483647.
Conditions: Unable to configure interface Multilink greater than 65535.
Workaround: There is no workaround.
Symptom: packet lost over GRE tunnels
Conditions: This symptom is observed when ERSPAN is configured on the device; when pinging the GRE tunnel address, packets are lost.
Workaround: Disable ERSPAN
Symptom: Configure URL tool ezpm and run traffic. Following fields have wrong values: connection to server netw delay sum, connection to client netw delay sum, connection client, server netw delay sum, connection application delay sum, connection application delay max, connection client server resp delay sum, connection server packets counter, connection initiator octets, connection client packets counter
Conditions: This symptom is observed when url tool is configured alone.
Workaround: Enable other ezpm tool additionally.
Symptom: Callers receiving general voice-mail greeting when forwarded to CUE voice-mail.
Conditions: If one "voice register dn" is forward all, or, forward unregistered to another voice register DN that is also forward all or forward unregistered to CUE voice-mail, there is no Diversion header in the SIP INVITE to CUE. This results in CUE returning the general voice-mail greeting.
Workaround: There is no workaround.
Symptom: AToM(Ethernet over MPLS), FP crashes
Conditions: AToM(Ethernet over MPLS) is configured, link or protocol flapping causes timing issue. It is hard to hit.
Workaround: There is no workaround.
Symptom: VLAN Stats would not be displayed on RP
Conditions: When scaled VLANs are configured, repeated shut/no shut or repeated configuring and unconfiguring of VLANs causes VLAN stats not to be collected to the RP.
Workaround: Reload of the line card.
Symptom: In CME, Transferred call will not be moved to Flow-around
Conditions: This is seen during call transfer at alert without 183 in CME.
Workaround: There is no workaround.
Symptom: Link interfaces of multilink bundles may not report any packet or byte counts in either direction. This behaviour may be seen in "show interface Virtual-Access <if number>" outputs, and in "show pppoe session packets" outputs.
Conditions: This behaviour is observed on ASR1000 routers, on broadband link interfaces. Broadband link interfaces affected may include PPPoE, PPPoEoA, and possibly PPPoA.
Workaround: It may be possible to get similar stats through the show command "show platform hardware qfp active feature mlppp datapath bundle Virtual-Access <if number>".
Symptom: ASR crashes when running command "no crypto pki certificate pool"
Conditions: This has been seen on the ASR1004 running the following:
asr1000rp2-advipservicesk9.03.07.03.S.152-4.S3
asr1000rp2-advipservicesk9.03.07.03.S.152-4.S2
asr1000rp2-advipservicesk9.03.07.03.S.152-4.S1
Workaround: Do not run the command "no crypto pki certificate pool".
Symptom: Fax relay is not used when T38 v3 is used for SG3 fax calls. Calls are processed in passthrough mode.
Conditions: This symptom is observed when SG3 fax on both end and GWs were configured with H323 protocol and T38 v3 fax relay.
Workaround: Use SIP protocol.
Symptom: Crash seen during SSO.
Conditions: This symptom is seen in ISR G2 in HSRP HA configuration, and is not seen in ASR1K. It is also seen under a race condition when deleting a dial-peer/unconfiguring bind CLI's under dial-peer.
Workaround: Do not change configuration during SSO.
Symptom: While removing IPSEC configuration and unconfiguration, command no crypto pki server ra is issued followed by answer "yes", the router's CPU utilization reaches to 100% which degrades its performance badly, while the script keeps on running in background and finally this leads to failure/aborting of further listed test cases.
Conditions: This symptom is observed under no specific conditions.
Workaround: There is no workaround.
Symptom: "Show plat soft flow fp active exporter name <name>" displays invalid source and destination addresses if using IPv6.
Conditions: This is simply a display issue. The addresses are displayed in an IPv4 format. This fix checks the address type before displaying the addresses in the correct IPv4 or IPv6 format.
Workaround: There is no workaround.
Symptom: FP crashes
Conditions: This symptom is observed when changing tunnel mode to cgn
Workaround: There is no workaround.
Symptom: If CUBE received a REFER without Refer-To header, CUBE crashed in some platforms and there were trace backs in others.
Conditions: When a REFER without a Refer-To header is received.
Workaround: Refer-To is a mandatory header in a REFER request. Hence this case might not be encountered.
Symptom: After an NHRP network spoke-spoke mapping entry refresh, the mapping entry is missing the 'rib' or 'rib nho' flag settings and NHRP has cleared the corresponding NHRP route or next-hop-override from the route in the RIB. Data packets are forwarded via the spoke-hub-spoke tunnel path rather than the direct spoke-spoke tunnel path.
Conditions: This symptom is observed under the following conditions:
– Running DMVPN Phase 3 on ASR1k or with IOS code 15.2(1)T or later.
– Data traffic loading spoke routers using spoke-spoke tunnel.
– Multiple NHRP network mapping entries for different subnets using the same spoke-spoke tunnel.
Workaround: There is no workaround.
Symptom: When no ip address trusted authenticate is configured, a 403 for REGISTER fails to pass through via CUBE.
Conditions: This symptom is observed when CUBE receives 403 for Register in Registration passthrough case while no ip address trusted authenticate under voice service voip and silent-discard untrusted under sip is configured.
Workaround: Disable silent discard "no silent-discard untrusted".
Symptom: cpp_cp_svr crash in LNS
Conditions: This symptom is observed while tearing down PPPoX sessions. On ESP-100, ESP-200 or ASR1K 2RU VE systems, if more than 4000 sessions are created on one interface and then all sessions on that interface are torn down, this leads to a cpp_cp_svr crash on the ESP.
Workaround: There is no workaround.
Symptom: ASR1002-x crashed with rtsp alg
Conditions: When pa_remove fails, the memory is freed twice (double free) in the RTSP ALG, which causes the ASR to crash.
Workaround: There is no workaround.
Symptom: The MLPPP bundle bandwidth is not updated which led to non-priority packet drops when traffic exceeds the current rate. A bundle rate is supposed to be set to 12M but it was instead set to 1.5M.
Conditions: The Bundle rate was not being updated when QoS events preceded the rate update from MLPPP. If the MLP event is processed before the QoS event then there is correct behavior, however if the QoS event is processed before the MLP rate update event then the MLP event is lost and never gets processed to update the bundle bandwidth. This results in tail drops when the interface becomes congested prematurely.
Workaround: The workaround is to apply QoS after all member links have been successfully added to the bundle.
Symptom: DMVPN spoke sometimes fails to replicate the multicast packet thereby not being able to send multicast packets to the hub (including the routing protocol updates)
Conditions: DMVPN Spokes where the NHS recovery feature is used.
Workaround: Shut - no shut of the tunnel interface clears this.
Symptom: Some WCCP issues are not easy to reproduce.
Conditions: There are no known conditions.
Workaround: There is no workaround.
Symptom: ESP crashes running 3.9.1 when NAT enabled
Conditions: NAT must be enabled.
Workaround: There is no workaround.
Symptom: Traffic counter shows higher than expected value.
Conditions: ISG policy templating ON and uni-directional TC in service policy
Workaround: Use bi-directional TC in service policy
Symptom: Sometimes there is no output for the command "show sbc global sbe sip subscribers filter <prefix>".
Conditions: Observed on a Cisco ASR1k platform configured as CUBE using the Service Provider (SP) feature set running IOS-XE version 15.3(1)S2.
Workaround: The command output is not granular enough. For example, if we execute the command like this, it works:
v1-z11#show sbc global sbe sip subscribers filter sip:1037@a.b.c.d
SBC Service "global"
There are currently 2060 subscribers registered on this SBC.
SIP subscribers:
AOR: sip:1037@a.b.c.d
Subscriber Location[s]: sip:1037@x.x.x.x:5063 -> ENDPOINTS/PUBNET
 Fast register active, fast time remaining 58 sec
Registrar adj: SIPCORE
Time left: 163 secs
Subscriber Category[s]: VRF Global IPv4 a.b.x.y
Then we see the expected information about the "sip:1037@a.b.c.d" subscriber.
But if we execute:
v1-z11#show sbc global sbe sip subscribers filter sip:1037
SBC Service "global"
we do not see anything. Use the first option.
Symptom: show platform software memory qfp-control-process qfp active command is not working.
Conditions: Execution of the show command.
Workaround: There is no workaround.
Symptom: On the ASR1000 platform, if ip tcp adjust-mss is configured on an interface with a crypto map, then the TCP MSS value is not adjusted for egress TCP flows that are encrypted.
Conditions: This is only a problem when there is a crypto map configured on the same interface ip tcp adjust-mss is enabled.
Workaround: Configure ip tcp adjust-mss on the ingress LAN interface when crypto map is configured on the egress interface.
Symptom: Sending a PING to an IPv6 EID from a Proxy ITR without specifying the source interface can cause a crash which resets the FO.
Conditions: When sending an ICMPv6 packet, we try to set the source UDP port, and depend on the source interface supplied in the exec command to do that. When the source interface is not included in the ping command, the source UDP port is invalid, and a crash ensues when LISP attempts to use it.
Workaround: Include 'source <interface>' to ping commands on the Proxy ITR
Symptom: The output of the following command shows that the QM CPP DRAM increases but does not decrease when fair-queue is removed from a class before it is active in HW:
show plat hard qfp act inf exmem stat user | incl QM
Over time the system runs out of resource DRAM, causing subsequent configuration events that require CPP DRAM objects to fail. The impact could be the system being unable to process new configuration events or the data plane being unable to allocate resource DRAM during packet processing.
Conditions: When fair-queue is removed from a class before it is activated in the hardware, the BQS RM was not freeing the WRED DRAM object used to store the fair-queue configuration. Over time, the system runs out of CPP resource DRAM. The error message described in the description is displayed and all configurations start failing. This condition impacts the whole system as opposed to just queueing features.
Workaround: There is no workaround.
Symptom: Packet trace showing incorrect ICMP type for ping terminated on router.
Conditions: When using packet trace with IOS-XE and ICMP traffic is traced.
Workaround: There is no workaround.
Symptom: RP is again fragmenting it.
Conditions: Giant pkts are sent from SPA after LAF.
Workaround: There is no workaround.
Symptom: Transfer is failing with midcall invite.
Conditions: This symptom is observed when CUBE is not able to send out DO invite on to other leg in RE-INVITE based transfer.
Workaround: This issue has been fixed.
Symptom: In a video forking call, CUBE always chooses video packetization mode "0" for the H264 codec while passing across any request or response if the CLI to select the preferred packetization mode is not configured.
Conditions: When video forking is enabled, CUBE always chooses packetization mode=0 for the H264 codec when the CLI to set the preferred packetization mode is not configured.
Workaround: By using the existing CLI, media profile video 1/
Symptom: EIGRP over IKEV2 DMVPN is not coming UP between ISR Spoke and ASR Hub
Conditions: This is seen with IKEv2 Configs
Workaround: Downgrade ASR image to XE3.8.
Symptom: With QinQ inner VLAN configuration on a native ASR1k Ethernet linecard, traffic does not pass.
Conditions: With a QinQ sub-interface configured with inner VLAN as ANY, native ASR1k Ethernet linecard traffic to that sub-interface is dropped in the linecard.
Workaround: There is no workaround.
Symptom: The CPP process could crash while adding fair-queue on the fly. This does not require scaling to occur.
Conditions: When fair-queue is added on the fly while a default parent schedule is being deleted, a crash could occur because the RM cleanup code is destroying a wrong tree.
Workaround: There is no workaround.
Symptom: When new flows are established through an ASR configured with PAP, PAP does not allocate the new flows to a GA that may have existing flows mapped to it but whose LA to GA mappings have not reached the limit configured via the ip nat setting pap limit command. This causes an exhaustion of the pool, and flows that require a translation are eventually dropped.
Conditions: ASR running NAT PAP
Workaround: There is no workaround.
Symptom: vrf-mismatch is seen under "show service-insertion statistics connection summary" after ESP Switch over in same box
Conditions:
– Multiple ACs
– At least 1 AC with dual FP
– VRF configured
– 1 VRF flows alive while reloading standby FP
– Standby FP will come up with vrf mismatches
Workaround: Ignore the error
Symptom: When configuring the following commands on the ASR1k platform:
exception memory ignore overflow io frequency 30 maxcount 5
exception memory ignore overflow processor frequency 30 maxcount 5
the following error is returned:
F340.09.25-ASR1000-1(config)#$re overflow processor frequency 30 maxcount 5
F340.09.25-ASR1000-1(config)#
*Aug 22 12:54:24.920: exception configuration not implemented
*Aug 22 12:54:24.920: PARSE_RC-4-PRC_NON_COMPLIANCE< http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&counter=0&paging=5&links=reference&index=all&query=PARSE_RC-4-PRC_NON_COMPLIANCE> ; `exception memory ignore overflow processor frequency 30 maxcount 5'
Conditions: HW/SW: ASR1k/All IOS. Non-zero values in the following commands:
exception memory ignore overflow io
exception memory ignore overflow processor
exception memory ignore overflow io frequency 30 maxcount 5
exception memory ignore overflow processor frequency 30 maxcount 5
Workaround: There is no workaround.
Symptom: sis neigh can not be setup and stuck at "init" status
Conditions: when configured the MTU bigger than default value
Workaround: There is no workaround.
Symptom: On a Cisco ASR1k running the Cisco CUBE SP (Service Provider) feature set, IOS-XE version 15.1(3)S1, it is sometimes observed that a specific call transfer will have no way audio (dead air) upon the transfer completion.
Conditions: The CUBE SP has at least three physical interfaces that terminate three different SIP trunks (for example to ITSP, SIP based IVR and to a Cisco Callmanager) and the problematic transfer call flow signaling traverses all three SIP trunks on the same CUBE.
Workaround: If you have more than one CUBE available and if one of the transfer call leg traverses this second CUBE then the problem is not observed.
Symptom: CUBE fails to send INVITE with credentials when ITSP sends 401 Unauthorized. CUBE instead sends 503 Service Unavailable
Conditions: "error-passthru" is configured under voice service voip
Workaround: Disable "error-passthru"
Symptom: While testing "default_zone_basic_vrf_lite.tcl" script with latest mcp_dev "BLD-BLD_MCP_DEV_LATEST_20130821_003026" I am observing connectivity failure.
Conditions: Firewall and PBR interworking after CSCuh98033
Workaround: There is no workaround.
Symptom: ATM PVC gets stuck in "IN" state when SPA-24CHT1-CE-ATM is reloaded.
Conditions: Occurs during SPA reload or SPA OIR
Workaround: Reload router
Symptom: Hung sessions for protocol violations
Conditions: CUBE handling of unsupported flows and violations/attacks
Workaround: There is no workaround.
Symptom: CUBE crashes during T38 fax call.
Conditions: This symptom is observed in an enclosed configuration.
Workaround: There is no workaround.
Symptom: ESP ucode crash observed with a SIPvicious packet observed
%CPPHA-3-FAULT: F0: cpp_ha: CPP:0.0 desc:INFP_INF_SWASSIST_LEAF_INT_INT_EVENT0 det:DRVR(interrupt) class:OTHER sev:FATAL id:2121 cppstate:RUNNING res:UNKNOWN flags:0x7 cdmflags:0x8
Conditions: The crashes are seen with SIPvicious packets
Workaround: Disable the SIP ALG for this port using:
no ip nat service sip udp port 5060
no ip nat service sip tcp port 5060
Symptom: Chunk memory leak in Crypto Proxy
Conditions: This is only seen with IPSEC HA configured
Workaround: There is no workaround.
Symptom: permit error all is not working
Conditions: log dropped message is enabled
Workaround: log dropped message is disabled.
Symptom: show platform hardware slot r0 led status may cause ASR1002X reload.
Conditions: show platform hardware slot r0 led status command on standalone ASR1002X.
Workaround: Do not use the command.
Symptom: On-demand dpd triggered
Conditions: Configure on-demand dpd on peer3. Keep receiving the traffic from peer1
Workaround: There is no workaround.
Symptom: ASR1k crashed with error message
CPPHA-3-FAULT F0: cpp_ha: CPP:0.0 desc:INFP_INF_SWASSIST_LEAF_INT_INT_EVENT0 det:DRVR(interrupt) class:OTHER sev:FATAL id:2121 cppstate:RUNNING res:UNKNOWN flags:0x7 cdmflags:0x8
Conditions: ASR1k running 03.10.00.S with configured zone based firewall
Workaround: There is no workaround.
Symptom: ASR crashed with CGN NAT configuration.
Conditions: Seen with CGN BPA feature configured.
Workaround: Removing the CGN BPA configuration, the router stops crashing.
Symptom: Crash with Unexpected exception to CPU: vector 400, PC = 0x6B09EF1C, LR = 0x8B78034
Conditions: Interface is "no shut", and SIP bindings are in place on that interface:
sip
 bind control source-interface GigabitEthernet0/0
 bind media source-interface GigabitEthernet0/0
Workaround: Unknown, may need bindings configured, so removal of them should keep the crash from occurring.
Symptom: unexpected logs are printed.
Conditions: run show platform hardware qfp active feature alg statistics
Workaround: There is no workaround.
Symptom: Customer has some VG350 and phones. They have FAC configured and all users need to enter the FAC code before making an external call. Customers are not able to hear the zipzip tone they used to have before entering the FAC. User has cptone tw configured under voice-port.
Conditions: On all stcapp voice-port.
Workaround: under voice-port, change "cptone tw" to "cptone us"
Symptom: TDL meta file compat check issue
Conditions: There are no known conditions
Workaround: There is no workaround.
Symptom: Standby SBC ASR1k seeing "SNMP-3-INPUT_QFULL_ERR". SNMP input queue never drops, it continues to increase until it gets stuck at 1000, causing SNMP unresponsiveness to the device.
Conditions: When polling ciscoSbcCallStatsMIB on Standby-RP ASR1k
Workaround: "default snmp-server" to soft reset the SNMP Engine to make the ASR1K respond again (refresh the input queue); then apply SNMPVIEW configuration to block the MIB.
snmp-server view cutdown iso included
snmp-server view cutdown ciscoSbcCallStatsMIB excluded
snmp-server community <insert_your_community_string_here> view cutdown RO
snmp-server community <insert_your_community_string_here> view cutdown RW
Symptom: ESP reload using packet-trace tool.
Conditions: This symptom is observed with the following command sequence:
debug platform packet-trace enable
debug platform packet-trace packet 16
show platform packet-trace packet all
Workaround: Display packets individually rather than all at once: show platform packet-trace packet <0-8191>
Symptom: There is a field that was not displayed
Conditions: show sip-ua registration passthrough status detail
Workaround: sip-ua registration passthrough status
Symptom: modify bearer request is dropped.
Conditions: handoff from gtpv1 to gtpv2
Workaround: SGW recreate session
Symptom: Egress TCAM Look up failure for Vlan Scale on 6 Port 10G ELC.
Conditions: 24k vlan scale across ELC & interface reset.
Workaround: There is no workaround.
Symptom: Lite session related traceback in CPP client.
Conditions: ESP100, very high scale.
Workaround: Reduce number of sessions.
Symptom: GetVPN GM gdoi policy installation fails.
Conditions: This symptom is observed after reboot.
Workaround: Issue the command clear crypto gdoi after the reboot.
Symptom: show run only shows 191 na-dst-prefix-table out of 200
Conditions: configured a lot of na-dst-prefix-table, specially, more than 191
Workaround: There is no workaround.
Symptom: Traceback appears in UUT
Conditions: Unconfiguring firewall configs from UUT
Workaround: There is no workaround.
Symptom: The ESP may crash in cpp_mcplo
%CPPHA-3-FAULT: F0: cpp_ha: CPP:0.0 desc:INFP_INF_SWASSIST_LEAF_INT_INT_EVENT0 det:DRVR(interrupt) class:OTHER sev:FATAL id:2121 cppstate:RUNNING res:UNKNOWN flags:0x7 cdmflags:0x8
Conditions: NAT is enabled and the mode has been changed between "Classic"/default and CGN.
Workaround: There is no workaround.
Symptom: Flow entries are created with "no ip nat create flow-entries" command.
Conditions: The UUT is configured with more than 3 static mappings.
Workaround: There is no workaround.
Symptom: The ESP-100 and ASR1K-2X crash when flat policies are applied on both the tunnel and the destination sub-interface. This issue is observed when QoS is applied first on the tunnel and then on the sub-interface as follows:
policy-map tunnel-shaper
 class class-default
  shape aver per 20
policy-map sub-int-shaper
 class class-default
  shape ave per 90
Be sure the tunnel is active and pointing to the sub-interface with QoS applied before applying the sub-interface policy. See the attached repro-steps for details.
int tunnel1
 service-policy out tunnel-shaper
int g2/3/0.100
 service-policy out sub-int-shaper
Conditions: When a sub-interface policy is applied after QoS is active on a tunnel, the tunnel is reparented from the current aggregation node to the sub-interface node. Since reparenting a leaf node requires adding a temporary node in the hierarchy to be able to move flow-control gracefully, the logic to detach the source leaf node from the temporary node was missing. As a result, the code generated a fatal error while attempting to free the temporary node before it is empty.
Workaround: There is no workaround.
Symptom: FP crash during multiple PPP (PTA/LNS) session flaps.
Conditions: "subscriber accounting accuracy" is enabled.
Workaround: There is no workaround.
Symptom: FP100 test CPLD image with version 13012900 is added in hw-programmable package.
Conditions: The FP100 test CPLD will be installed when the CPLD is upgraded.
Workaround: Do not upgrade FP100 CPLD.
Symptom: The WAAS and PfR features do not interoperate.
Conditions: Both AppNav-WAAS and PBR/PfR are turned on.
Workaround: There is no workaround.
Symptom: For a VC type 4 PW (Ethernet VLAN) carrying packets with a single dot1q header, if rewrite pop 1 is configured, the expected behavior is that the COS from this header is copied into the dummy tag. Instead, COS 0 is copied into the dummy tag toward the core.
Conditions: When the transported traffic has an outer VLAN tag only, the packet in the MPLS core does NOT have the priority field copied from the dot1q header into the MPLS EXP bits; the EXP bits are 0 instead. When the transported traffic has an outer VLAN tag and additional VLAN tags (QinQ), the packet in the MPLS core DOES have the priority field copied from the outer dot1q header into the MPLS EXP bits.
Workaround: Configure an input policy-map under the service-instance, in which each class matches the dot1Q COS and imposes the EXP bits.
Symptom: An ASR100x running IOS XE version 15.3(1)S and configured as a CUBE Ent has been seen to hit a segmentation fault in certain rare circumstances. CUBE (Ent) on the ASR has gone through very demanding performance testing and this bug was not seen. Exception to IOS:
Frame pointer 0x7F98F04FB980, PC = 0x3A534E6 IOS Thread backtrace: UNIX-EXT-SIGNAL: Segmentation fault(11), Process = IOSXE-RP Punt Service Process -Traceback= 1#9821b08208133f5124c039ddebb8173b :400000 36534E6 :400000 203F6E8 :400000 1A9972F :400000 1A2C3B4 :400000 1A52F50 :400000 6487473 :400000 6486359
Conditions: Trigger of the issue is unknown.
Workaround: Because the crash is reported when port 26132 was used, the crash can be avoided by not using this port (UDP port 26132, which corresponds to index 4874 in port_array). This can be done by changing the port range to something like 26134 to 32767 (currently it is 16384 to 32767), but this will reduce the number of CUBE calls from 4000 to around 1600 calls. In Cisco IOS XE 3.10.1, this port range is 8000 to 48199 by default, so there is a bigger port range to start with; in this case the port corresponding to index 4874 is 17748, so the port range has to be changed to 18000 to 48199 using the configuration. In addition, Cisco IOS XE 3.10.1 also allows a configuration where packets can be dropped in the DP if no session exists in the DP. This will not cause any one-way audio, as IOSd is not really meant to process the media on the ASR, and if there are any media issues those need to be addressed differently.
Symptom: When input MPLS-aware FNF is configured (under interface configuration: mpls flow mon MON_NAME in), FNF can cease to function due to cache entry leak/exhaustion.
Conditions: This can only occur with input MPLS FNF, and only occurs with certain labels. In particular, it occurs for MPLS labels for which the output of show plat hard qfp active feature cef-mpls prefix mpls <LABEL NUM> does *not* have an IPv4 adjacency.
Workaround: There is no workaround.
Symptom: Crash with "ip nat settings mode cgn" in the config.
Conditions: There are no known conditions.
Workaround: Reload after changing settings.
Symptom: When a flat policy is applied to a MLPPP, MFR or GEC aggregation bundle, the current leaf schedule object is replaced with a new one. The code was not updating the cached object, which resulted in accessing invalid memory when the bundle bandwidth is updated. The bandwidth is updated when a member link is added to or removed from the bundle. Configuration example:
policy-map foo
 class prec1
  bandwidth percent 10
interface Port-channel1 aggregate
 ip address 8.0.0.1 255.255.255.0
 no negotiation auto
 lacp min-bundle 2
 service-policy output foo
Conditions: When a bundle schedule is replaced, the cached object was not being updated, which led an interface bandwidth update event to access invalid memory. The problem is not easy to recreate, as it would require the QoS event for processing the flat policy to be interleaved with an interface bandwidth update event.
Workaround: There is no workaround.
Symptom: The message %SMC-2-BAD_ID_HW: SIP0/0: Failed Identification Test in 0/0 [2/0] appears.
Conditions: This symptom is observed after bootup.
Workaround: There is no workaround.
Symptom: Wrong traffic distribution after adding a new class with fair-queue and bandwidth percent 15 to the existing policy on the fly.
Conditions: After adding a new class with fair-queue and bandwidth percent 15 to the existing policy on the fly.
Workaround: There is no workaround.
Symptom: An echo request is dropped.
Conditions: The echo request does not carry a private extension IE.
Workaround: There is no workaround.
Symptom: Both ESPs may crash.
Conditions: Flow entries are disabled while traffic is running.
Workaround: There is no workaround.
Symptom: The ucode crashes on clear NAT translations.
Conditions: The ucode crashes when doing clear ip nat translations * on a scaled setup.
Workaround: There is no workaround.
Symptom: The standby FP crashes.
Conditions: The standby FP continuously crashes when PAP is configured with NAT and NAT64 on the same box.
Workaround: There is no workaround.
Symptom: ESP crashed with error message: %CPPHA-3-FAULT: F0: cpp_ha: CPP:0.0 desc:INFP_INF_SWASSIST_LEAF_INT_INT_EVENT0 det:DRVR(interrupt) class:OTHER sev:FATAL id:2121 cppstate:RUNNING res:UNKNOWN flags:0x7 cdmflags:0x8
Conditions: The crash is caused by a defect in BFD, though no BFD is configured on any interface.
Workaround: There is no workaround.
Symptom: SCCM phone registration on CCM via the ASR1k does not take place.
Conditions: The ASR1k is configured with a NAT configuration.
Workaround: There is no workaround.
Symptom: The CP process crashes when reparenting more than 128 entries from one tree to the other. A reparenting event could be stimulated by either an internal or external event, but this issue is more likely to be caused by an internal reparenting. An internal reparenting could occur when a leaf node is transformed into a hierarchy layer node or when de-aggregating an aggregation node after the schedule size is below the 4000 threshold.
Conditions: When reparenting either leaf or hierarchy layer entries, the resource manager was not clearing the counter that tracks the number of entries that need to be flushed after processing the first batch. This caused the code to run incorrectly, to the point of completing the request before the HW was reprogrammed correctly. As a result, some entries may be left in the source parent, which causes a crash when the tree is freed before it is empty.
Workaround: There is no workaround.
Symptom: Active NAT tables in a VRF are cleared unexpectedly when unconfiguring a static NAT belonging to another VRF.
Conditions: The problem happens when the following conditions are met:
– The 'network' option is used in the NAT rule.
– The NAT rule which is to be unconfigured has local/global addresses that overlap with other NAT rules.
Workaround: There is no workaround.
Symptom: A traceback is seen while testing 2-way and 3-way voice Xgcp calls in a NAT environment.
Conditions: The UUTs are running 15.4(0.26)T0.1.
Workaround: There is no workaround.
Symptom: Crash after adding an ACL with the ttl option to a QoS policy.
Conditions: This symptom occurs when all of the following are done:
– Create a policy with an ACL containing the ttl option.
– Attach this policy to an interface.
– Send non-IP traffic (MPLS or L2) to this interface.
This has been seen on ASR1002 running asr1000rp1-advipservicesk9.03.06.00.S.152-2.S after adding the following:
permit icmp host x.x.x.x host x.x.x.x ttl gt 20
Workaround: Do not use an ACL with the ttl option in the QoS policy, or also add an IPv6 class-map to the QoS policy:
ipv6 access-list v6_acl
 permit ipv6 any any
class-map match-any v6_class   <--- Add this class to the QoS policy
 match access-group name v6_acl
Symptom: Call Forward All/Blind Transfer to ephone hunt group scenarios fail from 15.4(0.21)T. The issue is seen only when:
– There is a SIP trunk between two CMEs (that is, the incoming call to the CME is via the SIP trunk).
– There is a call-forward all to the ephone hunt-pilot, none of the list members pick up the call, and the final number has to pick up the call (that is, when the incoming call is forwarded to the ephone hunt-pilot and none of the list members picks up the call, the call is not made to the final number; instead a 302 response is sent to the caller).
The issue does not occur for:
– The H.323 trunk.
– Voice hunt groups.
– A direct call to the ephone hunt-pilot.
Conditions: 15.4(0.21)T and an ephone-hunt group.
Workaround: Handle the 302 locally with the following CLI:
voice service voip
 no supplementary-service sip moved-temporarily
Symptom: ESP crash after entering "debug platform condition stop" on an ASR1k with ISG feature set enabled and active subscribers.
Conditions:
ASR1k(config)#ip access-list extended SMTP
ASR1k(config-ext-nacl)#permi
ASR1k(config-ext-nacl)#permit tcp
ASR1k(config-ext-nacl)#permit tcp any any eq 25
ASR1k(config-ext-nacl)#end
debug platform condition ipv4 access-list SMTP
debug platform packet-trace packet 8192
debug platform condition start
debug platform packet-trace enable
show platform packet-trace summary
debug platform condition stop
Workaround: There is no workaround.
Symptom: The original issue fails silently and is only detected via traffic or by inspecting the hierarchy via the CLI, show plat hard qfp act feat qos que out int <ifname> hier detail. The QoS rates are inaccurate due to a bad hierarchy. Subsequent crashes and the issue that is documented in this DDTS were regressions from the original fix intended to build the hierarchy on the ESP-100 correctly. All issues involved fair-queue in a flat or hierarchical policy when applied on the fly.
Conditions: Applying fair-queue on the fly resulted in the bad hierarchy. As a result, the provisioned services could not be guaranteed.
Workaround: There is no workaround.
Symptom: An ASR1002x, or an ASR1000 with an ESP100, may crash when Broadband MLPPP sessions with QoS applied are brought up or the sessions flap.
Conditions: This issue causes an ASR1K crash (cpp_cp_svr) when a Broadband MLPPP bundle with QoS applied is brought up or the session flaps. The problem is most prevalent on MLPPP bundles with two or more member links. It affects MLPPPoE, MLPPPoA, MLPPPoEoA, and MLPPPoLNS.
Workaround: There is no workaround.