Release Notes for Cisco 8200 Series Secure Routers, Release 17.18.x

Cisco 8200 Series Secure Routers

From Cisco IOS XE17.18.1a, Cisco 8200 Series Secure Routers are available in these models:

◦    C8231-G2

◦    C8235-G2

◦    C8231-E-G2

◦    C8235-E-G2

Security

Resilient Infrastructure

Starting with the Cisco IOS XE 17.18.2 release and in future releases, Cisco software will display warning messages when configuring features or protocols that do not provide sufficient security such as those transmitting sensitive data without encryption or using outdated encryption mechanisms. Warnings will also appear when security best practices are not followed, along with suggestions for secure alternatives. This list is subject to change, but the following is a list of features and protocols that are planned to generate warnings in releases beyond the version Cisco IOS XE 17.18.1. Release notes for each release will describe exact changes for that release:

● Plain-text and weak credential storage: Type 0 (plain text), 5 (MD5), or 7 (Vigenère cipher) in configuration files.

Recommendation: Use Type 6 (AES) for reversible credentials, and Type 8 (PBKDF2-SHA-256) or Type 9 (Scrypt) for non-reversible credentials.

● SSHv1

 Recommendation: Use SSHv2.

● SNMPv1 and SNMPv2, or SNMPv3 without authentication and encryption

Recommendation: Use SNMPv3 with authentication and encryption (authPriv).

● MD5 (authentication) and 3DES (encryption) in SNMPv3

Recommendation: Use SHA1 or, preferably, SHA2 for authentication, and AES for encryption.

● IP source routing based on IP header options

Recommendation: Do not use this legacy feature.

● TLS 1.0 and TLS 1.1

Recommendation: Use TLS 1.2 or later.

● TLS ciphers using SHA1 for digital signatures

Recommendation: Use ciphers with SHA256 or stronger digital signatures.

● HTTP

Recommendation: Use HTTPS.

 ● Telnet

Recommendation: Use SSH for remote access.

● FTP and TFTP

Recommendation: Use SFTP or HTTPS for file transfers.

● On-Demand Routing (ODR)

Recommendation: Use a standard routing protocol in place of CDP-based routing information exchange.

● BootP server

Recommendation: Use DHCP or secure boot features such as Secure ZTP.

 ● TCP and UDP small servers (echo, chargen, discard, daytime)

Recommendation: Do not use these services on network devices.

 ● IP finger

Recommendation: Do not use this protocol on network devices.

● NTP control messages

Recommendation: Do not use this feature.

● TACACS+ using pre-shared keys and MD5

 Recommendation: Use TACACS+ over TLS 1.3, introduced in release Cisco IOS XE 17.18.1

Ease of Setup

IPv6 Rule and Rule Set Support in Security Policies

From Cisco IOS XE 17.18.2, you can configure IPv6 data prefix lists, rule with rule sets, and object groups in security policy using Cisco SD-WAN Manager.

Upgrade

IPv6 GRE-TP tunnel as protected link support for SRv6 TI-LFA with IS-IS

From Cisco IOS XE 17.18.2, this feature extends IPv6 GRE-TP tunnel as protected link support for SRv6 TILFA with ISIS.

Upgrade

IPv4 GRE-TP tunnel as protected link support for SR-MPLS TI-LFA with OSPFv2

From Cisco IOS XE 17.18.2 this feature extends IPv4 GRE-TP tunnel as protected link support for SR-MPLS TILFA with OSPFv2.

Upgrade

IPv4 GRE-TP tunnel as protected link support for SR-MPLS TI-LFA with IS-IS

From Cisco IOS XE 17.18.2 this feature extends IPv4 GRE-TP tunnel as protected link support for SR-MPLS TILFA with ISIS.

Ease of use

Configure vDSP

Configure vDSP to enable voice processing functions such as transcoding, conferencing and hardware media termination point services.

Licensing Process

Cisco 8200 Series Secure Routers licensing

Cisco 8200 Series Secure Routers supports platform-based licensing, a way of grouping licenses and devices based on platform-classes. A platform class is a hierarchical categorization based on the product family and place in the network. In this platform-based licensing model, Essentials and Advantage licenses are available. License portability is supported across devices within the same platform class and usage of the same license across different modes is also possible.

Ease of Use

Tamper Detection notification

From Cisco IOS XE 17.18.1a, you can identify potential tampering on the Cisco 8200 Series Secure routers by using the platform tamper detection command in config mode.

CSCwr42950

Device On-Demand Tunnels do not expire when UMTS is enabled.

CSCwq51935

NAT64 static entry removed when command to delete non-existent entry is applied.

CSCwe19394

Device may boot up into prev_packages.conf due to power outage.

CSCwr77958

NWPI not capturing self-generated syslog traffic.

CSCwj61730

Device crash when removing SGT caching on an interface.

CSCwq77322

Device sending a 2 Byte packet of FLOW_SAMPLER_RANDOM_INTERVAL instead of a 4-Byte packet.

CSCwr24031

After upgrade to earlier releases sd-wan service-tracker in vrf selects source IP address from GRT when MPLS Inter-AS VPN option B configured.

CSCwr49794

Device exporters with ETA enabled are generating invalid template data errors in SNA.

CSCwq98206

EPBR set interface action get missing after reboot.

CSCwr25077

Device crash when initializing DNS channels.

CSCws30834

Device ignore the keepalive command under the SIG tunnel interface pushed by the vmanage.

CSCws13857

Incorrect NAT translation from service-vrf to global for self-generated ICMP 11 (Time Exceeded) packets.

CSCwq77458

fman crash after fnf config changes.

CSCwr87083

Device not able to onboard sd-routing devices using generic bootstrap file stored in USB.

CSCws12946

Device port forward issue with multiple ISP.

CSCws18137

Out of sync when CLI Template was attached (missing element: authentication in /ios:native/ios:line/ios:vty[ios:first='0']/ios:login/ios:authentication).

CSCwr76580

Strange behavior with the Cisco Umbrella SIG tunnels configured from vManage to Umbrella.

CSCwr30573

TLOC Extension unable to program due to module boot up timing.

CSCws25557

Cipher Suites TLS 1.2 for control connections.

CSCwr95551

Device crashes when configuring SSL VPN with Policy-Based Routing (PBR) and NAT.

CSCwr08462

There seems to be an issue where the NAT router is not responding to ARP requests.

CSCwr44921

Device Crashes - CPU Usage due to Memory Pressure exceeds threshold.

CSCwr97784

Slow performance on Netconf RPC on stateless static NAT translation.

CSCwr88206

FIB table routes: Next Hop (NH) ID 0 is getting corrupted and assigned to a value other than Blackhole.

CSCwr84985

dmiauthd process crashes, due to which the configuration does not sync between startup-config and the running-config.

CSCwq24119

Traceback seen when detaching the CN railways customer configs.

CSCwm97460

Control Connection to vManage is only Attempted over Highest Priority TLOC.

CSCwr00088

Add CLI to change per MPLS label CEF statistics query interval on FMAN FP.

CSCwr55240

Device experienced Critical process ompd fault on rp_0_0.

CSCwr72709

Device crash in TDM-TDM call when debug voip fpi enabled.

CSCwq98154

Multicast traffic not forwarded over P2P DMVPN phase 1 tunnel.

CSCwr49475

BFD sessions flapping and not recovering - SYMNAT port not updating to data-plane.

CSCwo42664

Periodic Service Restart May Generate Crash Files.

CSCwr64257

Unexpected reload on ftmd SDWAN device.

CSCws26373

Device experiences an unexpected reboot due to NAT in the data-plane after a policy push.

CSCwp97178

Flapping nat will casue bfd session down with ipsec session shown.

CSCwr76176

PMTU Converges Unexpectedly to 970 Bytes After dbg2:1 Event.

CSCwr77083

Device crashed in crypto library.

CSCwo53342

Device: bfd may be flapping when save configuration with write cmd.

CSCwq00263

ipv6 ipsec tunnel, ping failed with specific size.

CSCwk74329

Counters are cleared after shut/no shut gi0 interface.

CSCwo44899

selinux: vmanage failed to factory reset device caused by selinux deny.

CSCwq58084

Device: POE module insert time incorrect if reloading with future time and then sync back to correct time source.

CSCwo62154

Crash Encountered During PIM Swap quickly on device.

C8231-G2

17.18.1a

17.18(1.5r).s1.cp 

Not applicable

C8235-G2

17.18.1a

17.18(1.5r).s1.cp 

Not applicable

C8231-E-G2

17.18.1a

17.18(1.12r).s1.cp      

Not applicable

C8235-E-G2

17.18.1a

17.18(1.12r).s1.cp      

Not applicable