Release Notes for Cisco 8300 Series Secure Routers, Release 17.18.x
Available Languages
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- US/Canada 800-553-2447
- Worldwide Support Phone Numbers
- All Tools
Feedback
Feedback
Cisco 8300 Series Secure Routers, Release 17.18.x
Cisco 8300 Series Secure Routers, Release 17.18.x
Cisco 17.18.1a is the first release for Cisco 8300 Series Secure Routers in the Cisco IOS XE 17.18.x release series.
The key highlights of this release include these features and enhancements:
● Monitoring & Observability
● Cellular, IPv6, Voice, Virtualization
● SRv6 Enhancements
● Security and SASE enhancements
For information on the hardware features supported on the Cisco 8300 Series Secure Routers, refer to the Cisco 8300 Series Secure Routers datasheet.
This section provides a brief description of the new hardware features introduced in this release.
New hardware features for Cisco IOS XE 17.18.1a
Table 1. New hardware features for Cisco 8300 Series Secure Routers, Release 17.18.1a
| Feature |
Description |
| Cisco 8300 Series Secure Routers |
From Cisco IOS XE 17.18.1a, Cisco Secure Series Routers introduces C8355-G2 routers. |
| C-NIM-WAN-2X and C-NIM-WAN-4S |
The Cisco C-NIM-WAN-2X and C-NIM-WAN-4S are the next generation Form-factor WAN NIM modules that provide enhanced security, reliability, and performance. |
This section provides a brief description of the new software features introduced in this release.
New software features for Cisco IOS XE 17.18.2
Table 2. New software features for Cisco 8300 Series Secure Routers, Release 17.18.2
| Product impact |
Feature |
Description |
| Security |
Starting with the Cisco IOS XE 17.18.2 release and in future releases, Cisco software will display warning messages when configuring features or protocols that do not provide sufficient security such as those transmitting sensitive data without encryption or using outdated encryption mechanisms. Warnings will also appear when security best practices are not followed, along with suggestions for secure alternatives. This list is subject to change, but the following is a list of features and protocols that are planned to generate warnings in releases beyond the version Cisco IOS XE 17.18.1. Release notes for each release will describe exact changes for that release: ● Plain-text and weak credential storage: Type 0 (plain text), 5 (MD5), or 7 (Vigenère cipher) in configuration files. Recommendation: Use Type 6 (AES) for reversible credentials, and Type 8 (PBKDF2-SHA-256) or Type 9 (Scrypt) for non-reversible credentials. ● SSHv1 Recommendation: Use SSHv2. ● SNMPv1 and SNMPv2, or SNMPv3 without authentication and encryption Recommendation: Use SNMPv3 with authentication and encryption (authPriv). ● MD5 (authentication) and 3DES (encryption) in SNMPv3 Recommendation: Use SHA1 or, preferably, SHA2 for authentication, and AES for encryption. ● IP source routing based on IP header options Recommendation: Do not use this legacy feature. ● TLS 1.0 and TLS 1.1 Recommendation: Use TLS 1.2 or later. ● TLS ciphers using SHA1 for digital signatures Recommendation: Use ciphers with SHA256 or stronger digital signatures. ● HTTP Recommendation: Use HTTPS. ● Telnet Recommendation: Use SSH for remote access. ● FTP and TFTP Recommendation: Use SFTP or HTTPS for file transfers. ● On-Demand Routing (ODR) Recommendation: Use a standard routing protocol in place of CDP-based routing information exchange. ● BootP server Recommendation: Use DHCP or secure boot features such as Secure ZTP. ● TCP and UDP small servers (echo, chargen, discard, daytime) Recommendation: Do not use these services on network devices. ● IP finger Recommendation: Do not use this protocol on network devices. ● NTP control messages Recommendation: Do not use this feature. ● TACACS+ using pre-shared keys and MD5 Recommendation: Use TACACS+ over TLS 1.3, introduced in release Cisco IOS XE 17.18.1 |
|
| Ease of Setup |
From Cisco IOS XE 17.18.2, you can configure IPv6 data prefix lists, rule with rule sets, and object groups in security policy using Cisco SD-WAN Manager. |
|
| Upgrade |
IPv6 GRE-TP tunnel as protected link support for SRv6 TI-LFA with IS-IS |
From Cisco IOS XE 17.18.2, this feature extends IPv6 GRE-TP tunnel as protected link support for SRv6 TILFA with ISIS. |
| Upgrade |
IPv4 GRE-TP tunnel as protected link support for SR-MPLS TI-LFA with OSPFv2 |
From Cisco IOS XE 17.18.2 this feature extends IPv4 GRE-TP tunnel as protected link support for SR-MPLS TILFA with OSPFv2. |
| Upgrade |
IPv4 GRE-TP tunnel as protected link support for SR-MPLS TI-LFA with IS-IS |
From Cisco IOS XE 17.18.2 this feature extends IPv4 GRE-TP tunnel as protected link support for SR-MPLS TILFA with ISIS. |
| Ease of use |
Configure vDSP to enable voice processing functions such as transcoding, conferencing and hardware media termination point services. |
|
| CUBE |
||
| Hardware Reliability |
CUBE and SRST applications support on C8375-E-G2 router platform |
From Cisco IOS XE 17.18.2 onwards, UC applications are supported on C8375-E-G2 router platform. |
New software features for Cisco IOS XE 17.18.1a
Table 3. New software features for Cisco 8300 Series Secure Routers, Release 17.18.1a
| Product impact |
Feature |
Description |
| Ease of Use
|
From Cisco IOS XE 17.18.1a release, you can now upgrade the firmware image for cellular module, LTE module, or Wi-Fi module of supported devices using Cisco Catalyst SD-WAN Manager, without configuring and managing multiple commands for each device and its associated modules. |
|
| Licensing Process
|
Cisco 8300 Series Secure Routers supports platform-based licensing, a way of grouping licenses and devices based on platform-classes. A platform class is a hierarchical categorization based on the product family and place in the network. In this platform-based licensing model, Essentials and Advantage licenses are available. License portability is supported across devices within the same platform class and usage of the same license across different modes is also possible.
|
|
| Ease of Use |
From Cisco IOS XE 17.18.1a, you can identify potential tampering on the Cisco 8300 Series Secure routers by using the platform tamper detection command in config mode. |
|
| Ease of Use |
From Cisco IOS XE 17.18.1a, you can enable or disable the Port LEDs on the Cisco 8300 Series Secure routers using the hw-module auto-off led command in config mode. This feature is disabled by default. |
|
| Ease of Use |
From Cisco IOS XE 17.18.1a, you can enable the Blue Beacon LED on the Cisco 8300 Series Secure routers using the hw-module beacon R0 command, to identify a specific device in environments where multiple devices are installed. |
|
| Ease of Use |
Security Cloud Control is a cloud-based multi-device manager that facilitates management of security policies to achieve consistent policy implementation. Security Cloud Control helps optimize your security policies by identifying inconsistencies with them and by giving you tools to fix the inconsistencies. From Cisco IOS XE 17.18.1a release, you can integrate Cisco SD-WAN Manager with Security Cloud Control, which allows you to import existing NGFW policies, security objects, and security profiles into Security Cloud Control. With this integration, you can share objects and policies as well as make configuration templates to promote policy consistency across devices. |
|
| Ease of Use
|
From Cisco IOS XE 17.18.1a release, Cisco Catalyst SD-WAN Manager supports deployment of IOx applications such as Cyber Vision, Thousand Eyes, UTD, and so on. The support to monitor these applications is introduced through Hosted Edge Services monitoring dashboard which offers a simplified user experience for overseeing IOx container applications across multiple devices. The Hosted Edge Services monitoring dashboard is introduced on Cisco Catalyst SD-WAN Manager version 20.18. x. |
|
| Ease of setup
|
Cisco Secure Routers Swim and Onboarding Tool
|
Cisco IOS XE 17.18.1a introduces the Cisco Secure Routers Swim and Onboarding tool that helps customers upgrade and onboard autonomous hardware devices to cloud-hosted or on-premises Catalyst Cisco SD-WAN Manager. |
| Licensing Process
|
Licensing compliance, reporting, and notification enhancements
|
From Cisco IOS XE 17.18.1a release, you can view additional information in your licensing report such as out of compliance and the reason for out of compliance, the number of licenses that have been assigned in the network, how many devices have been assigned licenses, per-device license details, and so on. In addition, you can now connect to the Enterprise Agreement (EA) portal directly from the Cisco SD-WAN Manager with your Smart Account credentials. This helps you to generate the required quantities of licenses for the selected Commerce SKU of EA and deposit them to your desired CSSM Virtual Accounts (VA). |
| Ease of use
|
Security Cloud Control (SCC) is a cloud-based multi-device manager that facilitates management of security policies to achieve consistent policy implementation. SCC helps optimize your security policies by identifying inconsistencies with them and by giving you tools to fix the inconsistencies. From Cisco IOS XE 17.18.1a release, you can integrate Cisco SD-WAN Manager with SCC, which allows you to import existing NGFW policies, security objects, and security profiles into SCC. With this integration, you can share objects and policies as well as make configuration templates to promote policy consistency across devices. |
|
| Security
|
From Cisco IOS XE 17.18.1a release, Custom IPS signature sets are supported in Cisco SD-WAN Manager, which allows you to create and deploy personalized Snort3 IPS signature sets. This feature allows direct modification of actions for existing IPS rules within profiles and supports building custom rules using rule groups or existing rules. With Custom IPS signature sets, organizations can gain greater control and precision in tailoring threat detection to their specific security needs. |
|
| Ease of Use
|
This feature introduces a new certificate authorization setting, Enterprise Certificate Settings, which unifies certificate configurations for SD-Routing devices. Cisco SD-WAN Manager automates certificate management by leveraging protocols like EST (Enrolment over Secure Transport) and SCEP (Simple Certificate Enrolment Protocol). The feature automates the enrolment, and renewal of certificates. |
|
| Ease of use
|
Configure cellular band select for cellular interfaces on SD-Routing devices |
You can select specific frequency bands to which the device can connect to, allowing optimized connection depending on location and network availability. This configuration can be done using Feature Parcels in Catalyst Cisco SD-WAN Manager. |
| Ease of use
|
Configure logging of crash dump events for cellular interfaces on SD-Routing devices |
You can configure the device to collect the crash dump logs by enabling the boot-and-hold mode on the device using the lte modem crash-action boot-and-hold command. |
| Ease of use
|
Reset cellular profile for cellular interfaces on SD-Routing devices |
You can reset the cellular network profile settings on a specific interface to a factory default state using the cellular<slot> lte profile reset command. |
| Ease of use
|
You can enable diagnostic monitoring log capture for devices with cellular interfaces using Catalyst Cisco SD-WAN Manager. |
|
| Ease of Use
|
Show drops command
|
The *show drops* command is introduced in Cisco IOS XE 17.18.1a. This command consolidates multiple platform and protocol-specific debugging tools into a single, user-friendly interface, enabling network operators to efficiently identify the root causes of packet drops. By streamlining the troubleshooting process, this feature significantly improves operational efficiency and network performance. |
| Upgrade
|
This feature enables the transport of IPv4 MVPN traffic across an SRv6 network. It simplifies multicast deployment by using the existing SRv6 unicast infrastructure as the underlay. With this feature, the ingress PE router receives multicast traffic and creates a separate unicast SRv6-encapsulated copy for each egress PE router in the multicast group. |
|
| Upgrade
|
This feature introduces a mechanism to determine the maximum transmission unit (MTU) for packets traversing an SRv6 underlay network. It ensures efficient packet forwarding by preventing fragmentation and packet drops, thereby allowing network devices to dynamically adjust packet sizes to avoid exceeding link MTU limits. The system relays ICMP Packet Too Big (PTB) messages from the SRv6 underlay to the IPv6/IPv4 overlay network, supporting both Transit-node and Headend-node PTB relay methods. |
|
| Upgrade
|
From Cisco IOS XE 17.18.1a, Flexible Algorithm enhances SRv6 by including functions like Topology Independent Loop-Free Alternate (TI-LFA) and microloop (uLoop) avoidance. This feature improves network resilience and efficiency. |
|
| Licensing Process
|
Product Analytics refers to the collection of product telemetry such as product performance and resource usage information directly from IOS-XE-based routing platforms. From Cisco IOS XE 17.18.1a release, Product Analytics is enabled by default when. Use this functionality to gain data insights such as product performance, feature consumption, and the licensing types that suit your requirements best. |
|
| Ease of use |
|
Starting with Cisco IOS XE 17.18.1a, network administrators can monitor and manage crypto throughput drops on Cisco Catalyst 8300 and Catalyst 8200 Series Edge Platforms. This feature sends syslog messages to notify you when crypto throughput drops, offering better visibility and management.
|
| CUBE Features |
||
| Ease of use |
From Cisco IOS XE 17.18.1a onwards, serviceability is enhanced to display consolidated information on forked and associated anchor call legs. |
|
| Upgrade |
Third-Party GUID capture for correlation between call transfers and SIP-based recording |
From Cisco IOS XE 17.18.1a onwards, the Third-Party GUID capture for correlation between calls and SIP-based recording is extended to support transmission of globally unique identifiers (GUIDs) to the recording server during call transfers. |
| Upgrade |
IOS UC apps reports smart licensing flex subscription entitlement tag |
From Cisco IOS XE 17.18.1a onwards, CUBE and SRST smart licensing reports flex subscription entitlement tag on all the supported platforms. |
This table lists the resolved issues in this specific software release.
Note: This software release may contain open bugs first identified in other releases. To see additional information, click the bug ID to access the Cisco Bug Search Tool. To search for a documented Cisco product issue, type in the browser: <bug_number> site:cisco.com.
Resolved issues in Cisco IOS XE 17.18.2
Table 4. Resolved issues for Cisco 8300 Series Secure Routers, Release 17.18.2
| Bug ID |
Description |
| On-Demand Tunnels do not expire when UMTS Is enabled. |
|
| Static entry removed when command to delete non-existent entry is applied. |
|
| Device may boot up into prev_packages.conf due to power outage. |
|
| NWPI not capturing self-generated syslog traffic. |
|
| Device crash when removing SGT caching on an interface. |
|
| Device sending a 2 Byte packet of FLOW_SAMPLER_RANDOM_INTERVAL instead of a 4-Byte packet. |
|
| After upgrade for earlier releases sd-wan service-tracker in vrf selects source IP address from GRT when MPLS Inter-AS VPN option B configured. |
|
| Device exporters with ETA enabled are generating invalid template data errors in SNA. |
|
| EPBR set interface action get missing after reboot. |
|
| Device crash when initializing DNS channels. |
Resolved issues in Cisco IOS XE 17.18.1a
Table 5. Resolved issues for Cisco 8300 Series Secure Routers, Release 17.18.1a
| Bug ID |
Description |
| VFR is not dynamically disabled after ZBFW removal. |
|
| BFD sessions via TLOC-Ext do not come up when IPv6 is dynamically changed. |
|
| Memory leak under vdaemon process with DTLS on SNMP polling. |
|
| Speed test download / Throughput issue on device seen with IPSEC ESP-NULL transform using Zscaler. |
|
| Maximum control connection not equal to maximum omp sessions. |
|
| Module stays down without hw slot reload. |
|
| CXP with Data Policy redirect-DNS via Overlay causes Blackhole. |
|
| Unable to come up control connections with controllers after controllers added and down/up. |
|
| Devices reload after vpn config changes. |
|
| Encore crashed @bfd_send_and_detect_sleep_time during soak run. |
|
| All BFD sessions for dialer interfaces are down. SA ID is 0 for all of them. |
|
| FTMD cero pointer deference leading to crash. |
Open issues
This table lists the open issues in this specific software release.
Note: This software release may contain open bugs first identified in other releases. To see additional information, click the bug ID to access the Cisco Bug Search Tool. To search for a documented Cisco product issue, type in the browser: <bug_number> site:cisco.com.
Open issues in Cisco IOS XE 17.18.2
Table 6. Open issues for Cisco 8300 Series Secure Routers, Release 17.18.2
| Bug ID |
Description |
| Device ignore the keepalive command under the SIG tunnel interface pushed by the vmanage. |
|
| Incorrect NAT translation from service-vrf to global for self-generated ICMP 11 (Time Exceeded) packets. |
|
| fman crash after fnf config changes. |
|
| Not able to onboard sd-routing devices using generic bootstrap file stored in USB. |
|
| Device port forward issue with multiple ISP. |
|
| Out of sync when CLI Template was attached (missing element: authentication in /ios:native/ios:line/ios:vty[ios:first='0']/ios:login/ios:authentication). |
|
| Strange behavior with the Cisco Umbrella SIG tunnels configured from vManage to Umbrella. |
|
| TLOC Extension unable to program due to module boot up timing. |
|
| Cipher Suites TLS 1.2 for control connections. |
|
| Device crashes when configuring SSL VPN with Policy-Based Routing (PBR) and NAT. |
|
| There seems to be an issue where the NAT router is not responding to ARP requests. |
|
| Device Crashes - CPU Usage due to Memory Pressure exceeds threshold. |
|
| Slow performance on Netconf RPC on stateless static NAT translation. |
|
| FIB table device: Next Hop (NH) ID 0 is getting corrupted and assigned to a value other than Blackhole. |
|
| dmiauthd process crashes, due to which the configuration does not sync between startup-config and the running-config. |
|
| Traceback seen when detaching the CN railways customer configs. |
|
| Device - Control Connection to vManage is only Attempted over Highest Priority TLOC. |
|
| Add CLI to change per MPLS label CEF statistics query interval on FMAN FP. |
|
| Device experienced Critical process ompd fault on rp_0_0. |
|
| Device crash in TDM-TDM call when debug voip fpi enabled. |
|
| Multicast traffic not forwarded over P2P DMVPN phase 1 tunnel. |
|
| BFD sessions flapping and not recovering - SYMNAT port not updating to data-plane. |
|
| Device: Periodic service restart may generate crash files. |
|
| Unexpected reload on ftmd device. |
|
| Device experiences an unexpected reboot due to NAT in the data-plane after a policy push. |
|
| Flapping nat will casue bfd session down with ipsec session shown. |
|
| BFD SD-WAN PMTUD: PMTU converges unexpectedly to 970 bytes after dbg2:1 event. |
|
| Device crashed in crypto library. |
Open issues in Cisco IOS XE 17.18.1a
Table 7. Open issues for Cisco 8300 Series Secure Routers, Release 17.18.1a
| Bug ID |
Description |
| Unexpected Reboot due to Process FTMD. |
|
| Device does not install service-side static route to CEF after upgrade. |
|
| Device may boot up into prev_packages.conf due to power outage. |
|
| Keyman core files on device. |
|
| EPFR-High latency times are observed on the hub device. |
|
| Device unexpectedly reloads due to memory corruption on a notification queue in FTMd. |
|
| BFD session down due to unencrypted outbound BFD packets despite active IPsec SA. |
|
| TLOC Disabled After Link Down No Automatic Tunnel Recovery After Link Restores and TLOC State Is Up. |
|
| Device takes more than 20s for rekey in sdwan ipsec scale setup |
ROMMON compatibility matrix
The table lists the ROMMON releases supported in Cisco IOS XE 17.18.x releases.
| Platforms |
Cisco IOS XE Release |
Minimum ROMMON Release supported for IOS XE |
Recommended ROMMON Release supported for IOS XE |
| C8375-E-G2 |
17.18.1a |
17.15(3.2r).s2.cp |
Not applicable |
| C8355-G2 |
17.18.1a |
17.15(3.2r).s2.cp |
Not applicable |
● Hardware Installation Guide for Cisco 8300 Series Secure routers
● Smart Licensing Using Policy for Cisco Enterprise Routing Platforms
● Cisco 8300 Series Secure Routers Software Configuration Guide
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2025 Cisco Systems, Inc. All rights reserved.