 Feedback
|
Table Of Contents
Release Notes for Cisco 3200 Series Routers with Cisco IOS Release 12.4(11)XW
Determining the Software Version
Upgrading to a New Software Release
New Hardware Features in Cisco IOS Release 12.4(11)XW10
New Software Features in Cisco IOS Release 12.4(11)XW10
New Hardware Features in Cisco IOS Release 12.4(11)XW9
New Software Features in Cisco IOS Release 12.4(11)XW9
New Software Features in Cisco IOS Release 12.4T
Open Caveats - Cisco IOS Release 12.4(11)XW10
Resolved Caveats - Cisco IOS Release 12.4(11)XW10
Open Caveats - Cisco IOS Release 12.4(11)XW9
Resolved Caveats - Cisco IOS Release 12.4(11)XW9
Open Caveats - Cisco IOS Release 12.4(11)XW7
Resolved Caveats - Cisco IOS Release 12.4(11)XW7
Cisco IOS Software Documentation Set
Release Notes for Cisco 3200 Series Routers with Cisco IOS Release 12.4(11)XW
First Released: August 12, 2008Last Revised: February 5, 2009Cisco IOS Release 12.4(11)XW10OL-17636-02 Second ReleaseThese release notes describe new features and significant software components for the Cisco 3200 series routers in the Cisco IOS Release12.4(11)XW releases. These release notes are updated as needed. Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.4T and About Cisco IOS Release Notes.
For a list of the software caveats that apply to the Release 12.4(11)XW releases, see the "Caveats" section, and the online Caveats for Cisco IOS Release 12.4T. The caveats document is updated for every 12.4T maintenance release.
Contents
System Requirements
This section describes system requirements for Cisco IOS Release 12.4(11)XW and includes the following sections:
•
Determining the Software Version
•
Memory Requirements
Table 1 lists memory requirements for Cisco IOS feature sets supported by Cisco IOS Release 12.4(11)XW on Cisco 3200 series routers.
Hardware Supported
Cisco IOS Release 12.4(11)XW supports the following Cisco 3200 series routers:
•
•
•
For descriptions of existing hardware features and supported modules, see the hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 3200 series routers, which are available at
http://www.cisco.com/en/US/products/hw/routers/ps272/tsd_products_support_series_home.html
Determining the Software Version
To determine the version of Cisco IOS software currently running on your Cisco 3200 series router, see About Cisco IOS Release Notes located at http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4xy15/ReleaseNote.html.
Upgrading to a New Software Release
For general information about upgrading to a new software release, see About Cisco IOS Release Notes located at http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4xy15/ReleaseNote.html.
Feature Set Tables
For information about feature set tables, see About Cisco IOS Release Notes located at http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4xy15/ReleaseNote.html.
New and Changed Information
The following sections describe new features supported by Cisco 3200 series routers in Cisco IOS Release 12.4(11)XW:
•
•
•
•
•
New Hardware Features in Cisco IOS Release 12.4(11)XW10
There are no new hardware features in this release.
New Software Features in Cisco IOS Release 12.4(11)XW10
There are no new software features in this release.
New Hardware Features in Cisco IOS Release 12.4(11)XW9
There are no new hardware features in this release.
New Software Features in Cisco IOS Release 12.4(11)XW9
There are no new software features in this release.
New Software Features in Cisco IOS Release 12.4T
For information regarding the features supported in Cisco IOS Release 12.4T, see the Cross-Platform Release Notes links at: http://www.cisco.com/en/US/products/ps6441/prod_release_notes_list.html
Limitations and Restrictions
There are no known limitations or restrictions in this release.
Caveats
For general information on caveats and the bug toolkit, see About Cisco IOS Release Notes located at http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4xy15/ReleaseNote.html.
This section contains the following caveat information:
•
•
•
•
•
•
Open Caveats - Cisco IOS Release 12.4(11)XW10
There are no open caveats in this release.
Resolved Caveats - Cisco IOS Release 12.4(11)XW10
•
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
•
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
–
–
–
–
Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory. The advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
•
Devices that are running Cisco IOS Software and configured for Mobile IP Network Address Translation (NAT) Traversal feature or Mobile IPv6 are vulnerable to a denial of service (DoS) attack that may result in a blocked interface.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at the following link http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
•
Devices that are running Cisco IOS Software and configured for Mobile IP Network Address Translation (NAT) Traversal feature or Mobile IPv6 are vulnerable to a denial of service (DoS) attack that may result in a blocked interface.
Cisco has released free software updates that address these vulnerabilities.
This advisory is posted at the following link http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
•
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability that could allow authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve or write to any file on the device's file system, including the device's saved configuration and Cisco IOS image files, even if the CLI view attached to the user does not allow it. This configuration file may include passwords or other sensitive information.
The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
Cisco has released free software updates that address this vulnerability.
There are no workarounds available for this vulnerability apart from disabling either the SCP server or the CLI view feature if these services are not required by administrators.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml.
•
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS software that can be exploited remotely to cause a reload of the Cisco IOS device.
Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate the vulnerability apart from disabling SIP, if the Cisco IOS device does not need to run SIP for VoIP services. However, mitigation techniques are available to help limit exposure to the vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml.
•
Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked, transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory. This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml.
•
Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:
1.
2.
Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
•
Symptoms: SSLVPN service stops accepting any new SSLVPN connections.
Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.
CSCin76666 H.245 listener socket closed before H.245 connection is established.Symptom Intermittent outbound call failures using CallManager and Outbound Fast Start.
Conditions
Workaround
CSCse59336 Three way call conferencing is not working properly.Symptom MGCP three-way call conferencing may fail because of an abrupt onhook event at the originating endpoint.
Conditions
Workaround
CSCsg35148 Interim record is sent with stop-only acct-list from RADIUS.Symptom Interim record is seen.
Conditions
Workaround
CSCsi95862 3250 router crashes with traceback while verifying gre feature.Symptom Router crashes when the <CmdBold> mobile router-service roam priority <noCmdBold> command is entered.
Conditions
Workaround
CSCsj04758 Wrong codec bytes on the SIP leg of ipipgw for SIP--->H323 (g726).Symptom Wrong codec bytes are displayed on the SIP leg of ipipgw for SIP--->H323 interworking.
Conditions
Workaround
CSCsj75250 crafted SCTP packet reloads router.Symptom Crafted SCTP packet may reset router.
Conditions
Workaround
CSCsk40676 C1812 12.4.15.T / certain packet sizes block inside interface of ezvpn conn.Symptom The inside interface of a Cisco router running EZVPN may become unresponsive when sending ICMP messages from a remote VPN client connection.
Conditions
Workaround
CSCsm45113 RIB installs duplicate routes for the same prefixSymptom Router may install duplicate routes or incorrect route netmask into routing table. It could happen on any routing protocol. Additionally, for OSPF, crash was observed.
Conditions
Workaround
Further Problem Description: The <CmdBold>clear ip route *<noCmdBold> command can correct the routing table until the next poll of ipRouteTable MIB.
CSCsm49826 c7206VXR/NPE400 reloaded due to bus error running 12.4(15)T2 and T3.Symptom H323 gateways crash under load.
Conditions
Workaround
c2691-15(config)#voice service voip
c2691-15(conf-voi-serv)#h323
c2691-15(conf-serv-h323)#no h245 simultaneous-connection-handle
CSCso47738 No Voice Path For SIP to H323 calls.Symptom Gateway sends 200 OK with media direction as SENDRECV for a reINVITE with offer having media direction INACTIVE.
Conditions
Workaround
CSCso80830 W button should be lit on for undefined primary ephone.Symptom The Watch button is not lit on if no watched phone for this watched DN. Ring back tone is heard when calling to this DN.
Conditions
Workaround
CSCsq04046 GUI: IOS SYSfeature undefined" error seen on help->about.Symptom Error when accessing CME GUI Help->About page.
Conditions
Workaround
CSCsr27960 Traceback observed after configuring credential under sip-ua.Symptom Traceback observed when configuring credentials CLI under sip-ua.
Conditions
Workaround
CSCsr78883 Router console displays messages "Data corruption Data Inconsistency.Symptom There will be traceback on configuring mls qos cos pass-through dscp in supporting interface mode.
Conditions
Workaround
Further Problem Description: Due to the buffer overflow, there will be traceback when configuring the QoS in the supporting interface. Currently, the CLI is not supported in most network modules, and thus,is invisible to the users.
CSCsu36827 CUE clock does not sync up with the CME using NTP.Symptom The CUE clock does not synch up with the CME using NTP.
Conditions
Workaround
CSCsu59847 The Content-Type used by T.37 should use a mutipart subtype of "mixed".Symptom Certain mail clients may experience problems viewing the TIFF attachments sent by a Cisco T.37 OnRamp gateway because they do not support the Content-Type of multipart/fax-message that Cisco uses in it's T.37 Store-and_forward Fax implementation.
Conditions
Workaround
CSCsw50802 Smart Init Fails to recognize HWICs with smart cookie.Symptom No extra I/O mem is allocated for some HWICs.
Conditions
Workaround
Open Caveats - Cisco IOS Release 12.4(11)XW9
There are no open caveats in this release.
Resolved Caveats - Cisco IOS Release 12.4(11)XW9
CSCek52673 Single crafted udp packet reloads router with dhcp serverSymptom A router that has DHCP server enabled could reload after receiving a malformed UDP packet.
Workaround
CSCek71149 Error message when dir is issuedSymptom "Error getting file system status (Unknown error 0) or (Bad file number)" was observed when dir <archive/system/tmpsys:> was issued. The rest of the file systems have no problem (i.e. dir nvram/flash/usbtoken0:... etc)
Conditions
Workaround
CSCsg42546 Reload when MGCP CRCX has sRTP and V150 params in LCOSymptom An MGCP gateway reloads when receiving Secure Real-Time Transport Protocol (SRTP) and V.150 parameters in the local connection options of a Create Connection (CRCX) message.
Conditions
Workaround
CSCsj32422 CBWFQ:Unable to reconfigure the policy map after exceeding the bandwidthSymptom Once policy map is configured and bandwidth is exceeded while dividing amongst the classes, re-configuration of the policy map is not possible.
Conditions
Workaround
CSCsj50773 High cpu when querying ipRouteTable MIBSymptom Performing the snmpwalk on the ipRouteTable MIB may cause high CPU and reloads.
Conditions
Workaround
snmp-server view cutdown 1.3.6.1.2.1.4.21 exclude
snmp-server view cutdown internet included
snmp-server community <comm> view cutdown RO
This view restricts the objects that the NMS can poll. It excludes access to the ipRouteTable, but allows access to the other MIBs.
CSCsj82622 Crash editing ACL cce_dp_named_db_ip_access_list_impureSymptom A router may crash when you configure an access control list (ACL) that has at least 50-60 ACEs (about 100 nodes) that is used in policy maps that are already applied to an interface or when you boot the router after having made the configuration change. When the crash occurs, the following error message is generated: %ALIGN-1-FATAL: Corrupted program counter pc=0x0 , ra=0x0 , sp=0x66EFB8A0
Conditions
Workaround
CSCsk27147 SNMP stops responding while polling from CISCO-MEMORYPOOL-MIBSymptom The following SNMP is incorrectly generated:"%SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full". This issue is affecting the CISCO-MEMORYPOOL-MIB instead.
Conditions
Workaround
snmp-server view public-view iso included
snmp-server view public-view ciscoMemoryPoolMIB excluded.
Apply this view to the RW community string. This view will exclude only ciscoMemoryPoolMib, all other MIBs will be available.
CSCsk39642 router crash when copying saved config to running configSymptom A router crashes.
Conditions
Workaround
CSCsk94676 dlsw with tbridge, COMMON_FIB-4-FIBIDBMISMATCHSymptom Transparent bridging into DLSw does not work.The following messages are displayed:
*Jan 29 19:00:50.727: %COMMON_FIB-4-FIBHWIDBMISMATCH: Mis-match between hwidb DLSw Port0 (ifindex 5) and fibhwidb GigabitEthernet2/3 (ifindex 5)-Traceback= 407C7004 407C8A38 407C7CEC 407C7EE4 413C9900 41BCE138 41BCCD54 41BCCFA8 41BCA330 413C0128 413C0114
*Jan 29 19:00:50.727: %COMMON_FIB-4-FIBMISSINGHWIDB: No fibhwidb while initializing fibidb for DLSw Port0 (if_number 5)
-Traceback= 407C83D4 407C8A9C 407C7CEC 407C7EE4 413C9900 41BCE138 41BCCD54 41BCCFA8 41BCA330 413C0128 413C0114
Conditions
Workaround
i.e.
As global command:
no dlsw bridge-group X
and on the interface:
no bridge-group X
on the interface replace it with:
dlsw transparent redundancy-enable 9999.9999.9999
CSCsl70722 Router crash polling rttmon mib with active IP SLA probesSymptom A router running Cisco IOS may crash due to watchdog timeout.
Conditions
Workaround
CSCsm17281 Router crashes when adding ACL line to Service PolicySymptom Device running 12.4(17.6)T will crash after adding line to an access-list attached to a service policy
Workaround
CSCsm77199 DATACORRUPTION-1-DATAINCONSISTENCY HTTP_FIND_FLASH_FILESymptom If the HTTP secure server capability is present, Switch shows the error message "%DATACORRUPTION-1-DATAINCONSISTENCY: copy error" with tracebacks after initializing the supervisor. This error message can be verified in show logging output.
Conditions
Workaround
CSCso09539 ACK not sent to 200 OK from CUE during h323 slowstart -- sip delayed medSymptom Incoming H323 slow start call to CME when forwarded to voicemail in CUE may result in no audio.
Conditions
Workaround
•
and H323 slowstart using voice-class h323.
•
H323 faststart using voice-class h323.
CSCsq42134 JPN: 7921 XML Services are displayed as squaresSymptom 7921 directories are displayed as squires in CME Userlocale: JP environment.
Conditions
CME: 4.2 (IOS 12.4(11)XW7)
Locale File : CME-locale-jp_JP-4.1.0.1.tar
Workaround
CSCsq44013 View used twice with logging enabledSymptom The CPE does not reply to the DNS query from the client for the first try, first response is being dropped.
Conditions
The view is used twice rather than once.
Workaround
CSCsq64715 EM login credential could be set to stack junk in error conditionSymptom EM login username and password may be set to random values in process stack in case the actual input from the phone is in an invalid format. And if both string picked up from the stack happen to match a username/password pair in a configured user profile, EM will login the user accidentally.
Workaround
CSCsq67163 IPSLA RTP operation crashes the routerSymptom Scheduling of IP SLA RTP operation crashes the router.
Conditions
Workaround
CSCsq74999 SCCP FXS ports connected to FAX machines lock upSymptom FXS that have fax/modems connected intermittently fail. Once they are in this stuck state, an incoming call to them will not ring the line, there will be no output in debug vpm sig. Outbound calls/faxes typically still work.
FXS port must be SCCP controlled. The problem is likely to occur when the pots leg is disconnected before the voip leg. If this occurs the port can go into this "stuck" state. Any subsequent calls will not ring the fax machine on this port.
Workaround
voice service voip
fax protocol none
will prevent the problem from happening. Removing the SCCP config from the ports will also prevent it from happening.
CSCsr01058 SPLIT_DNS: Debug msg Forwarding back reply is missingSymptom An IOS device configured as a DNS server is vulnerable to forged answer attacks. In this type of attack, a malicious user can cause the IOS DNS server to accept a forged answer that associates a name with an IP address chosen by the malicious user. This answer ends up in the cache of the DNS server. This attack can be made more difficult by randomizing both the DNS transaction ID and the UDP source port number that the DNS server (the IOS device) uses to relay DNS queries for domain it is not authorized for.
Conditions
Workaround
This is a security issue. The problem, however, only exists for customers who are running the IOS DNS Server/Forwarder and this is presumed to not be the usual case.
CSCsr18200 busy tone issue when receiving a 183 MessageSymptom A busy tone is not heard when a 183 message is received before a 4xx busy message.
Conditions
Workaround
CSCsr71715 Call display missing when park or xfer HW conference callSymptom Caller ID and Call bubble missing when a HW conference call is parked or Xfere
Open Caveats - Cisco IOS Release 12.4(11)XW7
There are no open caveats in this release.
Resolved Caveats - Cisco IOS Release 12.4(11)XW7
•
Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:
1.
2.
Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml
Additional References
Use this release note with the documents and websites in this release note and the documents listed in the following sections:
Release-Specific Documents
The following documents are specific to Release 12.4 and apply to Release 12.4(11)XW.
•
•
•
Platform-Specific Documents
Hardware installation guides, configuration and command reference guides, and additional documents specific to the Cisco 3200 series routers are at
http://www.cisco.com/en/US/products/hw/routers/ps272/tsd_products_support_series_home.html
Cisco IOS Software Documentation Set
The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents.
Documentation Modules
Each module in the Cisco IOS documentation set consists of one or more configuration guides and one or more corresponding command references. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality, and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Use each configuration guide with its corresponding command reference. Cisco IOS Software Documentation is available in html or pdf form.
Select your release and click the command references, configuration guides, or any other Cisco IOS documentation you need.
Notices
See the "Notices" section in About Cisco IOS Release Notes located at
http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4xy15/ReleaseNote.html
Use this document in conjunction with the documents listed in the "Additional References" section.
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007-2009 Cisco Systems, Inc. All rights reserved.