
Cisco IOS Software Releases 12.4 T

Cross-Platform Release Notes for Cisco IOS Release 12.4T, Part 8: Caveats for 12.4(9)T3 through 12.4(15)T8


Table Of Contents

Caveats for 12.4(9)T3 through 12.4(15)T8

Resolved Caveats—Cisco IOS Release 12.4(15)T8

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.4(15)T7

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.4(15)T6

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.4(15)T5

Basic System Services

Resolved Caveats—Cisco IOS Release 12.4(15)T4

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.4(15)T3

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.4(15)T2

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.4(15)T1

Basic System Services

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.4(15)T

EXEC and Configuration Parser

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.4(11)T4

Basic System Services

IP Routing Protocols

ISO CLNS

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.4(11)T3

Basic System Services

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.4(11)T2

Basic System Services

EXEC and Configuration Parser

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.4(11)T1

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.4(11)T

Basic System Services

EXEC and Configuration Parser

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.4(9)T7

Basic System Services

IP Routing Protocols

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.4(9)T6

Basic System Services

IP Routing Protocols

Miscellaneous

Resolved Caveats—Cisco IOS Release 12.4(9)T5

Basic System Services

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.4(9)T4

Basic System Services

IP Routing Protocols

Miscellaneous

Wide-Area Networking

Resolved Caveats—Cisco IOS Release 12.4(9)T3

Basic System Services

IBM Connectivity

IP Routing Protocols

Miscellaneous

TCP/IP Host-Mode Services

Wide-Area Networking


Caveats for 12.4(9)T3 through 12.4(15)T8

Resolved Caveats—Cisco IOS Release 12.4(15)T8

Cisco IOS Release 12.4(15)T8 is a rebuild release for Cisco IOS Release 12.4(15)T. The caveats in this section are resolved in Cisco IOS Release 12.4(15)T8 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Miscellaneous

CSCee21263

Symptoms: Fragmented packets might be dropped by the router.

Conditions: This symptom is observed with non-initial fragments, when a reflexive ACL is configured on the router and the return traffic supposed to be allowed by the reflexive ACL is fragmented.

Workaround: There is no workaround. However, normal ACLs are not known to exhibit this behavior.
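To make the mechanism behind this caveat concrete, here is an added Python model (written for this page, not Cisco's code) of how a reflexive ACL entry is derived from an outbound session and then matched against fragmented return traffic. The packet fields, the addresses and the simplified rule that a permit ACE checks only L3 fields for a non-initial fragment are assumptions of the model, chosen to show why the reflexive entry (which needs both port numbers) cannot match a fragment that carries no L4 header while a normal ACE still can.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified packet model: only the fields an ACL inspects.
# frag_offset == 0 means an unfragmented packet or the first fragment, which
# carries the TCP/UDP header; a non-initial fragment has no L4 header at all.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp" or "udp"
    frag_offset: int = 0
    sport: Optional[int] = None    # None when no L4 header is present
    dport: Optional[int] = None

    @property
    def non_initial_fragment(self) -> bool:
        return self.frag_offset > 0


# A 5-tuple access-list entry. A reflexive entry is one of these, created
# dynamically as the mirror image of an outbound session.
@dataclass(frozen=True)
class FiveTupleEntry:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def reflect(outbound: Packet) -> FiveTupleEntry:
    """Build the temporary return-traffic entry for an outbound session.

    Only a packet carrying an L4 header can be reflected, because the
    entry needs both port numbers.
    """
    if outbound.non_initial_fragment or outbound.sport is None or outbound.dport is None:
        raise ValueError("cannot reflect a packet without an L4 header")
    return FiveTupleEntry(outbound.proto, outbound.dst, outbound.dport,
                          outbound.src, outbound.sport)


def reflexive_permits(entry: FiveTupleEntry, pkt: Packet) -> bool:
    """A reflexive entry matches on the full 5-tuple, ports included.

    A non-initial fragment has no ports, so it can never satisfy the entry;
    this is the drop the caveat describes for fragmented return traffic.
    """
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) == \
        (entry.proto, entry.src, entry.sport, entry.dst, entry.dport)


def static_permits(entry: FiveTupleEntry, pkt: Packet) -> bool:
    """Model of a normal (static) permit ACE that carries L4 information.

    Assumption of this model: a non-initial fragment is compared against the
    L3 fields only, since there is no L4 header to compare, which is why a
    normal ACL does not show the symptom.
    """
    l3_ok = pkt.proto == entry.proto and pkt.src == entry.src and pkt.dst == entry.dst
    if pkt.non_initial_fragment:
        return l3_ok
    return l3_ok and pkt.sport == entry.sport and pkt.dport == entry.dport


def evaluate_return_fragments() -> dict:
    """Run both evaluators over a constructed fragmented DNS reply and report."""
    outbound = Packet("10.0.0.5", "192.0.2.10", "udp", sport=40000, dport=53)
    entry = reflect(outbound)
    # The reply arrives as two IP fragments; only the first has the UDP header.
    first = Packet("192.0.2.10", "10.0.0.5", "udp", frag_offset=0, sport=53, dport=40000)
    second = Packet("192.0.2.10", "10.0.0.5", "udp", frag_offset=185)   # no ports
    return {
        "reflexive": [reflexive_permits(entry, first), reflexive_permits(entry, second)],
        "static": [static_permits(entry, first), static_permits(entry, second)],
    }
```

Running evaluate_return_fragments() shows the reflexive entry permitting only the first fragment while the static entry permits both, which is the difference the workaround note points to.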

CSCeg25475

Symptoms: Filtering BGP routes by means of the distribute-list prefix MARTIAN in command applied to address-family IPv4 actually filters out M-BGP routes in address-family VPNv4.

Conditions: This symptom occurs when MPLS-VPNs are configured.

Workaround: Use route maps to filter routes inbound.

Further Problem Description: The show ip bgp neighbors command can be used to check whether the prefixes are actually being filtered out from updates for address-family VPNv4, and not for IPv4, as it is configured.

CSCeg49153

Symptoms: It may take a long time for the IPSec router to detect that the CA server is down while trying to reach it for CRL retrieval.

Conditions: This symptom is observed on a LAN-to-LAN IPSec tunnel between two routers, where one router is configured for CRL checking.

Workaround: The situation may be slightly improved by lowering the "tcp synwait" value, for example: ip tcp synwait-time 5.

CSCei62358

Symptoms: A router may crash when a privilege-level 15 user logs in with the callback or callback-dialstring attribute.

Conditions: This symptom is observed on a Cisco 805 that runs Cisco IOS Release 12.3(15) and on a Cisco 7600 series that has an RSP720 and that runs Release 12.2(33)SRB1 when the following conditions are present:

The router is configured with AAA authentication and authorization.

The AAA server runs CiscoSecure ACS 2.4.

The callback or callback-dialstring attribute is configured on the AAA server for the user.

Workaround: Do not configure the callback or callback-dialstring attribute for the user.

Alternate Workaround: If the callback-dialstring attribute is used in the TACACS+ profile, ensure that the NULL value is not configured for the callback-dialstring attribute.

CSCek55562

Symptoms: A CPUHOG may occur.

Conditions: This symptom is observed with various routing commands, including the clear ip route command, in cases where more than 300,000 routes were learned via a single subnet.

Workaround: There is no workaround.

CSCek65374

Symptoms: The PRE3 may not parse the startup configuration.

Conditions: This symptom is observed on a Cisco router that has dual RPs.

Workaround: There is no workaround.

CSCek73053

Symptoms: A Cisco 181x router may crash when ipsec_cs script is tested.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(13.5)PI6.

Workaround: There is no workaround.

CSCek74474

Symptoms: When you enter the protocol ip protocol-address broadcast command on an ISP termination point, the command may not be applied to a connected CPE, preventing the CPE from populating its ARP cache and from properly forwarding traffic.

Conditions: This symptom is observed on a Cisco router that functions as an ISP termination point and that is configured for point-to-point ATM connections when a connected CPE is configured for multipoint-to-point ATM connections.

Reason: The command is not applied until the VC is recreated or bounced.

Workaround: Configure the protocol ip protocol-address broadcast command as part of a PVC configuration on the CPE.

Alternate Workaround: Configure the connection between the ISP termination point and the CPE as a multipoint-to-point ATM connection.

CSCek75694

Symptoms: A router that is running Cisco IOS Release 12.4T may reload unexpectedly.

Conditions: Occurs when BFD is configured and active.

Workaround: Disable the BFD feature.

CSCek76288

Symptoms: With MLPoATM configured, a router crashes when using the show ppp multilink command after disabling the PA by the hw-module slot slot-number stop command.

Conditions: This symptom has been observed on a Cisco 7200 NPE-G1 loaded with Cisco IOS interim Release 12.4(13.13)T2.

Workaround: There is no workaround.

CSCek77424

Symptoms: A Cisco router that is running Cisco IOS Release 12.4(13b) might unexpectedly reload with a bus error.

Conditions: This symptom happens during normal operation with NAT configured.

Workaround: There is no workaround.

CSCek78237

Symptoms: A short CPU hog is seen in the ATM PA Helper process when an interface flaps and the framing configuration is modified on the interface.

Conditions: This symptom is observed on a Cisco 7200 with a PA-A3-T3 adapter that is running Cisco IOS Release 12.2(25)S or 12.2(31)SB (and possibly other Cisco IOS releases).

Workaround: There is no workaround.

Further Problem Description: The CPU hog is enough to cause OSPF adjacencies (with fast hello) to go down on other unrelated interfaces. The same problem is seen if BFD is configured.

CSCek78330

Symptoms: A router that is configured with ATM PVCs may generate the following type of error messages:

%COMMON_FIB-3-FIBIDBINCONS2: An internal software error occurred. Virtual-Access2.1 linked to wrong idb Virtual-Access2.1

Conditions: This symptom is observed on a Cisco router that has virtual-template subinterfaces.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the no virtual-template subinterface command, save the configuration to the startup configuration, and reload the router.

CSCin94072

Symptoms: Bundle master should have PVC bundle adjacency length of zero and adjacency should be complete. However, the bundle master is showing an encapsulation length of 12.

Conditions: The symptoms are observed on a Cisco 7600 series router and other distributed platforms.

Workaround: There is no workaround.

CSCsa73179

Symptoms: Memory corruption, possibly leading to a crash or other undesired behavior, can occur when the no default-information originate command is entered in router RIP configuration mode.

Conditions: This symptom occurs only if both the RIP routing protocol and the OSPF routing protocol are configured on a router.

Workaround: There is no workaround.

CSCsf98956

Symptoms: Ping/telnet may fail with VRF configurations.

Conditions: This symptom is observed on a Cisco router that is configured for NAT with VRF configurations.

Workaround: There is no workaround.

CSCsg03739

Symptoms: A memory leak may occur in the "Crypto" process.

Conditions: These leaks are independent of any hardware accelerator. This bug is not platform dependent.

Workaround: There is no workaround.

CSCsg44748

Symptoms: A Cisco IOS VoIP gateway configured for IPIPGW (CUBE) functionality may crash.

Conditions: A gateway configured for IPIPGW functionality with the allow-connections command under voice service voip will crash under rare conditions while processing VoIP calls.

This has been found to occur in some scenarios where a single voip call loops (meaning the call is from the IPIPGW back to the same IPIPGW) through the IPIPGW.

When this occurs, the following error message may be noticed:

%SYS-6-STACKLOW: Stack for level Network interfaces running low, 0/9000

Workaround: The workaround is to track down the source of the call looping and correct the problem there.

The other possible workaround is to introduce another termination point in the RTP packet flow beside the IPIPGW. For example, if interworking with Cisco Unified Communications Manager (Callmanager), an MTP resource may be used to prevent this loop.

CSCsg92618

Symptoms: Entering the crypto key zeroize rsa command causes traceback.

Conditions: This symptom is observed on a router that is loaded with the Cisco IOS software image.

Workaround: There is no workaround.

CSCsg99677

Symptoms: Crashinfo collection to a disk filesystem will fail and generate the following error message:

File disk#:crashinfo_20070418-172833-UTC open failed (-1): Directory entries are corrupted, please format the disk

Or the crashinfo file will be stored as CRASHI~1.

Conditions: This symptom is observed with normal crashinfo collection to a disk filesystem.

Workaround: Configure the crashinfo collection either to a network filesystem (such as tftp or ftp) or to a local filesystem of type "flash". Configuring to a local filesystem is a preferable option.

Further Problem Description: This happens every time, but there is no major negative impact to operation.

CSCsh57509

Symptoms: A Cisco router that is configured for RIPv2 may not delete a path from the routing table when it should do so.

Conditions: This symptom is observed after the router has learned multiple paths for a prefix with different next hops from one neighboring router and after the neighboring router stops advertising one of the paths.

Workaround: Enter the clear ip route * command.

CSCsh72131

Symptoms: When a switch port is configured with a voice VLAN and spanning-tree PortFast, and the router is reloaded, the port loses its connection. Because the SVI cannot be pinged, any other protocol such as DHCP also fails.

Conditions: Occurs on a router configured with switch port, voice VLAN, and spanning-tree portfast. This occurs on routers running releases after 12.4(9)T.

Workaround: Remove spanning-tree portfast or configure the voice VLAN as an access VLAN. Do not use portfast on an MVAP port.

CSCsh72559

Symptoms: The show pppoe throttled mac command may display no output or invalid output.

Conditions: The problem may be seen when the show pppoe throttled mac command is issued.

Workaround: There is no workaround.

CSCsh75224

Symptoms: An RP crashes in IFS code when an SSH or Telnet session is established while the switch is attempting to download a configuration.

Conditions: This symptom occurs on a Cisco Catalyst 6509.

Workaround: There is no workaround.

CSCsh85531

Symptoms: Some E1 channels may remain down after you have reloaded a router.

Conditions: This symptom is observed on a Cisco 7200 series that functions as a PE router and that connects to a CE router. Both routers are connected through 1-port multichannel STM-1 (PA-MC-STM-1) port adapters, and the framing no-crc4 command is enabled on all interfaces of both routers.

Workaround: Enter the shutdown command followed by the no shutdown command on the SONET controller of the PA-MC-STM-1 at the PE side to enable all interfaces to come up.

CSCsh86354

Symptoms: The Cisco MWAM processor reloads when all the VTY lines are used up and a command is executed on the Supervisor remotely using the Remote Console and Logging feature of the MWAM. The output of the command is not displayed on the Supervisor console. Instead, it is printed on the MWAM processor console, and after the display is finished, the MWAM processor reloads.

Conditions: This problem happens when all the VTY lines are in use. If only a few are in use, then the Remote Console and Logging feature works fine and the output is displayed on the Supervisor console as expected.

Workaround: Currently there is no workaround for this problem. If there are enough VTY lines supported, the chance of encountering this issue is low.

CSCsh96558

Symptoms: A traceback may be generated during the "ipmcast_ipv6_rpf_lookup" function.

Conditions: This symptom is observed on a Cisco router that functions as a PE router when you configure IPv6 multicast routing on both the PE router and a connected CE router, add an IPv6 address to the connected interfaces, and configure PIM sparse or PIM sparse-dense mode on both routers. The traceback is generated when the neighborship comes up after you have configured one of the interfaces as a PIM-RP.

Workaround: There is no workaround.

CSCsi06948

Symptoms: A device crashes with a bus error when the show ip bgp dampening dampened-paths command is used.

Conditions: This symptom is observed when the show ip bgp dampening dampened-paths command is entered and the device is paused at the "More" prompt with output remaining, and the BGP session goes down at that moment (for example, because a notification is received or because a clear ip bgp command is entered from another vty).

Workaround: There is no workaround.

If dampening is configured, do not run the show ip bgp neighbors <x.x.x.x> dampened-routes or show ip bgp dampening dampened-paths commands, which can cause this problem.

CSCsi16628

Symptoms: Static NAT may have a memory leak when "vrf route-map reversible extendable" is configured. The router memory decreases dramatically due to creation of multiple child entries for similar flow every time a new packet hits the corresponding NAT static entry.

Conditions: The symptom is observed with Cisco IOS Release 12.4(9)T2 and Release 12.4(11)T1. The problem only occurs when "vrf route-map reversible" is configured (normal static VRF NAT does not have this issue).

Workaround: There is no workaround.

CSCsi17158

Symptoms: Devices running Cisco IOS may reload with the error message "System returned to ROM by abort at PC 0x0" when processing SSHv2 sessions. A switch crashes. We have a script running that continuously opens an SSHv2 session to the 3560 and then closes the session normally. If the vty line that is being used by SSHv2 sessions to the device is cleared while the SSH session is being processed, the device will crash the next time an SSH connection to the device is made.

Conditions: This problem is platform independent, but it has been seen on Cisco Catalyst 3560, Cisco Catalyst 3750, and Cisco Catalyst 4948 series switches. The issue is specific to SSH version 2, and it is seen only when the box is under brute force attack. This crash is not seen under normal conditions.

Workaround: There are mitigations to this vulnerability: For Cisco IOS, the SSH server can be disabled by applying the command crypto key zeroize rsa while in configuration mode. The SSH server is enabled automatically upon generating an RSA key pair. Zeroing the RSA keys is the only way to completely disable the SSH server.

Access to the SSH server on Cisco IOS may also be disabled by removing SSH as a valid transport protocol. This can be done by reapplying the transport input command with "ssh" removed from the list of permitted transports on VTY lines while in configuration mode. For example:

line vty 0 4
transport input telnet
end

If SSH server functionality is desired, access to the server can be restricted to specific source IP addresses or blocked entirely using Access Control Lists (ACLs) on the VTY lines as shown in the following URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html#xtocid14

More information on configuring ACLs can be found on the Cisco public website:

http://www.cisco.com/warp/public/707/confaccesslists.html

CSCsi21389

Symptoms: Routers that have the ability to use the optional 802.11 b/g card, such as the Cisco ISR series routers, do not pass multicast traffic across the wireless interface.

Conditions: Cisco routers that have the 802.11 b/g HWIC card do not pass multicast traffic across the wireless interface, even though multicast routing is enabled and is otherwise configured normally. Wireless hosts cannot pass multicast traffic between each other, and multicast traffic from the wired network will not be transmitted out the wireless interface.

Workaround: There is no workaround.

CSCsi24939

Symptoms: A router may reload unexpectedly when using a CA that does not support the GetCAPS exchange (part of SCEP), because of a bus error crash after entering the crypto ca authenticate command.

Any response other than a real GetCAPS reply will cause the crash. Before the router crashes, the following error messages and traceback are generated:

%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = Crypto CA. -Traceback= 0x42AB7410 0x424A6E18 0x42469B7C 0x424651E0
%Software-forced reload
Preparing to dump core...
%CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xx.xx.x has no SA and is not an initialization offer

Conditions: This symptom is observed on a Cisco 2821 that runs Cisco IOS Release 12.4(10b) but may not be platform-specific.

Workaround: There is no workaround.

CSCsi35544

Symptoms: A router may reload with the message "Unexpected exception to CPU".

Conditions: The symptom is observed when EzVPN remote using client mode is configured on the router. It is seen when an IP address is being removed from one of the EzVPN inside interfaces while having active NAT translations.

Workaround: There is no workaround.

CSCsi45840

Symptoms: ARP requests to an HSRP virtual IP address may fail.

Conditions: This symptom is observed when the same HSRP IP address is used alternatively on different interfaces, and when one of these interfaces has the switchport command configured and unconfigured several times.

Workaround: Remove the HSRP configuration from the interface before you enter the switchport command on the interface.

CSCsi46897

Symptoms: PPP may crash when an snmpwalk command is executed on the cbQosSetStatsTable object.

Conditions: This symptom is observed when a service policy with a child policy that contains marking ("set") actions is applied to an interface before the snmpwalk command is executed on the cbQosSetStatsTable object of the CISCO-CLASS-BASED-QOS-MIB.

Workaround: There is no workaround.

CSCsi47635

Symptoms: The configuration of a deleted subinterface may show up on a new subinterface and may cause a traffic outage.

Conditions: This symptom is observed on a Cisco router that has IP interface commands enabled when a script adds and deletes ATM subinterfaces on a regular basis.

Workaround: Verify the subinterface configuration. When the configuration of a subinterface cannot be deleted, delete the subinterface, and then create a dummy subinterface that will pull the configuration that could not be deleted. Then recreate the first subinterface with a new configuration.

CSCsi48304

Symptom: After a reload, the following error message may be displayed if an OSPFv3 router redistributes large numbers of the external routes:

%OSPFv3-3-DBEXIST: DB already exist

No impact to the operation of the router has been observed.

Conditions: Redistribution is configured, and then the router is reloaded.

Workaround: There is no workaround.

CSCsi48665

Symptoms: When you configure SNMPv3 group access to contexts, each context may need to be configured with a separate CLI command. For large configurations, thousands of CLI commands may need to be entered, which is not acceptable.

Conditions: This symptom is observed, for example, when the snmp-server group group-name v3 auth context context-name command must be entered for each group and each context. If there are many VLANs, the command must be entered for each group that is given access to each VLAN, which may mean that thousands of CLI commands must be entered.

Workaround: SNMP allows you to specify that a context name is a prefix, and match any context that starts with that name. Use SNMP to create rows in the vacmAccessTable and ensure that the vacmAccessContextMatch object is set to a prefix instead of match. Note that after you reboot the router, you must reconfigure this workaround.

CSCsi57284

Symptoms: A router that is running Cisco IOS may crash due to a software forced crash.

Conditions: This problem is specific to a DLSW configuration with SDLC attached controllers. At the time of the crash, on one SDLC interface, the encapsulation SDLC was removed.

Workaround: There is no workaround.

CSCsi68761

Symptoms: Two dialer interfaces belong to the same dialer pool and each of them is watching different routes. The route watched by one dialer (Dialer 1) is brought down and the call on the other dialer (Dialer 2) is brought up. Dialer 2 mistakenly watches Dialer 1's route and since the route is down, Dialer 1 does not come down at idle timeout.

Conditions: The symptoms are observed with the following conditions:

There are two dialer interfaces which belong to the same dialer pool.

The route watched by one of the dialer interfaces goes down.

A call comes up on the other dialer interface.

Workaround: There is no workaround.

CSCsi68795

Symptoms: A PE that is part of a confederation and that has received a VPNv4 prefix from an internal and an external confederation peer, may assign a local label to the prefix despite the fact that the prefix is not local to this PE and that the PE is not changing the BGP next-hop.

Conditions: The symptoms are observed when receiving the prefix via two paths from confederation peers.

Workaround: There is no workaround.

Further Problem Description: Whether or not the PE chooses to allocate a local label depends on the order in which the multiple paths for this VPNv4 prefix are learned. The immediate impact is that the allocated local label takes up memory in the router, because the router populates the LFIB with the labels.

CSCsi68882

Symptoms: A router running EIGRP may crash when removing an EIGRP process.

Conditions: The symptom is observed where there are 30 IP routing protocol processes created and the last one is EIGRP. (Note that this does not include VRFs.) When the 31st routing protocol process is attempted, an error message will be issued stating "too many IP routing processes." If an attempt is then made to remove an EIGRP routing process by using the no router eigrp <as> command, the router will crash.

Workaround: Do not define over 30 IP routing protocol processes.

CSCsi69234

Symptoms: A BFD session does not transition from Init to Up state when it receives a packet from the adjacent router in Init state.

Conditions: The symptom is observed during a BFD three-way handshake when the session transitions to an Init state and it receives a packet from the adjacent router in Init state.

Workaround: There is no workaround.
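The transition this caveat concerns is part of the BFD session state machine defined in RFC 5880, section 6.8.6. The following Python model is an added example for this page (not Cisco's implementation): it encodes the receive-side transition table, then replays a lockstep handshake in which both routers pass through Init at the same time, so that each one receives an Init packet while it is itself in Init and must move to Up. The control packet is reduced to the sender's state field, and the router pairing and round structure are assumptions of the model.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Session states as named in RFC 5880.
ADMIN_DOWN, DOWN, INIT, UP = "AdminDown", "Down", "Init", "Up"


@dataclass(frozen=True)
class ControlPacket:
    """The one field of a BFD control packet this model needs: the sender's state."""
    state: str


class BfdSession:
    """Receive-side state machine of RFC 5880, section 6.8.6 (constructed model).

    The session is driven by the state the adjacent router reports in its
    control packets and by expiry of the detection timer.
    """

    def __init__(self) -> None:
        self.state = DOWN
        self.history: List[str] = [DOWN]

    def _set(self, new_state: str) -> None:
        if new_state != self.state:
            self.state = new_state
            self.history.append(new_state)

    def send(self) -> ControlPacket:
        return ControlPacket(self.state)

    def receive(self, pkt: ControlPacket) -> str:
        """Apply the RFC 5880 transition table to a received control packet."""
        if self.state == ADMIN_DOWN:
            return self.state                  # packets are discarded while held down
        if pkt.state == ADMIN_DOWN:
            self._set(DOWN)                    # peer is taking the session down
        elif self.state == DOWN:
            if pkt.state == DOWN:
                self._set(INIT)                # we hear the peer; tell it so
            elif pkt.state == INIT:
                self._set(UP)                  # peer already hears us
        elif self.state == INIT:
            # The transition from the caveat: a session in Init that receives
            # Init (or Up) from the adjacent router must move to Up.
            if pkt.state in (INIT, UP):
                self._set(UP)
        elif self.state == UP:
            if pkt.state == DOWN:
                self._set(DOWN)
        return self.state

    def detection_timer_expired(self) -> str:
        """No packet within the detection time: declare the session Down."""
        if self.state != ADMIN_DOWN:
            self._set(DOWN)
        return self.state


def simultaneous_handshake(rounds: int = 3) -> List[Tuple[str, str]]:
    """Two routers exchange packets in lockstep (both send before either receives).

    Returns the (A, B) state pair after each round. Both routers reach Init in
    the same round, so each then receives an Init packet while in Init.
    """
    a, b = BfdSession(), BfdSession()
    trace = []
    for _ in range(rounds):
        pkt_a, pkt_b = a.send(), b.send()
        a.receive(pkt_b)
        b.receive(pkt_a)
        trace.append((a.state, b.state))
    return trace


def sequential_handshake() -> Tuple[List[str], List[str]]:
    """Classic three-way exchange with A starting first; returns both histories."""
    a, b = BfdSession(), BfdSession()
    b.receive(a.send())      # B: Down -> Init (it now hears A)
    a.receive(b.send())      # A: Down -> Up  (B already reports Init)
    b.receive(a.send())      # B: Init -> Up
    return a.history, b.history
```

In the lockstep run the trace is (Init, Init) after the first round and (Up, Up) after the second; a session that stayed in Init after hearing Init, as in the caveat, would never reach the third line of that trace and would be declared Down when its detection timer expired.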

CSCsi82166

Symptoms: A router may reload during SASL authentication.

Conditions: This symptom is observed when SASL authentication is performed while the sasl command is changed. For example, the symptom may occur when a BEEP session that uses SASL is performing authentication while the sasl command is being unconfigured.

Workaround: Do not configure or unconfigure SASL when SASL authentication is being performed.

CSCsi83287

Symptoms: The following error message is displayed on the console:

%ALIGN-3-SPURIOUS T/B ipv6fib_gre_ipv6_classified

Conditions: Occurs when an IPv6 tunnel transport endpoint receives fragmented IPv6 packets.

Workaround: Use a smaller tunnel MTU on the remote end of the tunnel to prevent fragmentation.

CSCsi85532

Symptoms: A Cisco 851 router may crash with the following message:

Unexpected exception to CPU: vector 300

Conditions: The symptom is observed on a Cisco 851 router that is running Cisco IOS Release 12.4(11)T1. The crash will occur if you do not specify the pw-class in the pseudowire on interface Virtual-PPP1.

Workaround: Specify the pw-class in the pseudowire.

Further Problem Description: This issue occurs only when you configure encapsulation l2tpv2 (not applicable to l2tpv3) under the Virtual-PPP interface for the very first VC. If other VCs are already configured, this issue does not show up. If you configure pw-class for the first VC instead of encapsulation l2tpv2, the rest of the configuration works fine.

CSCsi85935

Symptoms: Alignment errors drive the router to crash due to a bus error (TLB exception). These reloads occur about two or three times a day.

Conditions: The symptom is observed on a Cisco 3745 router with an NM-8AM module that is running Cisco IOS Release 12.3(7)T11 or Release 12.4(13a). It is seen when there is a large volume of traffic through the NM-8AM module. Replacing all the hardware does not solve the issue.

Workaround: Reduce traffic through the NM module or install Cisco IOS Release 12.3 (not T train or 12.4 image).

CSCsj00161

Symptoms: OSPFv3 installs a reachability path without checking that the discard route is already there. As a result, the RIB has a route that load-balances between reachability and drop paths.

Conditions: This symptom may be observed if the summary-address command is configured with exactly the same address as one of the external routes received from a different router.

Workaround: There is no workaround.

CSCsj16007

Symptoms: A PDSN member reloads at find_elt.

Conditions: This symptom is observed on a PDSN using Cisco IOS Release 12.3(14)YX8.

Workaround: There is no workaround.

CSCsj17271

Symptoms: The show interface command used on HWIC-1FE and HWIC-2FE has an inconsistent count of "input" packets. The input count is greater than the correctly displayed output packet count.

Conditions: The symptom is observed when using show interface packet input count.

Workaround: There is no workaround.

Further Problem Description: There is no actual packet loss, only the "packet input" count is not correct.

CSCsj17304

Symptoms: A multicast source address may not get translated if the Network Address Translation (NAT) outside the interface is a GRE tunnel.

Conditions: The symptom is observed when using NAT to translate a multicast source address for multicast traffic over a tunnel interface. The static NAT translation of the multicast source address does not work.

Workaround: Turn off CEF globally on the router.

Alternate workaround: Turn off the mroute-cache on the NAT inside the interface.

CSCsj22472

Symptoms: When an IXIA-simulated BGP neighbor is not up, BGP is forced to delete the ARP entry for the IXIA host for a while. During that period, the router has to send ARP, and traffic is lost for a while.

Conditions: While observed with other protocols, this symptom was noticed with a typical BGP configuration in which the peers are nonexistent. This would cause the SYN to be retransmitted multiple times, and after some threshold, the ARP entry would be purged.

The ARP entry gets flushed out when the TCP retransmission timer expires. This causes the CEF adjacency to be lost, and performance can drop for packets going to that destination until ARP is resolved again. This problem is not specific to BGP and applies to anything that rides over TCP.

Workaround: There is no workaround.

CSCsj28498

Symptoms: A router may eventually experience depletion in the small buffer pool, leading to MALLOCs and Cisco IOS software crashing.

Conditions: This symptom is observed on a router running STUN SDLC with local-ack and having multiple SDLC primary stations connected and regularly polling (SNRM) the router while the remote STUN peers are disconnected (no IP connectivity to the remote STUN peers).

Workaround: There is no workaround.

CSCsj32013

Symptoms: A Cisco 12000 series router may crash unexpectedly.

Conditions: This symptom occurs only in Cisco IOS Release 12.0(32)SY0f.

Workaround: There is no workaround.

CSCsj34557

Symptoms: The router displays the following error messages and reloads:

Jun 18 06:12:23.008: event flooding: code 10 arg0 0 arg1 0 arg2 0
%SYS-3-OVERRUN: Block overrun at E5D8310 (red zone 00000000) -Traceback= 0x6080CEB0 0x60982108 0x60982EC0 0x6098511C 0x609853BC
%SYS-6-MTRACE: mallocfree: addr, pc 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6
%SYS-6-MTRACE: mallocfree: addr, pc 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6
%SYS-6-BLKINFO: Corrupted redzone blk E5D8310, words 6088, alloc 61FE2638, InUse, dealloc 80000000, rfcnt 1 -Traceback= 0x6080CEB0 0x609681D4 0x6098211C 0x60982EC0 0x6098511C 0x609853BC
%SYS-6-MEMDUMP: 0xE5D8310: 0xAB1234CD 0xFFFE0000 0x0 0x63894208
%SYS-6-MEMDUMP: 0xE5D8320: 0x61FE2638 0xE5DB2D0 0xE5D8144 0x800017C8
%SYS-6-MEMDUMP: 0xE5D8330: 0x1 0x0 0x1 0x64B53478
%Software-forced reload

Conditions: This symptom occurred on a Cisco 7200 running the c7200-ik9s-mz.124-7a.bin image.

Workaround: There is no workaround.
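The message sequence quoted for this caveat is the usual IOS allocator signature for a red-zone overrun: a SYS-3-OVERRUN naming a block, a SYS-6-BLKINFO reporting the same block as a corrupted red zone, and a software-forced reload. The following Python scanner is an added example for this page (not a Cisco tool) that picks that signature out of collected syslog lines, so an operator can correlate a reload with the block address and the allocating PC rather than reading the raw dump. The sample log below is constructed from the messages quoted above, laid out one message per line as a syslog collector stores them; the field names of the summary are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List

# Sample input constructed from the messages quoted in caveat CSCsj34557 above,
# one message per line as a syslog collector would store them.
SAMPLE_LOG = """\
Jun 18 06:12:23.008: event flooding: code 10 arg0 0 arg1 0 arg2 0
%SYS-3-OVERRUN: Block overrun at E5D8310 (red zone 00000000) -Traceback= 0x6080CEB0 0x60982108 0x60982EC0 0x6098511C 0x609853BC
%SYS-6-MTRACE: mallocfree: addr, pc 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6
%SYS-6-BLKINFO: Corrupted redzone blk E5D8310, words 6088, alloc 61FE2638, InUse, dealloc 80000000, rfcnt 1 -Traceback= 0x6080CEB0 0x609681D4 0x6098211C 0x60982EC0 0x6098511C 0x609853BC
%SYS-6-MEMDUMP: 0xE5D8310: 0xAB1234CD 0xFFFE0000 0x0 0x63894208
%Software-forced reload
"""

# Standard IOS message layout: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)")
OVERRUN_RE = re.compile(r"Block overrun at (?P<blk>[0-9A-F]+)")
BLKINFO_RE = re.compile(r"blk (?P<blk>[0-9A-F]+), words (?P<words>\d+), alloc (?P<alloc>[0-9A-F]+)")
TRACEBACK_RE = re.compile(r"-Traceback=\s*((?:0x[0-9A-Fa-f]+\s*)+)")


def parse_traceback(text: str) -> List[str]:
    """Return the list of PCs after '-Traceback=', or [] if the message has none."""
    m = TRACEBACK_RE.search(text)
    return m.group(1).split() if m else []


def analyze(log_text: str) -> Dict:
    """Scan IOS log lines for the allocator red-zone corruption signature.

    The event is reported only when an OVERRUN and a 'Corrupted redzone'
    BLKINFO name the same block and a software-forced reload follows; a lone
    MTRACE or MEMDUMP line is treated as noise.
    """
    summary = {
        "counts": Counter(),        # per-message-type tally, e.g. "SYS-3-OVERRUN"
        "overrun_blocks": [],
        "corrupted_blocks": [],
        "alloc_pcs": [],            # PC that allocated each corrupted block
        "tracebacks": [],
        "forced_reload": False,
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("%Software-forced reload"):
            summary["forced_reload"] = True
            continue
        m = MSG_RE.search(line)
        if not m:
            continue                 # timestamps, "event flooding" and other noise
        summary["counts"][f"{m['fac']}-{m['sev']}-{m['mnem']}"] += 1
        text = m["text"]
        if m["mnem"] == "OVERRUN":
            om = OVERRUN_RE.search(text)
            if om:
                summary["overrun_blocks"].append(om["blk"])
        elif m["mnem"] == "BLKINFO" and "Corrupted redzone" in text:
            bm = BLKINFO_RE.search(text)
            if bm:
                summary["corrupted_blocks"].append(bm["blk"])
                summary["alloc_pcs"].append(bm["alloc"])
        tb = parse_traceback(text)
        if tb:
            summary["tracebacks"].append(tb)
    same_block = set(summary["overrun_blocks"]) & set(summary["corrupted_blocks"])
    summary["blocks"] = sorted(same_block)
    summary["corruption_event"] = bool(same_block) and summary["forced_reload"]
    return summary
```

On the sample log analyze() reports one corruption event for block E5D8310, allocated at 61FE2638, with two tracebacks (one from the overrun, one from the block info) that are the lines worth attaching to a TAC case; a benign configuration message produces no event.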

CSCsj37071

Symptoms: All E1 interfaces on a PA-MC-E3 port adapter may flap continuously even after the traffic has been stopped.

Conditions: This symptom is observed on a Cisco Catalyst 6500 series switch and Cisco 7600 series router that have a PA-MC-E3 port adapter when you configure 16 or 128 channel groups on each time slot (that is, time slots 1-31) and then generate traffic just above line rate traffic through all the channel groups. Note that the symptom is not platform-specific.

Workaround: Stop the traffic and reset the E3 controller of the PA-MC-E3 port adapter.

CSCsj47705

Symptoms: An accounting record may indicate that the NAS-Port-Id has an adapter number of 1 when the correct adapter number is greater than 1.

Conditions: This symptom is observed when AAA accounting is configured and a PPP interface that is used as a NAS port has more than two adapters.

Workaround: There is no workaround.

CSCsj55691

Symptoms: A router may crash.

Conditions: The symptom is observed when there are multiple HTTPS requests sent in quick succession to an HTTPS server that is up and running but the service or application processing the requests is unavailable.

Workaround: There is no workaround.

Further Problem Description: The crash will not occur if the HTTPS server and the service handling the request are operating normally.

CSCsj56281

Symptoms: Inherit peer-policy does not work after router reload.

Workaround: There is no workaround.

CSCsj56438

This Cisco Bug ID identifies a vulnerability in Cisco's implementation of Extensible Authentication Protocol (EAP) that exists when processing a crafted EAP Response Identity packet. This vulnerability affects several Cisco products that have support for wired or wireless EAP implementations.

This vulnerability is documented in the following Cisco bug IDs:

* Wireless EAP - CSCsj56438

* Wired EAP - CSCsb45696 and CSCsc55249

This Cisco Security Response is available at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20071019-eap.shtml

CSCsj58898

Symptoms: While polling the ifStackTable (1.3.6.1.2.1.31.1.2), in some cases the following MIBs contain wrong/missing information:

ifStackHigherLayer (1.3.6.1.2.1.31.1.2.1.1)

ifStackLowerLayer (1.3.6.1.2.1.31.1.2.1.2)

Conditions: The symptom is observed on some CMTSs if the number of LowerLayer interfaces for the HigherLayer interface is equal to or more than 30.

Workaround: There is no workaround.

CSCsj60006

Symptoms: The "match ip rtp" configuration is accepted by CLI but is not showing up when using the show run command. In addition, the traffic classification is not occurring.

Conditions: The symptom only occurs under certain conditions, where:

max_port = "lower bound of UDP destination port" + "Range of UDP ports"
min_port = "lower bound of UDP destination port"

This issue only takes effect when the sum of min_port and max_port reaches or exceeds 65535.

Workaround: Avoid using large port numbers; that is, limit the configuration so that (min_port + max_port) < 65535.

CSCsj67110

Symptoms: A router may crash or report an error message similar to the following:

%SYS-6-STACKLOW: Stack for process draco-oir-process running low, 0/6000

This can be seen for a process other than the "draco-oir" process.

Conditions: This symptom is observed on a Cisco 7600 series when HSRP is configured. The symptom occurs when there is an event that requires the HSRP configuration to be removed, for example, when you perform an OIR of a module while the module clear-config command is enabled. The interface with HSRP does not have to be up for the symptom to occur.

Workaround: Remove the HSRP configuration before you perform an OIR.

Alternate workaround: Enter the no module clear-config command. (The module clear-config command is enabled by default. You must enter no form of the command to disable it.)

CSCsj75575

Symptoms: A router may crash when applying Dynamic Bandwidth Selection (DBS) parameters to a PPPoE session.

Conditions: This issue arises only when the dbs enable command is configured on an ATM PVC and QoS parameters are applied from RADIUS. This can be reproduced only with one PPPoE PTA session. If the dbs enable command is not configured, the crash is not seen.

Workaround: Disable DBS.

Further Problem Description: Operational impact.

CSCsj93195

Symptoms: A bus error may occur on an MSFC when ISAKMP is enabled, and the following error message may be generated in the logs:

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x41579EB0

Conditions: This symptom is observed on a Cisco 7600 series that has a Supervisor Engine 720 and that runs Cisco IOS Release 12.2(33)SRA2.

Trigger: Executing the crypto map cm redundancy public command.

Impact: This crash prevents customers from configuring their crypto, because they do not want the box to crash again.

Workaround: There is no workaround.

Further Problem Description: Cisco IOS Release 12.2(33)SRAs is developed for and intended to run on Cisco 7600 series routers. We do not encourage you to run this release on Cisco Catalyst 6500 series switches. However, if you do run Cisco IOS Release 12.2(33)SRA2 on a Cisco Catalyst 6500 series switch, the symptom may occur.

CSCsj95534

Symptoms: High CPU is observed on SNMP Engine while polling dsx1FracIfIndex for DS3s.

Conditions: This has been observed on a Cisco 7206 VXR platform having NPE-G1 that is running Cisco IOS Release 12.4(14).

Workaround: Applying a view on the DS1 MIB prevents the high CPU usage. This, however, prevents the user from monitoring those entries.

Further Problem Description: The SNMP Engine enters a loop and Get-NEXT always reports the same values. This happens when the walk reaches the first interface of the channelized E3 card; deleting this interface triggered the problem on the channelized E3 card.

CSCsj99269

Symptoms: With some VPN configurations, such as configurations with a multipath import or an import map, the CPU usage of the router may be very high for a long time, even after BGP convergence has occurred.

Conditions: This symptom is observed on a Cisco router that functions in a highly scaled environment involving several hundred VRFs and occurs after the router has been reloaded or after a switchover has occurred.

Workaround: There is no workaround.

CSCsk05653

Symptoms: The aaa group server radius subcommand ip radius source-interface causes the standby to fail to sync.

c10k-6(config)# aaa group server radius RSIM
c10k-6(config-sg-radius)# ip radius source-interface GigabitEthernet6/0/0
c10k-6# hw-module standby-cpu reset
c10k-6#
Aug 13 14:49:31.793 PDT: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_NOT_PRESENT)
Aug 13 14:49:31.793 PDT: %C10K_ALARM-6-INFO: ASSERT MAJOR RP A Secondary removed
Aug 13 14:49:31.793 PDT: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_DOWN)
Aug 13 14:49:31.793 PDT: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_REDUNDANCY_STATE_CHANGE)
Aug 13 14:49:31.793 PDT: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_NOT_PRESENT)
Aug 13 14:49:31.793 PDT: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_DOWN)
Aug 13 14:49:31.813 PDT: %REDUNDANCY-3-IPC: cannot open standby port no such port
Aug 13 14:49:32.117 PDT: %RED-5-REDCHANGE: PRE B now Non-participant(0x1C11 => 0x1421)
Aug 13 14:49:32.117 PDT: %REDUNDANCY-5-PEER_MONITOR_EVENT: Active detected a standby insertion (raw-event=PEER_REDUNDANCY_STATE_CHANGE(5))
Aug 13 14:50:52.617 PDT: %RED-5-REDCHANGE: PRE B now Standby(0x1421 => 0x1411)
Aug 13 14:50:54.113 PDT: %C10K_ALARM-6-INFO: CLEAR MAJOR RP A Secondary removed
Aug 13 14:51:33.822 PDT: -Traceback= 415C75D8 4019FB1C 40694770 4069475C
Aug 13 14:51:33.822 PDT: CONFIG SYNC: Images are same and incompatible
Aug 13 14:51:33.822 PDT: %ISSU-3-INCOMPATIBLE_PEER_UID: Image running on peer uid (2) is the same -Traceback= 415CCC2C 415C75FC 4019FB1C 40694770 4069475C
Aug 13 14:51:33.822 PDT: Config Sync: Bulk-sync failure due to Servicing Incompatibility. Please check full list of mismatched commands via: show issu config-sync failures mcl
Aug 13 14:51:33.822 PDT: Config Sync: Starting lines from MCL file: aaa group server radius RSIM ! <submode> "sg-radius" - ip radius source-interface GigabitEthernet6/0/0

Conditions: This symptom is observed if the aaa group server radius subcommand ip radius source-interface CLI is configured on a box with dual PREs.

Workaround: If the aaa group server radius subcommand ip radius source-interface interface is not used, this problem does not occur.

If the aaa group server radius subcommand ip radius source-interface interface is used on a Cisco 10000 router in simplex mode (a single PRE), this problem does not occur.

If the router runs with dual PREs, the aaa group server radius subcommand ip radius source-interface interface must be removed from the configuration as a workaround.

Removing the aaa group server radius subcommand ip radius source-interface interface from the configuration could cause problems for the customer. The RADIUS server may expect the request to come from a specific source address. The router will instead use the address of the interface from which the packet egresses, which may change over time as routes fluctuate.

CSCsk09933

Symptoms: The configured max-threshold/minimum-threshold option on Selective Packet Discard (SPD) is lost after reloading the router.

Conditions: If the configured minimum threshold value is greater than the default maximum threshold value, or the configured maximum threshold value is less than the default minimum threshold value, the router reports "min-threshold must be less than default max-threshold" or "max-threshold must be greater than min-threshold" during the system reload.

Workaround: Reconfigure the appropriate ip spd threshold command.

CSCsk10057

Symptoms: A packet sent by the responder may not be received by the initiator with an ipsec-gre tunnel.

Conditions: This symptom is observed when process switching is configured.

Workaround: Use CEF switching at the tunnel interfaces.

CSCsk16290

Symptoms: A crash occurs when iosca enrolls with itself.

Conditions: This symptom is observed when the client and server are on the same device.

Workaround: Upgrade to Cisco IOS Release 12.4(20)T. The problem was fixed in Cisco IOS Release 12.4(18.4)T1.

CSCsk25046

Symptoms: For a policy applied to an interface with an ifindex of 14, the corresponding entry will not appear in cbQosServicePolicyTable. This is impacting device monitoring.

Conditions: The following two conditions are required for the issue to exist:

There should be an interface with an ifindex of 14 with a policy applied.

There should be a policy applied on the control plane.

Workaround: Remove the policy on the control plane.

CSCsk26165

Symptoms: A router may crash because of a bus error.

Conditions: The router must be configured for L2TP.

Workaround: There is no workaround.

CSCsk28748

Symptoms: When an IMA group subinterface (atm1/ima1.14016) is configured before a no shut is done on the IMA group interface, the maximum value of the VBR-NRT peak cell rate (PCR) option is displayed as 1536/1920 (T1/E1) instead of 1523/1904.

Conditions: Occurs when IMA group subinterface is configured before assigning ATM interface to the IMA group.

Workaround: Configure the IMA group interface first and then configure the IMA group subinterface.

CSCsk35804

Symptoms: A Cisco router may experience a bus error crash preceded by the following error message:

%HMM_ASYNC-4-NO_MODEMS_PRESENT: HMM Digital Modem Card 1 contains no active modems

Conditions: This symptom is seen if the router contains a Digital Modem Network module that contains no SIMMs.

Workaround: Remove the card or install an NM-xDM card with valid SIMM modules.

CSCsk42261

Symptoms: A router reloads by address error after registering to a key server.

Conditions: The symptom is observed under normal conditions. The trigger is when the router is used as GDOI hub.

Workaround: There is no workaround.

CSCsk43463

Symptoms: Router was forced to reload when the no router ospf <#> command is entered.

Conditions: The problem happens when "memory record" was also configured.

Workaround: Disable memory lite (using the no memory lite configuration command); the crash will then not be seen.

CSCsk49705

Symptoms: The ip nat inside source static network command does not have the <cr> option.

Conditions: This symptom is observed on a Cisco 7200 router that is loaded with Cisco IOS Release 12.4 or 12.4T.

Workaround: There is no workaround.

CSCsk57114

Symptoms: CPUHOG messages may be generated when an "snmpwalk" is performed on the cpwVcMplsNonTeMappingTable object.

Conditions: This symptom is observed on a Cisco router that has a large number (about 30,000) of pseudowires configured.

Workaround: Reduce the number of pseudowires that are configured on the router.

CSCsk57730

Symptoms: The show flash and dir commands cause an error message.

Conditions: This symptom is observed only on Cisco AS5400XM and Cisco AS5350XM products that are running a Cisco IOS Release 12.4(17.7) image.

Workaround: To upgrade to a newer Cisco IOS version, a netboot must be performed because copy tftp flash: cannot be used.

CSCsk64158

Symptoms: Several features within Cisco IOS software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked, transit traffic will not block the interface.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory. This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml.

CSCsk66339

Symptoms: A Cisco 7600 router running Cisco IOS Release 12.2(18)SFX6 may encounter a condition, when intermediate system-to-intermediate system (IS-IS) and traffic engineering (TE) are configured, in which IS-IS should remove the native path from its local RIB and call RIB code to remove the path from the global RIB but fails: either the "delete" message is not passed to RIB properly, or RIB does not react when it receives the "delete" call.

Conditions: The show mpls traffic-engineering tunnel command output may indicate "Removal Trigger: setup timed out" status.

Workaround: Perform a shut/no shut on the interface or change the metric temporarily to force an update with the tunnel mpls traffic-eng autoroute metric 1 command.

CSCsk72676

Symptoms: PVC does not come up after removing vc-class from it.

Conditions: This issue happens only when vc-class with constant bit rate (CBR) is configured on the main interface, and another vc-class is applied to the VC. This occurs under the following scenario:

1. Boot the router afresh.

2. Apply a vc-class (class1) to the ATM interface.

3. Configure PVCs with the range command.

4. Apply another vc-class (class2) under the range-pvc configuration.

5. Remove the vc-class (class2) from under the range-pvc configuration.

After this step the PVCs are expected to come up having attributes of vc-class class1. The PVCs do not come up and stay in inactive mode.

Workaround: There is no workaround.

CSCsk76478

Symptoms: The Interfaces Multilink are down, and the following error message is seen:

ATMPA-3-BADTXPACKET: Switch1: bad tx packet on vcd 9 size 0 -Traceback= 0x60391080 0x60100024 0x6085BC6C 0x6090EF0C 0x6090F858 0x6030691C 0x60306CD4 0x611F7748 0x611DFF70 0x611E0174 0x602A34BC 0x606E57D8 0x603077F4 0x60307E14 0x60863A18 0x60118294

Conditions: This symptom occurs only when:

1. RTP packets are switched from one PPPoA interface to another PPPoA interface, and IP Header Compression is configured on both interfaces. That is, frames are decompressed, switched, and then recompressed.

2. Traffic that is being pumped has no RTP payload. The RPM has configured RTP, and RTP traffic starts to be sent.

Workaround: Enable the ip rtp coalesce command.

CSCsk86381

Symptoms: A memory leak occurs in "Crypto IKMP" and "IPSEC key engine."

Conditions: Occurs on a WS-C6509-E running the internal image s72033-advipservicesk9_wan-mz.NAT-D-5.

Workaround: There is no workaround.

CSCsk92854

Symptoms: Traceback may be seen while testing L2TP scaling 32k functionality on a Cisco 10000 series router.

Conditions: The symptom is seen with scaling scenarios and with a Cisco 10000 series router.

Workaround: There is no workaround.

CSCsk99687

Symptoms: A router may crash.

Conditions: The symptom is very rare, but when it occurs it is seen during ISSU runversion.

Workaround: There is no workaround.

CSCsl00472

Symptoms: A Cisco router unexpectedly reloads with memory corruption after showing multiple "%SYS-2-INPUT_GETBUF: Bad getbuffer" messages.

Conditions: Occurs during normal operation.

Workaround: There is no workaround.

CSCsl01118

Symptoms: When a GD vIPer attempts to establish a secure call across a T1 with one-way delay exceeding 188ms, the DSP will crash and reset.

Conditions: The crash occurs when there is a high delay (>185ms one way) placed between two connected interfaces of a T1.

Workaround: There is no workaround.

Further Problem Description: Set-up of equipment showing the problem is as follows:

Secure IP phone (IP) <-connect to-> (IP) 3745GW (T1) <== connect with 185ms delay to ==> (T1) Switch <-connect to-> Secure analog phone

An unsecured phone call operates without problems when there is a high delay, but when either side of the call initiates secure, the T1 interface on the Cisco 3745 Gateway will crash, and the call will fail.

CSCsl07297

Symptoms: Router may crash when a sequence of commands is executed in quick succession.

Conditions: Occurs when a Border Gateway Protocol (BGP) neighbor belongs to a particular peer group and when the following commands are entered in quick succession:

no neighbor a.b.c.d peer-group pgroup-name

no neighbor a.b.c.d description xyz

If these commands are executed quickly, such as when they are pasted into the interface, the router may crash.

Workaround: Use the no neighbor a.b.c.d peer-group pgroup-name command to remove the neighbor. This command removes the neighbor and eliminates the need for the second command.

CSCsl40687

Symptoms: Router reloads due to a bus error. This occurs with the following messages:

%ALIGN-1-FATAL: Illegal access to a low address
08:32:13 AEST Tue Nov 20 2007 addr=0xB8, pc=0x40099888 , ra=0x44020000 , sp=0x465870E8
08:32:13 AEST Tue Nov 20 2007: TLB (store) exception, CPU signal 10, PC = 0x40099888
-Traceback= 0x40099888 0x402F6358 0x415102F4 0x41510C7C 0x402FF5C4 0x414F1140 0x402FF7B8 0x41C8B8E0 0x41C8EFC0 0x41C8F064 0x41C85260 0x421EA0C4 0x421EA224

Conditions: This occurs after applying a Modular Quality of Service Command-Line Interface (MQC) class on a PVC.

Workaround: Use frame relay traffic shaping (FRTS) instead of MQC under the PVC.

Further Problem Description: MQC policy is not a supported configuration for MLPoFR connections. The above configuration is not valid. Currently, the MQC policies are configurable under MLPoFR PVCs and this results in router reload. However, the router should not crash even under those circumstances. This fix prevents MQC QOS policy from being configured on MLPoFR connections at config time when MLP may not yet be active. So, in effect, the config is blocked both if MLP is active or if MLP is just configured.

CSCsl42627

Symptoms: When sf/ami/56 are configured, the protocol interface is down at both ends.

Conditions: These symptoms are observed when we configure speed 56, framing sf, and linecode ami at both ends, as follows:

service-module t1 timeslots all speed 56
service-module t1 framing sf
service-module t1 linecode ami

This causes the protocol to be down and an increased error count at both ends.

Workaround: Change the speed to 64 and then configure again to 56. The protocol will then be up and ping is OK.

CSCsl46683

Symptoms: Tracebacks may be observed while rebooting the device.

Conditions: The symptoms are observed when no other SNMP commands are configured and snmp-server manager is the first SNMP command to be configured.

Workaround: There is no workaround.

CSCsl51495

Symptoms: A memory leak may be observed on the standby node.

Conditions: The symptom is observed only when broadcast accounting is configured in the standby node. The memory leak is verified by using the show processes memory | i AAA ACCT command.

Workaround: There is no workaround.

CSCsl51848

Symptoms: Router crashes when a command is entered from the aux console to remove an interface.

Conditions: Occurs when a show command for that interface is presently paused at the "more" prompt on the main console. The show commands are show controllers serial and show interface serial.

Workaround: Avoid configuration while show commands are being run on the router.

CSCsl63494

Symptoms: AAA server does not count active user sessions correctly. User authentication may be denied by the AAA server because max session limit has been reached.

Conditions: This may occur with AAA authentication when a max session limit is configured on the Cisco Secure ACS server (it may happen with other AAA servers too). When a user initiates X.25, SSH, rsh, rlogin, or Telnet sessions and later disconnects them, the AAA server does not decrement the active sessions counter because of wrong attributes in the accounting records sent by the device. Eventually, the misbehaving counter may reach the max session limit, and the user will be denied a login.

Workaround: Removing max session limit can be considered.

CSCsl90187

Symptoms: A small memory leak may occur on a VoIP gateway in the VTSP process, which may cause the router to reload.

Conditions: The issue is specific to the C549 DSPs on Cisco 3700 series routers. The leak occurs when a call is disconnected due to non-availability of the circuit (cause code 0x22).

Workaround: There is no workaround.

CSCsl92316

Symptoms: The router may experience an mwheel CPUHOG condition.

Conditions: This condition is observed on a Cisco router when clearing all L2TP sessions while there are more than 2500 sessions with multicast traffic flowing on them.

Workaround: There is no workaround.

CSCsl99071

Symptoms: A router may crash while unconfiguring a policy-map attached to a PPPoA session.

Conditions: The symptoms occur with the following scenario:

Initially service-policy is configured both on input and output on the virtual-template.

The sessions are brought up.

The input service-policy on v-template is removed.

The output service-policy on v-template is removed.

The (global) policy-map is removed.

Workaround: There is no workaround.

CSCsl99883

Symptoms: The X.25 PVC experiences window closed on both the sides.

Conditions: The problem is seen under heavy traffic conditions. The testing scenario passes 1000 packets containing 2000 bytes of data.

Workaround: Reset the connection.

CSCsm01126

Symptoms: The standby fails to come up in SSO. The following message is displayed on the active:

%FILESYS-4-RCSF: Active running config access failure (0) <file size>

Conditions: This symptom is observed when the router has a configuration greater than 0.5 megabytes.

Workaround: There is no workaround.

CSCsm08030

Symptoms: A router may crash while parsing "x28 profile <profile name>". This occurs when x28 mode is configured. The crashinfo file will show:

%SYS-2-FREEFREE: Attempted to free unassigned memory at [...]

Conditions: This symptom is observed on a Cisco AS5400 gateway that is running Cisco IOS Release 12.4(1c) and Release 12.4(18).

Workaround: There is no workaround.

CSCsm13263

Symptoms: The router may crash with a bus error while executing the show ip arp interface-name command.

Conditions: This symptom occurs when two EXEC processes are initiated from two different Telnet sessions. One process is running show ip arp interface while the other is entering no ip address or ip address ip-address in configuration mode. Both commands access the same interface. There is a chance that the show ip arp command will cause the system to crash.

Workaround: Run the show ip arp interface command and the ip address command sequentially, not concurrently.

CSCsm13763

Symptoms: A memory leak may occur with the chunk manager process.

Conditions: The symptom is observed when SIP-to-TDM (PRI) calls are terminated by a Cisco 3845 gateway. This issue occurs for transcoding calls and is found during stress tests.

Workaround: There is no workaround.

CSCsm14915

Symptoms: A router crashes and automatically reloads.

Conditions: The problem occurs when a large number of GLBP IPv6 groups are configured.

Workaround: The only workaround is to reduce the number of GLBP IPv6 groups that span a full hardware interface. Any groups that are configured on a subinterface contribute to the total for the full interface.

CSCsm20994

Symptoms: Kron occurrences are not rescheduled properly when the clock is set near the end of a calendar year.

Conditions: A kron occurrence is scheduled daily or hourly. The clock is reset near the end of the year such that the next occurrence of the kron policy would happen in the next year.

Workaround: After clock reset, remove/restore kron occurrences to cause them to be scheduled properly.

CSCsm27071

A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:

The configured feature may stop accepting new connections or sessions.

The memory of the device may be consumed.

The device may experience prolonged high CPU utilization.

The device may reload. Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory. The advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml

CSCsm27943

Symptoms: When dlsw timer explorer-wait-time is set, Ethernet redundancy sometimes cannot establish a DLSw circuit, and the following message appears in the debug output:

Jan 15 15:32:22.643 JST: DLSW-ER:(CSM):startdl_pend timer expired for transparent circuit

Conditions: The symptom only occurs when the router is configured for dlsw timer explorer-wait-time with DLSw Ethernet Redundancy and dlsw transparent switch-support.

Workaround: There is no workaround.

CSCsm27958

Symptoms: After upgrading a Cisco 7600 to Cisco IOS Release 12.2(33)SRC, SSO does not come up and router stays in RPR.

Conditions: Occurs only if the passive-interface default command is configured under OSPF.

Workaround: After the upgrade, unconfigure and reconfigure passive-interface default.

CSCsm34002

Symptoms: CPU utilization goes to 99%. It stays there for a few seconds, then drops to around 50%, then 2%. After a few seconds, CPU utilization reaches 99% again, and this cycle continues.

Router# show proce cpu sorted
CPU utilization for five seconds: 99%/0%; one minute: 47%; five minutes: 25%

Conditions: This symptom is observed when around 2000 PPPOE sessions are initiated.

Workaround: There is no workaround.

CSCsm39308

Symptoms: There may be a system crash while trying to configure router isis or router iso-igrp.

Conditions: The symptom is observed when router isis or router iso-igrp is already configured without a tag.

Workaround: Use a tag in router isis and router iso-igrp configurations.

CSCsm48357

Symptoms: When a FlexWAN card configured for Frame Relay over MPLS (FRoMPLS) is subjected to online insertion and removal (OIR), the standby crashes when FRoMPLS is unconfigured.

Conditions: Occurs when FRoMPLS is unconfigured following an OIR.

Workaround: There is no workaround.

CSCsm50741

Symptoms: When a non-DC router is removed from a DC-enabled area and the area becomes DC enabled, some of the LSAs are not refreshed correctly with DoNotAge (DNA) bits set. A crash may happen when the customer deploys iptivia probes in the network. Fixed in CRS.

Conditions: The symptom is observed when a router without DC capability is removed from a DC enabled area.

Workaround: Use the clear ip ospf command.

CSCsm55817

Symptoms: When configuring ATM PVCs, the PVC syntax lets you provide a handle to describe the PVC. If this handle starts with "00" (zero zero), the command fails.

Conditions: The symptom is observed when configuring ATM PVCs and where the PVC handle starts with "00".

Workaround: Do not use handles that start with "00".

CSCsm62215

Symptoms: A Cisco router may reload unexpectedly when the DMVPN tunnel is bounced.

Conditions: The symptom is observed with Cisco IOS Release 12.4(11)T2. The information points to a software issue: when the DMVPN GRE tunnel is bounced, the NHRP is automatically cleared, which triggers the bus error crash.

Workaround: Clear the DMVPN session only by using the following command (note: the static keyword must be used to clear the individual session, otherwise all sessions will be cleared): clear dmvpn session [peer {nbma | tunnel} ip-address] [interface tunnel number] [vrf vrf-name] [static]

CSCsm69989

Symptoms: Class maps are not seen in show running-config output after executing show auto qos. This is a display issue with no functional impact. However, when the router is reloaded, the policy map and the QoS configuration are rejected because the class maps are not present.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(15)T3 and all releases prior to that. Occurs when the router is configured for Auto QoS. This is also observed in Cisco IOS Release 12.4(21).

Workaround: There is no workaround.

CSCsm70668

Symptoms: A soft OIR over E3:POS impacts complete traffic with a biscuit tunnel.

Conditions: A soft OIR over E3:POS impacts complete traffic with a biscuit tunnel configured. In the OIR, "test mbus power 6 off" and "test mbus power 6 on" are performed, followed by a microcode reload on slot 6.

Workaround: There is no workaround.

CSCsm70774

Symptoms: The router crashes when a kron policy-list is modified from the console after that kron policy-list has been deleted by another user on a different vty.

Conditions: This symptom can be observed on a Cisco router when the kron policy-list word is issued from the console and removed from the VTY. Using the command cli abcd in the console, while still in the kron policy-list word mode, causes the router to crash.

Workaround: There is no workaround.

CSCsm75286

Symptoms: A route map that is configured with both IPv4 and IPv6 for a BGP peer does not work as expected.

Conditions: This symptom is observed after the route map is modified to delete a sequence.

Workaround: Apply a fresh route map.

CSCsm77171

Symptoms: Router will crash.

Conditions: Occurs with high traffic conditions where NetFlow has no free flows and multicast egress NetFlow is configured.

Workaround: Disable multicast egress NetFlow.

CSCsm86039

Symptoms: After switchover, DHCP relay is unable to forward the DHCP REQUEST received from client during RENEW to the server.

Conditions: Occurs with unnumbered DHCP relay when the server address is configured under the class submode in relay pool configuration mode.

Workaround: Configure the server address directly under relay pool mode (rather than class submode) or under the interface (helper address).

CSCsm87166

Symptoms: The list command under ephone-hunt cannot have 20 numbers configured if each number is 8 digits.

Conditions: The following configuration example shows the issue:

Router(config)# ephone-hunt 1 
Router(config)# list 17465301, 17465302, 17465303, 17465304, 17465305, 17465306, 
17465307, 17465308, 17465309, 17465310, 17465311, 17465312, 17465313, 17465314, 
17465315, 17465316, 17465317, 17465318, 17465319, 17465320 

Number 1746531 is not a normal ephone-dn or a *. The maximum number of ephone-dns that can be entered is 14 when each ephone-dn is 8 digits.

However, it is okay to have 20 ephone-dns in the list if each ephone-dn is 4 digits, as in this example:

ephone-hunt 1 longest-idle 
pilot 17465711 
list 5301, 5302, 5303, 5304, 5305, 5306, 5307, 5308, 5309, 5310, 5311, 5312, 5313, 
5314,5315, 5316, 5317, 5318, 5319, 5320

Workaround: There is no workaround.

CSCsm89642

Symptoms: A Cisco router may crash with a bus error when the show crypto sessions command is entered.

Conditions: Occurred on a Cisco 7301 router configured as a VRF-aware IPsec EzVPN server with clients that use RADIUS extended authentication (Xauth).

Workaround: There is no workaround.

CSCsm89795

Symptoms: The router keeps reloading and reporting that memory is unavailable.

Conditions: This symptom is observed if the router is directly connected to a DHCP server or if it is flooded with DHCP replies as part of an attack.

Workaround: There is no workaround.

CSCsm92206

Symptoms: A router may crash when a range of interfaces is set to default configurations.

Conditions: The crash occurs when a range of interfaces is configured in a console connection to belong to a bridge group and when the same set of configurations is removed simultaneously from a vty connection.

Workaround: Avoid simultaneous tasks (configuring/unconfiguring) through the console and vty.

CSCsm95129

Symptoms: The no ip next-hop-self eigrp command does not work after mutual redistribution with BGP (either iBGP or eBGP).

Conditions: This symptom is platform independent. Mutual redistribution between RIP and EIGRP or between OSPF and EIGRP is not affected.

Workaround: There is no workaround.

CSCsm96785

Symptoms: An OSPF neighbor goes down after a switchover even though OSPF Non-Stop Forwarding (NSF) is in use.

Conditions: This occurs under the following conditions:

Only "nsf cisco" is affected. With "nsf ietf", this problem does not occur.

The problem may be observed if the OSPF interface network type is "point-to-multipoint non-broadcast" or "point-to-multipoint". If the network type is "broadcast", this problem does not occur.

When this problem occurs after a switchover, DBD packets may not be exchanged between the two neighbors, and the neighbor goes down in spite of NSF.

Workaround: Change the OSPF configuration to "nsf ietf" and change the OSPF interface network type to "broadcast".

CSCsm97220

Devices that are running Cisco IOS Software and configured for Mobile IP Network Address Translation (NAT) Traversal feature or Mobile IPv6 are vulnerable to a denial of service (DoS) attack that may result in a blocked interface.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

CSCso06542

Symptoms: On a Cisco router configured for NAT with VPN routing/forwarding (VRF), ip nat inside source commands may appear corrupted in the running configuration after boot even though they are correct in the startup configuration. One form the corruption can take (not the only one) is the following:

ip nat inside source list [ACL] pool[pool-name] vrf [vrf-name] match-in-vrf overload vrf [vrf-name]

The "vrf [vrf-name]" after overload should not be there.

Conditions: This was observed on a Cisco 3845 running Cisco IOS Release 12.4(18.3)T configured with NAT VRF but it could be observed on other platforms and IOS versions.

Workaround: Remove and re-configure the affected VRFs. The problem might reappear after bootup.

CSCso10596

Symptoms: Polling cvpdnSessionAttrDevicePhyId from the CISCO-VPDN-MGMT MIB may show that multiple users are mapped to the same Virtual-Access SNMP ifIndex. This affects statistics collection or billing using IF-MIB counters.

Conditions: This symptom is observed when PPP renegotiates an existing PPP connection on a Virtual-Access interface.

Workaround: When possible, use RADIUS accounting for gathering statistics or billing.

CSCso15740

Symptoms: The "set metric" clause in a route-map sequence reached through a continue clause does not set the metric correctly under certain conditions. The same applies when the next hop is set in a route-map sequence reached through a continue clause.

Conditions: The symptom is observed on a Cisco 12000 series router that is running Cisco IOS Release 12.0(32)SY4, but it is platform independent. It occurs when the route map has a continue clause and the match condition does not allow the continue clause to be executed. The following route-map sequence, which should then be executed, does not execute properly if the metric or next hop of the prefix is to be modified by it.

Workaround: Avoid using "continue" in a route map together with modifying the metric or next hop in the following route-map sequence.

CSCso19662

Symptoms: Tracebacks are seen after unconfiguration when using the clear ip nat translation * command.

Conditions: Occurs on a Cisco device with NAT configured. Not platform dependent.

Workaround: There is no workaround.

CSCso27236

Symptoms: Cisco IOS CA shows incorrect renew date (Jan 1 1979). Example:

Before restart:
Start Date : 1 Jan 2008 10:00:00
End Date : 1 Jan 2011 10:00:00
Renew Date : 1 Jan 2008 09:58:00

After restart:
Start Date : 1 Jan 2008 10:00:00
End Date : 1 Jan 2011 10:00:00
Renew Date : 1 Jan 1970 08:00:00

Conditions: Occurs when auto-enroll is enabled and the router is reloaded.

Workaround: There is no workaround.

CSCso40618

Symptoms: A Cisco 871 router may crash with error %SYS-2-NOTQ with Process="DNS Resolver" after loading an image.

Conditions: Firewall application inspection for IM protocols is configured. A protocol-info parameter map is configured to resolve the IM server host names and is associated with the IM protocols in the firewall class map.

Trigger: The issue occurs when the router uses the "parameter-map protocol-info", which contains a list of IM server host names, to resolve those IM servers.

Workaround: Do not associate the protocol-info type parameter map with the IM protocol in the firewall class map.

CSCso53496

Symptoms: When the Group Encrypted Transport VPN (GET VPN) feature is used, the DF-bit override feature for IPsec packets does not work: the crypto ipsec df-bit set and crypto ipsec df-bit clear commands have no effect, whether applied globally or per interface.

Conditions: The bug is seen only when GET VPN is used. Legacy IPsec tunnels are not affected.

Workaround: There is no workaround.

CSCso63693

Symptoms: Configuring the passive-interface default command in IS-IS when more than 255 interfaces exist, or loading/reloading the router when more than 255 interfaces exist in the startup configuration, may generate the following error message: ISIS: Maximum circuit limit (255) has reached. Subsequent interfaces are not advertised into IS-IS as expected.

Conditions: The symptom is observed on a Cisco router that is running Cisco IOS Release 12.2(33)SXH1 when more than the 255-interface limit exist in the startup configuration and the router is loaded/reloaded. It is also observed when interfaces beyond the 255 limit are configured after the passive-interface default command has been used.

Workaround: Use the passive-interface command to configure each interface manually.

CSCso67195

Symptoms: Router may crash due to memory corruption:

*Apr 7 12:32:14: %SEC-6-IPACCESSLOGRP: list 111 denied pim 0.0.0.0 -> <removed>, 1 packet
*Apr 7 12:32:29: %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 680A5374 data 680A79A4 chunkmagic FFFFFFFF chunk_freemagic 0 - Process= "Mwheel Process", ipl= 0, pid= 274, -Traceback= 0x6169C450 0x60102E78 0x601031E4 0x61D418E4 0x61D4230C 0x61CF1A48 0x61D1280C 0x61D05FE4 0x61D0E9FC
chunk_diagnose, code = 1
chunk name is PIM JP GroupQ

Conditions: This symptom occurs when PIM is enabled on an interface and access-list logging is enabled.

ip pim sparse-dense-mode 
access-list 98 deny any log

Workaround: Remove access-list logging.

CSCso78991

Symptoms: An L2TPv3 tunnel fails to establish between Cisco routers when one is running Cisco IOS Release 12.4(T) and the other is running Cisco IOS Release 12.2(33)SRC.

Conditions: This issue is seen only when the L2TPv3 tunnel terminates on a Cisco router running Cisco IOS Release 12.4(T) on one side and a Cisco router running Cisco IOS Release 12.2(33)SRC on the other. Other combinations of IOS versions allow the L2TPv3 tunnel to establish successfully.

Workaround: There is no workaround.

CSCso87348

Symptoms: A Catalyst 6500 or a Cisco 7600 may reload unexpectedly.

Conditions: Occurs when NetFlow is configured on one of the following:

Cisco 7600 running Cisco IOS Release 12.2(33)SRC.

Catalyst 6500 running Cisco IOS Release 12.2SXH.

Workaround: Disable NetFlow. This is done with the following commands:

no ip flow ingress
no ip flow egress
no ip route-cache flow

Enter the appropriate command for each subinterface for which NetFlow is currently configured.

Other Notes:

Only the 12.2SRC and 12.2SXH code trains are affected. The specific versions affected are 12.2(33)SXH, 12.2(33)SXH1, 12.2(33)SXH2, 12.2(33)SXH2a, 12.2(33)SRC, and 12.2(33)SRC1.

The issue is fixed in the two affected code trains from the 12.2SXH3 and 12.2SRC2 releases onwards.

The following release trains do not have this issue: 12.2(18)SXF, 12.2(33)SRA, 12.2(33)SRB, 12.2(33)SXI, and all other release trains after those affected.

CSCso91230

Symptoms: A router may display the following error:

%LINK-2-INTVULN: In critical region with interrupt level=0, intfc=ATM0 -Process= "IGMP Snooping Receiving Process"

Conditions: The symptom is observed when bridged traffic is passing to an MLPP interface.

Workaround: Disable IGMP snooping with the no ip igmp snooping command.

CSCso92494

Symptoms: Spurious memory accesses may be seen on a Cisco 7200 series router.

Conditions: The symptom is observed when LFIoFR is configured on a Cisco 7200 series router and when attaching a QoS policy to a Virtual-Template.

Workaround: There is no workaround.

CSCso94463

Symptoms: GET VPN group members may fail to register to the key server.

Conditions: The problem is found under these two conditions:

1. GDOI crypto map (with local address) is applied to multiple interfaces; and

2. One of these applied interfaces is down.

Workaround: There is no workaround.

CSCsq03005

Symptoms: Fax fails when the supervisory disconnect command is applied on a voice port while the default fax detect script, app_fax_detect.2.1.2.2.tcl, is in use:

voice-port 2/0/20
 supervisory disconnect dualtone mid-call

When the supervisory disconnect dualtone mid-call command is removed, fax works.

Conditions: This symptom is observed with Cisco IOS Release 12.4(15)T4.

Workaround: There is no workaround.

CSCsq03115

Symptoms: The PIM configuration may be missing and the following traceback is seen:

%SYS-3-MGDTIMER: Running timer, init, timer = 895661C. -Process= "Exec", ipl= 0, pid= 80, -Traceback= 0x14C0F30 0x31DA638 0x31DA7C8 0x31DA914 0x1E019B4 0x1E35634 0x1E34AD0 0x15160F8 0x1515234 0x1542208 0x695548

Conditions: The symptom is observed after performing an OIR of the PA-T3+ serial port adapter. The symptom occurs twice.

Workaround: Reconfigure the PIM mode.

CSCsq05099

Symptoms: A user can configure a maximum of only 500 SWMTP sessions per profile.

Conditions: This symptom is observed when using SWMTP.

Workaround: Configure multiple SWMTP profiles.

CSCsq12128

Symptoms: If the WAN connection is DOWN on the VGW, the Media Gateway Control Protocol (MGCP) fallback mode may not load. The gateway remains in "MGCP Fallback mode: Enabled/OFF" mode.

Conditions: This symptom is observed with Cisco IOS Release 12.4(16).

Workaround: Shut down the interface.

Further Problem Description: It is possible that the link goes up and down frequently. The Call Manager application tries to download the XML file from CCM+TFTP even when the link is down. This sets a flag, and the flag prevents the fallback.

CSCsq15994

Symptoms: Low CPS may be observed.

Conditions: The symptoms are seen with PPPoA and PPPoE sessions.

Workaround: There is no workaround.

CSCsq23391

Symptoms: A memory leak was found after voice stress testing on a Cisco 3845.

Conditions: Occurred on router configured for E1, Direct Inward Dial (DID), G.711, and voice activity detection (VAD). Testing was performed for 2 hours, and call duration was 60 seconds.

Workaround: There is no workaround.

CSCsq24935

Symptoms: A switch reloads when the distance bgp command is configured under IPv6 address family.

Conditions: This symptom is observed on a Cisco 3560 that is running Cisco IOS Release 12.2(44)SE2. The same symptom is also seen on a Cisco 3750. The following commands are issued:

router bgp <>
address-family ipv6 unicast
distance bgp <> <>

The router subsequently reloads because of an Instruction access Exception.

Workaround: There is no workaround. BGP/IPv6 is not supported on such platforms.

CSCsq36269

Symptoms: Packets that arrive at a Cisco 7200 encapsulated with Group Domain of Interpretation (GDOI), but that the router wants to send back out through the same interface because of a routing problem, leave the router with the TTL increased by one instead of decreased by one.

Because the upstream router is likely to send the packet back to the GDOI endpoint, this leads to a never-ending flow of packets that overwhelms the router.

Conditions: Occurs when using GDOI on a Cisco 7200 and having a routing issue where the upstream router forwards packets towards the GDOI router, but the GDOI router wants to send the same traffic towards the upstream router.

Workaround: There is no workaround.

CSCsq41361

Symptoms: When the PIX initiates a phase 2 rekey, it sends QM1 and the router responds with QM2; immediately afterwards, before receiving QM3 from the PIX, the router sends an IKE delete notification for the previous inbound SPI. The PIX then sends QM3 and the tunnel is rekeyed, but the VPN tunnel flaps briefly and the PIX drops all TCP connections associated with that VPN tunnel.

Conditions: Occurs when PIX initiates a phase 2 rekey.

Workaround: There is no workaround.

CSCsq46336

Symptoms: Radio transmissions from LMR voice ports to PMCs may intermittently drop packets in the router.

Conditions: The symptom is seen where multiple PMC users monitoring the same stream cause more than three simultaneous RTP streams to be present on the LMR router.

Workaround: If the customer is running PMC, turn off the keepalive on the PMCs.

CSCsq54601

Symptoms: SCCP and SIP registration fails with EzVPN and NAT configured. Only voice traffic is affected.

Conditions: Occurs when SCCP registration traffic is passing through the NAT router.

Workaround: There is no workaround.

CSCsq70473

Symptoms: An MWAM processor Gigabit Ethernet interface stops processing traffic.

Conditions: This symptom is observed at a high rate of incoming traffic.

Workaround: Restart the interface (enter the shutdown command followed by the no shutdown command) to restore traffic forwarding.

CSCsq73501

Symptoms: Unable to create sessions and ACLs.

Conditions: The symptom is observed when testing with DACL.

Workaround: There is no workaround.

CSCsq75787

Symptoms: Cannot enable AutoQoS on ATM subinterface.

Conditions: This happens on a Cisco 3800 router running Cisco IOS Release 12.4(15)T06.

Workaround: There is no workaround.

CSCsq77043

Symptoms: On a Cisco IOS device configured with an Embedded Event Manager (EEM) Tool Command Language (TCL) policy that uses the TCL CLI library, the policy may hang if the device's hostname is longer than 20 characters.

Conditions: If the device is configured with a TCL policy that uses the cli_open TCL command and that device has a hostname longer than 20 characters the policy may hang.

Workaround: Reduce the size of the hostname.

CSCsq83501

Symptoms: Router crashes while configuring more than 256 channel-groups in PA-MC-2T3-EC.

Conditions: The crash is seen after configuring more than 256 channel-groups in PA-MC-2T3-EC.

Workaround: Do not configure more than 256 channel-groups.

CSCsq87204

Symptoms: A router may reload due to a crash after configuring the no multi-path command or the shut command.

Conditions: This symptom occurs when the router is configured with Mobile IP, Mobile Router, and the multi-path command on Cisco IOS Release 12.4(9)T.

Workaround: There is no workaround.

CSCsr03713

Symptoms: Secure Real-Time Transport Protocol (SRTP) calls fail.

Conditions: Occurs with the following topology:

OGW---srtp,sip-----TGW

When SRTP is disabled, calls succeed.

Workaround: Fall back to RTP.

CSCsr06282

Symptoms: The router reloads following an SNMP get operation.

Conditions: Occurs only when a DHCP operation is configured with option-82 parameters.

Workaround: Do not query MIB objects relating to the DHCP operation configured with option-82.

CSCsr08750

Symptoms: A router may crash.

Conditions: The router will crash with IO memory corruption when the memory reserve critical [1-5] command is executed.

Workaround: Configure the memory reserve critical command with a much greater size.

Further Problem Description: This issue occurs only when the ratio of free processor memory and free IO memory is high (say greater than 90).

CSCsr13521

Symptoms: Memory chunk allocated for LDP-IGP Sync may leak.

Conditions: The symptom is observed on a router with a dual link to its neighbor. LDP and LDP Graceful Restart are enabled on both routers. When LDP is disabled and re-enabled globally on the neighbor router, a small memory leak occurs on this router.

To verify the memory leak: on Router 1, enable memory leak debugging with the set memory debug incremental starting-time command. On Router 2, disable LDP globally with the no mpls ip command, wait for the LDP session to go down, then re-enable LDP. On Router 1, the chunk leak for LDP is then visible in the output of the show memory debug leaks chunks command.

Workaround: There is no workaround.

CSCsr17719

Symptoms: A crash may be observed from name_age_cache API.

Conditions: There is no specific situation under which this crash is seen.

Workaround: There is no workaround.

CSCsr19440

Symptoms: A router crashes if the zone cluster local command is configured with a cluster ID that is an empty string.

Conditions: This symptom is observed when the local cluster ID and the local zone associated with the cluster are an empty string and when the no service alignment detection command is configured.

Workaround: Configure the local cluster ID and the local zone associated with the cluster with a nonempty string. Also, configure the service alignment detection command to prevent the crash.

CSCsr20566

Symptoms: A router may log SCHED-3-STUCKMTMR for the Dampening process, after which all dampened interfaces remain permanently dampened from the routing protocol's point of view.

Conditions: This symptom is observed when multiple interfaces are configured with the dampening feature.

Workaround: There is no workaround.

CSCsr23975

Symptoms: Build breakage with -Wuninitialized flag in ips_base.c and ips_sme_service_smb.c.

Conditions: The symptom is observed when the -Wuninitialized flag is used.

Workaround: Use -Wno-uninitialized.

CSCsr27305

Symptoms: A Cisco 1801 router withdraws power from a Polycom 430 IP phone, and the phone power cycles continuously.

Conditions: The symptom is observed with a Cisco 1801 router that has a POE-180x daughter card and an external power module, with the default switchport configuration, powering a Polycom 430 IP phone. CDP is enabled so that the phone can detect the voice VLAN. The phone requests 4.5 W of power but the router supplies only 4 W.

Workaround: Turn off CDP on the switchport.

Further Problem Description: The same Polycom IP phone works correctly on any DSBU POE switch.

CSCsr48828

Symptoms: A Cisco router may display the following traceback:

%SYS-2-GETBUF

Conditions: The symptom occurs when ACLs are configured on the WAN interfaces of the router. When outbound packets are dropped by an outbound ACL, a traceback is generated. If the traffic stops or the ACLs are removed, the tracebacks stop. The problem is seen with the VSA accelerator but not when software crypto is used.

Workaround: There is no workaround.

CSCsr49316

Symptoms: A crash happens when the show ipv6 rpf x:x:x::x command is given.

Conditions: This symptom is observed only when there are more than 16 adjacencies for a single static route. The crash happens when the show ipv6 rpf command is given for this particular static route.

Workaround: There is no workaround. This problem occurs as long as there are more than 16 adjacencies for a single static route, even if some of them are not active.

CSCsr51101

Symptoms: A router may crash when a PAD call is made after unconfiguring "xot access-group".

Conditions: The symptom is observed with a router that is running Cisco IOS Release 12.4(15)T7.

Workaround: There is no workaround.

CSCsr54170

Symptoms: A router may crash when a policy map is removed from the configuration while it is still in use (with traffic passing through it).

Conditions: The symptom is observed if a policy-map is removed from configuration and that policy-map is still referenced by an interface service-policy statement (with traffic through).

Workaround: Stop traffic before removing policies.

CSCsr55278

Symptoms: Fast switching of multicast packets may not occur on the interface of a PE router. All multicast packets are forwarded in process switching.

Conditions: The symptom is observed after the interface is changed from a forwarding interface of one VRF to another VRF.

Workaround: There is no workaround.

CSCsr55713

Symptoms: A crash occurs.

Conditions: The crash is caused by a ping across an ISATAP tunnel. The symptom is observed only in Cisco IOS Release 12.4(15)T7 on the Cisco 7200 (it is not known to affect other platforms), since the crash is dependent on the Cisco IOS memory map (which varies with each image).

Workaround: There is no workaround.

CSCsr59242

Symptoms: EIGRP may lose some routes from stub neighbors in a DMVPN setup.

Conditions: If EIGRP graceful restart happens on an interface and the interface update queue is busy, then it may lose some routes from the stub neighbors on that interface.

For example, issuing the below commands can trigger this issue:

clear ip eigrp vrf abc as-number neighbors interface
(wait 30 seconds)
clear ip eigrp vrf abc as-number neighbors interface soft

Workaround: Use the clear ip eigrp vrf abc neighbors command to fix the problem.

Another workaround is to turn off graceful restart with the no eigrp graceful-restart command under the router or address-family configuration. This makes the symptom go away, but peers are again hard-reset on configuration changes or on the clear ip eigrp neighbor soft command.

CSCsr61729

Symptoms: The WIC-2AM-V2 and WIC-1AM-V2 cards are recognized, but the ping functionality may be broken.

Conditions: The symptoms are observed with a back-to-back connection of WIC-2AM-V2 and WIC-1AM-V2 modules with a third-party vendor connector.

Workaround: There is no workaround.

Further Problem Description: The problem is due to an earlier check-in that made the state of the device dependent on the physical connection of the cable. This code interfered with the software state machine, which maintains the device state internally.

CSCsr67289

Symptoms: Router hangs when online insertion and removal (OIR) is performed.

Conditions: Occurs after changing the interface bandwidth followed by an OIR operation.

Workaround: Stop traffic before making these changes.

CSCsr67788

Symptoms: IPv6 traffic is classified as IPv4 traffic.

Conditions: The symptom is observed on a Cisco 7200 series router that is running Cisco IOS Release 12.4(20)T.

Workaround: There is no workaround.

CSCsr69433

Symptoms: A router may experience %SYS-3-CPUHOG errors and then a watchdog crash in the FR LMI process.

Conditions: The symptoms are observed when ISDN is configured on the router.

Workaround: There is no workaround.

CSCsr70197

Symptoms: A router running Dynamic Multipoint VPN (DMVPN) may crash.

Conditions: The symptom is observed when trying to unconfigure an MGRE tunnel interface running Next Hop Resolution Protocol (NHRP).

Workaround: There is no workaround.

CSCsr70459

Symptoms: The network is not converged after initial configuration. A BGP session will not be established between Route Reflector 2 and Route Reflector 1.

Conditions: The symptoms are observed with a Cisco 7200 series router that is running Cisco IOS Release 12.4(15)T7.

Workaround: There is no workaround.

Further Problem Description: This issue is not seen with Cisco IOS Release 12.4(15)T6.

CSCsr82895

Symptoms: When a router has many PPPoE sessions and the router is configured as an RP-mapping agent, the router crashes following a switchover.

Conditions: The symptom is observed when the router has 8000 PPPoE sessions and it is configured as an RP-mapping agent. Following a switchover, the issue is seen.

Workaround: Configure another router in the network, one that does not have as many interfaces, as the RP-mapping agent.

CSCsr85766

Symptoms: After an IP SLA operation finishes, all status variables that are expected to be conserved until the next operation become "Unknown."

Conditions:

A time zone offset is configured and the local date advances to the UTC date.

Found in Cisco IOS Release 12.4(20)T.

Workaround: Schedule the operation so that it starts on the UTC date and the local date configured by the clock timezone command becomes the same.

CSCsr87229

Symptoms: Callers that use a caller-ID length of 15 characters or greater cannot call out of analog MGCP ports.

Example:

MGCP Packet received from --->
CRCX 132 AALN/S0/SU1/0@nicmatth-ipipgw MGCP 0.1
C: A000000001000026000000F5
X: 23
L: p:20, a:PCMU, s:off, t:b8
M: recvonly
R: L/hd
S: L/rg, L/ci(08/08/15/44,1002,This is my long name)
Q: process,loop
<---

MGCP Packet sent to ---> 510 132 unsupported caller id length

Conditions: The BELLCORE standard supports only 15 characters, so the MGCP gateway disconnects the call because of the unsupported caller-ID length and displays the following message:

510 unsupported caller id length.

Workaround: Configure a caller ID of fewer than 15 characters, or use the port with SCCP or H.323 to avoid this. The following cptones are not affected: FR, DE, NO, IT, ES, ZA, TR, GB, AT.

CSCsr87466

Symptoms: An outgoing INVITE from the Cisco IOS SIP stack that carries SDP, with authorization configured over the SIP trunk, fails because of an incorrect Response field in the Proxy-Authorization header when the auth-int method is used as the QOP. The Cisco IOS SIP stack does not include the SDP message body in the MD5 hash calculation.

Conditions: This symptom is observed under the following conditions:

Cisco IOS sip stack.

The auth-int method is used.

The outgoing INVITE packet contains SDP body.

Workaround: Potential workarounds are to:

Disable early offer (it is not clear how to do this on the IOS sip-ua).

Use the auth method instead of the auth-int method. This should work if the incoming Proxy Authorization reply contains only the auth method.
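To show why the auth-int case fails while the auth workaround succeeds, here is an added example (not Cisco's code) that computes the Digest response both ways and checks it as a proxy would. All credentials, nonces and the SDP offer are constructed, and modelling the omission as hashing an empty body is an assumption.

```python
import hashlib
import hmac

# Constructed credentials and challenge values; none of these come from the caveat.
USERNAME = "alice"
REALM = "sip.example.invalid"
PASSWORD = "correct-horse-battery-staple"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
NC = "00000001"
METHOD = "INVITE"
REQUEST_URI = "sip:bob@sip.example.invalid"

# Constructed SDP offer carried as the INVITE body (early offer), CRLF-terminated as on the wire.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def md5_hex(data: str) -> str:
    """Hex MD5 of a string; MD5 is the default Digest algorithm in RFC 2617 / RFC 3261."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str, body: str = "") -> str:
    """Digest 'response' parameter as defined in RFC 2617 and used by SIP (RFC 3261, section 22).

    qop=auth      HA2 = MD5(method:uri)                   the entity body is NOT covered
    qop=auth-int  HA2 = MD5(method:uri:MD5(entity-body))  the entity body IS covered
    response      = MD5(HA1:nonce:nc:cnonce:qop:HA2)
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    if qop == "auth":
        ha2 = md5_hex(f"{method}:{uri}")
    elif qop == "auth-int":
        ha2 = md5_hex(f"{method}:{uri}:{md5_hex(body)}")
    else:
        raise ValueError(f"unsupported qop: {qop!r}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(qop: str, body: str, include_body: bool) -> str:
    """Response a client puts in Proxy-Authorization for an INVITE that carries `body`.

    include_body=False models the defect the caveat describes: the SDP body is left out of
    the hash even though qop=auth-int was negotiated. Assumption: leaving the body out behaves
    like hashing an empty entity-body; the caveat does not state exactly what is hashed.
    """
    hashed_body = body if include_body else ""
    return digest_response(USERNAME, REALM, PASSWORD, METHOD, REQUEST_URI,
                           NONCE, NC, CNONCE, qop, hashed_body)


def proxy_accepts(qop: str, received_body: str, presented_response: str) -> bool:
    """Proxy-side check: recompute the response over the body that actually arrived and
    compare in constant time. A mismatch here is what rejects the INVITE."""
    expected = digest_response(USERNAME, REALM, PASSWORD, METHOD, REQUEST_URI,
                               NONCE, NC, CNONCE, qop, received_body)
    return hmac.compare_digest(expected, presented_response)


if __name__ == "__main__":
    cases = [
        ("auth-int, SDP body hashed (correct)", "auth-int", True),
        ("auth-int, SDP body omitted (the caveat)", "auth-int", False),
        ("auth, SDP body omitted (the workaround)", "auth", False),
    ]
    for label, qop, include_body in cases:
        resp = client_response(qop, SDP_BODY, include_body)
        print(f"{label:42s} -> proxy accepts: {proxy_accepts(qop, SDP_BODY, resp)}")
```

The third case shows why switching the qop to auth sidesteps the defect: the body is simply not part of the hash, at the cost of no longer having integrity protection over the SDP.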

CSCsr97030

Symptoms: Service policy is missing from the running configuration after a device is reloaded.

Conditions: The symptom is observed when the service policy contains a "police rate percent" that is 13 percent or less and is applied to an MLPPP interface. It is observed with Cisco IOS Release 12.4(8c) and Release 12.4T.

Workaround: Use any one of the following:

1. Re-apply service policy each time after rebooting.

2. Change service policy to use "police rate XXXX bps".

3. Configure bandwidth XXXX on the MLPPP interface.

4. Change service policy to use more than 13 percent for the policing.

CSCsr97343

Symptoms: An MSDP peer may flap randomly.

Conditions: The symptom is observed when the device is configured with logging host ip-address ... or logging host ip-address.

Workaround: Removing the "logging host" configuration has been observed to prevent the peer flap:

no logging host ip-address
no logging ip-address

CSCsu00266

Symptoms: The following crash is observed after configuring a policy-map.

SegV exception, PC 0x2142818 at 10:04:23

Conditions: Occurred on a Cisco 7206VXR (NPE-G2) running Cisco IOS Release 12.4(15)T5.

Workaround: There is no workaround.

CSCsu04446

Symptoms: A Cisco router that is running a PfR Master Controller crashes under stress.

Conditions: This symptom is observed when traffic with more than 2000 prefixes with about 500 unreachable prefixes is flowing through the router.

Workaround: Minimize the number of prefixes learned during an interval. The default of 100 should be sufficient.

oer master learn prefixes 100 

CSCsu06350

Symptoms: A T.38 fax call does not terminate audio properly.

Conditions: A re-INVITE from the SIP fax application changes the connection IP address in the SDP. The PGW sends the changed IP address in an MDCX to the GW. The GW responds with 200, acknowledging the change, but still sends audio to the IP address where the original call terminated.

Workaround: There is no workaround.

CSCsu10229

Symptoms: The cdpCacheAddress MIB object (OID 1.3.6.1.4.1.9.9.23.1.2.1.1.4) does not show the GLOBAL_UNICAST address.

Conditions: Occurs on a Cisco 7200 router running Cisco IOS Release 12.4(15)T7.

Workaround: There is no workaround.

CSCsu10606

Symptoms: A device crashes with the following error message:

Breakpoint exception, CPU signal 23, PC =0x606CE1B4

Conditions: The symptom is observed during Online Certificate Status Protocol (OCSP) use.

Workaround: There is no workaround.

CSCsu11069

Symptoms: A Cisco router configured with WCCP may unexpectedly reload due to a bus error or generate spurious access when an interface used to communicate with a WCCP client goes down.

Conditions: The symptoms are observed when the router is configured with WCCP and traffic is redirected to the WCCP client at the time, or shortly after the time, when the line protocol on the interface goes down.

Workaround: There is no workaround.

CSCsu11522

A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS software that can be exploited remotely to cause a reload of the Cisco IOS device.

Cisco has released free software updates that address this vulnerability. There are no workarounds available to mitigate the vulnerability apart from disabling SIP, if the Cisco IOS device does not need to run SIP for VoIP services. However, mitigation techniques are available to help limit exposure to the vulnerability.

This advisory is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml

CSCsu18232

Symptoms: When a port becomes active, the endpoints stay in the "Not Ready" state and the RSIP message is not sent.

Conditions: The symptoms are observed when a new E1/T1 is configured with new DS0 groups controlled by MGCP. It is observed only during initial configuration.

Workaround: Remove the entire configuration under the controller before reloading/configuring a new set. After the problem occurs, the only workaround is to reload the router.

CSCsu25797

Symptoms: When the router runs with an on-board VPN module, the module driver should raise the maximum IKE SA limit above that of software encryption so that more tunnels can be supported. However, with Cisco IOS Release 12.4(11)T or later, the on-board driver may not update the limit, so only 100 IKE SAs are supported with the on-board module.

Conditions: The symptom is observed with a Cisco 2811 or 2821 router that is running Cisco IOS Release 12.4(11)T or later.

Workaround: Use Cisco IOS Release 12.4(9)T.

CSCsu25833

Symptoms: An ISR router may crash with the following error message:

%ALIGN-1-FATAL: Corrupted program counter

Conditions: The symptoms are observed on a Cisco 2811 and 2801 router. The trigger has not yet been identified.

Workaround: There is no workaround.

CSCsu26174

Symptoms: A Cisco 1800 series router may stop passing traffic on FastEthernet interface 0/1 when FastEthernet interface 0/0 is administratively shut down using the interface configuration command shutdown. When FastEthernet 0/0 is shutdown, the following message is displayed:

%GT96K_FE-5-LATECOLL: Late Collision on int FastEthernet0/0

Conditions: The symptoms are observed with FastEthernet 0/0 on a Cisco 1841 router and when the device at the far end of interface FastEthernet 0/0 is configured manually to speed 10 or 100.

Workaround: Configure the far-end device to auto-negotiate the speed with the 1800 router.

Further Problem Description: This problem does not occur when pulling out cable and re-inserting in FastEthernet 0/0. It also does not occur when FastEthernet 0/1 is reversed to FastEthernet 0/0.

CSCsu31444

Symptoms: A BR continuously displays error messages on the console.

Router#%Error: timeout value is less than threshold 5000  
%Error: timeout value is less than threshold 5000  
%Error: timeout value is less than threshold 5000  
%Error: timeout value is less than threshold 5000  
%Error: timeout value is less than threshold 5000  
%Error: timeout value is less than threshold 5000  
%Error: timeout value is less than threshold 5000  
%Error: timeout value is less than threshold 5000  
%Error: timeout value is less than threshold 5000

OER jitter probes are not created because of this error.

Conditions: This symptom is observed with the jitter probe configuration below for VOIP optimization:

oer-map BRANCH 20
 match traffic-class access-list Optimize_Voice_Traffic
 set mode route control
 set mode monitor fast
 set resolve mos priority 1 variance 30
 set resolve delay priority 2 variance 30
 set active-probe jitter 10.100.10.1 target-port 1025 codec g729a
 set probe frequency 4                 <<

Workaround: Set a higher probe frequency (higher than 5).

CSCsu31954

Symptoms: A router reloads.

Conditions: Under certain crypto configurations with NetFlow also configured, the router will reload when required to fragment CEF-switched traffic on a Cisco 7200 router.

Workaround: There is no workaround.

CSCsu32104

Symptoms: A PRE-3 that is running Cisco IOS Release 12.2(31)SB code may encounter a Redzone overrun memory corruption crash.

Conditions: Unknown at this time.

Workaround: Turn off Auto IP SLA MPLS by entering the auto ip sla mpls reset command.

CSCsu32154

Symptoms: Calls through an MGCP-controlled FXS may fail to complete. The user will hear fast-busy signal when attempting to make inbound or outbound calls from or to that port. Outbound calls to the port in this state may return a 400 error "Previous message in-progress" in response to the CRCX.

Conditions: The symptom is observed under rare conditions with an MGCP-controlled FXS port on a Cisco IOS Voice over IP (VoIP) gateway.

To verify that a port is in this state, compare the output of show mgcp connection with the output of show voice call summary. If a port appears with a call in the show mgcp connection output but that same port appears idle (FXSLS_ONHOOK) in the show voice call summary output, the port is affected by this problem.

The following example output shows port 2/1 in this state:

VG224# sh voice call summ
PORT           CODEC     VAD VTSP STATE           VPM STATE
============== ========= === ==================== ======================
2/0            -         -   -                    FXSLS_ONHOOK
2/1            -         -   -                    FXSLS_ONHOOK

VG224# sh mgcp conn
Endpoint  Call_ID(C)  Conn_ID(I)  (P)ort  (M)ode  (S)tate  (CO)dec  (E)vent[SIFL]  (R)esult[EA]  (ME)dia  (COM)Addr:Port
1. aaln/S2/1  C=,34,-1  I=0x0  P=0,0  M=0  S=9,0  CO=0  E=3,10,10,10  R=41,0  ME=0  COM=0.0.0.0:0
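As an added example (not part of the caveat text and not Cisco code), the following Python script automates the comparison described above: it parses the two show outputs and reports any port that show mgcp connection lists with a connection while show voice call summary reports it on-hook. The sample output is constructed in the shape of the VG224 output quoted above, with a third, healthy connected port added so that the check has something to pass; the VTSP/VPM state strings for that port are assumptions.

```python
import re

# Constructed sample output modelled on the VG224 'show voice call summary' output
# quoted in the caveat; port 2/2 and its state strings are assumed, not captured.
VOICE_CALL_SUMMARY = """\
PORT           CODEC     VAD VTSP STATE           VPM STATE
============== ========= === ==================== ======================
2/0            -         -   -                    FXSLS_ONHOOK
2/1            -         -   -                    FXSLS_ONHOOK
2/2            g711ulaw  n   S_CONNECT            FXSLS_CONNECT
"""

# Constructed sample modelled on 'show mgcp connection'; entry 2 is assumed.
MGCP_CONNECTIONS = """\
Endpoint  Call_ID(C)  Conn_ID(I)  (P)ort  (M)ode  (S)tate  (CO)dec  (E)vent[SIFL]  (R)esult[EA]  (ME)dia  (COM)Addr:Port
1. aaln/S2/1  C=,34,-1  I=0x0  P=0,0  M=0  S=9,0  CO=0  E=3,10,10,10  R=41,0  ME=0  COM=0.0.0.0:0
2. aaln/S2/2  C=5,36,-1  I=0x2  P=16384,17000  M=3  S=4,4  CO=1  E=3,10,10,10  R=0,0  ME=0  COM=10.0.0.5:16400
"""

PORT_RE = re.compile(r"\d+/\d+")


def parse_voice_call_summary(text):
    """Return {port: VPM state} from 'show voice call summary' output.

    Data rows start with a slot/port token such as 2/1; the VPM state is the
    last column. Header and separator rows are skipped.
    """
    states = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and PORT_RE.fullmatch(fields[0]):
            states[fields[0]] = fields[-1]
    return states


def parse_mgcp_connections(text):
    """Return the set of ports that 'show mgcp connection' lists as connected.

    MGCP names analog endpoints aaln/S<slot>/<port>; this maps that name to the
    <slot>/<port> form used by the voice call summary so the two can be joined.
    """
    return {f"{m.group(1)}/{m.group(2)}"
            for m in re.finditer(r"aaln/S(\d+)/(\d+)", text)}


def find_stuck_ports(voice_summary_text, mgcp_text):
    """Ports that MGCP believes carry a connection while the voice layer says on-hook.

    That contradiction is the signature of the caveat: the port will return
    fast-busy until the gateway is reloaded.
    """
    vpm_states = parse_voice_call_summary(voice_summary_text)
    return [port for port in sorted(parse_mgcp_connections(mgcp_text))
            if vpm_states.get(port, "").endswith("_ONHOOK")]


if __name__ == "__main__":
    for port in find_stuck_ports(VOICE_CALL_SUMMARY, MGCP_CONNECTIONS):
        print(f"port {port}: MGCP connection present but voice port is on-hook")
```

Feed the script the two outputs collected from the gateway (for example via a terminal log) and any port it names is a candidate for the reload workaround; a port that appears in both outputs in a connected state is healthy and is not reported.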

Workaround: Reload the gateway to recover a port once it is in this state. Attempting to restart the MGCP service on the gateway by removing and adding the mgcp command in the configuration has been shown at times to be ineffective once in this state.

Alternate workaround: Use of H323/SIP signaling instead of MGCP will prevent ports from getting into this state.

Further Problem Description: The changes applied through CSCsq97697 have been found to greatly reduce the occurrence of this issue. If using H323/SIP instead of MGCP is not an option, it is recommended to use a Cisco IOS release that contains the changes in CSCsq97697 (for example, Cisco IOS Release 12.4(15)T7).

The changes applied to CSCsu32154 introduce a new MGCP CLI command which is not enabled by default. If upgrading to obtain a fix for this issue, configure mgcp disconnect-delay.

CSCsu35963

Symptoms: IPIPGW/CUBE will not respond to a H.245 EmptyCapabilitySet (ECS) (i.e. TerminalCapabilitySet(TCS)=0) message from Cisco Voice Portal (CVP) with a CloseLogicalChannel (CLC) message. This will result in call failure.

Conditions: The symptom occurs when IPIPGW is deployed in H.323-H.323 mode, running Cisco IOS Release 12.4(20)T and interacting with CVP.

Workaround: There is no workaround.

CSCsu36836

Symptoms: TCL scripts and policies attempting to work with open files and sockets simultaneously may not operate properly. One symptom is the vwait command may fail by reporting "would wait forever."

Conditions: Occurs when a TCL script opens both a file and a client or server socket simultaneously.

Workaround: Open and close files and sockets separately. Avoid having them open simultaneously.

CSCsu45425

Symptoms: The Label Forwarding Information Base (LFIB) shows incorrect information for a global BGP prefix after a route flap. The LFIB/FIB shows the prefix as having a tag when it should not. The routing table is correct.

Conditions: Occurred on a Cisco 12000 router running Cisco IOS Release 12.0(33)S1.

Workaround: Enter the clear ip route command.

CSCsu46060

Symptoms: A router may crash under low memory conditions.

Conditions: The symptom is observed with a router running GetVPN and Cisco IOS Release 12.4(15)T7.

Workaround: There is no workaround.

CSCsu48898

Symptoms: A Cisco 10000 series router may crash every several minutes.

Conditions: The symptom is observed with a Cisco 10000 series router that is running Cisco IOS Release 12.2(31)SB13.

Workaround: Use Cisco IOS Release 12.2(31)SB11.

CSCsu51095

Symptoms: If connected routes are optimized using PfR, there will be a routing loop.

Conditions: This symptom can occur if, for some reason, PfR is learning connected routes or if the user has configured them.

Workaround: Create an oer-map with a prefix-list that contains the prefixes of the connected routes (the next hops), and set observe mode in that oer-map.

CSCsu53032

Symptoms: In rare cases, a router will crash upon removing a trustpoint in global configuration mode.

Conditions: This defect occurs on all Cisco IOS platforms; however, the observed symptoms may differ. Many platforms handle it gracefully, while others do not, because of differences in how the hardware handles memory errors. The only platforms that have reported intermittent crashes to date are the Cisco 831, Cisco 871, and Cisco 3845.

Workaround: Reload the router and use a version with the fix.

CSCsu55941

Symptoms: NAT CIE contains the invalid NBMA address of "0.0.0.0" when a spoke sends out a resolution request or resolution reply.

Conditions: The symptom is observed when NHRP fetches the NBMA address (i.e., tunnel source interface address) during bootup and whenever the tunnel source address is changed to a new address.

Workaround: There is no workaround. However, once the issue is seen it can be rectified by changing the tunnel source interface to some other interface and then changing it back to the original interface.

Further Problem Description: As a result of the NBMA address being 0.0.0.0, the spoke might incorrectly think that it is behind NAT and might add the NAT CIE (with 0.0.0.0) when resolving other spokes. As a result spoke-spoke tunnels might not come up.

CSCsu60252

Symptoms: A Cisco router may unexpectedly reload when running IPS.

Conditions: The symptom is observed when either the "deny-attacker-inline" or the "deny-connection-inline" event actions are configured on at least some of the IPS signatures. The default event action is always just to alarm, so additional configuration is required to cause this particular crash.

When the "deny" event actions are configured, the router may crash if a "shun acl" is applied on an interface where IPS is NOT configured.

This can happen in a situation such as in the following example, if IPS is configured on E0 but not E1:

E0 (packet triggering the alarm) --> ROUTER <-- (attacker) E1

IPS is configured on E0 and a packet which triggers an alarm comes in on E0. This packet matches a signature which has the "swap-attacker-victim" parameter in its signature definition. Therefore, if a "deny" event action has been configured, the ACL will be created on E1. If IPS is NOT configured on E1, this scenario can trigger the crash.

Workaround: If the "deny" actions are being used, a workaround would be to configure IPS on all affected interfaces.

CSCsu61741

Symptoms: The lsp ping command is missing.

Conditions: This issue is specific to the Cisco 7301 router.

Workaround: There is no workaround.

CSCsu62921

Symptoms: %SYS-2-BADSHARE tracebacks are reported. Eventually the router will stop passing all traffic over the interface.

Conditions: Occurs when sending traffic over xDSL interfaces that have QoS configured.

Workaround: Remove the service-policy from the xDSL interface.

CSCsu65189

Symptoms: If router is configured as follows:

router ospf 1
...
passive-interface Loopback0

And later LDP/IGP synchronization is enabled using the following commands:

Router(config)# router ospf 1
Router(config-router)# mpls ldp sync
Router(config-router)# ^Z

MPLS LDP/IGP synchronization will be allowed on interface loopback too.

Router# sh ip ospf mpls ldp in Loopback0
  Process ID 1, Area 0
    LDP is not configured through LDP autoconfig
    LDP-IGP Synchronization : Required          < ---- NOK
    Holddown timer is not configured
    Interface is up

If the clear ip ospf proc command is entered, LDP keeps the interface down. A down interface is not included in the router LSA, so the IP address configured on the loopback is not propagated. If an application such as BGP or LDP uses the loopback IP address for its communication, that application goes down too.

Conditions: Occurs when an interface is configured as passive. Note: all interface types configured as passive are affected, not only loopbacks.

Workaround: Do not configure a passive loopback under OSPF. The problem occurs only during reconfiguration.

The problem will not occur if LDP/IGP sync is already in place and:

The router is reloaded with an image that contains the fix for CSCsk48227.

The passive-interface command is removed and re-added.

CSCsu69750

Symptoms: MTP is not able to handle the G729a codec and the G729 codec on both call legs at the same time.

Conditions: The symptoms are observed with Cisco IOS Release 12.4T.

Workaround: There is no workaround.

Further Problem Description: If enabling "debug sccp all", the debug output indicates that it is an "Unsupported mtp req".

CSCsu71853

Symptoms: Transfer calls are failing due to the fact that the router does not have anything for "Replaces:" and "Referred-By:" fields.

Conditions: Occurs in routers running Cisco IOS Release 12.4(15)T6 and Cisco IOS Release 12.4(15)T7.

Workaround: There is no workaround.

CSCsu73128

Symptoms: Router crashes.

Conditions: Occurs when a large number of remote endpoints try to connect to the gateway at the same time. The router may crash if "rsa-sig" is used as the authentication method.

Workaround: There is no workaround.

CSCsu76993

Symptoms: EIGRP routes are not tagged with matching distribute-list source of route-map.

Conditions: The problem is observed when the route-map is applied to a specific interface. When the route-map is applied globally, without a specific interface, tagging works as expected.

Workaround: There is no workaround.

CSCsu77945

Symptoms: Performance Routing (PfR) echo probe shows 0 completes, even when the debug icmp command shows that the reply was correctly received.

Conditions: The symptom is observed when using the command sh oer border active-probes, which shows the active probes as incomplete even if the reply was correctly received.

Workaround: There is no workaround.

Further Problem Description: IP SLA code invoked by OER sets the completions to zero.

CSCsu92395

Symptoms: Router crashes.

Conditions: This issue occurs on a Cisco 870 router that is running Cisco IOS Release 12.4(15)T7 and 12.4(20)T and that has an EEM configuration like the following:

event manager applet RTR-MYPRIVATE_DOWN trap
 event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down"
 action Mail mail server "mailaddress@cisco.com" to "mailaddress@cisco.com" from "mailaddress@cisco.com" subject "rtr-myprivate - down" body "Sorry, I'm Down"
event manager applet RTR-MYPRIVATE_UP trap
 event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up"
 action Mail mail server "mailaddress@cisco.com" to "mailaddress@cisco.com" from "mailaddress@cisco.com" subject "rtr-myprivate - up" body "Hi, I'm Active now"

When Virtual-Access1 interface flaps, the router crashes.

Workaround: Remove the EEM action mail configuration.

CSCsu95319

Symptoms: Igmp-proxy reports for some of the groups are not forwarded to the helper. This causes members not to receive the multicast traffic for those groups.

Conditions: The problem is seen when the igmp-proxy router is receiving UDP control traffic. That is, the router is receiving any UDP control-plane traffic on any interface.

Workaround: There is no workaround.

CSCsu97507

Symptoms: After removing one of "ip name-server xxxx" entries, the command show ip dns view displays broken output.

Conditions: The symptoms are observed with the following steps:

1. Add several "ip name-server xxxx".

2. Remove one of the middle entries.

3. Use the show ip dns view command.

Workaround: There is no workaround.

Further Problem Description: This issue has been recreated with Cisco IOS Releases 12.4(15)T5, 12.4(15)T7, and 12.4(20)T.

CSCsu97934

Symptoms: NPE-G1 is crashing with "pppoe_sss_holdq_enqueue" as one of the last functions.

Conditions: Unknown.

Workaround: Entering the deb pppoe error command will stop the crashing.

CSCsv00168

Symptoms: Junk values are displayed on the router when characters or commands are entered. For example, entering "enable" shows "na^@^@"; entering "show version" shows "h ^v^@e^@^r^@^@^@^@^@".

Conditions: The symptoms are observed with Cisco IOS Release 12.4(23.2)T.

Workaround: There is no workaround.

Further Problem Description: The CLI function is not affected by the junk values.

CSCsv04836

Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.

In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.

Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.

CSCsv06608

Symptoms: SXP is set up between two devices but fails to initialize.

Conditions: This symptom is observed when SXP is set up between two devices.

Workaround: There is no workaround.

CSCsv14826

Symptoms: An EasyVPN tunnel may get stuck in an IPSEC_Active state after a dialer interface flap. The ISAKMP SA can get stuck in Config_XAuth state after the dialer interface flaps:

show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.10.10.10     10.10.10.11     CONF_XAUTH     2090    0    ACTIVE

Conditions: The symptoms are observed when EasyVPN is configured on a router and where a dialer interface flaps often.

Workaround: There is no workaround.

CSCsv17370

Symptoms: Some applications do not work properly when VSA is used as the crypto engine in the hub router. In the trace, you might observe TCP checksum corruption. This is not true in all cases. However, it might be a symptom if in the sniffer trace taken on the application client server, the last packet received before terminating the application is around 56 to 64 bytes.

Conditions: This symptom might happen in a very specific scenario. As a condition, you need to have a VSA on the hub router, and the client and server application needs to be in two different remote locations connected via a VPN tunnel through the hub. In addition, the issue has been verified with a tunnel that is configured with a static crypto map. This issue has also been verified with Fast Ethernet ports only.

Workaround: Disable the crypto engine or use VAM2+.

CSCsv24742

Symptoms: A Cisco router may report an exit link as out of policy (OOP) when the 32-bit interface utilization counter wraps. At a 100 Mbps traffic rate, this can happen once every 6 minutes.

Conditions: The symptom is observed on a Cisco router running Performance Routing (PfR) and when the 32-bit interface utilization counter wraps.

Workaround: There is no workaround.
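As an added illustration (not code from the release notes or from Cisco), this Python snippet shows the arithmetic behind the caveat: a 32-bit byte counter at 100 Mbps wraps roughly every 5.7 minutes, and a utilization calculation that subtracts consecutive samples without modular correction sees a huge negative jump at the wrap, which is the kind of bogus reading that produces a spurious out-of-policy report. The wrap-aware delta is written for any counter width; the link rate, sampling interval and counter values are constructed, and the code assumes at most one wrap between two samples.

```python
def seconds_per_wrap(rate_bps, bits=32):
    """Seconds until a `bits`-wide byte counter wraps at a sustained bit rate."""
    return (1 << bits) * 8 / rate_bps


def naive_delta(prev, curr):
    """Plain subtraction of two counter samples: wrong across a wrap."""
    return curr - prev


def wrapped_delta(prev, curr, bits=32):
    """Counter delta corrected for a single wrap between samples.

    Assumption: the sampling interval is shorter than seconds_per_wrap(), so
    the counter cannot have wrapped more than once.
    """
    return (curr - prev) % (1 << bits)


def utilization_bps(prev, curr, interval_s, bits=32):
    """Link utilization in bit/s from two byte-counter samples interval_s apart."""
    return wrapped_delta(prev, curr, bits) * 8 / interval_s


def wrap_demo():
    """Constructed scenario: 100 Mbps link sampled every 30 s, counter about to wrap."""
    rate_bps = 100_000_000
    interval_s = 30
    bytes_per_interval = rate_bps * interval_s // 8  # 375,000,000 bytes
    prev = (1 << 32) - 1_000                          # 1000 bytes short of the wrap
    curr = (prev + bytes_per_interval) % (1 << 32)    # what the 32-bit counter shows next
    return {
        "naive": naive_delta(prev, curr),             # large negative value
        "wrapped": wrapped_delta(prev, curr),         # the true byte count
        "utilization_bps": utilization_bps(prev, curr, interval_s),
    }


if __name__ == "__main__":
    print(f"32-bit counter at 100 Mbps wraps every {seconds_per_wrap(100_000_000):.0f} s")
    print(wrap_demo())
```

Sampling faster than the wrap period, or reading 64-bit counters where the platform provides them, removes the ambiguity entirely; the modular delta only repairs the single-wrap case.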

CSCsv30075

Symptoms: A Cisco router may reload due to a bus error.

Conditions: This symptom has been experienced on a Cisco router that is running Cisco IOS Release 12.4(15)T7 and that is configured with NAT.

Workaround: There is no workaround.

CSCsv38804

Symptoms: VIC2 BRI Layer 2 will not come up after boot up.

Conditions: The symptom is observed with VIC2-2BRI-NT/TE cards.

Workaround: There is no workaround.

CSCsv46240

Symptoms: A flow exporter that is configured for v9 may export corrupt data.

Conditions: This symptom occurs under the following configuration sequence:

Create a flow exporter, but do not set any values within the exporter.

Create a flow monitor, and apply the exporter to it.

Apply the flow monitor to an interface.

Configure the destination of the exporter.

Workaround: Configure the destination of the exporter before applying it to any flow monitors. Alternatively, remove the flow monitor from all interfaces and reapply it, which causes correct export packets to be sent.

CSCsv50666

Symptoms: While lrq forward-queries is configured, the gatekeeper blasting does not work as expected.

Conditions: This symptom is observed when lrq forward-queries is configured.

Workaround: There is no workaround.

CSCsv50958

Symptoms: A router reloads when DTMF digits are dialed out while making an MGCP call.

Conditions: This symptom is observed on a Cisco AS5400 that is running Cisco IOS Release 12.4(23.5).

Workaround: No workaround is known.

CSCsv52459

Symptoms: A Cisco device that is running Cisco IOS Release 12.3(7)T or later Cisco IOS code may see an increase in CPU usage when upgrading from a previous image.

Conditions: NAT must be enabled for the contributing factor described here to be applicable. RTSP and MGCP NAT ALG support was added, which requires NBAR. However, there is no way to disable it if that feature code is not needed.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(15)T7

Cisco IOS Release 12.4(15)T7 is a rebuild release for Cisco IOS Release 12.4(15)T. The caveats in this section are resolved in Cisco IOS Release 12.4(15)T7 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Miscellaneous

CSCek34097

Symptoms: The router may display CPUHOG errors and/or reload when you enter the no ipv6 multicast-routing global configuration command.

Conditions: This symptom is observed with configurations that include large numbers of dot1q subinterfaces.

Workaround: There is no workaround.

CSCek52234

Symptoms: A Cisco Gigabit Ethernet Interface goes down when set to speed 100 / Full Duplex and when the remote end is third party LAN extension service equipment.

Conditions: This symptom has been observed on a Cisco 3800 Gigabit Ethernet interface. A Cisco 2811 FastEthernet interface or a Cisco 2821 Gigabit Ethernet interface does not show the problem. The symptom is also not seen if a Cisco Catalyst 4506 is used in place of the third-party equipment.

Workaround: Use hardware other than Cisco 3800 Gigabit Ethernet when connecting to third party equipment.

CSCek64863

Symptoms: DHCP Relay crashes while sending a DHCP offer to the client when the binding is a relay binding (0.0.0.0).

Conditions:

1. Client is either not sending the client-id option or sending the MAC address as the client-id option in all the DHCP messages toward DHCP Relay.

2. Either smart relay is configured on the relay or relay is unnumbered so that relay bindings get created on the router.

Workaround: Disable smart-relay functionality if enabled. Use numbered relay instead of unnumbered relay.

CSCek71050

Symptoms: Compared to other Cisco IOS software releases, unusually high CPU usage may occur in the BGP router process on a Cisco 7600 series that runs Cisco IOS Release 12.2(33)SRB1.

Conditions: This symptom is observed when BGP is learning routes from the RIB, even if redistribution is not directly configured under BGP. (Redistribution from other routing protocols to BGP can exacerbate the CPU usage.)

Workaround: There is no workaround.

CSCek74114

Symptoms: ASL Rollback is not able to remove the ASL configuration command configuration mode exclusive auto lock-show from the running configuration.

Conditions: Failure is seen using ASL Rollback on a Cisco 7600.

Workaround: There is no workaround.

CSCek79311

Symptoms: Under stress conditions, an L2TP multihop node may crash.

Conditions: This symptom is observed when a session is being disconnected.

Workaround: There is no workaround.

CSCse03637

Symptoms: PIM dense mode interoperability issues are seen with Cisco and third party boxes.

Conditions: This symptom is observed when PIM dense mode is in operation. After the multicast forwarder is decided, based on the assert mechanism, a prune is erroneously sent. Multicast stream ceases to flow.

Workaround: There is no workaround.

CSCse61834

Symptoms: When you modify an ATM PVC by entering the pvc vpi/vci command, any subsequent modifications in the VC class that is assigned to this PVC do not take effect.

Conditions: This symptom is observed when the PVC is preconfigured with a VC class when the following events occur:

1) You make a configuration change in the PVC.

2) You change the configuration in the VC class.

The configuration change in the VC class does not take effect.

Workaround: First complete the configuration changes in the VC class. Then, change the configuration in the PVC.

CSCse90294

Symptoms: In the connect command, the ATM option either appears twice or does not appear at all, depending on the platform.

Conditions: This symptom occurs when a local-switching-related connect command is configured.

Workaround: There is no workaround.

CSCsg09423

Symptoms: When IPsec SAs flap, traffic loss may occur during the IPsec and IKE rekey.

Conditions: This symptom is observed on a Cisco 7600 series that runs Cisco IOS Release 12.2(33)SRA when there is a large number of IKE and IPsec SAs (that is, more than 2000 IKE SAs and 4000 IPsec SAs) and when RSA signature authentication is configured.

Workaround: Reduce the number of IKE and IPsec SAs.

CSCsg90726

Symptoms: Not all NetMeeting (h323) sessions are recognized by the firewall when h323 protocol inspection is enabled.

Conditions: This is observed when inspection is done with double ACL configured.

Workaround: This workaround applies to the following versions of NetMeeting:

Microsoft NetMeeting 2.0 Standard Edition

Microsoft NetMeeting 2.1 Standard Edition

Microsoft NetMeeting 2.11

Microsoft NetMeeting 3.01 Standard Edition

Microsoft Windows 98 Standard Edition

Microsoft Windows 98 Second Edition

(http://support.microsoft.com/kb/158623#appliesto)

NetMeeting uses the following IP ports to communicate with other meeting participants:

Port     Purpose
-------  --------------------------------
389      Internet Locator Server (TCP)
522      User Location Server (TCP)
1503     T.120 (TCP)
1720     H.323 call setup (TCP)
1731     Audio call control (TCP)
Dynamic  H.323 call control (TCP)
Dynamic  H.323 streaming (RTP over UDP)

To enable NetMeeting traffic, you must also open a pinhole for these fixed TCP ports, in addition to configuring h323 inspection on the interface.

So the workaround for this is as follows:

1. Create the port-map as:

ip port-map user-NMAUX port tcp 522 1731 1503 description "Port-map configuration for NetMeeting"

2. Configure the inspection rule as:

ip inspect name test h323
ip inspect name test user-NMAUX
ip inspect name test ldap

(Here ldap (Lightweight Directory Access Protocol) is included for port 389.)

3. Apply this inspection rule "test" on the interface where NetMeeting inspection is required.

Example configuration:

Router# show running-config
Building configuration...

Current configuration : 2700 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname fwodc1-2
!
boot-start-marker
boot-end-marker
!
no logging console
enable password lab
!
no aaa new-model
!
ip cef
!
no ip domain lookup
ip inspect name test tcp
ip inspect name test udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
frame-relay switching
!
voice-card 0
 no dspfarm
!
no crypto engine onboard 0
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set test esp-des
!
crypto map test 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set test
 match address ipsec_acl
!
interface GigabitEthernet0/1
 ip address 192.168.101.2 255.255.255.0
 ip access-group 102 in
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 encapsulation frame-relay
 clock rate 128000
 no frame-relay inverse-arp
 frame-relay intf-type dce
!
interface Serial0/0/1.587 point-to-point
 ip address 10.0.0.2 255.0.0.0
 ip access-group 101 out
 ip inspect test in
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 587
 crypto map test
!
router eigrp 100
 network 10.0.0.0
 network 192.168.101.0
 no auto-summary
 no eigrp log-neighbor-changes
 no eigrp log-neighbor-warnings
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip access-list extended ipsec_acl
 permit ip 192.168.101.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit icmp any any
access-list 101 permit eigrp any any
access-list 101 deny ip any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit ahp any any
access-list 102 permit icmp any any
access-list 102 permit eigrp any any
access-list 102 deny ip any any
access-list 110 permit tcp any any fragments
access-list 110 permit udp any any fragments
access-list 110 deny tcp any any
access-list 110 deny udp any any
access-list 110 permit ip any any
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
 exec-timeout 0 0
 speed 115200
line vty 0 4
 login
!
scheduler allocate 20000 1000
!
end

CSCsh06117

Symptoms: When the ATM Software Segmentation and Reassembly (SAR) feature is enabled, VBR-rt PVCs may be deactivated before VBR-nrt PVCs in an over-subscription scenario.

Conditions: This symptom is observed on a Cisco 2600 series and Cisco MC3810 that have oversubscribed ATM PVCs with a VBR-rt and VBR-nrt class of service.

Workaround: Configure all PVCs with an SCR of less than or equal to the line rate.

CSCsh12294

Symptoms: The voice path between two already connected secure analog VG224 phones is broken when a new call is made to one of the parties.

Conditions: PhoneA calls PhoneB. PhoneA and PhoneB are connected, and the voice path confirmation is established. PhoneC calls PhoneB. Once PhoneB hears the call-waiting tone, the voice path from PhoneB to PhoneA is lost. But when PhoneA talks, PhoneB can hear it.

Workaround: The only workaround is to block call-waiting or use non-secure phones.

Further Problem Description: This symptom occurs only when both the analog phones are secure endpoints. Non-secure phones work fine.

CSCsh71993

Symptoms: SIP may not pass the correct calling number in the header when an e164 address is used. SIP should block the population of the calling party number if the user portion of the "From" header is not an e164 address, preventing the calling party number IE from being populated when ISDN sends the SETUP message. However, this does not occur, and SIP may pass an incorrect number.

Conditions: This symptom is observed on a Cisco gateway that sends Microsoft Communicator SIP calls to the PSTN.

Workaround: There is no workaround.

CSCsh72664

Symptoms: With a DMVPN setup running OSPF, tracebacks are seen.

*Feb 9 12:20:34.147: %SYS-2-MALLOCFAIL: Memory allocation of 1708 bytes failed from 0x605270B0, alignment 32
Pool: I/O  Free: 396512  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool

Conditions: With an mGRE tunnel with tunnel protection configured and OSPF running, the symptom can occur if there is a route for a tunnel transport destination address for a spoke through the tunnel itself.

Workaround: The symptom is seen with a DMVPN setup that is misconfigured so that a tunnel transport destination address is through the tunnel. The symptom will be avoided if there are no routes for tunnel destination addresses through the tunnel.

CSCsi51014

Symptoms: Disk access causes router to crash.

Conditions: Occurs after fsck execution.

Workaround: Format the disk, which causes data loss on the affected disk.

CSCsi57927

Symptoms: A Cisco router that is running Cisco IOS Release 12.2, Release 12.3, or Release 12.4 will show TCP connections that are hung in CLOSEWAIT state. These connections will not time out, and if enough accumulate, the router will become unresponsive and need to be reloaded.

Conditions: This symptom occurs on a Cisco router that is running Cisco IOS Release 12.2, Release 12.3, or Release 12.4 when a copy source-url ftp: command is executed and the FTP server fails to initiate the FTP layer (no banner) but does set up a TCP connection. This may occur when the FTP server is misconfigured or overloaded.

The CLI command will time out, but will not close the TCP connection or clean up associated resources. The FTP server will eventually answer and time itself out, and close the TCP connection, but the router will not clean up the TCP resources at this time.

Workaround: Manually clear TCP resources using the clear tcp command, referencing the show tcp brief command output.
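The following Python script is an added example, not part of the release notes and not Cisco code, that does the bookkeeping behind the workaround: it parses show tcp brief output, counts CLOSEWAIT connections per foreign host and port (a cluster of them toward one FTP server's port 21 is the signature of this caveat), and emits the matching clear tcp tcb commands from the TCB column. The sample output is constructed; the TCB values, addresses and column layout are assumptions modelled on the command's usual format.

```python
import re

# Constructed sample in the layout of 'show tcp brief': TCB, local address.port,
# foreign address.port, state. Values are made up, not captured from a router.
SHOW_TCP_BRIEF = """\
TCB       Local Address               Foreign Address             (state)
6587A2F0  10.1.1.1.23                 10.1.1.200.51234            ESTAB
65A31D8C  10.1.1.1.34567              192.0.2.10.21               CLOSEWAIT
65A40B44  10.1.1.1.34568              192.0.2.10.21               CLOSEWAIT
658C1E20  10.1.1.1.179                10.1.1.2.43120              ESTAB
65B02C10  10.1.1.1.34570              192.0.2.10.21               CLOSEWAIT
"""

# A data row is an 8-digit hex TCB followed by local, foreign and state columns.
TCB_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_addr(addr):
    """'192.0.2.10.21' -> ('192.0.2.10', 21): IOS appends the port as a final dotted field."""
    host, port = addr.rsplit(".", 1)
    return host, int(port)


def parse_tcp_brief(text):
    """Return one dict per connection row; the header line does not match and is skipped."""
    rows = []
    for line in text.splitlines():
        m = TCB_LINE.match(line)
        if not m:
            continue
        tcb, local, foreign, state = m.groups()
        rows.append({
            "tcb": tcb,
            "local": split_addr(local),
            "foreign": split_addr(foreign),
            "state": state,
        })
    return rows


def closewait_by_peer(rows):
    """Count CLOSEWAIT connections per (foreign host, foreign port)."""
    counts = {}
    for r in rows:
        if r["state"] == "CLOSEWAIT":
            counts[r["foreign"]] = counts.get(r["foreign"], 0) + 1
    return counts


def suspect_ftp_hangs(rows, min_count=2):
    """FTP servers (foreign port 21) holding at least min_count CLOSEWAIT connections."""
    return sorted(host for (host, port), n in closewait_by_peer(rows).items()
                  if port == 21 and n >= min_count)


def clear_commands(rows):
    """The 'clear tcp tcb <address>' commands that release each hung connection."""
    return [f"clear tcp tcb {r['tcb']}" for r in rows if r["state"] == "CLOSEWAIT"]


if __name__ == "__main__":
    rows = parse_tcp_brief(SHOW_TCP_BRIEF)
    print("FTP servers with hung connections:", suspect_ftp_hangs(rows))
    print("\n".join(clear_commands(rows)))
```

Run it against a saved show tcp brief capture and paste the emitted commands into the router; clearing the TCBs frees the resources that the failed copy left behind, which is exactly the manual step the workaround describes.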

CSCsi69009

Symptoms: High CPU usage may occur when IPCP is being renegotiated. Eventually, the high CPU usage may cause buffers to back up, may cause error messages to be generated, and may cause L2TP tunnels to be dropped.

Conditions: This symptom is observed on a Cisco router when clients renegotiate IPCP unnecessarily. You can verify this situation by enabling the debug ppp negotiation command or by configuring RADIUS authorization and then checking the virtual-access interface for the phrase "cloned from: AAA, AAA, ..." (that is, multiple instances of AAA) as identification.

Workaround: There is no workaround.

Further Problem Description: You can alleviate the situation somewhat by configuring the NCP Timeout to 15 seconds to disconnect clients that take a long time to renegotiate IPCP. You can also do the following:

Increase the hello timers for L2TP and for the receive windows.

Configure the timers under the virtual template.

Do not configure the redistribution connected command under a routing protocol such as (but not limited to) EIGRP, RIP, or OSPF.

Ensure that the IP local pools are concise. For example, create one statement for multiple /24s instead of splitting all /24s on single lines, because with single lines, the look-up becomes long and contributes to the high CPU usage.

CSCsi80525

Symptoms: The ip ospf prefix-suppression [disable] command might get lost on a loopback interface when the router is reloaded.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(13.13)T1.

Workaround: There is no workaround.

CSCsi82336

Symptoms: Plugging a V.35 DTE cable into an HWIC-4T serial port in a "shutdown" state may result in the shutdown command being removed and the interface coming up/up.

Conditions: This symptom is observed on a Cisco 3845 HWIC-4T that is using the c3845-advsecurityk9-mz.124-13b image.

Workaround: Manually re-add the shutdown command to the serial interface.

CSCsi84605

Symptoms: The show IMA interface IMA X/Y command displays the wrong timing reference link after the clock source is changed.

Conditions: After the network clock priority is changed to be the source clock, IMA still shows the previous clock source. The previous interface was also shut down and brought back up.

Workaround: There is no workaround.

CSCsi89511

Symptoms: With IKE accounting enabled, memory leaks are found when IKE sessions are terminated abnormally.

Conditions: This symptom is observed only when IKE sessions are terminated abnormally (for example, by removing a crypto map from the interface).

Workaround: There is no workaround.

Further Problem Description: The leak is caused by "uncommon" termination of IKE sessions. There are two code paths that clean up the IKE accounting data structure. The first frees everything and is taken in the normal call setup/teardown sequence (for example, when the IPsec tunnel and IKE are both brought down in order). The second is taken because of a race between termination causes in which the IKE peer is notified first and cleans up its accounting structure only partially. The leak is "slow" because the second path is not regularly taken, and it does not affect the actual functionality.

CSCsj01025

Symptoms: When dsapp is used on dial peers with FXS ports to provide hookflash transfer with an IVR system, the FXS ports stop accepting calls after a series of calls, and debugs show an error:

May 22 13:57:44.340 edt: //5690//Devi:/DS_ContactingDest_SetupDone: Unable to Register 
module

Conditions: This symptom is observed when using dsapp on a dial peer with an FXS port.

Workaround: Because the FXS ports no longer accept incoming calls, the only workaround is to reload the gateway.

CSCsj09249

Symptoms: A Cisco IOS router performing Cisco Performance Routing (PfR) Optimized Edge Routing (OER) Master Controller function crashes due to internal timing issue. The traceback may be similar to:

__udivmoddi4 __udivdi3 oer_br_update_iface_counters oer_br_recv_iface_configured 
oer_br_cc_tlv_process oer_cc_read_tcp oer_br_cc_process_socket_event oer_br_process

or

oer_br_update_iface_counters oer_pep_iface_update_timer_handler 
oer_br_process_timer_event tw_timer_tick oer_br_process

or

__udivmoddi4 __udivdi3 oer_br_update_iface_counters oer_pep_iface_update_timer_handler 
tw_notify tw_timer_tick oer_br_process

Conditions:

1) PfR/OER border router configuration mode is accessed or modified on the master controller.

2) OER external interface goes UP/DOWN on the border router.

Workaround: There is no workaround.

CSCsj49293

Symptoms: The interface output rate (214 Mb/s) is greater than the interface line rate (155 Mb/s).

Conditions: This symptom is observed on Cisco 7600, 7500, and 7200 (NPE-400 and below) routers with PA-POS-2OC3 or PA-POS-1OC3 port adapters operating in PULL mode.

Workaround: There is no workaround.

Further Problem Description: From the Ixia, packets are transmitted at 320 Mb/s. On the UUT (Cisco 7600), the outgoing interface (POS-Enhanced Flexwan) shows the output rate as 200 Mb/s. But the interface bandwidth is 155 Mb/s.

CSCsj53804

Symptoms: When running double auth crypto (ah encap and esp encap auth together) configurations and passing large packet data that requires fragmentation, errored packets can be observed.

Conditions: This defect affects only routers with AIM-VPN-SSL AIM cards installed. Routers that support this AIM are Cisco 1800, 2600, 2800, 3700, and 3800.

Workaround: Do not use ESP and AH double authentication, or use the no crypto engine accel command in the configuration to run encryption in the SW engine.

CSCsj55043

Symptoms: On certain specific router platforms, if multiple subinterfaces are configured on a Gigabit Ethernet motherboard interface and if these subinterfaces are configured with HSRP and the same VMAC, then whenever the router becomes HSRP standby for at least one of these subinterfaces, the router drops all traffic that is directed to the same VMAC on other subinterfaces.

The following is a sample configuration that would be exposed to this issue:

interface GigabitEthernet0/0.1  
 encapsulation dot1Q 1 native  
 ip address 10.1.0.100 255.255.0.0  
 standby 1 ip 10.1.0.1  
 standby 1 mac-address 0000.0000.0001 
!  
interface GigabitEthernet0/0.2  
 encapsulation dot1Q 2 
 ip address 10.2.0.100 255.255.0.0  
 standby 2 ip 10.2.0.1  
 standby 2 mac-address 0000.0000.0001

Conditions: This symptom is observed only on Cisco 3800 (both 3825 and 3845), 7200/NPE-G1 and 7301 motherboard Gigabit Ethernet interfaces. It is not observed on Fast Ethernet/WAN modules or on other router platforms.

Workaround: The problem does not occur if different VMAC addresses are configured on different subinterfaces or if static VMACs are not used.

If the problem is encountered in a production environment, a quick workaround is to shut down the Gigabit Ethernet interface of the other router in order to make one router HSRP active in all VLANs.

CSCsj74102

Symptoms: DTMF digits are not recognized by the remote side.

Conditions: Occurs on a Cisco MGW using MGCP configured for DTMF RFC2833 standard under control of Cisco PGW2200. When the first digit is pressed it contains a wrong synchronization source identifier in an RTP header.

Workaround: There is no workaround.

CSCsj94561

Symptoms: A router may crash because of a bus error when you perform an OIR of a PA-MC-8TE1+ port adapter or when you enter the hw-module slot slot-number stop command for the slot in which the PA-MC-8TE1+ port adapter is installed.

Conditions: This symptom is observed on a Cisco 7200 series.

Workaround: There is no workaround.

CSCsk21764

Symptoms: A Cisco router may reload unexpectedly due to a bus error crash.

Conditions: The symptoms can be observed when the router is running Voice XML.

Workaround: There is no workaround.

CSCsk22496

Symptoms: A spurious access or a router crash may be seen when a crypto key is removed.

Conditions: This symptom is observed when an attempt is made to remove a crypto key that was never generated on the router.

Workaround: There is no workaround.

CSCsk23972

Symptoms: A router running an IOS image may stop accepting incoming TELNET connections.

Conditions: Occurs when 20 or more VRFs are configured and they have incoming TCP connections arriving at the host for non-existing services from different VRFs.

Workaround: Use the show tcp brief all command to view TCB that have local and foreign addresses as "*.*". Clear those entries using the clear tcp tcb address-of-the-TCB command.

Further Problem Description: When an incoming SYN is received for a non-existing service, for example to BGP port with BGP not configured, TCP leaks a TCB that has laddr and faddr as *.*. This TCB is usually reused for the next incoming connection.

However when VRFs are configured, such TCB can be reused only for that VRF. If there are several VRFs configured in the box, one TCB per VRF will be leaked. And there is a limit of 20 such "wild TCBs" in the system. So, once we reach the limit of 20, because we leak one per each different VRF, any connection request coming in will be denied.

CSCsk26331

Symptoms: After upgrading router code to Cisco IOS Release 12.4.13a, the CLI will not allow any changes to an ATM PVC. The following error appears:

Possibly multiple users configuring IOS simultaneously.

Conditions: This symptom is observed with a Cisco 7206vxr router with an npe-g1, when an IMA interface is configured with a bandwidth value higher than the allowed value before the "ima-group" has been added on the ATM interface.

When the no shutdown command is configured on the IMA interface, the PVC cannot be deleted.

Workaround: Reload the router.

Further Problem Description:

RouterA (config)# interface atm 1/ima1.14016 
RouterA (config-subif)# no pvc innac 20/14018 
Unable to delete PVC 20/14018 on ATM1/ima1.14016. 
Possibly multiple users configuring IOS simultaneously.

CSCsk32095

Symptoms: The Ethernet interface flaps after configuring QoS on the interface.

Conditions: Occurs on PA-2FE-TX port adapter after applying QoS to the interface.

Workaround: There is no workaround.

CSCsk50163

Symptoms: The help returned by the ? in the "crypto pki certificate storage on with-keypair" CLI is incomplete.

Conditions: This issue is seen while loading Cisco IOS Release 124-17.4.T1 and 124-12.9.PI6.

Workaround: There is no workaround.

CSCsk50208

Symptoms: Shape average percentage calculations seem to be wrong, and the configured shape average percentage cannot be changed.

Conditions: This symptom is observed on a Cisco router that is configured with the MQC-Based Frame Relay Traffic Shaping feature.

Workaround: There is no workaround.

CSCsk63655

Symptoms: A Media Gateway Control Protocol (MGCP) gateway may return a 524 or 510 error code with the reason as "invalid local connection option" for a valid "L:" parameter in a CRCX message.

Conditions: The symptoms can be observed on a router that is running Cisco IOS Interim Release 12.4(17.4)T1 or later, when the debug mgcp parser command with verbose tracelevel is disabled.

Workaround: Enable the debug mgcp parser command with verbose tracelevel.

CSCsk76053

Symptoms: When using route-map to redirect the traffic from one physical interface to be rerouted to the loopback interface, the traffic is not redirected.

Conditions: Occurs when the router is configured as an "EZVPN client on a stick", with one physical interface serving as both inside and outside and a loopback interface acting as the inside.

Workaround: Configure interface vlan1.

CSCsk90416

Symptoms: Spurious Access is seen while configuring Instant Messenger Application Firewall Inspection.

Conditions: This failure is seen in Cisco IOS image c7200-adventerprisek9- mz.124-11.T4.

Workaround: There is no workaround.

CSCsk97261

Symptoms: A router crashes with an Unexpected exception to CPUvector traceback.

Conditions: Issuing the modemui command with a large input parameter in the [modem-commands], such as:

host> modemui ATZaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa OK OK OK
Host:
00:05:30 UTC Mon Mar 1 1993: Unexpected exception to CPUvector 1200, PC = 804829C4
-Traceback= 804829C4 8049E4B0 8049E798 80492924 803CAE9C 803CB7E0 803CB6D8 803CDE88
80574D04 80575978 803A6CC8 80CA1B60 80CA2008 80CA21FC 80CA21FC 80CA21FC

More information about the Cisco Modem User Interface feature is available at the following URL:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftcmodui.html

Workaround: There is no workaround.

CSCsl09874

Symptoms: OSPF may generate traceback when interface of router goes down or shut down administratively.

Conditions: Affects Cisco IOS Release 12.4(15)T and later and Cisco IOS Release 12.2SRC.

Workaround: There is no workaround.

CSCsl10459

Symptoms: Routers that are running Cisco IOS Release 12.4(13b) and Release 12.4(16) may crash when the show crypto pki timers command is executed.

Conditions: This symptom is observed under a narrow set of conditions: the certificates in use must have been issued with a Certificate Distribution Point in URL format, and certain other, as yet unidentified, circumstances must also apply.

Workaround: Avoid using the show crypto pki timers command.

CSCsl13104

Symptoms: Recursive static routes are not being resolved. The show ipv6 rpf command does not show the recursion count in the RPF recursion count field.

Conditions: This symptom occurs when nonlooping recursive IPv6 static mroutes are configured. This symptom is triggered when IPv6 is configured with PIM Sparse-Mode. The impact of this symptom is that Multicast traffic flow is affected.

Workaround: There is no workaround.

CSCsl25904

Symptoms: A router that is configured with an IPSLA RTP operation crashes intermittently.

Conditions: No particular scenario has been identified so far. Sometimes the crash does not occur for several days.

Trigger: Configuration of IPSLA.

Impact: The router crashes with tracebacks.

-Traceback= 0x62236E18
$0 : 00000000, AT : 64AB0000, v0 : 66A57B74, v1 : 65263668
a0 : 66A57B74, a1 : 65200000, a2 : 00000000, a3 : 00000000
t0 : 00000000, t1 : 3400FF01, t2 : 00000000, t3 : FFFF00FF
t4 : 60D265D8, t5 : 00000001, t6 : 0D0D0D0D, t7 : 3400FF00
s0 : 00000000, s1 : 00000000, s2 : 651FD7C8, s3 : 649D0000
s4 : 641B0000, s5 : 651FD7C8, s6 : 65200000, s7 : 00000000
t8 : 00000003, t9 : 6419234C, k0 : 30408001, k1 : B0020000
gp : 64AB27C0, sp : 653B1298, s8 : 00000000, ra : 62236E0C
EPC : 62236E18, ErrorEPC : BFC05CFC, SREG : 3400FF03
MDLO : 00000000, MDHI : 00000000, BadVaddr : 0D0D0D3D
DATA_START : 0x62891060
Cause 00000010 (Code 0x4): Address Error (load or instruction fetch) exception

Workaround: Remove the IPSLA RTP operation configuration.

CSCsl30331

Symptoms: Prefixes are allowed by the outbound route-map even though the match condition is met and the action is set to deny.

Conditions: Occurs in the following scenario:

1. The iteration with the deny action contains a match community.

2. The continue statement is used in one of the previous iterations.

Workaround: If there is a single match clause based on NLRI, the condition is avoided.

Further Problem Description: Route-maps can be used without continue to avoid the problem.

CSCsl32122

Symptoms: VPN client users using a certificate to connect to a Catalyst 6000 or Cisco 7600 with VPN blade fail to connect. IPSec negotiation fails during mode configuration.

Conditions: Conditions are unknown at this time.

Workaround: Preshared key authenticated VPN clients can connect without problem.

CSCsl32142

Symptoms: A router may reload after reporting SYS-3-OVERRUN or SYS-3-BADBLOCK error messages. SYS-2-GETBUF with `Bad getbuffer' error may also be reported.

Conditions: Occurs when PIM auto-RP is configured and IP multicast boundary is enabled with the filter-autorp option.

Workaround: Configure IP multicast boundary without the filter-autorp option.

CSCsl34481

Symptoms: Router crashes due to IPv6 multicast routing.

Conditions: This happens after applying multicast routing configurations, and again while unconfiguring.

Workaround: There is no workaround.

CSCsl47935

Symptoms: A router that is configured to be an EZVPN client in Network Extension Mode fails to rekey the phase 2 SAs.

Conditions: The conditions under which this symptom is observed are unknown.

Workaround: Any one of the following workarounds will get the tunnel up.

1. Clear the crypto SAs.

2. Pass interesting traffic from the EZVPN client.

3. Reload the router.

CSCsl58230

Symptoms: 100 percent CPU utilization at the interrupt level is observed on a Cisco router following an upgrade from Cisco IOS Release 12.3(8)YG5 to Release 12.3(8)YG6.

Conditions: The symptom is observed on a Cisco 837 router.

Workaround: The only workaround is to not upgrade to Cisco IOS Release 12.3(8)YG6 from Release 12.3(8)YG5.

CSCsl58881

Symptoms: A Cisco 2950 switch or any Cisco router may crash unexpectedly.

Conditions: Occurs under the following scenario:

Cisco Discovery Protocol (CDP) is enabled globally.

The show cdp neighbor command is executed on the CLI.

The Cisco 2950 is connected to Cisco IP phones.

A third-party power-over-Ethernet adapter powers the IP phones.

Workaround: Disable CDP.

CSCsl63212

Symptoms: L2TP network server (LNS) router crashes while establishing virtual private dial-up network (VPDN) and shutting down client interface.

Conditions: Occurs while making call from client to LNS with specific configurations.

Workaround: There is no workaround.

CSCsl63409

Symptoms: A Cisco 2851 router continuously crashes after booting up.

Conditions: Misconfigurations could be the trigger for this symptom.

Workaround: There is no workaround.

Further Problem Description: This defect is triggered when PVDMs are present in the platform. Also, this defect appears every time the router is rebooted.

CSCsl81170

Symptoms: When adding a static NAT translation, a permanent ARP entry is added. When configuring multiple translations for the same address and removing one, the ARP entry is removed even though there may be a NAT translation that still requires it.

Conditions: The symptoms are observed when there are multiple translations with the same addresses, for example:

ip nat inside source static tcp 192.168.2.1 20 192.168.4.5 20 extendable
ip nat inside source static tcp 192.168.2.1 21 192.168.4.5 21 extendable

Workaround: Remove and re-add the NAT configuration lines for the IP address.

CSCsl87404

Symptoms: L2TP tunnels are not getting established.

Conditions: Occurs on a router running Cisco IOS Release 12.4(15)T2.

Workaround: There is no workaround.

CSCsl95431

Symptoms: A router may reload when malformed packets are sent to the TFTP UDP port.

Conditions: This symptom is observed when malformed traffic is sent to the router's TFTP UDP port 69 (TFTP). The TFTP server port must be listening within Cisco IOS software.

TFTP port 69 is opened in Cisco IOS software under the following circumstances:

TFTP-Server is explicitly enabled with the tftp-server filename command:

For further information on the TFTP Server functionality, see:

http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/ffun_c.html

E-Phones are configured.

If Cisco Unified Communications Express (CME) is being used and ephones are configured, port UDP 69 (TFTP) will be opened within Cisco IOS software. If the configuration contains ephone-dn arguments .., then port 69 is opened.

For further information on the CME ephone functionality, see:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmebasic.html#wp1013086

Workaround: There is no workaround; however the following mitigation may be suitable for some customer environments:

Infrastructure ACLs (iACL)

----------------------------------

Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. iACLs are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The iACL example shown below should be included as part of the deployed infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP address range:

!--- Permit TFTP (UDP port 69) packets 
!--- from trusted hosts destined to infrastructure addresses. 
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq tftp 
!--- Deny TFTP (UDP port 69) packets 
!--- from all other sources destined to infrastructure addresses. 
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq tftp 
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance 
!--- with existing security policies and configurations 
!--- Permit all other traffic to transit the device. 
access-list 150 permit ip any any 
interface serial 2/0 
ip access-group 150 in

The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
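The two triggers listed above (an explicit tftp-server command, or CME ephone configuration) and the iACL mitigation are easy to audit offline from a saved running-config. The following Python script is an added example, not part of these release notes or of Cisco IOS: it flags a configuration that opens UDP/69 and reports whether a numbered extended ACL denying TFTP is applied inbound on at least one interface. The configurations embedded in it are constructed, and the parsing is deliberately narrow (numbered extended ACLs only, no named ACLs or object groups).

```python
"""Audit an IOS running-config for exposure of the TFTP server (UDP/69).

Added example; not Cisco code. Configs below are constructed. Only numbered
extended ACLs with 'eq tftp' / 'eq 69' are understood.
"""

import re

# 'tftp-server <filename>' explicitly enables the IOS TFTP server.
TFTP_SERVER_RE = re.compile(r"^[ \t]*tftp-server[ \t]+\S+", re.MULTILINE)
# CME ephone / ephone-dn entries also cause IOS to open UDP/69.
EPHONE_RE = re.compile(r"^[ \t]*ephone(-dn)?[ \t]+\d+", re.MULTILINE)
# A numbered extended ACE: 'access-list N deny udp any <dst> eq tftp|69'.
DENY_TFTP_RE = re.compile(
    r"^[ \t]*access-list[ \t]+(\d+)[ \t]+deny[ \t]+udp[ \t]+any[ \t]+.+?"
    r"[ \t]+eq[ \t]+(?:tftp|69)[ \t]*$",
    re.MULTILINE,
)
# 'ip access-group N in' under an interface.
ACL_IN_RE = re.compile(r"^[ \t]*ip access-group[ \t]+(\d+)[ \t]+in\b", re.MULTILINE)


def tftp_listener_reasons(config):
    """Return the reasons UDP/69 would be listening, or [] if this config does not open it."""
    reasons = []
    if TFTP_SERVER_RE.search(config):
        reasons.append("tftp-server command present")
    if EPHONE_RE.search(config):
        reasons.append("CME ephone/ephone-dn configured")
    return reasons


def tftp_iacl_applied(config):
    """True if some numbered ACL denies UDP/69 from 'any' and is applied inbound somewhere."""
    denying = {m.group(1) for m in DENY_TFTP_RE.finditer(config)}
    applied = {m.group(1) for m in ACL_IN_RE.finditer(config)}
    return bool(denying & applied)


def assess(config):
    """One-line verdict combining listener state and iACL mitigation."""
    reasons = tftp_listener_reasons(config)
    if not reasons:
        return "not exposed: this configuration does not open UDP/69"
    if tftp_iacl_applied(config):
        return "exposed but mitigated by iACL: " + "; ".join(reasons)
    return "EXPOSED: " + "; ".join(reasons)


# Constructed sample configurations (not from any real device).
CFG_CLEAN = """\
hostname core-rtr
interface Serial2/0
 ip address 192.0.2.1 255.255.255.252
"""

CFG_EXPOSED = """\
hostname branch-gw
tftp-server flash:startup-backup.cfg
interface Serial2/0
 ip address 192.0.2.1 255.255.255.252
"""

CFG_MITIGATED = CFG_EXPOSED + """\
access-list 150 permit udp host 192.0.2.10 192.0.2.0 0.0.0.255 eq tftp
access-list 150 deny udp any 192.0.2.0 0.0.0.255 eq tftp
access-list 150 permit ip any any
interface Serial2/0
 ip access-group 150 in
"""

CFG_EPHONE = """\
hostname cme-gw
telephony-service
 max-ephones 24
ephone-dn 1
 number 1001
ephone 1
 mac-address 0011.2233.4455
"""

if __name__ == "__main__":
    for name, cfg in [("clean", CFG_CLEAN), ("exposed", CFG_EXPOSED),
                      ("mitigated", CFG_MITIGATED), ("ephone", CFG_EPHONE)]:
        print(f"{name:10s} {assess(cfg)}")
```

The check is coarse on purpose: it confirms that a denying ACL exists and is applied inbound on some interface, not that every ingress interface carries it, and it cannot see ACLs applied upstream on a border device. Treat "mitigated" as a prompt to verify placement, not as proof.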

CSCsl96370

Symptoms: A CPUHOG message may be seen.

Conditions: This symptom is observed when the following three conditions are met:

1. HSRP debugs are enabled.

2. The router is logging to console.

3. An interface with more than 50 HSRP groups is shut down.

Workaround: There is no workaround.

CSCsm08010

Symptoms: A Cisco IOS VG224 voice gateway may reload unexpectedly if an FXS voice port configured with the caller-id enable command, receives a call where the calling number (ANI) is greater than 32 digits.

Conditions: The symptom is observed when caller-id is enabled and the ANI is greater than 32 characters in length.

Workaround: The workaround is to disable caller-id in the FXS voice port and restrict the ANI to less than 32 digits.

CSCsm13968

Symptoms: A router crashes when a service policy with FPM is configured, removed, and reconfigured on an interface.

Conditions: This symptom is seen only when the service policy is configured, then removed, and reconfigured on the same or a different interface.

Workaround: There is no workaround.

CSCsm20351

Symptoms: AAL2 trunk alarm is not generated for a resource availability indication (RAI) condition when a T1 is disconnected from a VWIC module.

Conditions: This issue is seen when AAL2 trunking is configured on a Cisco 2811 running Cisco IOS Release 12.4(17a).

Workaround: There is no workaround.

Further Problem Description: This issue is not seen on non-ISR platforms running Cisco IOS Release 12.3.

CSCsm21335

Symptoms: When the cm-manager config server ip-address command is used, the router fails to configure or misconfigures the gateway voice ports. This results in non-functional voice ports.

Conditions: Occurred on a Cisco 3845 running the c3845-advipservicesk9-mz.124-13d.bin image. Example of the errors follow:

voice-port 1/0/0
 signal unknown              <--- should have been default loop start
 ring frequency unknown      <--- should have been default ring freq
 timing hookflash-in 400 20
 shutdown                    <--- should have been no shut

In addition, PRI E1 trunks fail with no dial tone yet there is no indication why. The Cisco IOS configuration looks okay.

Workaround: Do not use these commands. Configure the MGCP gateway manually.

CSCsm21831

Symptoms: Voice calls are not successful.

Conditions: Call flow is through a NAT-SBC router, which crashes when the call is initiated.

Workaround: There is no workaround.

CSCsm27979

Symptoms: A router crashes with "Address Error (load or instruction fetch) exception" when the show ip vrf vrf-name command is used.

Conditions: On one vty session, enter the show ip route vrf vrf-name command and leave it paused at the "more" prompt. From another user interface session, enter configuration mode and then enter the no ip vrf vrf-name command using the same VRF name. After at least 5 minutes, the router crashes when any key is pressed on the session that is running the show command.

Workaround: Make sure that there is no show ip route vrf command pending before entering the no ip vrf command.

CSCsm34226

Symptoms: Router crashed during stress test of 5000-6000 56-byte UDP packets per second.

Conditions: Occurred on a Cisco 878 router running 12.4(15)T1.

Workaround: There is no workaround.

CSCsm34361

Symptoms: TCP ports may not show open as required during port scanning using NMAP.

Conditions: This symptom is observed on a Cisco 7200 router.

Workaround: There is no workaround.

CSCsm34632

Symptoms: PPTP connection does not get established properly. Users are stuck in authentication phase

Conditions: Occurs when PPTP server is behind a NAT router configured with a static NAT entry.

Workaround: There is no workaround.

CSCsm47916

Symptoms: Memory fragmentation and tracebacks occur after an uptime of 10 days of handling calls related to AA, ICD, and conference.

Conditions: This is seen on a Cisco 1861 configured for Cisco Unified CallManager Express (CME) and interacting with Unified Contact Center Express (UCCX).

Workaround: There is no workaround.

CSCsm69147

Symptoms: An H.323 gateway may crash with memory corruption.

Conditions: The symptom is observed on a Cisco platform that functions as an H.323 gateway and that is running Cisco IOS Release 12.4(7e) and 12.4(13e). It may be observed in other releases as well. It occurs whenever the H.323 gateway wants to connect to a remote host and there are no free sockets available for this process.

Workaround: There is no workaround.

CSCsm73602

Symptoms: High CPU load due to VTEMPLATE Backgr process.

Conditions: Occurs when the ip multicast boundary command is used on many interfaces (8000 or more).

Workaround: There is no workaround.

CSCsm74168

Symptoms: Cisco Unified Border Element (CUBE) crashes.

Conditions: CUBE crashes when Org. transferred to party (also on terminating side) answers the call. Call flow is as follows:

Org.--(SIP Trk)--CSPS--(SIP Trk)--CUBE1--(SIP Trk)--CUBE2--(H323 Trk)--Term.

Workaround: There is no workaround.

CSCsm85249

Symptoms: Mobile IP (MoIP) tunnel never comes up on a mobile router when roaming to the cellular interface. This is because the HWIC-3G-GSM never receives or accepts the registration reply from the Home Agent.

Conditions: Occurred on a Cisco 3845 router.

Workaround: There is no workaround.

CSCsm87959

Symptoms: An HSRP IPv6 address may become :: if the IP address of an interface is changed.

Conditions: At least one HSRP IPv4 group should exist on the interface.

Workaround: Delete the group completely from the configuration, and then reconfigure it.

Once the problem occurs, the HSRP IPv6 group must be deleted and re-added.

CSCsm88305

Symptoms: A router running Cisco IOS may crash with a bus error.

Conditions: This is seen on the Cisco 2800 series platform when one or both of the onboard ethernet ports are configured as part of an etherchannel. Under low to medium traffic loads, the device may crash when executing show run or write mem commands. It also might crash without user intervention under high traffic loads.

Workaround: Do not use the etherchannel feature for onboard ethernet ports on the Cisco 2821.

CSCso00104

Symptoms: Modifying the aggregation-type prefix-length under Optimized Edge Routing (OER)/learning, along with the ACL used by oer-map for traffic matching can lead to router crash.

Conditions: The router crash was observed when aggregation-type prefix-length and the ACL used by OER-MAP was changed. The aggregation-type prefix-length can be configured as:

oer master learn aggregation-type prefix-length 16

The OER-MAP can be configured as follows (in this case, the oer-map is used to set monitor mode to active for the traffic matching the ACL):

!
oer-map BRANCH 10
 match traffic-class access-list OerMapAclHttp
 set mode route control
 set mode monitor active
 set unreachable threshold 10
 set active-probe echo 10.1.6.254
 set probe frequency 10

Workaround: After making the configuration changes, if the configuration is saved right away, and then the router is reloaded, the crash was not observed. This can be used as a workaround for this crash.

CSCso00792

Symptoms: After receiving disconnect message from ISDN, the actual call disconnection is delayed by 64 seconds.

Conditions: The symptom is observed when the disconnect is received from the incoming ISDN call leg for a TDM-hairpin, DSPless call.

Workaround: There is no workaround.

CSCso01307

Symptoms: On the standby router of a Hot Standby Router Protocol (HSRP) pair, accounting records generated by the aaa accounting commands and aaa accounting system commands are suppressed; the records are only produced while the router is HSRP active, even though both commands are configured.

Conditions: AAA accounting is configured on a router pair running HSRP.

Workaround: Change the router to the active state before making changes that are to be logged.

Further Problem Description: The following message appears when the debug aaa accounting command is enabled and a record is suppressed:

*<time/date>: AAA/ACCT/CMD(00000003): Suppressed record

CSCso02348

This is an enhancement request to add more description to the OER fields. Right now it is very hard to follow unless you are familiar with the command.

CSCso03047

Symptoms: The multilink interfaces stop forwarding traffic, and the serial interfaces out of the multilink start to flap.

Conditions: This symptom is observed when the E3 controller is saturated.

Workaround: Enter the shutdown command followed by the no shutdown command on the controller.

CSCso13102

Symptoms: Configuring a QoS policy, including Control Plane Protection (CPPr) and Control Plane Policing (CoPP), using ACLs with overlapping ACEs can cause ACEs to be skipped or processed out of order.

Conditions: When ACLs are used with CPPr, CoPP, or standard QoS policies, ACEs may be skipped when examining traffic that may match more than one ACE.

For example, the following ACL is used with a CPPr configuration that is applied to the aggregate control-plane interface.

access-list 110 deny   icmp host 192.168.100.1 any 
access-list 110 permit icmp host 192.168.100.1 any 
access-list 110 deny   icmp any any 
access-list 110 permit icmp any any

Sending pings from 192.168.100.1 to 10.255.255.102 results in the following show access-list output, and the incoming pings are in fact dropped.

Router# show access-list 
Extended IP access list 110
10 deny icmp host 192.168.100.1 any 
20 permit icmp host 192.168.100.1 any (11 matches) 
30 deny icmp any any 
40 permit icmp any any (5 matches)

Workaround: Remove overlapping ACE entries or rework the ACL.
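Under correct first-match semantics the ping above must hit sequence 10 and never reach 20 or 40; the match counters shown are what make this caveat visible. The following Python script is an added example, not Cisco code: it evaluates a numbered extended ACL with first-match semantics so the expected result can be compared with what the router reported, and it lists ACEs that are fully shadowed by an earlier entry, which is exactly what the workaround asks you to remove. It assumes contiguous wildcard masks and only the address and protocol fields (no ports, no named ACLs); the ACL text is the one from the caveat.

```python
"""First-match evaluation of an IOS extended ACL plus shadowed-ACE detection.

Added example; not Cisco code. Handles 'any', 'host A.B.C.D' and
'A.B.C.D WILDCARD' (contiguous wildcards only); ports are ignored.
"""

import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "icmp", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_addr(tokens):
    """Consume one address spec from the front of tokens and return an IPv4Network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard: invert to a netmask so 0.0.0.0 means /32, not /0
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = str(ipaddress.IPv4Address(ALL_ONES ^ wildcard))
    return ipaddress.ip_network((tok, netmask), strict=False)  # raises on non-contiguous masks


def parse_acl(text):
    """Parse 'access-list N <action> <proto> <src> <dst>' lines; sequence numbers 10, 20, ..."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        tokens = tokens[2:]                     # drop keyword and ACL number
        action, proto = tokens.pop(0), tokens.pop(0)
        src = parse_addr(tokens)
        dst = parse_addr(tokens)
        aces.append(Ace(10 * (len(aces) + 1), action, proto, src, dst))
    return aces


def ace_matches(ace, proto, src_ip, dst_ip):
    proto_ok = ace.proto == "ip" or ace.proto == proto
    return (proto_ok
            and ipaddress.ip_address(src_ip) in ace.src
            and ipaddress.ip_address(dst_ip) in ace.dst)


def evaluate(aces, proto, src_ip, dst_ip):
    """IOS semantics: the first matching ACE wins; implicit deny if none match."""
    for ace in aces:
        if ace_matches(ace, proto, src_ip, dst_ip):
            return ace.seq, ace.action
    return None, "deny"


def shadowed_aces(aces):
    """Return (later_seq, earlier_seq) pairs where the later ACE can never be hit
    because an earlier ACE covers its whole protocol/source/destination space.
    Partial overlaps are not reported."""
    found = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            proto_covers = earlier.proto == "ip" or earlier.proto == later.proto
            if (proto_covers and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                found.append((later.seq, earlier.seq))
                break
    return found


# The ACL from the caveat text.
ACL_110 = """
access-list 110 deny   icmp host 192.168.100.1 any
access-list 110 permit icmp host 192.168.100.1 any
access-list 110 deny   icmp any any
access-list 110 permit icmp any any
"""

if __name__ == "__main__":
    aces = parse_acl(ACL_110)
    print("ping 192.168.100.1 -> 10.255.255.102:",
          evaluate(aces, "icmp", "192.168.100.1", "10.255.255.102"))
    print("shadowed (later, by earlier):", shadowed_aces(aces))
```

Running it reports that the ping should be decided by sequence 10 (deny) and that sequences 20 and 40 are shadowed by 10 and 30 respectively. Any match counter incrementing on a shadowed ACE, as in the show access-list output above, is direct evidence of the out-of-order processing this caveat describes; removing the shadowed entries both reworks the ACL as the workaround suggests and makes such counter anomalies impossible to miss.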

CSCso15220

Symptoms: A Cisco router may experience a memory leak in the VTSP process. The router appears to lose its free memory until it starts to display "SYS-2-MALLOCFAIL" messages in the log and finally crashes per low memory condition.

Conditions: The symptoms occur only when a call fails before it reaches the connect state.

Workaround: The only workaround is to schedule router manual reloads at regular intervals, so that the outages occur at the lowest-impacting moments.

CSCso21888

Symptoms: Router may spontaneously reload.

Conditions: Occurs on routers configured with iSPF computation algorithm in OSPF.

Workaround: Disable iSPF.

CSCso22331

Symptoms: A Cisco 2811 router running as voice gateway may crash after enabling the debug voip vtsp event command.

Conditions: The symptom can be seen when 2-stage dialing is enabled and SETUP_ACK with a Progress Indicator is received on the outbound leg of the router.

Workaround: Disable the debug voip vtsp event command.

CSCso28309

Symptoms: Ping fails from reflector during internal testing.

Conditions: The goal of the test is to verify the successful termination of PPP/PPPoE over ATM sessions on router's ATM interface using auto sensing. It is performed with auth_pap, process switch, and keepalive disabled. This has a functional impact as the virtual access entry is not getting added to the routing table after doing clear ip route.

Workaround: There is no workaround.

CSCso34076

Symptoms: A Cisco router may reload when unconfiguring ccm-manager.

Conditions: This is seen on an MGCP gateway running Cisco IOS Release 12.4(15)T4 when the no ccm-manager config command is entered.

Workaround: There is no workaround.

CSCso37578

Symptoms: When the media play command is issued to play media in a TCL IVR script, the media does not play. The script itself works.

Conditions: This problem is observed in the following conditions:

Using Cisco 1760 chassis (The problem is not observed on Cisco 2801 chassis).

Using Cisco IOS Release 12.4(15)T (Cisco IOS Release 12.4(11)T or earlier releases do not have this problem).

Using its-CISCO.2.0.1.0.tcl.

Workaround: Enter the debug voip app kadis_togg command in enable mode on the router. Prompt playback will then work on the Cisco 1700 series router.

CSCso38132

Symptoms: An analog dial-in call to an AS5400 router fails. The ping from the caller fails with the error "Timeout expecting: CONNECT".

Conditions: Occurs on a Cisco AS5400 running Cisco IOS Release 12.4(19.9)T1.

Workaround: There is no workaround.

CSCso39886

Symptoms: A router crashes when PPPoE sessions are coming up.

Conditions: This symptom is observed on a Cisco 7301 router when QoS policing is applied to the PPPoE sessions.

Workaround: There is no workaround.

CSCso47048

Symptoms: A router may crash with the following error message:

%SYS-2-CHUNKBADFREEMAGIC: Bad free magic number in chunk header, chunk 6DF6E48 data 
6DF7B48 chunk_freemagic EF430000 -Process= "Check heaps", ipl= 0, pid= 5,
-Traceback= 0x140C170 0x1E878 0x1EA24 0x1B4AC 0x717DB8 chunk_diagnose, code = 2 chunk 
name is PPTP: pptp_swi
current chunk header = 0x06DF7B38 data check, ptr = 0x06DF7B48
next chunk header = 0x06DF7B70 data check, ptr = 0x06DF7B80
previous chunk header = 0x06DF7B00 data check, ptr = 0x06DF7B10

Conditions: Issue has been seen on Cisco 7200 router with NPE-G2 configured for L2TP and running Cisco IOS Release 12.4(15)T3 and Cisco IOS Release 12.4(15)T4.

Workaround: There is no workaround.

CSCso47627

Symptoms: A Cisco router may crash while doing a simultaneous operation in pvc-in-range 0/32 and vc-class atm word.

Conditions: This symptom is observed while configuring simultaneously in pvc-in-range 0/32 and vc-class atm word.

Workaround: There is no workaround.

CSCso47738

Symptoms: Gateway sends 200 OK with media direction as SENDRECV for a reINVITE with offer having media direction INACTIVE.

Conditions: This is seen for the supplementary services when the call is put on HOLD and then RESUMED.

Workaround: There is no workaround.

CSCso47788

Symptoms: A customer is initially running a 6xT1 MLP bundle using three VWIC-2MFT-T1 modules in slot 0 of a Cisco 3825 router. The customer is running both voice and data over this MLP link with QoS (LLQ/CBWFQ) applied to the multilink. The MLP circuit is connected to an MPLS network. The customer has fragmentation disabled on the multilink.

The issue occurs when the customer adds a 7th and/or 8th T1 to the MLP bundle, connected in slot 2 (VWIC2-2MFT-T1/E1). The customer sees increased latency and jitter using extended pings over the MLP bundle.

Conditions: Occurs on a Cisco 3825 running the c3825-spservicesk9-mz.124-7b Cisco IOS image and using a VWIC2-2MFT-T1/E1 module installed in slot 2 (NM-HDV2-2T1/E1).

Workaround: Manually configure tx-ring-limit 2 under the serial interfaces residing on the VWIC2-2MFT-T1/E1.

CSCso54391

Symptoms: An MLPP call receiving preemption for reuse on unanswered call from the PBX fails to complete.

Conditions: This symptom is observed on all platforms.

Workaround: There is no workaround.

CSCso55047

Symptoms: Router crashes while unconfiguring debug condition all on L2TP network server (LNS).

Conditions: This symptom occurs when no debug condition all is configured to remove the condition that was initially set.

Workaround: There is no workaround.

CSCso56185

Symptoms: L2TP Start-Control-Connection-Request (SCCRQ) and Start-Control-Connection-Reply (SCCRP) messages have an incorrect setting of the mandatory bit for the Receive Window Size attribute-value pair (AVP). This may cause L2TP/VPDN sessions to fail to connect.

Conditions: Occurs in VPDN environments where the peer requires tight protocol adherence.

Workaround: There is no workaround.

CSCso60063

Symptoms: Router crashes when the no password pass is issued from the console while configuring "dot1x credentials" in configuration mode.

Conditions: Occurs only when the no password pass1 command is entered.

Workaround: There is no workaround.

CSCso62266

Symptoms: The router forwards Bridge Protocol Data Units (BPDUs) after spanning tree is disabled, but after a reload it blocks them.

Conditions: Occurs when switch-port is configured.

Workaround: Enable spanning-tree. You may then disable it again if it is not desired.

CSCso62511

Symptoms: A router may crash. The log file before the crash indicates:

%SYS-3-CPUHOG: Task is running for (44004)msecs, more than (2000)msecs (1/1),process = 
IP NAT Ager. -Traceback= 0x61F9B630 0x61FA31BC 0x61F6B9F8 0x62E47F04 0x62E48048 
0x61F6BDF4

Conditions: The symptom is observed on a router configured for NAT and running SIP calls.

Workaround: There is no workaround.

CSCso64104

Symptoms: A router may crash after applying the configurations related to PA-MC-2T3-EC immediately after the router reloads.

Conditions: The symptom is observed on Cisco 7200 series and a 7301 router.

Workaround: Do not configure PA-MC-2T3-EC immediately after the router reloads.

CSCso64585

Symptoms: Jitter or voice quality issues may occur.

Conditions: The symptoms are observed when there is more than one ephone monitoring the same Park DN. This causes more than one of the same SCCP message to be sent to the phone in a few milliseconds.

Workaround: There is no workaround.

CSCso64889

Symptoms: A router log contains the following error message, and its performance becomes severely degraded:

%SYS-3-CPUHOG: Task is running for (2004)msecs, more than (2000)msecs 4/3),process = 
DNS Server.

Conditions: This symptom is observed on a Cisco router that performs many DNS lookups.

Trigger: This symptom occurs when there are many DNS lookups, but it may also occur otherwise.

Impact: This bug impacts performance.

Workaround: Configure the router in such a way to prevent it from performing many DNS lookups, and do not configure the router as a DNS server for other devices.

Further Problem Description: Note that CSCsg64586 can produce very similar symptoms, even in the absence of a large number of DNS queries.

CSCso66396

Symptoms: If the dialing process is interrupted with a Carrier Drop message, it is not possible to attempt a new call for that remote site.

Conditions: After receiving a Carrier Drop message, the dialer is not cleared. The show dialer session command reports status 6 for that call. Traffic directed to the remote site is dropped. The dialer map is still active. All the traffic is still routed to the dialer and dropped.

Workaround: Clear the dialer session.

Further Problem Description: This will impact traffic forwarding.

CSCso66473

Symptoms: A router may crash when the user moves from one segment to another and attempts to log in to SSG.

Conditions: The symptom is observed in the following situation:

1. Open a user known to SSG through accounting-start, with an IP address of "IP1."

2. User then logs in to SSG.

3. User moves to another segment that generates another accounting-start for the same MAC address but a different IP address, IP2.

4. The SSG then crashes.

Workaround: There is no workaround.

CSCso70587

Symptoms: The RTP ports are being opened at H323 and the SSRC for the SRTP call is being updated before the PROCEEDING/ALERTING indication is received on the ISDN end. This may result in a "%DSM-3-INTERNAL" error message.

Conditions: The symptoms are observed on a Cisco 2811 series and an AS5xxx router.

Workaround: Disable the SRTP configuration and initiate normal RTP calls.

CSCso73533

Symptoms: Traceback is seen after unconfiguring the tunnel interface.

Conditions: The symptom is seen when using IPv4 multicast PIM tunnels where the route to the Rendezvous Point (RP) is via another tunnel interface. If this tunnel interface is unconfigured, there is a race condition between (1) learning the new route to the RP via another interface and (2) the periodic update of the PIM tunnel adjacency. If the latter occurs first, the traceback is seen.

Workaround: There is no workaround.

CSCso78897

Symptoms: A Cisco 870 router will process and forward packets received with a multicast MAC address even though it should not, such as when the interface controller does not own the multicast MAC address.

Conditions: This was observed on a Cisco 878 Router running Cisco IOS Release 12.4(15)T4.

Workaround: Make sure the switch connecting to the Cisco 870 does not send packets with multicast MAC addresses that should not be received by the Cisco 870.

CSCso80288

Symptoms: The value of AOC is missing for the Release Message.

Conditions: The symptom is seen for switch type basic-net3. It occurs when configuring OGW and TGW with the isdn global-disconnect command.

Workaround: There is no workaround.

CSCso81854

Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches.

To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml.

This security advisory is being published simultaneously with announcements from other affected organizations.
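As an added example that is not part of this advisory, the following Python script audits a resolver from the defender's side: given the transaction ID and UDP source port of each outbound query (as a packet capture would show them), it reports how many distinct values appear and whether either field behaves like a counter, and labels the "fixed port plus incrementing ID" pattern the advisory describes as weak. The Query type, the two constructed sample series and the thresholds are assumptions made for this example.

```python
"""Audit a resolver's outbound DNS queries for predictable transaction IDs and source ports."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int     # 16-bit ID from the DNS header of the outbound query
    sport: int    # UDP source port the query was sent from


def sequential_fraction(values: list) -> float:
    """Fraction of consecutive pairs that differ by exactly +1 (a counter, not a random draw)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess(queries: list, min_samples: int = 32) -> dict:
    """Summarise txid/source-port diversity; 'weak' is the condition this advisory addresses."""
    if len(queries) < min_samples:
        raise ValueError(f"need at least {min_samples} queries, got {len(queries)}")
    txids = [q.txid for q in queries]
    ports = [q.sport for q in queries]
    distinct_txid = len(Counter(txids))
    distinct_port = len(Counter(ports))
    txid_seq = sequential_fraction(txids)
    port_seq = sequential_fraction(ports)
    # Constructed thresholds: a randomized 16-bit field should almost never repeat in a
    # few dozen samples, and neither field should step by +1 most of the time.
    weak_txid = distinct_txid < 0.9 * len(queries) or txid_seq > 0.5
    weak_port = distinct_port <= 2 or port_seq > 0.5
    return {
        "samples": len(queries),
        "distinct_txid": distinct_txid,
        "distinct_port": distinct_port,
        "txid_sequential": round(txid_seq, 2),
        "port_sequential": round(port_seq, 2),
        "verdict": "weak" if (weak_txid or weak_port) else "randomized",
    }


def constructed_weak(n: int = 64) -> list:
    """Constructed sample: one fixed source port and a simple counter for the transaction ID."""
    return [Query(txid=(0x1000 + i) & 0xFFFF, sport=53) for i in range(n)]


def constructed_randomized(n: int = 64, seed: int = 1) -> list:
    """Constructed sample: both fields drawn from a seeded PRNG, standing in for a fixed resolver."""
    rng = random.Random(seed)
    return [Query(txid=rng.randrange(0, 1 << 16), sport=rng.randrange(1024, 65536))
            for _ in range(n)]


if __name__ == "__main__":
    print("predictable resolver:", assess(constructed_weak()))
    print("randomized resolver: ", assess(constructed_randomized()))
```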

CSCso83840

Symptoms: Certain reserved characters (for example, the ampersand character: "&") may get lost if they are used in the http submit URL.

Conditions: The symptom is observed on an IVR Voice Browser that is running Cisco IOS Release 12.4(15)T.

Workaround: There is no workaround.

CSCso84983

Symptoms: E1R2 channels remain up/up/idle/idle even though the call has finished.

Conditions: The conditions under which this symptom occurs are unknown.

Workaround: Shut down the interface and bring it back up again.

CSCso91078

Symptoms: A Cisco IAD2430 may reload unexpectedly due to a bus error (Sig=10).

Conditions: The symptom is seen on a Cisco IAD2430 that is running Cisco IOS Release 12.4(15)T4.

Workaround: There is no workaround.

CSCso97695

Symptoms: The config replace command fails when the source file is fetched over TFTP.

Conditions: No special conditions.

Workaround: A TFTP copy works correctly. Copy the file to disk first and then perform the config replace from the disk.

CSCso97946

Symptoms: An H320 GW2 may crash when a call is made from an H323 endpoint.

Conditions: The symptom is observed when an H323 endpoint sends the audio codecs G.729, G.711 u-law, G.711 A-law, G.728, G.722 64k, G.722 56k, and G.722 48k in the TCS to the H320 GW.

Workaround: Configure a single audio codec under the VOIP dial-peer.

CSCso98579

Symptoms: A router configured with ccm-manager config may crash.

Conditions: The symptom is observed on a router that is configured with ccm-manager config. If there is an interface with a configuration line longer than 100 bytes, the problem will be seen when Call Manager tries to configure the router.

Workaround: Remove any lines of configuration longer than 100 bytes from controllers, interfaces and voice ports.

Further Problem Description: This issue has been seen most often with a long description on either T1/E1 controller, or corresponding serial interface, but any long configuration line would cause the problem.

CSCsq03286

Symptoms: A Cisco Communication Media Module (CMM) with an Adhoc Conferencing and Transcoding (ACT) port adaptor module configured for MTP/XCODING may get into a state where further attempts to utilize DSP resources in a transcoding profile may fail.

Conditions: Under rare conditions, a CMM module used for MTP/XCODING may see the DSP resource on the module become unresponsive. When this occurs, a DSP recovery algorithm on the CMM module will be invoked to attempt to recover the DSP resource.

This algorithm may in some circumstances leave the associated transcoding resource in a state where further calls to invoke these resources will fail.

When the DSP recovery mechanism is invoked, the following message at debug level will be logged:

ac_mtrDsp_ev(slot 2 dspId 1 heartBeat 0000058D) reset[hbErr 0]

If the recovery mechanism fails to properly recover the resources, there will be hung calls seen in the output of the show mediacard connection command (0 packets tx/rx will be displayed).

Further calls that attempt to use this resource will see OpenReceiveChannel failures as displayed in the output of the show sccp statistics command.

An example of this is below:

CMM-01# show mediacard connection 
Id  Type  Slot/  RPort SPort RxPkts TxPkts Remote-Ip
          DSP/Ch
25  xcode 2/4/23 18300 22684 0      0      172.16.175.160 
26  xcode 2/4/24 16710 22540 0      0      172.16.175.116 
CMM-01# show sccp statistics 
SCCP Application Service(s) Statistics: 
Profile Identifier: 1, Service Type: Transcoding 
TCP packets rx 1676, tx 443 
Unsupported pkts rx 0, Unrecognized pkts rx 0 
Register tx 1, successful 1, rejected 0, failed 0 
KeepAlive tx 25, successful 25, failed 0 
OpenReceiveChannel rx 412, successful 398, failed 24 
CloseReceiveChannel rx 412, successful 398, failed 14 
StartMediaTransmission rx 412, successful 398, failed 14 
StopMediaTransmission rx 412, successful 380, failed 0 
Reset rx 0, successful 0, failed 0 
MediaStreamingFailure rx 0 
Switchover 0, Switchback 0

Workaround: Work to prevent the DSP from becoming unresponsive.

CSCsq05997

Symptoms: The following error messages may appear in the log file multiple times:

%ARP-3-ARPINT: ARP table accessed at interrupt level 1, -Traceback= 0x61013944 
0x60B61F80 0x60B5A2A4 0x6019DDAC 0x600FA37C 0x600FCC6C 

Because the message is generated frequently, the log file may fill up too soon.

Conditions: The symptom is observed because a Cisco IOS component is accessing the ARP cache table in the interrupt context, which goes against the design of the Cisco IOS module. The error message indicates that the software is in danger of causing the router to crash.

Workaround: There is no workaround.

CSCsq06222

Symptoms: The following error message will be seen now and then (when sending traffic):

%SYS-2-NULLCHUNK: Memory requested from Null Chunk -Process= "<interrupt level>", ipl= 
1, -Traceback 

This will not cause any problems in the network.

Conditions: Occurs when VSA/crypto is enabled with process switching.

Workaround: Configure a dummy crypto map with qos pre-classify enabled, as in the following example:

crypto map dummy 10 ipsec-isakmp
 qos pre-classify

CSCsq09592

Symptoms: The router is black-holing traffic that is going to be encrypted. The crypto-counters are not showing an increase.

Conditions: The symptoms are observed when service-policy is configured on the main interface and crypto map is configured on a subinterface and when IP CEF is enabled.

Workaround: Redesign the configuration to apply service policy on the subinterface. Disable CEF globally.

Further Problem Description: Clear text-traffic is effectively received by the router. It triggers the creation of Phase I/Phase II. However, it then appears to be blackholed:

interface Ethernet0/0
 no ip address
 service-policy output shape
!
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.0.1 255.255.255.252
 crypto map mymap

CSCsq09836

Symptoms:

1. For some 3660 platform images, the connect command does not work and, as a result, local switching does not work.

2. For some images, the no connect command does not work to remove an existing connection.

Conditions: The symptoms are observed with 3660 platform images where both ac_atm and atm_switching subsystems are responsible for local switching.

Workaround: Remove ac_atm and use only atm_switching for local switching.

Further Problem Description: Problems may arise for other 3660 platform images having both ac_atm and atm_switching.

CSCsq09942

Symptoms: NM-CEM-4TE1 modules installed in Cisco 3845 routers running Cisco IOS Release 12.4(11)T or 12.4(15)T3 with nine TS CEM groups configured have alignment issues. When the issue occurs, none of the show cem commands show any problems with the cards or CEM groups.

Conditions: This symptom is observed on an NM-CEM-4TE1 module installed in Cisco 3845 routers with nine TS groups configured and connected to another vendor's PBX.

Workaround:

1. Shut/no shut the CEM group on either side. This fixes the issue temporarily.

2. Change the CEM group configuration to have one TS per CEM group.

Further Problem Description: The issue can be observed with more details using a WAN analyzer between the CEM card and the PBX. There you can see that the traffic is entering through a specific TS and leaving through a different TS.

CSCsq10730

Symptoms: A Cisco router may display the following messages after enabling the advanced signature set in IOS-IPS:

Too many UUIDs in pdu type 0x0E
Too many UUIDs in pdu type 0x0B
Too many UUIDs in pdu type 0x0E
Too many UUIDs in pdu type 0x0B

Conditions: The symptom is observed on a Cisco router that is running Cisco IOS Release 12.4(15)T, that is utilizing IOS IPS v5 feature, and is running with the advanced signature set (MSRPC). Symptom occurs when incoming MSRPC packets are malformed or do not comply with protocol.

Workaround: There is no workaround. The message is informational (cosmetic).

CSCsq11620

Symptoms: Crashes may be caused by the code which uses "strncpy" and "sprintf".

Conditions: The symptoms are observed when accessing a specific string.

Workaround: There is no workaround.

CSCsq11750

Symptoms: A Cisco router may crash when the no mgcp and the no mgcp profile profile-name commands are issued from the VTY, and the command call-agent ip-address is configured through the console in "config-mgcp-profile" mode.

Conditions: The symptom is observed when there is simultaneous operation between the console line and the VTY line.

Workaround: Configure using a single telnet connection instead of two.

CSCsq13348

The Cisco IOS Intrusion Prevention System (IPS) feature contains a vulnerability in the processing of certain IPS signatures that use the SERVICE.DNS engine. This vulnerability may cause a router to crash or hang, resulting in a denial of service condition.

Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.

NOTE: This vulnerability is not related in any way to CVE-2008-1447 - Cache poisoning attacks. Cisco Systems has published a Cisco Security Advisory for that vulnerability, which can be found at http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml.

CSCsq13576

Symptoms: The router may crash when the multilink interface goes down.

Conditions: The symptoms are observed when the multilink interface has interleave configured.

Workaround: There is no workaround.

CSCsq13938

Symptoms: In Cisco IOS software that is running the Border Gateway Protocol (BGP), the router may reload if BGP show commands are executed while the BGP configuration is being removed.

Conditions: This problem may happen only if the BGP show command is started and suspended by auto-more before the BGP-related configuration is removed, and if the BGP show command is continued (for example by pressing the SPACE bar) after the configuration has been removed. This bug affects BGP show commands related to VPNv4 address family. In each case the problem only happens if the deconfiguration removes objects that are being utilized by the show command. Removing unrelated BGP configuration has no effect.

This bug is specific to MPLS-VPN scenarios (CSCsj22187 fixes this issue for other address-families).

Workaround: Terminate any paused BGP show commands before beginning operations to remove BGP-related configuration. Pressing "q" to abort suspended show commands, rather than SPACE to continue them, may avoid problems in some scenarios.

CSCsq15560

Symptoms: In creating a multi-party video conference by calling into a Cisco IPVC MCU device, a call may intermittently suffer from one-way video.

Conditions: The symptom is seen with a multi-party video conference that calls into a Cisco IPVC MCU device, where a local CME video endpoint calls the MCU via a gatekeeper over H323. This is a timing issue in the H.323 state machine. In the call flow, two sets of OLCs (for audio and video) are exchanged. A BRQ is sent for the audio OLC. Before the BCF is received, the GW gets the video OLC. This updates the total channel bandwidth and checks whether it is less than the approved BW. As it is not, the OLC is rejected, resulting in one-way video.

Workaround: There is no workaround.

Further Problem Description: This scenario works fine with third party H323 endpoints with their own H323 stacks working with the same gatekeeper and MCU. A more heavily loaded (for instance, with debugs) CME gateway will experience the problem less often.

CSCsq19047

Symptoms: A VXML gateway may stop handling calls due to lack of memory. The memory leak occurs in Chunk Manager process.

Conditions: The symptom is observed on a VXML gateway that is running Cisco IOS Release 12.4(15)T and when the SIP Take back application is configured to initiate a REFER-based call transfer in a CVP scenario.

Workaround: There is no workaround.

Further Problem Description: Page 374 of this configuration and administration guide states how this configuration must be set up:

http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/customer_voice_portal/cvp4_0/configuration/guide/cvp40cfg.pdf

CSCsq21347

Symptoms: Sometimes the WebVPN login page may not come up when a client browser connects to the gateway. Sometimes the login page comes up, but after the login credentials are entered the portal page does not come up. The following syslog messages are seen.

1) The WebVPN login page can be reached, but after the username and password are entered, the page returns the error message "Internal Error" and does not allow login. The traceback below is also seen.

May 10 06:15:19.183 PDT: %SYS-2-CHUNKINVALIDHDR: Invalid chunk header type 0 for chunk 
0, data 0 -Process= "SSLVPN_PROCESS", ipl= 0, pid= 265, -Traceback= 0x61898E8C 
0x6002DFC4 0x63D802FC 0x63D70C64 0x63D78A5C 0x63D79054 0x63D7986C 0x63D736A8

2) The WebVPN login page does not come up at all when a client connects to the WebVPN gateway. The browser reports "Page is not displayed" because of the following traceback:

May 10 21:57:30.963 PDT: %SYS-2-CHUNKINVALIDHDR: Invalid chunk header type 0 for chunk 
0, data 0 -Process= "IP Input", ipl= 0, pid= 120, -Traceback= 0x61898E8C 0x6002DFC4 
0x63D6D564 0x63D72F48 0x63D5C804 0x62285B20 0x62288158 0x61F81940 0x61F83264 
0x61F8367C 0x61F83738 0x61F83980

Conditions: This can happen if WebVPN configuration is being removed and a client tries to connect.

Workaround: Avoid removing WebVPN configuration once it is configured.

CSCsq22106

Symptoms: All CAS voice calls fail on a Cisco AS5850 box. This failure is not seen on PRI calls.

Conditions: This symptom is observed for CAS calls but not for PRI calls.

Workaround: There is no workaround.

CSCsq24672

Symptoms: A call through CUBE may not establish for a Re-Invite-based call flow. The call may drop.

Conditions: This symptom is observed if the endpoint to which the CUBE is communicating sends a Re-INVITE for a call before it has received an ACK from the other call leg for the original INVITE. CUBE may not forward this Re-Invite to the other call leg, and the call will disconnect.

Workaround: There is no workaround.

CSCsq29623

Symptoms: A Cisco AS5350 or Cisco AS5350XM that is running Cisco IOS Release 12.4(15)T5 will drop incoming VPN traffic larger than 512 bytes when the traffic is destined for a dialer interface.

Conditions where problem is seen:

When packets arrive on a crypto tunnel that terminates on the Cisco AS5350 AND when the packets are destined for a destination that is reachable over a dialer interface.

With a legacy dialer-map or dialer-pool DDR configuration. No difference is seen between the two.

With CEF disabled.

Conditions where problem is not seen:

Without crypto.

With process-switching (CEF and fast-switching disabled).

When packets are destined for a host that is reachable via an Ethernet interface.

Workaround: There is no workaround.

CSCsq30717

Symptoms: An NPE-G1 resets due to a hardware watchdog timeout. This is indicated in the show version output by "Last reset from watchdog reset".

Conditions: The Cisco 7200 must have an enabled PA-MC-2T3-EC with channelized T1s.

Workaround: Disable the PA-MC-2T3-EC.

CSCsq31776

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

CSCsq31958

Symptoms: In a network with redundant topology, an Open Shortest Path First (OSPF) external route may remain stuck in the routing table after a link flap.

Conditions: Problem observed in Cisco IOS Release 12.4T. Not present in Cisco IOS Release 12.3T.

Workaround: The issue can be cleared by entering the clear ip route command for the affected route.

CSCsq32443

Symptoms: MCP rejecting Start-Control-Connection-Reply (SCCRP) with receive window size missing.

Conditions: Occurs with peers that use or expect the default handling of RxWindowSize of (4) and do not include the attribute-value pair (AVP) in the SCCRQ/SCCRP messages.

Workaround: Force peer to send AVP.
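As an added example that is not part of these release notes, the following Python code serves both this caveat and CSCso56185 above: it encodes and decodes RFC 2661 control-message AVPs, then reports how a peer will see the Receive Window Size AVP in an SCCRQ or SCCRP, distinguishing a compliant AVP (M bit set), an AVP present with the M bit clear (the CSCso56185 defect), and an absent AVP (for which RFC 2661 has the peer assume a window of 4, the default this caveat refers to). The sample messages are constructed here and contain only the Message Type and Receive Window Size AVPs; hidden (H bit) values are not decoded.

```python
"""Parse L2TPv2 (RFC 2661) control-message AVPs and check the Receive Window Size AVP."""
import struct
from dataclasses import dataclass

# RFC 2661 attribute types used here (vendor ID 0 = IETF-defined).
ATTR_MESSAGE_TYPE = 0
ATTR_RECEIVE_WINDOW_SIZE = 10
MSG_SCCRQ, MSG_SCCRP = 1, 2
DEFAULT_RECEIVE_WINDOW = 4   # window a peer must assume when the AVP is absent (RFC 2661)


@dataclass(frozen=True)
class Avp:
    mandatory: bool      # M bit: a receiver that cannot interpret the AVP must tear down
    hidden: bool         # H bit: value obscured with the shared secret (not decoded here)
    vendor_id: int
    attr_type: int
    value: bytes


def build_avp(attr_type: int, value: bytes, mandatory: bool = True, vendor_id: int = 0) -> bytes:
    """Encode one AVP: 6-byte header (M, H, 10-bit total length, vendor ID, type) + value."""
    length = 6 + len(value)
    flags = (0x8000 if mandatory else 0) | (length & 0x03FF)
    return struct.pack("!HHH", flags, vendor_id, attr_type) + value


def parse_avps(body: bytes) -> list:
    """Split a control-message body (the bytes after the L2TP control header) into AVPs."""
    avps, offset = [], 0
    while offset < len(body):
        if len(body) - offset < 6:
            raise ValueError("truncated AVP header")
        flags, vendor_id, attr_type = struct.unpack_from("!HHH", body, offset)
        length = flags & 0x03FF
        if length < 6 or offset + length > len(body):
            raise ValueError(f"bad AVP length {length} at offset {offset}")
        avps.append(Avp(mandatory=bool(flags & 0x8000), hidden=bool(flags & 0x4000),
                        vendor_id=vendor_id, attr_type=attr_type,
                        value=body[offset + 6:offset + length]))
        offset += length
    return avps


def message_type(avps: list) -> int:
    """The Message Type AVP must come first in every control message (RFC 2661 section 4.4.1)."""
    first = avps[0]
    if first.vendor_id != 0 or first.attr_type != ATTR_MESSAGE_TYPE or not first.mandatory:
        raise ValueError("control message does not start with a mandatory Message Type AVP")
    return struct.unpack("!H", first.value)[0]


def check_receive_window(avps: list) -> dict:
    """Report how a peer sees the Receive Window Size AVP of an SCCRQ/SCCRP.

    RFC 2661 makes this AVP optional, but when present its M bit MUST be set and
    its value is a 2-octet window size. A peer that insists on strict protocol
    adherence rejects a present AVP whose M bit is clear.
    """
    for avp in avps:
        if avp.vendor_id == 0 and avp.attr_type == ATTR_RECEIVE_WINDOW_SIZE:
            if avp.hidden:
                return {"status": "hidden", "size": None}
            size = struct.unpack("!H", avp.value)[0]
            return {"status": "ok" if avp.mandatory else "m_bit_clear", "size": size}
    return {"status": "absent", "size": DEFAULT_RECEIVE_WINDOW}


def sample_sccrq(rws_mandatory: bool, include_rws: bool = True) -> bytes:
    """Constructed SCCRQ body: Message Type AVP plus an optional Receive Window Size AVP of 8."""
    body = build_avp(ATTR_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRQ))
    if include_rws:
        body += build_avp(ATTR_RECEIVE_WINDOW_SIZE, struct.pack("!H", 8),
                          mandatory=rws_mandatory)
    return body


if __name__ == "__main__":
    for label, body in (("compliant", sample_sccrq(True)),
                        ("M bit clear", sample_sccrq(False)),
                        ("AVP absent", sample_sccrq(True, include_rws=False))):
        avps = parse_avps(body)
        kind = "SCCRQ" if message_type(avps) == MSG_SCCRQ else "other"
        print(f"{label:12s} {kind} -> {check_receive_window(avps)}")
```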

CSCsq33653

Symptoms: The caller ID transmission may fail from FXS port to FXO port.

Conditions: The symptoms are observed when the sub-command caller-id is configured under "voice-port x/y".

Workaround: There is no workaround.

CSCsq37349

Symptoms: A router may crash due to a corrupted Program Counter.

Conditions: The symptom is seen with Zone-based Firewall and IPS, along with VRF and IPSec tunnel configured.

Workaround: There is no workaround.

CSCsq40649

Symptoms: Card is crashing while entries are being added to the access list.

Conditions: Occurs when additional entries are being added to an access list that is already attached to an interface. The card is crashing with memory corruption.

Workaround: There is no workaround.

CSCsq42399

Symptoms: Shortly after upgrade, the router shows the following error:

May 22 09:05:53.109 METDST: %SYS-2-MALLOCFAIL: Memory allocation of 261116 bytes 
failed from 0x61A37948, alignment 0 Pool: Processor Free: 6427012 Cause: Memory 
fragmentation Alternate Pool: None Free: 0 Cause: No Alternate pool -Process= "Virtual 
Exec", ipl= 0, pid= 234, -Traceback= 0x61452110 0x6000A7FC 0x60010638 0x60010C2C 
0x634CB644 0x61A37950 0x61461910 0x 614BD940 0x6149E000 0x614C1B08 0x62AA2494 
0x62AA2478

Traffic is affected, and the router is unable to display the output of show run.

Conditions: Occurs on a Cisco 7200 router running the c7200-adventerprisek9-mz.124-15.T3.bin. Service Selection Gateway (SSG) and RADIUS are involved.

Workaround: There is no workaround.

CSCsq43591

Symptoms: When a session is cleared from the CPE and when it reconnects instantaneously, a ping fails to the CPE.

Conditions: This symptom is observed under the following conditions:

LAC<->LNS setup.

Clearing of session from CPE.

In the show pxf cpu vcci command output, there is no VCCI present for the VAI.

Also seen in lab when the CPE is booted and the first session comes up.

Workaround: Clear the VAI interface from the LNS. The session will reconnect and will work fine.

CSCsq44428

Symptoms: Under certain conditions with IPv6 for EIGRP, the router may log error messages such as the following:

00:00:09: %DUAL-3-INTERNAL: IPv6-EIGRP(0) 80: Internal Error

Conditions: The error message currently has no operational impact.

Workaround: There is no workaround.

CSCsq46742

Symptoms: SIP gateway crashes when a 302 response contains a contact header with the same IP address as that of SIP gateway.

Conditions: The crash occurs only when the 302 response contains a contact header with an IP address the same as that of the gateway IP address. The crash also occurs only when the IP address is mapped to a domain name exceeding the length of the IP address received in the contact header.

Workaround: Ensure that the IP address that is received in the 302 response is mapped to a domain name not exceeding the length of the IP address.

CSCsq46832

Symptoms: The "IP SLAs: RTP VoIP Operation" feature was introduced in Cisco IOS Release 12.4(4)T to allow users to obtain realistic VoIP Round Trip Time (RTT), Jitter, Packet Loss, and Mean Opinion Score (MOS) measurements from a live VoIP call over a real IP cloud using a bona fide voice codec supported on voice DSPs. It has been found that in certain versions of the Cisco IOS 12.4T release train this feature does not function at all. The output of the show ip sla statistics N EXEC command, where N is the IP SLA probe tag number, returns something similar to the following, reporting all zeroed-out measurements:

VoiceGateWay# show ip sla statistics 3
IPSLAs Latest Operation Statistics

IPSLA operation id: 3
Type of operation: rtp
Latest operation start time: 11:35:15.606 EST Tue May 27 2008
Latest operation return code: No connection
Latest RTT (milliseconds): 0
Source to Destination Path Measurements:
Interarrival Jitter: 0
Packets Sent: 0
Packets Lost: 0
Estimated R-factor: 0
MOS-CQ: 0.00
Destination to Source Path Measurements:
Interarrival Jitter: 0
Packets Sent: 0
Packets Lost: 0
Estimated R-factor: 0
MOS-CQ: 0.00
Operation time to live: 72083 sec
Operational state of entry: Active
Last time this entry was reset: Never

Conditions: This behavior is observed on Cisco 1700, 2600, 3700, 7200, 7500, 2800, and 3800 voice platforms installed with Cisco IOS 12.4(19.18)T or newer in the Cisco IOS 12.4T release family, and configured with the RTP VoIP IP SLA feature.

Workaround: There is no workaround.

CSCsq48201

Symptoms: A crash may occur when creating a Bridge-Group Virtual Interface (BVI) while traffic is flowing.

Conditions: The crash could occur when a BVI interface is first created with the command interface BVI and traffic is being process-switched by a physical interface in the same bridge-group. Once the BVI interface is created, subsequent interface BVI commands to configure that interface will not cause the crash.

Workaround: Remove the physical interface from the bridge-group, or prevent traffic from being process-switched by the interface when the BVI interface is first created.

CSCsq48949

Symptoms: A hierarchical policy cannot be attached.

Conditions: This symptom is observed with a Cisco 7200 router that is running Cisco IOS Release 12.4(19.18)T2.

Workaround: There is no workaround.

CSCsq49100

Symptoms: Removal of last class-map before the qos-group class-map causes the router to crash.

Conditions: Happens every time when the class-maps change from type(Mix) to type(Un-Mix), such as the following:

Mix: dscp precedence qos-group

Un-Mix: qos-group qos-group qos-group

Workaround: There is no workaround.

CSCsq49816

Symptoms: Adding a service policy to a PVC under a switch subinterface with PPP multilink configured causes the PXF queue size to become misprogrammed.

Conditions: Occurs when a policy-map with a priority class is attached to an MLP PVC under a switch subinterface and the MLP bundle is down. The PXF switch1 queue is then misprogrammed.

Workaround: Such a configuration is not allowed and has to be avoided.

CSCsq50100

Symptoms: When a call is placed from a secure phone on a SIP gateway to a secure Cisco Unified CallManager (CCM) phone, the call is established as an SRTP call. After a hold/resume, the call becomes non-secure.

Conditions: All supplementary services are affected (hold/resume of a secure call, call transfer, conferencing, etc.).

Workaround: There is no workaround.

CSCsq52048

Symptoms: A router crashes while the show vpdn tunnel all command is running.

Conditions: When thousands of L2TP tunnels are coming up and going down, running show vpdn tunnel all may result in a crash.

Workaround: There is no workaround.

CSCsq52847

Symptoms: Connection establishment with the event agent fails.

Conditions: Occurs when the Event Gateway is killed and restarted on a Cisco 1812 router while running Cisco IOS Release 12.4(19.18)T2.

Workaround: There is no workaround.

CSCsq58748

Symptoms: When an OCSP (Online Certificate Status Protocol) request is sent to the OCSP server to check the revocation status of a certificate, and under some circumstances the TCP connection for the OCSP request goes into a stalled state, the IKMP process can become blocked. The router is then unable to process any further IKE packets, which stops any new tunnel negotiations, rekeys, or DPDs from occurring. Existing IPsec SAs continue to work until a rekey or DPD is triggered.

Conditions: Occurs on a Cisco IOS router with IPSec VPN and certificates and configured for revocation checking.

Workaround: Perform the following steps:

1) Disable revocation checking.

2) Reload the router.

CSCsq60016

Symptoms: Router crashes after entering a long RSA key string.

Conditions: Occurs when a very long hex string is entered.

Workaround: Break the entry into shorter strings.

CSCsq60750

Symptoms: The "Net Input" process can cause Cisco 2800 and Cisco 2811 routers to crash.

Conditions: Occurs on Cisco 2800 and Cisco 2811 routers that are running Cisco IOS Release 12.4(19.18)T2.

Workaround: There is no workaround.

CSCsq61398

Symptoms: L2TP/IPSec connections fail between Cisco 1800 clients and the Cisco 7200 server when the server is configured for hardware encryption.

Conditions: Occurs with the following topology:

User---1811 (LAC) F0/0 ------- Router--ASA---G0/1 c7200 (LNS)

Occurs when Cisco 1800 routers are L2TP-over-IPsec clients, terminating their connection to a Cisco 7200. The problem exists in Cisco IOS Release 12.4(15)T3 and Cisco IOS Release 12.4(15)T4.

Workaround: Disable fast switching/CEF on the Cisco 7200. After the no ip route-cache command is entered under both the interface gigx/y and the virtual-template xx of the Cisco 7200, the L2TP connection is stable:

interface GigabitEthernet X/Y
 no ip route-cache
interface virtual-template XX
 no ip route-cache

CSCsq62269

Symptoms: If a Cisco 3270 has no startup configuration, it will crash if the "autoinstall" option is selected.

Conditions: Occurs when there is no startup configuration and the router is using the c3270-adventerprisek9-mz.124-15.XZ.bin image.

Workaround: Execute tftpdnld -r in rommon to boot c3270-entbase-mz.124-15.XZ.bin. Do not allow the "autoinstall" option to run. Save the default configuration and reboot it with the c3270-adventerprisek9-mz.124-15.XZ.bin image.

CSCsq63731

Symptoms: If either the command vlan-id dot1q vlan-id or the command vlan-range dot1q start-vlan-id end-vlan-id is configured on a main interface that is also configured for routing, and an ARP packet is sent to the router on the configured VLAN, the router may send an ARP reply with a VLAN ID of zero.

Conditions: The symptoms are seen on a Cisco 2800 series and a Cisco 7200 series router when the command vlan-id dot1q vlan-id is configured on the GigabitEthernet interface of the Cisco 2800 series router and encapsulation dot1q vlan-id is configured on the FastEthernet 2/1/2.1 interface.

Workaround: Change the Cisco 2800 series router's (CE) configuration to use a subinterface for the VLAN ID instead of using the vlan-id dot1q vlan-id command on the main interface. With a subinterface configured on the 2800, the ARP packets are sent with the proper VLAN ID.

CSCsq71095

Symptoms: An SSL connection over an L2TP/IPsec tunnel does not work. Checksum errors are seen on the Change Cipher Spec messages coming from the server.

Conditions: This has been seen on a Cisco 7200 running Cisco IOS Release 12.4(15)T5 and the ADVENTERPRISEK9-M image. A Cisco 2821 with the same version and feature set was not affected.

Workaround: Use a router other than the Cisco 7200 for this task, or disable IPSec and only use SSL over L2TP.

CSCsq71492

Symptoms: A Cisco Catalyst switch may reload with an address error.

Conditions: The symptoms are most likely to occur when the TACACS+ server (ACS) sends an "authentication error" when ACS is configured, or when a request timeout occurs. There may be other AAA or TACACS related conditions that cause the symptom.

Workaround: There is no workaround.

CSCsq75526

Symptoms: When a DNS forwarding source interface is configured in a split DNS environment, the source address populated in the packet while forwarding the DNS query is wrong. It always takes the first interface in the VPN routing/forwarding (VRF) view, even when the DNS forwarding source interface is changed. The DNS query fails.

Conditions: The above symptom is seen on a router running Cisco IOS Release 12.4(15)T6.

Workaround: There is no workaround.

CSCsq76338

Symptoms: Call across SIP trunk takes around 10 seconds to resume after called party goes on hold.

Conditions: Occurs during normal operating conditions.

Workaround: There is no workaround.

CSCsq78208

Symptoms: The router crashes during startup when an NTP update is received from the supervisor (SUP).

Conditions: Occurs when there is an NTP update and a Cisco Multi-Processor WAN Application Module (MWAM) is present.

Workaround: There is no workaround.

CSCsq81073

Symptoms: MGX RPM-XF backcard is reset when the test rpm ecc 1bit command is entered.

Conditions: Occurs on an MGX with two-port gigabit Ethernet and two-port POS backcards.

Workaround: There is no workaround.

CSCsq81116

Symptoms: Router may reload when Optimized Edge Routing (OER) master configuration is shut/no shut.

Conditions: Occurs only when the OER master controller goes down, and then only rarely.

Workaround: There is no workaround.

CSCsq83872

Symptoms: There may be a memory leak when applying the command no pppoe enable.

Conditions: The symptom is observed on a Cisco 831 router that is running Cisco IOS Release 12.4(19).

Workaround: There is no workaround.

CSCsq86067

Symptoms: The router crashes while match access-group name is being configured with a long string.

Conditions: Occurs when match access-group name is configured with a string length greater than 122 characters.

Workaround: There is no workaround.

CSCsq89122

Symptoms: Cisco 7206VXR with NPE-G1, SA-VAM2+, and PA-A3-OC3MM may generate spurious memory accesses.

Conditions: One possible trigger may be ATM link instability.

Workaround: There is no workaround.

CSCsr00967

Symptoms: A router crashes.

Conditions: Clicking an application on a Citrix server, for example a calculator, and then clicking another application within a short period of time causes the router to crash.

Workaround: There is no workaround.

Further Problem Description: The router crashes when a Citrix application is clicked and, before it is launched, another application is clicked. For the first application, the Cisco IOS gateway is waiting for a DNS resolution; meanwhile the TCP connection is closed, which causes the appl_out_buffer of the corresponding context to be freed. Later, when the DNS resolution completes, data is written to the server-side appl_out_buffer, and because the buffer is null, the router crashes.

A buffer==NULL check was missing in the function sslvpn_http_write_start_chunk before data was written into the buffer. The fix adds a NULL check in sslvpn_http_write_start_chunk before the buffer is accessed.

CSCsr09400

Symptoms: The packets decrypted with VSA hardware encryption and with CEF enabled while using L2TP protected by IPsec are not switched correctly.

Conditions:

1. Using the router as an L2TP termination hub.

2. Using hardware encryption, specifically the VSA hardware engine.

3. Using CEF switching.

Workaround: There are several possible workarounds:

Disable CEF.

Apply the crypto map on the corresponding virtual-template interface alongside the physical interface.

Remove and reapply the crypto map (works until the next reboot).

Configure the no ip route-cache command and then the ip route-cache cef command on the virtual-template interface.

Further Problem Description: If this issue is reproduced in lab conditions, and the debug ip packet detail command is enabled, the following can be seen in the debugs:

*Jul 1 04:43:49.183: CEF: Try to CEF switch 10.175.135.48 from Virtual-Access2

The address in this message is "bogus" and corresponds to the data within the packet before the decryption, which essentially contains random bytes, so it can be anything.

CSCsr10335

Symptoms: A router loses its default gateway during autoinstall.

Conditions: This issue was seen on Cisco IOS Release 12.4(15)T5, but should affect every Cisco IOS version.

Workaround:

1. Manually do a shut followed by a no shut on the interface.

2. Create an EEM script, for example:

event manager applet Check-Default-Route
 event syslog pattern "CNS-3-TRANSPORT: CNS_HTTP_CONNECTION_FAILED"
 action 1.0 cli command "enable"
 action 1.1 cli command "config term"
 action 1.2 cli command "interface GigabitEthernet0/0"
 action 1.3 cli command "shut"
 action 1.4 cli command "no shut"
 action 1.5 cli command "end"
 action 1.6 cli command "write"
!
end

3. In network-confg, configure "ip address dhcp" for the interface that is supposed to get the default gateway from DHCP:

interface interface_name
 ip address dhcp
end

CSCsr11449

Symptoms: The ingress decrypted packets do not get through with L2TP/IPSEC, even though they show up in the "decrypted" counter of the show crypto ipsec sa command output.

Conditions: This symptom is observed when the set nat demux command is configured under the crypto map entry and when L2TP over IPSEC termination is used. VSA is used as the crypto engine.

Workaround: There is no workaround.

CSCsr18200

Symptoms: A busy tone is not heard when a 183 message is received before a 4xx busy message.

Conditions: Occurs in a SIP trunk architecture with a soft switch. This bug affects both the 12.4(15)T and 12.4(11)XW software releases.

Workaround: A patch is required, forcing the media off when a busy message is received.

CSCsr43231

Symptoms: A router crashes when a serial interface is shut down and subsequently brought back up.

Conditions: This symptom is observed when the shut command, followed by the no shut command, is entered on the serial interface.

Workaround: There is no workaround.

CSCsr45986

Symptoms: The memory of the router may become corrupted, which can lead to a crash.

Conditions: This symptom is observed when Flexible NetFlow is configured with a record that has a large packet section in it, and it is applied to capture traffic.

Workaround: Configure Flexible NetFlow with a flow record that does not have a packet section in it.

Further Problem Description: Tracebacks are observed when the following commands are issued, which leads to a Flexible NetFlow crash.

configure terminal 
flow monitor mm_1 
record netflow ipv4 as 
interface Ethernet1/0 
ip flow monitor mm_1 input 
end

CSCsr50821

Symptoms: A router may crash when the ARP code is entered at interrupt level.

Conditions: This symptom is observed when bridging is configured, but it may also be observed whenever the ARP code is entered from interrupt context, which is unpredictable.

Workaround: There is no workaround.

Further Problem Description: This defect was introduced via CSCsq05997. Cisco IOS Release 12.4 and 12.4T are not affected by this defect, but Cisco IOS Release 12.2S may be affected by this defect.

Resolved Caveats—Cisco IOS Release 12.4(15)T6

Cisco IOS Release 12.4(15)T6 is a rebuild release for Cisco IOS Release 12.4(15)T. The caveats in this section are resolved in Cisco IOS Release 12.4(15)T6 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Miscellaneous

CSCsj09249

Symptoms: A Cisco IOS router performing the Cisco Performance Routing (PfR) Optimized Edge Routing (OER) Master Controller function crashes due to an internal timing issue. The traceback may be similar to:

__udivmoddi4
__udivdi3
oer_br_update_iface_counters
oer_br_recv_iface_configured
oer_br_cc_tlv_process
oer_cc_read_tcp
oer_br_cc_process_socket_event
oer_br_process

or

oer_br_update_iface_counters
oer_pep_iface_update_timer_handler
oer_br_process_timer_event
tw_timer_tick
oer_br_process

or

__udivmoddi4
__udivdi3
oer_br_update_iface_counters
oer_pep_iface_update_timer_handler
tw_notify
tw_timer_tick
oer_br_process

Conditions:

PfR/OER border router configuration mode is accessed or modified on the master controller.

OER external interface goes UP/DOWN on the border router.

Workaround: There is no workaround.

CSCsk76053

Symptoms: When a route-map is used to redirect traffic arriving on a physical interface to the loopback interface, the traffic is not redirected.

Conditions: Occurs when the router is configured as an "EZVPN client on a stick" with a single physical interface serving as both inside and outside and a loopback interface being the inside.

Workaround: Configure interface vlan1.

CSCsl19590

Symptoms: An ISR router may crash during start up.

Conditions: Occurs when USB Flash drives are connected to the router. If drives are removed, there is no crash.

Workaround: There is no workaround.

CSCso15220

Symptoms: A Cisco router may experience a memory leak in the VTSP process. The router loses free memory until it starts to display "SYS-2-MALLOCFAIL" messages in the log and finally crashes because of the low-memory condition.

Conditions: The symptoms occur only when a call fails before it reaches the connect state.

Workaround: The only workaround is to schedule router manual reloads at regular intervals, so that the outages occur at the lowest-impacting moments.

CSCso53839

Symptoms: The router crashes with a bus error when ip inspect WAAS is enabled globally and voice traffic is intercepted.

Conditions: Occurs when ip inspect WAAS is enabled globally and a voice call is made.

Workaround: Disable or remove ip inspect WAAS.

CSCso62166

Symptoms: A device crashes when the clear bgp ipv6 uni * command is entered while Border Gateway Protocol (BGP) IPv6 unicast updates are being debugged.

Conditions: Debugging must be on to see the crash.

Workaround: Use the no debug bgp ipv6 unicast update command to turn off BGP IPv6 unicast updates debugging.

CSCso78427

Symptoms: A voice gateway is crashing at ccsip_apply_sip_to_pstn_calling_policy with a TLB (store) exception.

Conditions: This symptom is observed on a Cisco AS5400XM that is running either Cisco IOS Release 12.4(19) or Cisco IOS Release 12.3(14)T6.

Workaround: There is no workaround.

CSCso81854

Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches.

To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml.

This security advisory is being published simultaneously with announcements from other affected organizations.

CSCso93867

Symptoms: Router crashes with bus error exception.

Conditions: This happens when qos service-policy is unconfigured or reconfigured on a virtual-template interface.

Workaround: There is no workaround.

CSCsq06222

Symptoms: The following error message is seen now and then (when sending traffic):

%SYS-2-NULLCHUNK: Memory requested from Null Chunk -Process= "<interrupt level>", ipl= 1, -Traceback

This does not cause any problems in the network.

Conditions: Occurs when VSA/crypto is enabled with process switching.

Workaround: Configure a dummy crypto map with qos pre-classify enabled, such as in the following example:

crypto map dummy 10 ipsec-isakmp
 qos pre-classify

CSCsq13348

The Cisco IOS Intrusion Prevention System (IPS) feature contains a vulnerability in the processing of certain IPS signatures that use the SERVICE.DNS engine. This vulnerability may cause a router to crash or hang, resulting in a denial of service condition.

Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.

NOTE: This vulnerability is not related in any way to CVE-2008-1447 - Cache poisoning attacks. Cisco Systems has published a Cisco Security Advisory for that vulnerability, which can be found at http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml.

CSCsq19957

Symptoms: A numbered access-group does not match traffic when configured under a class-map unless another matching criteria is added to the same class-map, which must be a non-numbered access-group match statement.

Conditions: This has been observed for Gigabit Ethernet on an NPE-G1, for frame-relay encapsulated serial interfaces, and for POS interfaces on an NPE-G2.

Workaround:

1. Add another match criterion under the same class, which has to be a non-numbered access-group match such as match ip dscp or match access-group name <name>. This triggers the numbered access-group to start matching traffic correctly.

2. Have only one class defined plus class-default under the policy-map, and it will classify traffic correctly.

CSCsq45734

Symptoms: The router crashes while match access-group name is being configured with a long string.

Conditions: Occurs when the string length is greater than 77 characters.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(15)T5

Cisco IOS Release 12.4(15)T5 is a rebuild release for Cisco IOS Release 12.4(15)T. The caveats in this section are resolved in Cisco IOS Release 12.4(15)T5 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCek71254

Symptoms: The output of the show ipv6 eigrp neighbor command indicates that an IPv6 EIGRP process is in SHUTDOWN state when it was previously configured with a no shutdown command to activate the routing process.

Conditions: Occurs after configuring redistribute eigrp number under an IPv6 routing protocol instance, such as RIP or another EIGRP instance. The new IPv6 EIGRP process appears in the running configuration but does not create a functioning routing process.

Workaround: Enter the interface configuration mode and configure the ipv6 eigrp num command. Then enter into the IPv6 EIGRP routing process using ipv6 router eigrp num and configure no shutdown.

The problem does not occur if the IPv6 EIGRP process is configured first at the interface configuration level instead of by entering the redistribute eigrp num command.

CSCek76062

Symptoms: A router crashes because of a block overrun (overwriting the memory block).

Conditions: This symptom is observed only when templates are exported in the export packet, which happens only with NetFlow export version 9.

Workaround: Use export version 5.

CSCsg64163

Symptoms: Cisco IOS does not handle packet fragments for port-specific NAT rules such as:

ip nat inside source static udp 192.168.21.2 500 interface FastEthernet0/0 500
ip nat inside source static udp 192.168.21.2 4500 interface FastEthernet0/0 4500

Only the first fragment is translated; the others are not. This symptom remains even if the ip virtual-reassembly command is active on the interfaces.

Conditions: This symptom has been observed on Cisco IOS Release 12.4 and Release 12.4T.

Workaround: There is no workaround.

CSCsg85810

Symptoms: Cisco 2801 router crashes when the no crypto engine aim 0 command is entered.

Conditions: Occurs when shutting down the AIM-VPN/EPII-Plus card on a Cisco 2801 when there is an active IPSec tunnel.

Workaround: Disable the onboard crypto engine before using the AIM-VPN/EPII-Plus card.

CSCsh12493

Symptoms: After addition/deletion/modification of a VRF and the re-addition of associated configuration, it becomes apparent that the RIB is not being updated by BGP after reconvergence, and LDP neighborship is reestablished. As the RIB is not updated, neither is CEF. While BGP VPNv4 has the correct information, the RIB is empty of remote PE VRF subnets, and CEF has a default entry.

Conditions: This symptom is observed on Cisco 12000 series router that is running Cisco IOS Release 12.0(32)S6.

Workaround: The router can be recovered by clearing the BGP session.

CSCsh88792

Symptoms: A router that is configured for Dynamic DNS (DDNS) may reload unexpectedly.

Conditions: This symptom is observed when you manually change the IP address of an interface that has DDNS configured.

Trigger: Changing the ip address.

Impact: Router reloads.

Workaround: There is no workaround.

CSCsi41769

Symptoms: A PVC that is shut down by OAM may continue to receive and forward traffic. This situation causes problems in an APS 1+1 redundancy configuration in which the standby router has a PVC that is shut down by OAM but continues to receive all traffic.

Conditions: This symptom is observed on a Cisco router that has an ATM port adapter.

Workaround: In an IPv4 configuration, shut down the subinterface manually or enter the ip verify unicast reverse-path command. In an MPLS configuration, shut down the subinterface manually.

CSCsi75001

Symptoms: A router configured for NAT traversal for SIP calls using Cisco IOS SBS may experience a bus error crash.

Conditions: Occurs on a router running Cisco IOS Release 12.4(11)T1 while forwarding user traffic.

Workaround: There is no workaround.

CSCsi78783

Symptoms: Router crashes when auto qos voip is configured on ATM-PVCs. It does not crash when auto qos voip trust or auto qos voip are configured on any interface.

Conditions: Occurs when auto qos voip is configured the first time on any ATM-PVC.

Workaround: Configure auto qos voip on any interface, such as a serial interface, and then configure auto qos voip on the ATM-PVC. Use auto qos voip trust if it is suitable for the network.

Further Problem Description: If auto qos exists in the startup configuration, the issue is not seen. It is seen only when auto qos is configured on an ATM interface of a router that is already up and running.

CSCsj05691

Symptoms: Online insertion and removal (OIR) of PA-MC-T3 PA with Multilink Frame Relay (MFR) configuration may cause a router to crash.

Conditions: Crash is observed only when PA is removed while MFR bundle switching from software to hardware mode or vice-versa.

Workaround: There is no workaround.

CSCsj07189

Symptoms: Entering an snmpget for an object identifier (OID) using the interface index (ifIndex) value of an interface as its index results in an error:

snmpget -c <community> -v1 <device> IF-MIB::ifDescr.92
Error in packet Reason: (noSuchName) There is no such variable name in this MIB. 
Failed object: IF-MIB::ifDescr.92

Conditions: This can occur after port adapters (PA) have been swapped, such as replacing a 4-port PA with an 8-port PA.

Workaround: Use the snmpwalk command to retrieve the IF-MIB values.

CSCsj12867

Symptoms: The following message can be seen after executing the write memory command, even though the version has not been changed.

Router# write memory
Warning: Attempting to overwrite an NVRAM configuration previously written by a different version of the system image. Overwrite the previous NVRAM configuration?[confirm]

The router then restarts with the following traceback:

-Traceback= 6067F3DC 6067FB38 605E3FE8 60686384 605E3FE8 605188BC 60518830 605444D4 60539164 6054719C 605AB65C 605AB648

Conditions: This symptom is observed on a Cisco 7206 VXR (NPE-400) with C7200-IO-FE-MII/RJ45= or C7200-I/O= running the Cisco IOS Release 12.2(24a) interim build.

Workaround: There is no workaround.

CSCsj21785

Symptoms: A Traffic Engineering (TE) tunnel does not re-optimize to explicit path after an MTU change.

Conditions: The TE tunnel is operating via an explicit path. The MTU on the outgoing interface is changed. OSPF is flapped and does not come up because of the MTU mismatch (the MTU is not changed on the peer router). Meanwhile the TE tunnel re-optimizes to a dynamic path-option, as expected. The MTU is then reverted to the previous value, and the OSPF adjacency comes up. The TE tunnel does not re-optimize to the explicit path. Manual re-optimization of the TE tunnel fails as well, and the TE tunnel sticks to the dynamic path.

Workaround: Enter the shutdown command followed by the no shutdown command on the particular interface.

CSCsj27390

Symptoms: A router may crash with an exception while updating OSPF routes.

Conditions: Occurs on a router running a Cisco IOS Release 12.4(15)T release. No other versions are susceptible to this crash.

Workaround: Possible workaround is to disable ISPF under router OSPF. Use with caution, as disabling ISPF has caused a router to crash as well.

CSCsj45148

Symptoms: The Display IE contained in the connect message does not pass through ISDN-to-H323 interworking at the Originating Gateway (OGW).

Conditions: This happens when the call initiator makes a voice call to Path Terminating Equipment (PTE) (a PC simulating a remote device), passing through a VGW and an OGW running Cisco IOS interim Release 12.4(16.9) images.

Workaround: There is no workaround.

CSCsj49349

Symptoms: A Cisco Route Switch Processor can unexpectedly reload and experience a switchover when a Versatile Interface Processor in the same router containing an ATM Port Adapter fails.

Conditions: Conditions are unknown at this time.

Workaround: There is no workaround.

CSCsj81722

Symptoms: A static address may have an aggregate out label in the BGP and MPLS forwarding entry.

Conditions: This symptom is observed when there is a static route in a VRF, a directly connected network is added, and both the static and connected routes are redistributed to BGP. The BGP table will then have the connected prefix, and both the BGP and forwarding entries will match and have the aggregate out label. But when the connected network is shut down, BGP gets the static route, but the out label remains "aggregate."

Workaround: There is no workaround.

CSCsk28784

Symptoms: Policy is not reactivated after adding new members.

Conditions: Occurs on a Cisco 7200 router when LFIoLL and QoS are configured and service policy is in suspend mode.

Workaround: There is no workaround.

CSCsk54061

Symptoms: A "Memory allocation failed atm_vpivci_to_vc" error occurs and the device crashes.

Conditions: Occurs while configuring for ATM-AutoVC or with incoming ATM traffic.

Workaround: There is no workaround.

CSCsk54092

Symptoms: A link-state advertisement (LSA Type 3) may not get flushed from the database when the route is supposed to be included as an LSA Type 5.

Conditions: This symptom is observed when an LSA is changed from type 3 to type 5 on a Cisco router. This is a timing problem between OSPF and BGP. Routes redistributed into OSPF are shown as Type 3 LSAs when the sh ip ospf <process-id> database command is entered, even after the removal of the network command under the router which is advertising these routes. These routes are to be learned via Type 5 LSAs. This problem exists in all branches except Cisco IOS Release 12.2S.

Workaround: Configuring the PE routers in different domains using the domain-id A.B.C.D command can solve the issue.

CSCsk61643

Symptoms: The AFW application IVR causes a memory leak in the Chunk Manager.

Conditions: Occurred on a Cisco AS5400XM running Cisco IOS Release 12.4(15)T1 and Cisco IOS Release 12.4(11)T2.

Workaround: Reload the router.

CSCsk82370

Symptoms: A Catalyst 6000 running Cisco IOS Release 12.2(33)SXH might crash with an address error (load or instruction fetch) exception, CPU signal 10.

Conditions: The crash is observed when crypto is configured on the switch.

Workaround: There is no workaround.

CSCsk82537

Symptoms: About once every 1 or 2 minutes, the value of the delta time found in the responding router in an IP SLA setup is 1 second behind the value it should have. This causes false timeouts, because the RTT is then computed as being around 24 hours. The following output illustrates the problem:

IP SLAs(100) jitter operation: Timed out arrival (rtt=86399012)

For 3 consecutive probes:

ST: 75656998, RT: 75657005, DT: 0, CT: 75657014 => correct
ST: 75658006, RT: 75658009, DT: 0, CT: 75657018 => should be 75658018
ST: 75659006, RT: 75659009, DT: 0, CT: 75658018 => should be 75659018
ST: 75659998, RT: 75660005, DT: 0, CT: 75660014 => correct

Conditions: This has been seen on a Cisco 1812 running Cisco IOS Release 12.4(6)T7.

Workaround: There is no workaround.
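The following is an added example, not part of the Cisco release notes: it reproduces the rtt=86399012 value above from the four probe timestamps and flags the probes whose responder time is behind the sender. It assumes the timestamps are milliseconds since midnight and that the RTT is computed as (CT - ST - DT) modulo one day; that assumption is what reproduces the page's figure exactly.

```python
"""Added example for CSCsk82537 (not Cisco code): show how a responder clock
that is 1 s behind turns into a ~24 h IP SLA round-trip time."""

# Assumption: IP SLA timestamps are milliseconds since midnight, so a probe
# that straddles midnight needs modulo arithmetic to yield a small RTT.
MS_PER_DAY = 24 * 60 * 60 * 1000


def sla_rtt_ms(st, rt, dt, ct):
    """Round-trip time from sender send time (ST), responder receive time (RT),
    responder processing delta (DT) and completion time (CT).
    Assumed formula: (CT - ST - DT) mod MS_PER_DAY."""
    return (ct - st - dt) % MS_PER_DAY


def one_way_ms(st, rt):
    """Source-to-destination delay (RT - ST) with the same midnight handling.
    Used to show the receive side is fine while the completion time is off."""
    return (rt - st) % MS_PER_DAY


def looks_like_clock_skew(st, rt, dt, ct, timeout_ms=5000):
    """Flag a probe whose RTT is implausible: if the responder's clock is behind,
    CT < ST, and the modulo turns the small negative difference into a value just
    under a full day. A genuine midnight wrap gives a small positive RTT instead."""
    rtt = sla_rtt_ms(st, rt, dt, ct)
    return rtt > timeout_ms and (MS_PER_DAY - rtt) < timeout_ms


# Constructed from the probe lines quoted in the caveat (ST, RT, DT, CT).
PROBES = [
    (75656998, 75657005, 0, 75657014),  # correct
    (75658006, 75658009, 0, 75657018),  # CT should be 75658018
    (75659006, 75659009, 0, 75658018),  # CT should be 75659018
    (75659998, 75660005, 0, 75660014),  # correct
]


def analyse(probes):
    """Return (rtt_ms, one_way_ms, skew_suspected) for each probe."""
    return [(sla_rtt_ms(*p), one_way_ms(p[0], p[1]), looks_like_clock_skew(*p))
            for p in probes]


if __name__ == "__main__":
    for probe, (rtt, one_way, skew) in zip(PROBES, analyse(PROBES)):
        print(f"ST={probe[0]} CT={probe[3]} rtt={rtt} one_way={one_way} skew={skew}")
```

The second and third probes yield rtt=86399012 while their one-way delay (RT - ST) is only 3 ms, which isolates the fault to the completion timestamp rather than to the forward path.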

CSCsk86150

Symptoms: When EIGRP goes down, BGP installs the major network in the routing table. When EIGRP comes up again, it installs the subnet routes in the routing table, while the BGP major network remains in the routing table. Also, the BGP local source route is not installed in BGP table.

Conditions: Occurs on routers running Cisco IOS Release 12.4(10b) and 12.4(13c) Enterprise Services images.

Workaround: Reconfigure the network command.

CSCsk86596

Symptoms: The following traceback is seen when the NAT port-map feature is used:

%SYS-3-INVMEMINT: Invalid memory action (free) at interrupt level, -Traceback= 
0x60DCF214 0x600DE678 0x62444240 0x61400E0C 0x61423574 0x60162C2C 0x601411B8 
0x6012EE48 0x60125008 0x60873574 0x60876730 0x6086F158 0x6030A9B0 0x60947FB8 
0x60950810

Conditions: This traceback is seen when packets match port-map configuration.

Workaround: Disable CEF on the inside interface with the no ip route-cache cef command.

CSCsl08480

Symptoms: The following error message is seen, followed by a device crash: Memory allocation failed atm_vpivci_to_vc

Conditions: Observed with incoming ATM traffic.

Workaround: There is no workaround.

CSCsl22080

Symptoms: WebVPN hangs after a few days of working. When this happens, no WebVPN connections are active and no new connections can be established. The debug ip tcp transaction command shows connection queue limit reached: port 443 errors. The show tcp brief command displays many sessions in SYNRCVD and TIMEWAIT states. Problem is recovered either by reload or by entering the clear tcp tcb * command. There are few stale sessions in CLOSED state left after clearing TCP.

Conditions: The issue is seen in Cisco IOS Release 12.4(15)T and Cisco IOS Release 12.4(15)T1 when WebVPN is configured. The issue is intermittent and happens after a few days or weeks of operation.

Workaround: To restore TCP connectivity, issue clear tcp tcb * or reload the router. Note that this will clear all TCP sessions on the router.

CSCsl78850

Symptoms: When the WAN is restored between a MGCP/SRST gateway and CallManager, MGCP gateway intermittently fails to register back with CallManager.

Conditions: Connectivity to the CallManager from Gateway is stopped. When gateway goes in SRST, a PSTN call is placed to a phone that registers with the gateway. Then WAN connectivity is restored. MGCP has one primary call-agent and two redundant hosts configured.

Workaround: Reload the gateway.

Further Problem Description: When the gateway is in this "stuck" state of not registering with the CallManager, if "no ccm-manager mgcp" is configured, it does not take effect, and "no ccm-manager redundant-host ..." also does not take effect. The following error message is displayed: "cmapp_service_emptying_redun_hostlist: Error: cannot execute CCM host change -- must configure again!"

CSCsl82024

Symptoms: AnyConnect does not work on Cisco 870 and Cisco 1800 routers. The client gets downloaded, and dialog states that the connection has been established. Nevertheless, the IP address has not been assigned, and the connection is actually not established. WebVPN works fine, as well as configuration with SCV.

Conditions: Occurs when SSL VPN is configured with AnyConnect on Cisco 871 and Cisco 1800 routers running Cisco IOS Release 12.4(15)T1.

Workaround: Either disable hardware crypto and use only software crypto, or change the SSL encryption in the "webvpn gateway" configuration as follows:

webvpn gateway gateway_1 ssl encryption rc4-md5

CSCsl83415

Symptoms: After executing the following CLI (steps mentioned alphabetically) via a script (not reproducible manually), the router sometimes crashes:

Test10 : 
a. clear ip bgp 10.0.101.46 ipv4 multicast out 
b. clear ip bgp 10.0.101.47 ipv4 multicast out 
Test 1:
c. show ip bgp ipv4 multicast nei 10.0.101.2 
d. show ip bgp ipv4 multicast [<prefix>] 
e. config t

The crash does not happen in any of the following cases:

1. If the same CLI is cut and pasted manually, there is no crash.

2. If the clear command is not executed, there is no crash.

3. If config term is not entered, there is no crash.

Conditions: The symptom occurs after executing the above CLI.

Workaround: There is no workaround.

CSCsl97050

Symptoms: CNS Zero Touch Frame Relay functionality is broken.

Conditions: The configuration command discover dlci is unable to return a list of active DLCIs.

Workaround: There is no workaround.

CSCsm04442

Symptoms: Delete an interface which has ip summary-address rip configured. The router crashes.

Conditions: Occurs when different summary addresses are configured on different interfaces and the deleted interface carries the last remaining ip summary-address rip configuration for that summary address.

Workaround: Remove the ip summary-address rip configuration from an interface which is going to be deleted.

CSCsm05625

Symptoms: Router crashes when IP flow ingress is enabled under interfaces.

Conditions: The crash happens on routers running a pre-release version of Cisco IOS Release 12.4T.

Workaround: Disabling netflow prevents the router from crashing.

CSCsm08291

Symptoms: Virtual access interfaces flap, and the following error message is displayed: %SYS-2-BADSHARE: Bad refcount in datagram_done.

Conditions: Occurs on a Cisco 7206VXR with NPE-G2 running Cisco IOS Release 12.4(11)T1.

Workaround: There is no workaround.

CSCsm08398

Symptoms: A negative number is displayed in the output of the show ip nat translation command and in rate limiting. The limit-entry option fails because of the huge number of entries shown in ip nat statistics.

Conditions: In some situations the show ip nat statistics entry count goes negative, which NAT displays as a huge number. The limit-entry feature consults this count to decide when to stop NAT translation; when the count is negative, limit-entry stops NAT from performing translations.

Workaround: There is no workaround.

CSCsm17110

Symptoms: When setting the "FlipAddr" attribute in an IPS signature, one expects the attacker and victim TCP/IP addresses to be swapped. This is not occurring as expected and signature actions will be created against the improper TCP/IP address.

Conditions: Edit an IPS signature and set the "FlipAddr" attribute to True. Receive traffic that should cause the edited signature to fire. If a deny action is configured, the destination/victim TCP/IP address will be used instead of the expected source/attacker TCP/IP address.

Workaround: There is no workaround.

CSCsm17879

Symptoms: After putting the onboard GE0/0-1 interfaces into promiscuous mode, they still will not accept packets with destination MAC other than the broadcast and the interface MAC.

Conditions: This affects the onboard GE interfaces only.

Workaround: Use FE/GE ports from a module to achieve this, if available.

CSCsm26130

Symptoms: When removing a subinterface from the configuration that contains an IP address that falls into the major net of the static route, the static route is no longer injected into the BGP table. Since the route is not in the BGP table, it is not advertised to any peers.

Conditions: This symptom is observed with auto-summary enabled in BGP. A static summary route is configured to null0 and is injected into the BGP table with a network statement.

Workaround: There are four possible workarounds:

1. Use an "aggregate-address" configuration instead of the static route to generate the summary.

2. Remove auto-summary from the BGP process.

3. Enter the clear ip bgp * command.

4. Remove and reconfigure the BGP network statement for the summary route.

CSCsm26610

Symptoms: A router with a QoS policer applied on the physical interface crashes after traffic starts. Subsequent crashes occur even after the router is reloaded and when the traffic rate is very low.

Conditions: Occurs when 1000 IPSec tunnels are built on the same physical interface configured with the policer. This is specific to Cisco 7200 routers with NPE-G2 processors. This issue is not seen on Cisco 7200s with NPE-G1s or NPE-400s.

Workaround: There is no workaround.

CSCsm28649

Symptoms: An IP-IP gateway acting as an SBC to route SIP traffic does not handle SIP REFER properly if configured to handle the SIP REFER locally.

Conditions: Occurs on a Cisco AS5400Xm configured as an IP-IP gateway to route traffic from a SIP trunk to the MeetingPlace network. By default it forwards the REFER towards the other peer (SIP trunk) which is not supported by the peer. However if configured to handle the SIP REFER locally (by adding a no supplementary-service sip refer in the voice service voip section), then it:

1. Truncates the called number received in the Refer-to header at the first non-numeric character.

2. Routes the corresponding INVITE to the wrong host: a) it either sends it to the same host from which the REFER was received, or b) if a dial-peer is defined for the called/transfer number pattern, it uses the destination in this dial-peer.

This causes RSNA transfers in the MeetingPlace environment involving multiple MeetingPlace servers to fail.

Workaround: There is no workaround.

CSCsm54873

Symptoms: Embedded Event Manager (EEM) rules may not trigger properly when performing SIP OIR.

Conditions: EEM applet policies that interact with the IOS CLI through the CLI action, and EEM Tcl policies that use the CLI library, may not interact properly when triggered. Incorrect sequencing with the IOS CLI may occur when the policies are triggered, resulting in the IOS CLI commands not being invoked.

This problem exists on all shipped versions of IOS XE.

Workaround: There is no workaround.

Further Problem Description: This can impact customers that use the Embedded Event Manager with EEM applets or policies that interact with the CLI.

It was seen on the ASR platform and other platforms when "sched heapchecks process" was enabled. A timing issue can cause EEM action CLI commands to not coordinate with the IOS exec properly.

The SIP2 is probably related to the ASR platform. An OIR event is used to trigger the specific EEM policy. This should occur with any EEM type policy however.

SXF is not impacted by this bug.

CSCsm61105

Symptoms: The router can crash due to a bus error. The crash is seen after repeatedly removing virtual-template interfaces under ATM.

Conditions: The crash is seen under the following conditions:

1. Bring up nearly 3000 PPPoE and PPPoEoA sessions.

2. Configure no interface virtual-template <no> under ATM interfaces.

Repeating Step 2 continuously will cause a crash.

Workaround: There is no workaround.

CSCsm65445

Symptoms: IVR prompt playback is garbled.

Conditions: Occurred after the audio-prompt load command was used to load a file from flash into memory.

Workaround: A router reload will correctly load the prompt file.

CSCsm72482

Symptoms: CPUHOG messages due to watchdog timeout are seen when empty ACLs are configured:

Feb 10 04:37:04.242: %SYS-3-CPUHOG: Task is running for (124000)msecs, more than (2000)msecs (7/1),process = CEF Reloader. -Traceback= 0x21E6D0D0 0x21CF1324 0x203353AC 0x20335390
Feb 10 04:37:06.242: %SYS-3-CPUHOG: Task is running for (126000)msecs, more than (2000)msecs (7/1),process = CEF Reloader. -Traceback= 0x21E6D0C0 0x21CF1324 0x203353AC 0x20335390
Feb 10 04:37:08.242: %SYS-3-CPUHOG: Task is running for (128000)msecs, more than (2000)msecs (7/1),process = CEF Reloader. -Traceback= 0x21E6D0C0 0x21CF1324 0x203353AC 0x20335390

Conditions: This issue is seen when ACLs are configured but do not contain any statements.

Workaround: Remove ACLs that are empty.

CSCsm76194

Symptoms: When a client connects to the router's web page, authentication and authorization are successful, and then ACS starts accounting. When the user logs in, the router sends a correct accounting start request, but when the user is disconnected, the accounting stop request does not include the username field. The router sends the RADIUS information to ACS, but the request contains no user-name attribute. On the ACS the disconnection is logged as "user=.."

Conditions: Occurred on a router configured with SSLVPN and when performing AAA with ACS via RADIUS. If the user is connecting via telnet, the stop-accounting works as expected.

Workaround: There is no workaround.

CSCsm91525

Symptoms: Router may crash during certain types of traffic when IPS is enabled.

Conditions: Occurs on routers running IOS IPS with traffic requiring TCP resets to be sent.

Workaround: There is no workaround.

CSCsm96833

Symptoms: A router may crash when a multicast packet is forwarded on a tunnel interface.

Conditions: Occurs when multicast routing and egress NetFlow are enabled. This is a platform-independent bug.

Workaround: Disable egress netflow on the tunnel interface.

CSCsm99638

Symptoms: Intermittent hung calls are seen in large numbers on a Cisco AS5400XM with AS5X-FC that handles a large volume of calls.

Conditions: Occurs with calls which are requested as a DSP-less hairpin. This is because DSP-less TDM hairpin calls are not supported on the Cisco AS5400XM with AS5X-FC.

Workaround: Block this type of call at the software level.

CSCso00801

Symptoms: After tuning IOS IPS signatures via CSM or SDM and deploying the changes, IOS IPS show commands display the change, but newly applicable traffic is not detected.

If three separate updates to service-ports and regular expressions are applied successively, the device may crash.

Conditions: Occurs when the user tunes IOS IPS signatures, modifying the service-ports parameter, and deploys the change. To confirm the change, the user issues the show ip ips sig sig SIG_ID subid SUB_ID command on the IOS device. The command output contains the new value; however, newly applicable traffic that should now cause this signature to fire does not. Any originally applicable traffic that matches the original values still causes the signature to fire.

This behavior will continue until the device is reloaded.

Workaround: Retiring and un-retiring the altered signature will cause the changes to take effect. To prevent crashes, apply the delta updates in one update rather than in multiple ones.

You can also remove IOS IPS configuration from all interfaces, then re-apply IOS IPS configuration back to interfaces.

CSCso03424

Symptoms: Group member (GM) goes into re-registration loop.

Conditions: Occurs when only deny ACLs exist in a security association (SA) in a group.

Workaround: Add at least one permit ACL in all SAs in a group.

CSCso05337

Devices that are running Cisco IOS Software and configured for Mobile IP Network Address Translation (NAT) Traversal feature or Mobile IPv6 are vulnerable to a denial of service (DoS) attack that may result in a blocked interface.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

CSCso05771

Symptoms: When clearing the first entry of local domain lists with similar entries, the router crashes if show run is entered.

Conditions: Occurs with routers configured with a domain list similar to this example:

ip urlfilter exclusive-domain permit www.cisco112.com 
ip urlfilter exclusive-domain permit www.cisco186.com
ip urlfilter exclusive-domain permit www.cisco173.com
ip urlfilter exclusive-domain permit www.cisco21.com
ip urlfilter exclusive-domain permit www.cisco194.com 
ip urlfilter exclusive-domain permit www.cisco78.com
ip urlfilter exclusive-domain permit www.cisco124.com

If the following command is entered: no ip urlfilter exclusive-domain permit www.cisco112.com

The router crashes when show run is entered.

Workaround: Do not delete the first entry in similar domain lists.

CSCso07514

Symptoms: The call drops if both IPPhone1 and IPPhone2, with CUBE (IPIPGW) in between, are put on hold and then resumed.

Conditions: Occurs when CUBE (IPIPGW) is configured for H323-H323 interworking with CallManager or CVP. If the phones at both ends are put on hold and then resumed, CUBE sends a TCS Reject and drops the call.

Workaround: Configure the h245 passthru all command under "voice service voip" as follows:

voice service voip
 h323
  h245 passthru all

CSCso14546

Symptoms: Users cannot tune IPS signatures that start with 61.

Conditions: Occurs when the following steps are performed:

1. Configure IPS 5.x on a router.

2. Edit an event action for a signature whose signature ID starts with 61 and which has more than one subsignature ID.

3. Generate IPS XML files using SDM/CP.

4. The updated event action is missing in the XML file for the corresponding signatures.

5. The <var name="event-action">xxxxx</var> tag is missing for the signature ID.

Workaround: There is no workaround.

CSCso20810

Symptoms: A buffer leak may occur when a router is configured with the combination of NAT, multicast and encryption. Occurs when multicast subsequently flows out a crypto-enabled interface.

Conditions: This bug affects only those users whose routers are part of a multicast group. They must also have NAT and crypto configured on one or more of the interfaces in the multicast group.

Workaround: Multicast traffic can be forwarded via a GRE tunnel instead of in the clear.

CSCso21432

Symptoms: Router fails to send out secondary DNS requests when the primary DNS server is down.

Conditions: Occurred on a Cisco 1841 running 12.4(15)T3. The router forwards DNS requests to the primary server as expected. However, the router fails to send requests to the secondary server after the primary DNS goes down.

Workaround: Configure the router to act as a DNS forwarder as follows:

1841(config)#ip dns view default
1841(cfg-dns-view)#dns forwarder <primary dns ip>
1841(cfg-dns-view)#dns forwarder <secondary dns ip>

Then configure PCs to send DNS requests to the affected router for forwarding.

CSCso21611

Symptoms: Device crashes due to memory allocation issue.

Conditions: Observed on Cisco 7200, but this is not a platform-specific bug.

Workaround: There is no workaround.

CSCso32814

Symptoms: Bytes value in show policy-map session output is zero on LAC router.

Conditions: Occurs on a Cisco 7200 router running Cisco IOS Release 12.4(19.9)T1.

Workaround: There is no workaround.

CSCso36664

Symptoms: Router crashes while removing the match criteria for class-map.

Conditions: Occurs on a Cisco 7200 router running Cisco IOS Release 12.4(19.10)T.

Workaround: There is no workaround.

CSCso39964

Symptoms: The router hangs when attempts are made to modify pure ACL configuration while traffic is still flowing.

Conditions: Occurs on routers running Cisco IOS Release 12.4(15)T4. The router returns to normal if the traffic is stopped.

Workaround: There is no workaround.

CSCso44547

Symptoms: Router crashes while accessing non-functional Common Internet File System (CIFS) server that is configured in WebVPN NetBIOS Name Service (NBNS) list.

Conditions: Occurs only with a non-functional CIFS server.

Workaround: Configure functional NBNS servers.

CSCso44593

Symptoms: A router with VSA may crash while booting.

Conditions: Occurs when the startup configuration has group domain of interpretation (GDOI) crypto map applied on the interface.

Workaround: Copy the configuration after the router is booted.

CSCso45508

Symptoms: Fragmented multicast rekeys and pings are not acknowledged by a multicast receiver.

Conditions: Occurs when fragmented multicast packets are received on a multicast receiver interface with crypto map attached.

Workaround: There is no workaround.

CSCso47788

Symptoms: A customer is initially running a 6xT1 MLP bundle using three VWIC-2MFT-T1 modules in slot 0 of a Cisco 3825 router. The customer runs both voice and data over this MLP link with QoS (LLQ/CBWFQ) applied to the multilink. The MLP circuit is connected to an MPLS network. The customer has fragmentation disabled on the multilink.

The issue occurs when the customer adds a 7th and/or 8th T1 to the MLP bundle, connected in slot 2 (VWIC2-2MFT-T1/E1). The customer sees increased latency and jitter using extended pings over the MLP bundle.

Conditions: Occurs on a Cisco 3825 running the c3825-spservicesk9-mz.124-7b Cisco IOS image and using a VWIC2-2MFT-T1/E1 module installed in slot 2 (NM-HDV2-2T1/E1).

Workaround: Manually configure tx-ring-limit 2 under the serial interfaces residing on the VWIC2-2MFT-T1/E1.

CSCso61743

Symptoms: Router crashes when stcapp is disabled, stcapp ccm-group is removed from configuration, and then stcapp is re-enabled.

Conditions: Occurred on Cisco 2691 and Cisco 3745 routers running Cisco IOS Release 12.4(15)T05. Can also occur on other platforms running this Cisco IOS release. Can also occur if stcapp is disabled and the user attempts to enable stcapp but stcapp fails to start for any reason.

Workaround: There is no workaround.

CSCso63102

Symptoms: Numerous bad enqueue errors appear on the console, resulting in a reload of the Cisco 2800 or Cisco 1800 router.

Conditions: Occurs when the router has IPSec and GRE configuration with tunnel route-via Serial0/0/0 mandatory command on the tunnel interface.

Workaround: Avoid using the tunnel route-via command.

CSCso65148

Symptoms: Group member crashes after running for 8-10 hours.

Conditions: Occurs in the rare condition that a re-registration happens at the same time as the re-key is being processed.

Workaround: There is no workaround.

CSCso66862

Symptoms: The router crashes due to a bus error. The crash is seen after repeatedly removing virtual-template interfaces under ATM.

Conditions: The crash is seen under the following conditions.

1. Bringing up nearly 3k PPPoE and PPPoEoA sessions.

2. Configuring no interface virtual-template <no> under ATM interfaces.

Repeating Step 2 continuously will cause a crash.

Workaround: There is no workaround.

CSCso68864

Symptoms: Shape peak percent and absolute value calculations are wrong while attaching policy-map to interface.

Conditions: Occurs when policy-map is attached to interface.

Workaround: There is no workaround.

CSCso69566

Symptoms: QoS police statistics include the encryption header in the packet byte count even if pre-classify is configured.

Conditions: Seen with QoS pre-classify and VSA. In this case the police counters indicate the wrong byte counts.

Workaround: Disable QoS pre-classify, since classification is then done after encryption.

CSCso94780

Symptoms: Router crashes after changing matching criteria, as shown in the following example:

7301D#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
7301D(config)#class-map myclass6
7301D(config-cmap)#no match ip prec 6
7301D(config-cmap)#match ip dscp cs6
%ALIGN-1-FATAL: Corrupted program counter 20:48:36 UTC Wed Apr 23 2008 pc=0x6CFFFFB0 , ra=0x625BBA54 , sp=0x66270000
%ALIGN-1-FATAL: Corrupted program counter 20:48:36 UTC Wed Apr 23 2008 pc=0x6CFFFFB0 , ra=0x625BBA54 , sp=0x66270000
20:48:36 UTC Wed Apr 23 2008: TLB (load or instruction fetch) exception, CPU signal 10, PC = 0x6CFFFFB0

Conditions: The above symptom is observed on Cisco 7200 and Cisco 7301 routers.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(15)T4

Cisco IOS Release 12.4(15)T4 is a rebuild release for Cisco IOS Release 12.4(15)T. The caveats in this section are resolved in Cisco IOS Release 12.4(15)T4 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Miscellaneous

CSCee56988

Symptoms: High CPU usage occurs on a Cisco 7301, and the following error message and traceback are generated:

%TCP-2-INVALIDTCPENCAPS: Invalid TCB encaps pointer: 0x0 -Process= "L2X SSS manager", 
ipl= 0, pid= 69 -Traceback= 0x606E43DC 0x60B9FAC8 0x60BA11C4 0x619F502C 0x619F4A2C 
0x619F4D34 0x619F35C4 0x619F4FF4 0x619F6820 0x619F5ED8 0x619F6350 0x619CA1F4 
0x619CA6C4 0x619D2524 0x619CABB4 0x619CAFA0

Conditions: This symptom is observed on a Cisco 7301 that runs Cisco IOS Release 12.4(5b) with PPTP/VPDN connections after, on a connected platform, rate limiting is changed to MQC policy-based limiting of the bandwidth. Note that the symptom may be release-independent.

Workaround: There is no workaround.

CSCsa65314

Symptoms: Inbound calls on an MGCP-controlled CAS trunk may fail to complete, and the calling party hears dead air. When this occurs, it persists on that particular timeslot of the digital trunk until manual intervention takes place to correct it.

Conditions: This has been found to occur at times on Cisco IOS VoIP gateways with CAS trunks configured from MGCP back to Cisco Unified CallManager (CUCM/CCM). An inbound call on a timeslot that is in this state will show the vtsp state in show voice call summary as S_DIGIT_COLLECT and will not progress past this point.

One source of this issue has been a mismatch between the status of the timeslot on the CallManager and on the gateway. For example, the CallManager may indicate that the channel is out of service (OOS) while the gateway has the status of this timeslot as in-service (idle). Please refer to CSCef58219, which has been seen to lead to this state. If this issue is being seen because of this difference in status between the CallManager and the IOS gateway, the recommended action is to upgrade the CallManager to a release that contains the fix for CSCef58219.

Workaround: The only known workaround to prevent this issue from occurring is to use H323 instead of MGCP with CAS trunks.

Once in this state, to recover the timeslots you can:

1. Enter the shutdown command and then the no shutdown command on the voice port.

2. When multiple channels are stuck, enter no mgcp and then mgcp.

CSCsg16778

Symptoms: A router may reload when Border Gateway Protocol (BGP) neighbor statements are removed from the configuration.

Conditions: This symptom is observed in rare circumstances on a Cisco router when BGP neighbors are removed very quickly by a script at a much faster rate than manually possible and when a large BGP table is already present on the router before the script adds and removes the BGP neighbors.

Workaround: There is no workaround.

Further Problem Description: If you manually remove the BGP neighbors, it is less likely that the symptom occurs.

CSCsi09549

Symptoms: CPU HOG messages are displayed, and phones are deregistered.

Conditions: This symptom is observed very rarely when music on hold (MoH) is configured to be played from flash. Specifically, this symptom is observed under either of the following two conditions:

1. When polling ciscoFlashMIB.

2. When playing MoH for more than 30 minutes and also once during a h/w conference.

Workaround: The system will recover by itself after some time. Formatting flash: will also solve the issue temporarily.

CSCsi39799

Symptoms: Incomplete HAPI bundle warning message occurs when removing tunnel-protection profile from tunnel interface.

Conditions: Occurs after adding tunnel protection to a tunnel interface and then removing it.

Workaround: There is no workaround.

CSCsj64731

Symptoms: EIGRP neighbor relationship fails to establish between two routers connected directly.

Conditions: Occurs on a Cisco 2800 series router configured for Dynamic Multipoint VPN (DMVPN).

Workaround: Choose one of the following options:

1. Disable CEF.

2. Disable the on-board crypto engine and use either software crypto or the AIM crypto engine.

CSCsj94902

Symptoms: Softkey label is corrupted on Cisco 7905 and Cisco 7960 IP phones.

Conditions: Occurs with Cisco Unified Communications CallManager Express 4.2(1) and when IP phone is configured for Japanese language.

Workaround: There is no workaround.

CSCsk16618

Symptoms: Cisco 870 router is missing usbflash commands.

Conditions: Occurs on a Cisco 870 router running Cisco IOS Release 12.4(16) and Cisco IOS Release 12.4(16)T.

Workaround: There is no workaround.

CSCsk42759

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the Cisco IOS device.

Cisco has released free software updates that address these vulnerabilities. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities addressed in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself, if administrators do not require the Cisco IOS device to provide voice over IP services.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml.

CSCsk42985

Symptoms: On a 1841/WIC-1/WIC-1B-U-V2/c1841-adventerprisek9-mz.124-13c combination (hereafter UUT), 180 seconds after the BRI interface successfully dials the HUB PRI, 1/2 of the PING packets sent from HUB routers through the UUT to a device on the FastEthernet of the UUT fail in the CEF switching path.

180 seconds after the ISDN Call from UUT successfully dials HUB PRI, "show adj vi1 internal" changed from point2point(21) to point2point(20) (incomplete) which coincides exactly with the PING failure. It also coincides with the CEF refresh timer triggering.

The direction of the failure is UUT--->HUB router with packets being dropped as "encapsulation failed" in "show ip traffic".

Conditions: The issue has been reproduced on a 1841/WIC-1/WIC-1B-U-V2 using legacy DDR on the BRI interface. The issue is also reproducible in Cisco IOS 124-16.14.

The issue is NOT reproducible on a 1720/WIC-1B-U/c1700-sy-mz.122-40 combination.

Workaround: Disable CEF switching by configuring "no ip route-cache cef" on BRI0/1/0 and Fa0/1 on "nhtest2".

CSCsk47116

Symptoms: Cisco 2811 router acting as a Dynamic Multipoint VPN (DMVPN) hub will corrupt multicast packets sent from spoke to spoke through the hub.

Conditions: The symptom is seen when there are at least three spoke sites with receivers and senders on the same multicast group.

Workaround: Disable hardware encryption on the Cisco 2811.

CSCsl04516

Symptoms: A Cisco router may experience the following errors:

Jan 11 07:06:58: %TCP-2-INVALIDTCB: Invalid TCB pointer: 0x476292F0 -Process= "Skinny Socket Server", ipl= 0, pid= 260 -Traceback= 0x41259724 0x41A50418 0x41A54754 0x41A28134 0x41A2AFA4 0x41A2F30C 0x4095AB80 0x4095B5F4 0x423CD6E4 0x423CD6C8
Jan 11 07:06:58: %TCP-2-INVALIDTCB: Invalid TCB pointer: 0x476292F0 -Process= "Skinny Socket Server", ipl= 0, pid= 260 -Traceback= 0x41259724 0x41A50418 0x41A54754 0x41A28134 0x41A2AF24 0x41A2F30C 0x4095ABA4 0x4095B5F4 0x423CD6E4 0x423CD6C8

Phones running over secure channels will have registration problems.

Conditions: Occurs on a Cisco 2821 router running Cisco IOS Release 12.4(18).

Workaround: There is no workaround.

CSCsl10489

Symptoms: Optimized Edge Routing (OER) feature may choose an exit with a lower Mean Opinion Score (MOS) when current exit has a better MOS. It does not consider the current exit when it selects the best exit based on MOS.

Conditions: Occurs when MOS is configured as Priority 1 in the OER policy rules for a certain application.

Workaround: There is no workaround.

CSCsl24858

Symptoms: Cisco 7200 router with PA-VXC/B may go into "hang" state and fail to respond to console.

Conditions: Occurs on a Cisco 7200 router with PA-VXC/B and configured for active calls over the PA.

Workaround: There is no workaround.

CSCsl36320

Symptoms: Router crashes after Network Based Application Recognition (NBAR) configuration has been changed with a command like ip nbar custom. The following error message is displayed:

%SYS-3-CPUHOG: %SYS-2-WATCHDOG: Process aborted on watchdog timeout

Conditions: Occurred on a Cisco 2811 router running the c2800nm-advipservicesk9-mz.124-11.T3.bin image.

Workaround: There is no workaround.

CSCsl38029

Symptoms: After several thousand virtual private dial-up network (VPDN) sessions are created and torn down successfully, the router cannot create any new sessions. Either the L2TP Access Concentrator (LAC) or the L2TP Network Server (LNS) may fail with error message "VPDN Failed to obtain session handle." This error message will be seen only when you enable the debug l2tp error command.

Conditions: The maximum number of successful sessions before failure varies by platform.

Workaround: Reload the router.

CSCsl61416

Symptoms: Certain prompts will not play properly. Dead air is heard and call disconnects.

Conditions: Occurs on a Cisco AS5350 acting as a VXML gateway in an IPCC environment and running Cisco IOS Release 12.4(7)b using streaming prompts.

Workaround: Turn off streaming mode. Reloading the gateway temporarily fixes the issue.

CSCsl62609

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the Cisco IOS device.

Cisco has released free software updates that address these vulnerabilities. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities addressed in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself, if administrators do not require the Cisco IOS device to provide voice over IP services.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml.

CSCsl70143

Symptoms: Under heavy traffic, ISDN calls may be rejected due to high CPU usage with the following messages seen in the log (with tracebacks):

%IVR-3-LOW_CPU_RESOURCE: IVR: System experiencing high cpu utilization (98/100). Call (callID=23524) is rejected.
%SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (32/18),process = ISDN.

Conditions: This problem occurs only under heavy traffic.

Workaround: There is no workaround.

CSCsl70722

Symptoms: A router running Cisco IOS may crash due to watchdog timeout.

Conditions: Occurs when IP SLA probes are configured and active for a period of 72 weeks. After this much time has passed, polling the rttmon mib for the probe statistics will cause the router to reload. Then the problem will not be seen again for another 72 weeks.

Workaround: There is no workaround.

CSCsl76647

Symptoms: The clear crypto isakmp command deletes SAs with connection IDs from 0 to 32766. An SA created with the VPN SPA has a connection ID higher than 32766 and therefore cannot be deleted individually.

Conditions: This symptom occurs when SA is established using the VPN SPA.

Workaround: There is no workaround.

CSCsl87400

Symptoms: The H.323 SETUP message is malformed after NAT translation.

Conditions: Setup message includes the neededFeatures, desiredFeatures, supportedFeatures extensions.

Workaround: Do not use the extensions listed above.

CSCsl89425

Symptoms: Bidirectional Forwarding Detection (BFD) sessions do not scale. This symptom is especially visible with the OSPF client when one of the peers is rebooted after the maximum number of BFD sessions has been configured.

Conditions: Occurs when the maximum number of BFD sessions is configured, or when the total number of BFD sessions is too close to the maximum limit.

Workaround: Configure 90% of maximum allowed BFD sessions.

CSCsm03080

Symptoms: Initialization of the encryption card causes traceback on the router.

Conditions: Occurs after installing a Cisco IOS Release 12.4(18.4)T image on the Cisco 7200. The NPE G2 causes the router to crash with a traceback. Shutting down the internal encryption module also causes the traceback.

Workaround: There is no workaround.

CSCsm07760

Symptoms: Router at ROMmon prompt fails to recognize image in slot.

Conditions: Occurred on a router that was upgraded to an internal version of 12.4T.

Workaround: There is no workaround.

CSCsm08085

Symptoms: During performance testing, expected throughput is not achieved when doing QoS marking based on ACL classification.

Conditions: Occurred on a router running Cisco IOS Release 12.4(15)T.

Workaround: There is no workaround.

CSCsm17314

Symptoms: A router may experience a large buffer leak.

Conditions: Occurs when WebVPN is configured.

Workaround: There is no workaround.

CSCsm17414

Symptoms: When prompts are being played, the barge-in type-ahead feature works intermittently. During the menu playout, the user makes a selection that should stop the rest of the menu from being played, but the menu playout does not stop. Once the menu finishes, the prompt accepts the correct digit.

Conditions: Occurred in the Cisco Customer Voice Portal (CVP) VXML application running on Cisco IOS Release 12.4(15)T1. CVP version was 3.1 SR2. CVP VXML Server and Studio 3.1. ICM 7.0 SR4 ES42.

Workaround: Combine two prompts into one.

CSCsm17767

Symptoms: On a gateway configured for ISDN Non-Facility Associated Signaling (NFAS) with a primary and backup D channel, both the primary and backup D channel interfaces may be marked "OUT OF SERVICE" if the gateway sends the first "in-service" message during a D channel switchover.

Conditions: This only occurs when the gateway sends the first ISDN service messaging indicating that it is bringing the backup D channel in service. If the peer sends the message first, the switchover is completed successfully.

Workaround: There is no workaround.

CSCsm24671

Symptoms: Recordings are not saved and a VXML server port is hung until timeout.

Conditions: This occurs when an input element is used prior to the recording element, and the user hangs up during recording. Occurs in CVP 4.0(2) using Cisco IOS Release 12.4(15)T. The problem is not seen in Cisco IOS Release 12.4(6)XT.

Workaround: There is no workaround.

CSCsm33411

Symptoms: Static virtual tunnel interface (VTI) IPv6 failed to create IPsec security associations during quick mode (QM) negotiation. It reports that the IPSec local address is incorrect, but in fact that local address is correct.

Conditions: Occurs when static VTI IPv6 is configured on the router and IPv6 address has been used as local IPSec endpoint address.

Workaround: There is no workaround.

CSCsm40779

Symptoms: On a PowerPC router, the startup configuration size becomes zero, and the router goes to startup configuration on reboot. As a result, the contents of NVRAM are erased on a reload. The bug is hardware dependent.

Conditions: Occurs only on routers equipped with PowerPC processors and 2MB or more of NVRAM. This issue is caused by large configuration files over 500KB. The likelihood of encountering the issue can be checked by entering the dir nvram: command and looking for a startup configuration file size of zero.

Workaround: There is no workaround.

CSCsm45113

Symptoms: A router may install duplicate routes or an incorrect route netmask into the routing table. This can happen with any routing protocol. The problem is introduced by CSCsj50773. See the Integrated-in field of CSCsj50773 for affected images.

Conditions: The problem is triggered by SNMP polling of ipRouteTable MIB. The clear ip route * command can restore the route table until next polling of ipRouteTable MIB.

Workaround: Do not poll the ipRouteTable MIB. Instead, poll its newer replacement, the ipForward MIB. The ipRouteTable MIB was replaced by the ipForward MIB in RFC 1354.

CSCsm46203

Symptoms: High CPU usage occurs when setting up IPSec tunnels using signature authentication.

Conditions: Occurs on a Cisco 7200 with a VSA accelerator used to perform a large number of signature (RSA) operations.

Workaround: Switch to a pre-shared key method for IKE authentication.

Further Problem Description: Occurs because the VSA card is not used to accelerate RSA operations. Instead those operations are performed in software, which increases CPU usage.

CSCsm46227

Symptoms: Cisco 3845 may crash when there is an incoming trunk call.

Conditions: Occurs if the shared trunk DN is monitored by a FXO port and it is call-forwarded to another trunk DN with "call-forward all".

Workaround: There is no workaround.

CSCsm48415

Symptoms: Cisco Customer Voice Portal (CVP) does not release the port if a user hangs up during database look up.

Conditions: Occurs with the following software configurations:

- CVP 3.0 and Cisco IOS Release 12.4(3g)

- CVP 4.1 and Cisco IOS Release 12.4(15)T

Workaround: There is no workaround.

CSCsm48489

Symptoms: PA links do not come up, and the following errors are seen:

%T3E3_EC-3-PA_SW_ERR: T3E3_EC on 1: Invalid Link Record anyphy number Software error was encountered.
%T3E3_EC-3-PA_CMD_RETURN_ERR: T3E3_EC command T3E3_EC_SCMD_VC_MTU return error 2,

Conditions: Occurs on Cisco 7206VXR with NPE-G2, SA-VAM2+, and PA-T3/E3-EC and using the c7200p-advsecurityk9-mz.124-15.T3.bin image.

Workaround: Choose one of the following:

- Boot the router without any configuration on the PA-T3/E3-EC. Configure the card type once the router boots up completely.

- Remove the VAM2+ module.

- Use a PA-2T3 as an alternate to the PA-T3/E3-EC.

CSCsm50498

Symptoms: During normal operation of Gateway Load Balancing Protocol (GLBP), when state changes from active to listen, the router stops forwarding traffic destined to the virtual MAC. Router still responds to the interface MAC.

Conditions: Occurs on Cisco 1700 routers running Cisco IOS Release 12.4.

Workaround: There is no workaround.

CSCsm57910

Symptoms: All counters stay at zero when the sh policy-map session command is entered while the forwarding sessions on the LAC router are being terminated on a remote router.

Conditions: Occurs on routers running Cisco IOS Release 12.4(15)T3 and earlier releases.

Workaround: There is no workaround.

CSCsm59100

Symptoms: When error.noresource due to a missing audio source occurs in an input state, it will cause handoff to fail.

Conditions: Occurs on Cisco Voice XML Gateway running Cisco IOS Release 12.4T. The handoff failure occurs only in an input state, not in a transition state.

Workaround: There is no workaround.

CSCsm62608

Symptoms: MGDtimer traceback occurs and GM might reregister.

Conditions: Occurs on a Cisco 7200 router when COOP & unicast key is used.

Workaround: There is no workaround.

CSCsm62680

Symptoms: Dynamic NAT using a route-map with the reversible keyword fails to allow outside-to-inside traffic when the route-map has a deny statement first.

Conditions: Occurs when route-map is configured.

Workaround: Remove route-map deny or use ACL.

CSCsm66688

Symptoms: Device may crash due to watchdog timeout or may hang.

Conditions: Occurs when turbo-ACL is enabled, which means that "ip access-list compiled" or "ip access-list compiled reuse" is enabled. The QoS and/or ACL configuration is modified.

Workaround: Remove either "ip access-list compiled" or "ip access-list compiled reuse".

CSCsm67086

Symptoms: Router crashes when a policy-map is attached to an interface.

Conditions: Occurs on a Cisco 2811 running Cisco IOS Release 12.4(15)T2 and 12.4(15)T3. Does not occur in 12.4(15)T1. The router crashes whenever the following policy-map is attached to a multilink bundle interface:

policy-map QOS
 class af31
  priority percent 70
  set dscp af31
 class af21
  bandwidth remaining percent 5
  random-detect
  set dscp af21
 class ef
  set dscp ef
  bandwidth remaining percent 5
 class be
  bandwidth remaining percent 5
  random-detect
  set dscp default
 class class-default
  fair-queue
  random-detect

The issue also affects other devices and other interfaces.

Workaround: There is no workaround.

CSCsm69163

Symptoms: H.323 process fails to release memory.

Conditions: Occurs on a Cisco IPIPGW configured for PSTN and VXML and running Cisco IOS Release 12.4(15)T2.

Workaround: There is no workaround.

CSCsm72546

Symptoms: The console is flooded by syslog messages. The user might have to reboot the device to regain access. The problem may persist until the key server (KS) interfaces are shut down.

Conditions: Occurs when there are misconfigurations in an ACL, such as a missing Traffic Encryption Key (TEK).

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(15)T3

Cisco IOS Release 12.4(15)T3 is a rebuild release for Cisco IOS Release 12.4(15)T. The caveats in this section are resolved in Cisco IOS Release 12.4(15)T3 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Wide-Area Networking

CSCeg05149

Symptoms: After a secondary image is loaded by Standby, "NVRAM Verification Failed" messages show up on Standby console resulting in lost startup and private configuration.

Conditions: The problem is seen only on a Cisco RSP platform that is running Cisco IOS 12.2SB versions.

Workaround: Issue the write memory command as soon as slave comes up.

CSCsj03501

On a Cisco IOS router with both NAT and IOS Firewall configured, if a TCP RST packet is received for a given TCP session, and the RST does not contain the correct next expected sequence number, then NAT will tear down the translation without validating it while the firewall will drop the RST due to the more strict TCP state checking and keep the session. This may cause new TCP sessions to fail to establish due to the inconsistent session state between the two features.

It may be possible to work around this issue by increasing the NAT translation first-timeout to a long enough value such that the existing NAT translation does not get torn down before the client attempts to establish new connections.

CSCsj25711

Symptoms: Malformed UDP packets may cause a router with the radius-server local command to reload.

Conditions: This symptom occurs under the following conditions:

1. The debug radius local packet command is turned on.

2. The UDP packets need to use a source IP address that is permitted explicitly by the nas ip-address command.

3. The key information is not used to cause the reload.

Workaround:

1. Disable the debug when not troubleshooting.

2. Make sure that only traffic from trusted clients can reach the router by Reverse Path Forwarding (RPF) check or other IP spoofing counter measures.

Further Problem Description: When the router tries to display the contents of a UDP packet sent to its RADIUS server process, the malformed structure of the packet may cause the router to freeze and then crash.

CSCsk25878

Symptoms: An alignment error may occur.

Conditions: This symptom is observed when using the v9 export protocol with Flexible Netflow.

Workaround: There is no workaround.

CSCsl09929

Symptoms: Ping causes router to crash when running MPLS and LDP.

Conditions: This symptom occurs on the Cisco 3270 router that is running MPLS and LDP. The router will crash when a ping is attempted. In this environment the router will respond if it is pinged directly, but it will crash if the ping is destined for a location known via MPLS.

Workaround: There is no workaround.

CSCsl17226

Symptoms: A router configured with MPLS TE tunnel crashes when the tunnel interfaces are made active.

Conditions: This problem is observed on a router that is running Cisco IOS interim Release 12.4(17.9)T.

Workaround: There is no workaround.

CSCsm31235

Symptoms: Incoming ISDN calls fail with the following error after the SETUP message is received:

ISDN  **ERROR**: Module-CCPRI  Function-CCPCC_CallIdle  Error-Unknown event received in message from L3 or Host:  90

Another SETUP may be sent by the carrier due to no response, which generates this error:

ISDN Se0/0/0:23 **ERROR**: L3_GetUser_NLCB: DUPLICATE SETUP, message ignored.

Conditions: This symptom is observed when running Cisco IOS Release 12.4(15)T2.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(15)T2

Cisco IOS Release 12.4(15)T2 is a rebuild release for Cisco IOS Release 12.4(15)T. The caveats in this section are resolved in Cisco IOS Release 12.4(15)T2 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Miscellaneous

CSCdz55178

Symptoms: A router that is configured for QoS may reload unexpectedly or other serious symptoms such as memory corruption may occur.

Conditions: This symptom is observed on a Cisco router that has a cable QoS profile with a name that has a length that is greater than 32 characters as in the following example:

cable qos profile 12 name g711@10ms_for_any_softswitch_Traa

The name above is 33 characters long; the 33rd character overflows the 32-character name variable.

Workaround: Change the name of the cable QoS profile to a length that is less than 32 characters.

CSCeg20335

Symptoms: A Cisco 10000 series may lose the PVC configurations for several subinterfaces and high CPU usage may occur. When you attempt to reconfigure the PVCs, error messages similar to the following may be generated:

Router#pvc 35/134
Unable to create PVC 35/134 on ATM1/0/0.10350134. Possibly multiple users configuring IOS simultaneously
Further info about other user: Process id: 42, Process: Slot 1/0 CMD Process, TTY: 0, Location: Console
Router(config-subif)#

Conditions: This symptom is observed on a Cisco 10000 series that runs Cisco IOS Release 12.2(7)XI1 or Release 12.2(27)SBB.

Workaround: Reload the router.

CSCeh56808

Symptoms: The ip auth-proxy command may not take effect when it is configured on VLAN interfaces, and the following error message may be generated:

"Auth-Proxy not configured on interface FastEthernet0/0/0".

(This error message is generated when an IP phone is connected to port Fa0/0/0.)

Conditions: This symptom is observed only on a router that is configured with switchport interfaces.

Workaround: Configure the ip auth-proxy command on the ingress interface. If this is not an option because the ip auth-proxy command must be configured on VLAN interfaces, there is no workaround.

CSCej49366

Symptoms: If a default metric and a redistribution metric are configured under EIGRP, the redistributed routes are sometimes removed from the EIGRP topology table. Occurs with the following configuration:

router eigrp 1
 redistribute ospf 100 metric 1544 10 255 1 1000
 network 1.0.0.0
 network 4.0.0.0
 default-metric 100 100 100 100 100
 auto-summary
 eigrp event-logging

Conditions: Occurs after the default metric statement is removed.

Workaround: Add the default metric statement back into the configuration, or remove and re-apply the explicit redistribute statement for the donor protocol (OSPF in the above example).

CSCek47667

Symptoms: A router may not clear BGP routes when you enter the clear bgp ipv6 unicast * command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SXF but is not release-specific.

Workaround: There is no workaround.

CSCek49107

Symptoms: A router crashes when you unconfigure and then reconfigure MLPoFR.

Conditions: This symptom is observed on a Cisco router that has a QoS service policy with traffic shaping.

Workaround: There is no workaround.

CSCek52673

Symptoms: A router that has DHCP server enabled could reload after receiving a malformed UDP packet.

Conditions: Affects routers running Cisco IOS Release 12.2(31)SB, 12.2(31)XN and 12.2(31)XN1. No other releases are affected.

Workaround: There is no workaround.

CSCek60566

Symptoms: Type of Service (ToS) reflected in a L2TP header is not working in Cisco IOS interim Release 12.4(10.8)T2 after configuring the ip tos reflect command on L2TP.

Conditions: This symptom has been observed with Cisco IOS interim Release 12.4(10.8)T2.

Workaround: There is no workaround.

CSCek68618

Symptoms: The internet key exchange (IKE) lifetime negotiated between the two IKE peers is set to a very large value on the responder, which is larger than the default value of 24 hours.

Conditions: This problem is seen on Cisco IOS with an IPsec configuration. When an IKE initiator sends its IKE peer an IKE lifetime of 0x70 0x80, the responder sets the lifetime of the IKE SA to a very large value of 5 days and 18 hours.

Workaround: Use the default value of 24 hours on both peers.

CSCek71877

Symptoms: IPv6 pings are not working when the atm route-bridged ipv6 command is configured on the UUT.

Conditions: This symptom is observed on a Cisco 7200 series router that is running Cisco IOS interim Release 12.4(13.5)T images.

Workaround: There is no workaround.

CSCek73192

Symptoms: When the radius-server attribute 87 circuit-id command is enabled on an LNS, the "nas-port-id" should be overwritten with the "circuit-id" VSA in the RADIUS access request packets. However, this does not occur.

Conditions: This symptom is observed on a Cisco router that functions as an LNS when the L2TP Forwarding of PPPoE Tag Information feature is enabled.

Workaround: There is no workaround.

CSCek73579

Symptoms: Site of Origin (SoO) filtering appears broken and allows unexpected entries.

Conditions: This symptom is seen during normal use.

Workaround: There is no workaround.

CSCek75732

Symptoms: A router may crash when you attach a service policy to range of PVCs.

Conditions: This symptom is observed when a policy map has a bandwidth configured and when the service policy is attached in the ingress direction.

Workaround: There is no workaround.

CSCek76776

Symptoms: The configuration of a deleted subinterface may show up on a new subinterface and may cause a traffic outage.

Conditions: This symptom is observed on a Cisco router that has IP interface commands enabled when a script adds and deletes ATM subinterfaces on a regular basis.

Workaround: Verify the subinterface configuration. When the configuration of a subinterface cannot be deleted, delete the subinterface, and then create a dummy subinterface that will pull the configuration that could not be deleted. Then recreate the first subinterface with a new configuration.

CSCek76933

Symptoms: A router may crash when you configure an ATM PVC on an ATM point-to-point subinterface.

Conditions: This symptom is observed on a Cisco router when the ATM point-to-point subinterface is already part of a bundle.

Workaround: Configure the ATM PVC on an ATM multipoint subinterface.

CSCek77264

Symptoms: Spurious access error occurs after configuring the tms-class command. This command is used when configuring the Threat Information Distribution Protocol (TIDP).

Conditions: The error is found on the Cisco 7200 router in Cisco IOS Release 12.4(13.13)T4.

Workaround: Configure the tms-class command with a short name.

CSCek77688

Symptoms: A Cisco 3660 series router emits tracebacks and unexpectedly reloads software.

Conditions: This symptom is observed on a Cisco 3660 router that is loaded with Cisco IOS interim Release 12.4(13.13)T4.

Workaround: There is no workaround.

CSCek79230

Symptoms: With redundancy configured for GETVPN, group members (GMs) fail to register with the secondary.

Conditions: This symptom happens only when redundancy is configured and when GMs try to register with the secondary.

Workaround: GMs could still register with the primary.

CSCek79614

Symptoms: HTTP client cache entry is not updated.

Conditions: Occurs when VXML application scripts do not specify the "maxage" attribute. The cached entries in the HTTP client are not refreshed until they expire. If any of the files are modified on the HTTP server, you must perform one of the workarounds below.

Workaround: Choose one of the following options:

1) Change the "maxage" attribute of the VXML application scripts.

2) Reload the router.

3) Use the audio-prompt load URL command on the router console for each file that needs to be refreshed.

CSCek79637

Symptoms: Incorrect URI base is seen after HTTP Redirect.

Conditions: This symptom occurs in a voice browser when a VXML downloads document A from an HTTP server but gets an HTTP Redirect response from the server. As a result, document B from another location is fetched. If document B has a reference to another document C using "relative" URI base, the final URL for C is not resolved correctly. This is because URI base is calculated based on the URI base for A instead of B.

Workaround: Place "absolute" URI base in the redirected document, for example, instead of using: <audio src="welcome.au"/>, use <audio src="http://server/path/welcome.au"/>.

CSCsb34180

Symptoms: Output from snmpwalk command on entPhysicalChildIndex is decreasing:

.iso.3.6.1.2.1.47.1.3.3.1.1.19.29 = 29
.iso.3.6.1.2.1.47.1.3.3.1.1.20.21 = 21
.iso.3.6.1.2.1.47.1.3.3.1.1.21.22 = 22
.iso.3.6.1.2.1.47.1.3.3.1.1.21.23 = 23
.iso.3.6.1.2.1.47.1.3.3.1.1.21.28 = 28
.iso.3.6.1.2.1.47.1.3.3.1.1.21.24 = 24
Error: OID not increasing: .iso.3.6.1.2.1.47.1.3.3.1.1.21.28 >= .iso.3.6.1.2.1.47.1.3.3.1.1.21.24

The corresponding entPhysicalIndex values point to the following power supply entries:

SNMPv2-SMI::mib-2.47.1.1.1.1.2.21 = STRING: "DC power supply, 4000 watt 1"
SNMPv2-SMI::mib-2.47.1.1.1.1.2.22 = STRING: "power-supply 1 fan-fail Sensor"
...

Conditions: Occurs on Cisco IOS Release 12.2(18)SXE and Cisco IOS Release 12.2(18)SXF among others.

Workaround: Create an SNMP view to exclude this entPhysicalIndex in the entPhysicalContainsTable.

CSCsb84050

Symptoms: Cisco IOS authentication proxy does not work when both HTTP and HTTPS servers are enabled.

Conditions: Occurs only when the HTTPS server is enabled in parallel with the HTTP server.

Workaround: Disable the HTTPS server on the router.

CSCsc86135

The supplied note does not exist in CDETS

CSCse14595

Symptoms: Cisco Unified CallManager Express (CME) allows a call to connect after the call forward no answer (CFNA) timer has expired.

Conditions: Occurs with Cisco IOS Release 12.4(5). Occurs when there is a delay between call-proc and alerting messages from the ISDN side.

Workaround: Use a longer CFNA timer or use the application default.c.old command.

CSCse59336

Symptoms: MGCP three-way call conferencing may fail because of an abrupt onhook event at the originating endpoint.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.13) and that is configured for voice calls over Media Gateway Control Protocol (XGCP).

Workaround: There is no workaround.

CSCse76935

Symptoms: A router that is configured for SNA Switching Services (SNASw) may crash.

Conditions: This symptom is observed when links with an end node go down and when there are multiple links to the end nodes, at least one of which supports CP-CP sessions, and one of which does not. The symptom occurs on rare occasions because of a timing condition.

Workaround: Change the end node device configuration such that all links to the SNASw router support CP-CP sessions. As per the APPN architecture, only one link does actually support CP-CP sessions.

Further Problem Description: The symptom occurs because there is a mix of APPN links (that support CP-CP sessions) and LEN links (that do not support CP-CP sessions) from an end node to the SNASw router. The recommended configuration is to have all links between two partners be of the same type. Because LEN links generally do not support parallel TGs, most likely these should be APPN links, all supporting CP-CP sessions. This is a product-dependent configuration on the end node product.

CSCse85151

Symptoms: Cisco Catalyst 4500 Supervisors and Cisco Catalyst 4948 that are running Cisco IOS Release 12.2(31)SG crash when one of the following commands is issued:

- show buffers all

- show buffers assigned

- show buffers input-interface

Conditions: This symptom occurs when one of the following commands is issued:

- show buffers all

- show buffers assigned

- show buffers input-interface

Workaround: Do not use any of the above commands. For troubleshooting high CPU issues use the steps indicated in the following tech tip instead:

/en/US/products/hw/switches/ps663/products_tech_note09186a00804cef15.shtml

CSCse96332

The supplied note does not exist in CDETS

CSCsf11944

Symptoms: A router crashes due to the stack for process Exec running low when configuring the auto qos command on an ATM subinterface.

Conditions: The symptom has been observed on a Cisco router loaded with Cisco IOS interim Release 12.4(10.5).

Workaround: There is no workaround.

CSCsf99057

Symptoms: The OSPF Stub Router Advertisement feature may stop functioning after an RPR+ or SSO switchover has occurred, and the newly active RP does not originate router LSAs with infinity metric as it should do when the max-metric router-lsa on-startup router configuration command is enabled.

Conditions: This symptom is observed on a Cisco router that has dual RPs that function in RPR+ or SSO mode when NSF is not enabled on the router and when the standby RP is in the "Standby-Hot" state.

Workaround: Do not configure RPR+ or SSO. Rather, configure RPR. If this is not an option, there is no workaround.

CSCsg25995

Symptoms: Networks do not show in the Multiprotocol BGP (MBGP) table, as can be seen in the output of the show ip mbgp command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SB, Release 12.2SR, Release 12.4, or Release 12.4T.

Workaround: Enter the clear ip bgp neighbor-address command to enable the networks to enter the MBGP table.

CSCsg32689

Symptoms: A crash or traceback may occur when the route-map option for fall-over is configured for a BGP peer-session template or peer-group.

Conditions: Occurs when the fall-over [route-map map-name] command is configured under router bgp autonomous-system-number.

Workaround: There is no workaround. Avoid using the route-map option.

CSCsg71395

Symptoms: High CPU usage may occur in the "CCH323_CT" process on a gateway.

Conditions: This symptom is observed on a Cisco router that is configured as an H.323 gateway and that functions in the following topology:

IP Phone---CCM--- Incoming VoIP Dial Peer -- Cisco H.323 Gateway---FXS -- IVR

The "app-h450-transfer.2.0.0.9.tcl" application is applied on the incoming VoIP dial peer. The symptom occurs when IVR transfers the call and when the transferred call is put on hold.

Workaround: Enter the clear call voice id call-id command to clear the VoIP leg between the Cisco CallManager and the Cisco H.323 gateway. Doing so decreases the CPU usage. Obtain the Call ID from the output of the show call active voice brief command.

Alternate Workaround: Reload the router. Note, however, that high CPU usage may occur immediately after you have reloaded the router if the scenario that is described in the Conditions re-occurs.

CSCsg76408

Symptoms: Multicast traffic from a DMVPN spoke is dropped by a hub when CEF is enabled on the tunnel interface of the hub. This situation causes the spoke to remain in registering mode and the hub to forward the decapsulated data.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(9)T1 or an earlier release in a DMVPN environment when the mGRE tunnel interfaces are within a VRF.

Workaround: Disable CEF on the tunnel interface of the hub. Doing so enables the hub to receive the multicast traffic, although the traffic is then process-switched.

CSCsg84975

Symptoms: MGCP NAS calls are dropped.

Conditions: This problem is seen when there are heavy E1 flaps.

Workaround: There is no workaround.

CSCsg85137

Symptoms: A router that has a Cisco IOS firewall enabled may crash because of a breakpoint exception after the following error message has been generated:

%SYS-3-MGDTIMER: Uninitialized timer, timer stop, timer = 66596A90. -Process= "IP VFR proc"
%SYS-2-BADSHARE: Bad refcount in pak_enqueue

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(7) or Release 12.4(12) when the ip virtual-reassembly command is enabled on an interface.

Workaround: Disable the virtual fragment reassembly (VFR) configuration on the interface by entering the no ip virtual-reassembly command.

CSCsg86036

Symptoms: Cisco 2800 router experiences memory leak when continuously receiving abnormal MGCP messages.

Conditions: Occurs when MGCP media gateway is enabled.

Workaround: There is no workaround.

CSCsg89222

Symptoms: A PPP session that is initiated from a client may not be forwarded to an LNS.

Conditions: This symptom is observed on a Cisco router after the PPP session has been established.

Workaround: Enter the vpdn source-ip global configuration command.

CSCsg91306

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the Cisco IOS device.

Cisco has released free software updates that address these vulnerabilities. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities addressed in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself, if administrators do not require the Cisco IOS device to provide voice over IP services.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml.

CSCsh04686

Symptoms: With X25 over TCP (XOT) enabled on a router or Catalyst switch, malformed traffic sent to TCP port 1998 will cause the device to reload. This was first observed in Cisco IOS Release 12.2(31)SB2.

Conditions: Occurs only when x25 routing is enabled on the device.

Workaround: Use IPSEC or other tunneling mechanisms to protect XOT traffic. Also, apply ACLs on affected devices so that traffic is only accepted from trusted tunnel endpoints.

CSCsh22725

Symptoms: Outbound calls fail on a MGCP-controlled CAS channel on a Cisco VoIP gateway.

Conditions: This symptom is observed when the following conditions occur:

- A timeslot on an E&M T1 trunk is taken out of service from the connected switch side, showing as a permanent inbound seizure. In this situation, the output of the show voice call summary command indicates that the status for this channel is "EM_PARK".

- A Cisco CallManager that interworks with the Cisco VoIP gateway checks the status of the trunk via an MGCP AUEP command. The gateway responds with an "ES: rlc" message, which indicates that the trunk is available for calls.

Because the reported availability and actual availability of the channel are mismatched, all outbound calls on the channel fail.

Workaround: Attempt to clear the out-of-service state from the connected switch side. If this is not possible, when interworking with the Cisco CallManager, first enter the shutdown command followed by the no shutdown command on the voice port and then enter the same commands on the T1 controller. Doing so causes the gateway to send an NTFY message that indicates that there is an inbound seizure on the channel.

CSCsh36203

Symptoms: A Cisco router is crashing at p_dequeue.

Conditions: This symptom is observed when testing the echo cancelling feature on the Cisco 1700 platform, but the symptom is not platform dependent.

Workaround: There is no workaround.

CSCsh48919

Symptoms: With an ATA flash card, the dir disk0: command will fail if any filename or directory name stored on disk0 contains embedded spaces. This applies to disk1 or disk2 as well. This situation can also occur with a compact flash (CF) card using the dir flash: command.

Conditions: This symptom has been observed when using a removable flash card, such as an ATA flash card or CF card, that is formatted to use DOSFS. The removable flash card is removed from the router and inserted into a laptop that is running a version of the Microsoft Windows operating system. A "New Folder" directory is created on the flash card, and the flash card is removed from the laptop and re-inserted into the router. Entering the dir command on the router may then fail to show all of the stored files or may crash the router.

Workaround: Remove or rename all files and directories that have names with embedded spaces so that no file or directory name contains embedded spaces.

CSCsh50831

Symptoms: Cisco 3745 router crashes with a bus error exception.

Conditions: This occurs after a WAN outage when Skinny Call Control Protocol (SCCP) and Session Initiation Protocol (SIP) phones try to re-home to Cisco Unified CallManager (CCM) after using Cisco Survivable Remote Site Telephony (SRST).

Workaround: There is no workaround.

CSCsh59375

Symptoms: A DHCP interface may not be switched when you enter the ip dhcp smart-relay command.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS interim Release 12.4(12.15a) and that is configured for MPLS VPN.

Workaround: There is no workaround.

CSCsh73782

Symptoms: When Cisco IOS firewall is configured, some TCP connections fail.

Conditions: Occurs on an integrated service router.

Workaround: There is no workaround other than disabling the firewall.

CSCsh76895

Symptoms: Multiple conflicting conform/exceed/violate actions are allowed under a single class-map.

Conditions: Occurs when a user configures multiple conflicting conform/exceed/violate actions under the same class-map.

Workaround: There is no workaround.

CSCsh79893

Symptoms: A Cisco 2800 router running zone-based firewall and URL filtering may reload.

Conditions: Occurs when URL filtering is unconfigured or reconfigured under the policy map during periods of high traffic.

Workaround: There is no workaround.

CSCsh92986

Symptoms: The latency of RSH commands may increase when they flow through an FWSM module.

Conditions: The following issue was observed on an FWSM that is running 2.2(1) software. The long delay was triggered by using either Cisco IOS Release 12.3(13a)BC1 or Release 12.3(17a)BC1 on the routers toward which those RSH commands were sent.

Workaround: Either bypass the FWSM module or downgrade to Cisco IOS Release 12.3(9a)BC3, which is not affected by this extra delay issue.

CSCsh93657

Symptoms: When you enter the show auto command, an "% Ambiguous command..." error message is generated.

Conditions: This symptom is observed on a Cisco 3845 that runs Cisco IOS interim Release 12.4(13.13)T4 but may also affect other releases.

Workaround: There is no workaround.

CSCsi03359

Symptoms: A PIM hello message may not reach the neighbor.

Conditions: This symptom is observed on a Cisco router when an interface comes up and a PIM hello message is triggered.

Workaround: Decrease the hello timer for PIM hello messages.

Further Problem Description: The symptom occurs because the PIM hello message is sent before the port can actually forward IP packets. IGP manages to get its neighborship up but PIM does not, causing RPF to change to the new neighbor and causing blackholing to occur for up to 30 seconds.

CSCsi08756

Symptoms: The ringback tone level that is played on a platform that is configured for use in a country in Europe may be very low compared to the ITU specification, which states that tones should be nominal -10dBm0.

Conditions: This symptom is observed on a Cisco AS5400XM.

Workaround: There is no workaround.

CSCsi09465

Symptoms: A router may crash with chunk corruption.

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.4(11)T or later releases with VSA and is using QoS and IPSec prefragmentation.

Workaround: Disable prefragmentation by using the crypto ipsec fragmentation after-encryption command.

CSCsi10697

Symptoms: With NAT behind spoke, Next Hop Resolution Protocol (NHRP) tables are incorrect on the spoke. Packets from spoke1 destined for spoke2 are incorrectly routed to Hub1.

Conditions: Occurs under the following scenario:

1. Spoke1 is registered to Hub1 and Spoke2 is registered to Hub2.

2. Without applying NAT on MidRouter1, packets from Spoke1 are routed directly to Spoke2.

3. After applying NAT on MidRouter1, packets from Spoke1 to Spoke2 are routed via Hub1.

Workaround: There is no workaround.

CSCsi11996

Symptoms: The following error message is displayed on a Cisco AS5850 router every hour:

%HA_CLIENT-3-NO_CF_BUFFER: The MARVEL CRYPTO HA client failed to get a buffer 
(len=1120) from CF (rc=1); checkpointing failed  
-Traceback= 0x201C9FBC 0x217C1B58 0x217C2068 0x21BBD32C 0x21BBDFD0 0x21BBE180 
0x21DCF368 0x21DCF5C4

Conditions: This symptom has been observed on a Cisco AS5850 gateway running crypto images (c5850tb-k9p9-mz) in RPR+ mode.

Workaround: There is no workaround.

CSCsi17020

A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml.

CSCsi18151

Symptoms: Device crashes when an ACL is removed.

Conditions: Occurs when traffic matching that ACL is flowing on the interface.

Workaround: Stop the traffic or remove the ip access-group command from the interface level before deleting the ACL.

CSCsi22034

Symptoms: The clear hostview name command clears all of the host entries in the DNS view, causing DNS resolution to fail.

Conditions: Occurs on a router loaded with Cisco IOS Release 12.4(13.5)T and later releases.

Workaround: There is no workaround.

CSCsi25562

Symptoms: Cisco 2600XM router runs out of memory while trying to boot large images.

Conditions: This defect produces crashes under two scenarios:

1. During loading of large images, such as a c2600-adventerprisek9-mz image.

2. During a reload in which the router goes into ROMmon.

Workaround: There is no workaround.

CSCsi28543

Symptoms: After reloading, one of two dialer interfaces binds all BRI channels, and finally the dialer uses only one channel. However, the channel that is not used remains bound to the dialer. Therefore, the other dialers cannot use an idle channel. When the problem occurs, the idle BRI channel interface status becomes "hardware:down line:up".

Conditions: This problem is found when a router is rebooting, and its peer router over ISDN begins to transmit packets.

Workaround: There is no workaround.

CSCsi32425

Symptoms: A router that is configured for static NAT translations may lose its external/global ARP entry for a NAT address.

Conditions: This symptom is observed when traffic flows run across the router, for example, when the client is outside and server is inside, and when static NAT translation is used for periods of about two minutes.

Workaround: Configure a route map that matches the static NAT translation, and apply the static NAT entry by entering either one of the following commands:

- ip nat inside source static tcp local-ip local-port global-ip global-port route-map name reversible

- ip nat inside source static local-ip global-ip route-map name reversible

CSCsi34004

Symptoms: The following Serial & Asynchronous High-Speed WAN Interface Cards may ignore data terminal ready (DTR) transitions:

- HWIC-8A/S-232

- HWIC-4A/S

Conditions: This occurs when X25 and X28 calls are cleared.

Workaround: There is no workaround.

CSCsi35679

Symptoms: SIP call legs may hang on a voice gateway.

Conditions: This symptom is observed when outgoing SIP calls are not answered and when the terminating user agent (UA) does not send the final response to an INVITE message.

Workaround: There is no workaround.

CSCsi42680

Symptoms: After a mapping ID has been removed from the Stateful NAT Translation (SNAT) global configuration, a SNAT router may crash unexpectedly.

Conditions: This symptom is observed on a Cisco router that functions as a SNAT router and that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCsi45748

The supplied note does not exist in CDETS

CSCsi45749

Symptoms: Telephony Application Programmer's Interface (TAPI) sockets are not released by Cisco Unified CallManager Express (CME) after TCP connection closes.

Conditions: Occurs when multiple TAPI clients are brought up and shut down.

Workaround: There is no workaround.

CSCsi45826

Symptoms: IP phone fails to display the appropriate name and number in the To: field.

Conditions: Occurs when call routing takes more time than usual, such as a call from a SIP trunk to a PSTN gateway. The IP phone displays either garbage characters or the caller's ephone-dn name. There is no other impact on phone functionality.

Workaround: There is no workaround.

CSCsi45974

Symptoms: Datagrams fragmented on a router that is running Cisco IOS Release 12.4T may use the same fragmentation identification.

Conditions: This symptom occurs when datagrams are fragmented due to a lower MTU size.

Workaround: There is no workaround.

CSCsi51340

Symptoms: TCP disconnects occur after HTTP redirect.

Conditions: Occurs immediately after an HTTP redirect that includes a port number in the URL.

Workaround: Do not specify a port number in the redirected URL.

CSCsi54186

Symptoms: A Cisco IAD 2400 series may reject sequence numbers for Q.921, causing calls to be dropped or a PBX to lock up.

Conditions: This symptom is observed when a Cisco IAD 2400 series is connected to a third-party vendor phone system and third-party vendor PBX and occurs only when sequence number 16 or 68 is sent to the IAD.

Workaround: There is no workaround.

CSCsi55964

Symptoms: After a gateway receives a high number of calls, calls may not go through intermittently.

Conditions: This symptom is observed on a Cisco 3800 series that functions as a gateway and that is configured for E1R2 signaling. The symptom occurs when the gateway sends a "clear forward" to the PSTN before the PSTN sends a "B1" message.

Workaround: There is no workaround.

CSCsi56413

Symptoms: The output may be stuck on a POS interface that is configured for Frame Relay encapsulation. When this situation occurs, the output queue is not emptied, and LMI remains down.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(12) or a later release. It happens only with very specific hardware configurations that include an NPE-G1 and a PA-POS-OC3SMI. The issue is observed when the aforementioned port adapter is located in slot 4 and is not seen with other hardware configurations.

Workaround: Place the POS PA in another slot. Relocating the PA within the chassis should fix the problem.

CSCsi57197

Symptoms: The T.37 Fax Offramp process may leak small amounts of memory.

Conditions: This symptom is observed on a Cisco router when the fax call on the PSTN side hangs up before the call completion.

Workaround: There is no workaround.

CSCsi57971

Symptoms: IS-IS may not advertise the prefix of a passive interface to the IS-IS database on a local router.

Conditions: This symptom is observed on a Cisco router when you shut down an interface (for example, G9/1/1) of a 5-port GE SPA (SPA-5X1GE) that is installed in a SIP-600, replace the SPA-5X1GE with another card, and then enter the no shutdown interface configuration command on the interface at the same location (G9/1/1) on the new card. In this situation, the prefix for the interface (G9/1/1) is not advertised.

Possible Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

A second workaround: Enter the "no passive-interface..." followed by "passive-interface..." under "router isis" configuration mode.

CSCsi59685

Symptoms: One-way audio may occur and DTMF digits may not function.

Conditions: This symptom is observed on a Cisco gateway such as a Cisco AS5400 after a SIP transfer has occurred.

Workaround: Enter the no voice-fastpath disable command to resolve the one-way audio issue. There is no workaround for the DTMF issue.

CSCsi61711

Symptoms: Router experiences tracebacks when client attempts to send email.

Conditions: Occurs on a Cisco 1800 router running Cisco IOS Release 12.4(11)T2. Router is configured as an Enterprise Class Teleworker (ECT) spoke.

Workaround: Enable "Inspect TCP" instead of SMTP.

CSCsi61857

Symptoms: When configured with CEFv6 and VTIv6, all packets routed to the Virtual Tunnel Interface (VTI) drop. The show ipv6 traffic command displays format errors.

Conditions: Occurs only when IPv6, CEF, and VTI are configured.

Workaround: Disable CEF.

CSCsi62559

Symptoms: OSPF packets with IP Precedence 0 are classified by SPD as priority packets. This is an error because only IP Precedence 6 packets should be classified as priority packets by SPD.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18) or a later release but may also affect other releases.

Workaround: Use ACLs to block invalid IP control packets from reaching the control plane.

CSCsi63363

Symptoms: IKE fragmented packets with offset > 0 cannot pass NAT router from outside to inside.

Conditions: This symptom is observed on a Cisco 7206VXR (NPE-G2) with the c7200p-adventerprisek9-mz.124-11.T1 image with NAT.

Workaround: There is no workaround.

CSCsi63470

The supplied note does not exist in CDETS

CSCsi66299

Symptoms: When shut/no shut is executed on a dialer interface, the associated cellular interface stays down even though the dialer interface that triggered it is up.

Conditions: Occurs when the dialer persistent feature is enabled.

Workaround: Reload the router. You can also configure the dialer-group command, although this defeats the purpose of the dialer persistent command.

CSCsi70426

Symptoms: A traceback within the "EAP Framework" process is observed when a crafted EAP-ID-RESPONSE packet is received. The router will also log a SYS-2-MALLOCFAIL error with the traceback.

Conditions: Router has port configured with dot1x parameters on which the packet is received.

Workaround: There is no workaround.

CSCsi70920

Symptoms: In a scenario where traffic is passed to and from two different interfaces, both with the ip admission command configured, EAP over UDP communication will only be triggered for hosts initiating traffic.

This situation results in return traffic that should be allowed after completing the NAC process (for example, via NAC exemption) to be blocked.

Conditions: This symptom has been observed when the ip admission command is configured on two communicating interfaces and NAC needs to be triggered in order to open traffic for return traffic.

Workaround: Instead of sending traffic from A->B and B->A, send traffic from A->B and have B send traffic to some other dummy destination, such as C. NAC is then triggered for A when it sends traffic to B, and B is posture validated when it sends traffic to C.

CSCsi72045

Symptoms: A bus error crash occurs on a Cisco router that is running Cisco IOS Release 12.2(31)SB3.

Conditions: This symptom is seen with AAA and PPPoE configured.

Workaround: There is no workaround.

CSCsi74472

Symptoms: QoS may not function on a dot11 interface. When this situation occurs, all packets are processed in the best-effort queue, regardless of whether the packets are data packets, video packets, or voice packets.

Conditions: This symptom is observed on a Cisco router such as a Cisco 1800 series only when the router functions in pure bridging mode.

Workaround: Do not configure the router for bridging. Rather, use a routing configuration.

CSCsi74960

Symptoms: A router crashes while sending large control packets between client and L2TP Network Server (LNS) in L2TP callback scenario.

Conditions: This symptom happens with a Cisco 7200 router that is running Cisco IOS interim Release 12.4(13.13)T1.

Workaround: There is no workaround.

CSCsi75628

Symptoms: A CAMA 911 call drops after 6 to 11 minutes.

Conditions: This symptom is observed on a Cisco access server such as an AS5350 or AS5400 that processes CAMA calls over a T1 CAS link in the following configuration:

ds0-group 1 timeslots 1 type fgd-os mf dnis-ani

Workaround: There is no workaround.

Further Problem Description: Note that the symptom does not occur when CAMA calls are made over a PRI link.

CSCsi75769

Symptoms: A router may crash at the "qos_collect_aces" function when you apply a service policy to an interface.

Conditions: This symptom is observed when the policy map contains a class that matches not only on multiple named ACLs but also on numbered ACLs and when the class map is configured with a large number of ACEs that exceeds the threshold limit.

Workaround: Remove a few of the ACEs from the class map to ensure that the number of ACEs does not exceed the threshold limit.

CSCsi76616

Symptoms: LDAP packet is modified while passing through NAT router causing LDAP to fail.

Conditions: Network topology:

LDAP server ------> (fa00) NAT Router (fa01) ------> LDAP client

The packet after the NAT router seems to have been fragmented and expanded into two parts in LDAP:

Case 1 - LDAP fails without "no-payload": case1_before_nat_router -----> NAT Router -----> case1_after_nat_router (LDAP packet modified)

Case 2 - LDAP passes with "no-payload": case2_before_nat_router -----> NAT Router -----> case2_after_nat_router (LDAP packet unchanged)

Workaround: There is no workaround.

CSCsi77147

Symptoms: DTMF path confirmation is not received for a SIP call.

Conditions: This problem is due to an issue with the SIP state machine, which may result in an error along the lines of the following:

00:05:10: //-1/xxxxxxxxxxxx/SIP/Error/sipSPISipIncomingMsg: Invalid method for 
(STATE_IDLE): ACK

The call state should not be IDLE.

Workaround: There is no workaround.

CSCsi81801

Symptoms: The h245 caps suppress nte command may not function, causing an IPIPGW to continue to advertise the NTE capability in an H.245 capability message.

Conditions: This symptom is observed on a Cisco router that functions as an IPIPGW and that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCsi81891

Symptoms: RTP packets get transmitted when the mode is recvOnly and inactive.

Conditions: This problem is observed on both the Cisco 2800 and the Cisco 3800 platforms that are running Cisco IOS interim Release 12.4(13.9).

Workaround: There is no workaround.

CSCsi84767

Symptoms: A T38 fax outbound to the Cisco AS5850 fails.

Conditions: After upgrading from Cisco IOS Release 12.3(11)T9 to Cisco IOS Release 12.4(7e), it is observed that fax calls from an analog Cisco IAD2420 or Cisco IAD2430 outbound to the Cisco AS5850 fail. It appears the Cisco AS5850 is having trouble falling back from T38 to passthrough. Standard configuration is T38 enabled on the Cisco AS5850 but not on the analog IAD. Disabling T38 on the Cisco AS5850 results in successful faxing.

Workaround: There is no workaround.

CSCsi89769

Symptoms: Router experiences memory leak.

Conditions: Occurs when the router is a group domain of interpretation (GDOI) member and encrypts bulk rate multicast traffic. If the user enters the clear crypto sa command to delete all of the IPsec SAs, the memory leak occurs.

Workaround: Either avoid using multicast fast switch or do not manually clear bulk GDOI SAs.

CSCsi91665

Symptoms: H.323 calls intermittently disconnect.

For each new call the H.323 GW will generate a TCP Port to be used for call setup. Intermittently the GW will generate a TCP Port that is being used for an established connection. When the GW initiates the three way handshake for the new call, it receives a response with an unexpected ACK sequence number. The GW will then send a TCP RST causing the currently established TCP connection/call to be torn down.

Conditions: This problem is observed in both Cisco IOS Release 12.4(13a) and Release 12.4(13b).

Workaround: There is no workaround.

CSCsi92079

Symptoms: If an access control list (ACL) is used for a destination only prefix, a fatal error is declared and shuts down optimized edge routing (OER). For destination only traffic classes, prefix-list should be used, not ACL or access control entry (ACE).

Conditions: This behavior is observed on Cisco IOS Release 12.4(11)T and later releases at this time.

Workaround: Use a prefix list instead of an ACL/ACE for destination-only traffic classes. For example:

- use a prefix list for the traffic class 100.1.1.0/24

- use an ACE for the traffic class 100.1.1.0/24 DSCP af11

CSCsi92614

Symptoms: Virtual Switch Interface (VSI) process stack overflow causes card to crash.

Conditions: Occurs when connection goes into condition alarm state while multicast is configured and it is managed by Operation and Maintenance (OAM).

Workaround: There is no workaround.

CSCsi93066

Symptoms: An MGCP endpoint may become stuck and generate the following error message:

400 Nas Software error

Conditions: This symptom is observed when a call agent sends a CRCX message after a modem reset.

Workaround: Execute a shut/no shut on the controller.

CSCsi95862

Symptoms: Router crashes when the mobile router-service roam priority command is entered.

Conditions: Crash is observed during unconfiguration after verifying for generic routing encapsulation.

Workaround: There is no workaround.

CSCsi96874

Symptoms: A Cisco 7206 router may generate a traceback and the following error message:

"SYS-2-CHUNKMALLOCFAIL"

Conditions: Seen when the router is configured for QoS pre-classify and a network failure occurs.

Workaround: There is no workaround.

CSCsi97434

Symptoms: The router will crash when IPSec is established only in the case when both PKI and IKE AAA accounting are configured.

Conditions: This symptom occurs when PKI is configured, and the DN is used as the ISAKMP identity. The crash only occurs when the DN is not available, and the server tries to use the DN in the AAA accounting recording.

Workaround: Do not use this configuration combination (PKI, DN as ISAKMP identity and AAA accounting).

CSCsi97649

Symptoms: Cisco 7200 LAC and Cisco 7300 LNS Router crash when approximately 2100 sessions have connected.

Conditions: Occurs when sending bulk PPPoE sessions on the router.

Workaround: There is no workaround.

CSCsi98120

Symptoms: A router may crash because of a bus error. Spurious accesses may be observed.

Conditions: This symptom is observed on a Cisco 7200 series router that has an NPE-G1 and that runs Cisco IOS Release 12.3(22). The router is configured as a PE router and uses MQC hierarchical policies for some subinterfaces and the legacy rate-limit command for other subinterfaces.

Workaround: There is no workaround.

CSCsi98140

Symptoms: Interface is shown in the Admin Down state after router reloads.

Conditions: Occurs on a Cisco 2800 router with serial WIC-1DSU-T1-V2 configured for Serial Line ARP (SLARP). Occurs with Cisco IOS Release 12.4(9)T1 and Cisco IOS Release 12.4(11)T1.

Workaround: After the router reboots, enter the no shut command under the appropriate interface.

CSCsi98730

Symptoms: The MPLS labels for packets that are forwarded via CEF and MPLS over a BGP route may not match the labels in the BGP table, which may lead to traffic loss.

Conditions: This problem occurs under certain circumstances and timing conditions.

Workaround: When the symptom occurs, enter the clear ip route command for the prefix in the VRF.

CSCsi99281

Symptoms: BSTUN and DLSW features do not work.

Conditions: This symptom has been observed on Cisco 3220 and Cisco 3250 routers.

Workaround: There is no workaround.

CSCsj00727

Symptoms: A platform may crash when you apply a service policy to an interface.

Conditions: This symptom is observed on a Cisco AS5850 with a basic QoS configuration that includes a class map, a policy map, and a service policy on an interface. The symptom may not be platform-specific.

Workaround: There is no workaround.

CSCsj01861

Symptoms: Session initiation protocol (SIP) processing fails on a Cisco 3825. Router fails to send outbound requests and responses.

Conditions: Occurs when router is configured for IPIPGW and is running Cisco IOS Release 12.4(11)XW in the following topology:

IP phone -- Callmanager -- H323 -- IPIPGW -- SIP -- SBC-->PSTN

SIP bind commands are configured on the IPIPGW under "voice service voip"

Workaround: Remove the SIP bind statements in the configuration, then add them again. This defect does not occur when SIP bind commands are not used.

CSCsj04563

Symptoms: SSG memory is leaking in Cisco IOS Release 12.4(13b).

Conditions: This symptom occurs when the RADIUS proxy feature is used. Leaking could be triggered on the following call flow scenario:

1. HostObject(HO) with MSID1, ip-address IP1 and username user1@cisco.com is logged on.

2. PDSN sends an acct-stop with MSID1 with session-continue attribute set to TRUE. When this is received, SSG will start a hand-off timer. Note that SSG will not delete the HO at this time.

3. Hand-off timer expires. HO is deleted.

4. SSG now receives an acct-start with MSID1 and username user1@cisco.com.

5. a) SSG will treat this as an auto-domain user, even though auto-domain is not configured on SSG.

b) SSG will try to get the profile by extracting the domain name from the structured username and sending an access-req to AAA with the domain name as the username.

c) Since the AAA server does not have the cisco.com profile, it sends an access-reject to SSG.

6. No HostObject is created.

Workaround: There is no workaround.

CSCsj05212

Symptoms: Cisco MGX Route Processor Module (RPM-XF) is unable to check Multiprotocol Label Switching (MPLS) label switched path (LSP) connectivity.

Conditions: Executing the ping mpls command has no effect.

Workaround: There is no workaround.

CSCsj05287

Symptoms: Incoming traffic from a LAN is not correctly marked, preventing the traffic from being correctly enqueued when it is sent to a DSL interface, and causing the traffic to be dropped.

Conditions: This symptom is observed on a Cisco router when you enable QoS through class-map and policy-map commands.

Workaround: There is no workaround.

CSCsj07936

This caveat consists of two symptoms, two conditions, and two workarounds:

Symptom 1: When the interface controller of an NPE-G2 functions in promiscuous mode, for example, when HSRP is configured, packets that are not destined for the router may be forwarded anyway.

Condition 1: This symptom is observed on a Cisco 7200 series with an NPE-G2 that runs Cisco IOS Release 12.2(31)SB5 but is not release-specific.

Workaround 1: If HSRP is configured, enter the standby use-bia command. You may need to enter the shutdown command followed by the no shutdown command to change the controller state.

Symptom 2: When BVI is configured on native Gigabit Ethernet interfaces of an NPE-G2 within the same group, a ping may not go through.

Condition 2: This symptom is observed on a Cisco 7200 series with an NPE-G2 that runs Cisco IOS Release 12.2(31)SB5 but is not release-specific.

Workaround 2: Configure a static MAC address.

CSCsj08606

Symptoms: A VWIC2-2MFT-T1/E1 may stay in alarm state after either shut/no shutting the controller or removing and replacing the interface cable.

Conditions: The controller is configured as follows:

controller E1 0/0/0
 framing NO-CRC4
 ds0-group 0 timeslots 16 type ext-sig
 ...
 ds0-group 30 timeslots 30 type ext-sig
 alarm-trigger blue 0

The problem has been observed in the c3845-spservicesk9-mz.124-9.T3 image.

Workaround: Shut/no shut the controller or remove and replace the cable a second time.

CSCsj09247

Symptoms: The ip nat outside source static command has no effect when used with VPN routing/forwarding (VRF).

Conditions: Traffic from an inside interface is not translated to the outside interface.

Workaround: There is no workaround.

CSCsj09838

Symptoms: When the BGP session between a Route Reflector (RR) and PE router flaps, the RR may no longer send some routes to the PE router.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that integrates the fix for caveat CSCsi85222. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsi85222. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the clear ip bgp * all in command on the PE router to retrieve all routes from the RR.

CSCsj10664

Symptoms: A router may crash because of a watchdog timeout when a second ISDN call is established in an ADSL backup scenario when the ADSL is down.

Conditions: This symptom is observed on a Cisco 2811 router that runs Cisco IOS Release 12.4(11)T2 and on a Cisco 3845 router that runs Cisco IOS Release 12.4(11)T1 when QoS is configured on the dialer interface. The symptom may not be platform-specific.

Workaround: Remove the service policy from the dialer interface.

CSCsj10772

Symptoms: The TTL of a CNAME will be zeroed on a DNS reply after passing through a Cisco router that is configured for Network Address Translation (NAT).

Conditions: This symptom is observed on a Cisco router that is configured for NAT that is running Cisco IOS Release 12.4 or 12.4T. Only CNAME records are affected.

Workaround: Use static NAT translations with the keyword "no-payload".

CSCsj13347

Symptoms: Executing the clear crypto sa command.

Conditions: The problem is that the clear crypto sa and the clear crypto isakmp commands are usually used, but these commands do not trigger the reregistration.

Workaround: Use the clear crypto gdoi command.

CSCsj22945

Symptoms: The received image line from a Cisco Unified CallManager (CCM) is incorrectly presented as an audio line to the switch on the other side.

Conditions: Image line received from CCM has c line = "0.0.0.0".

Workaround: There is no workaround.

CSCsj25056

Symptoms: Crash occurs with the following error message:

%SYS-2-CHUNKBADMAGIC: Bad magic number in chunk header, chunk 173E112C data 173EEFC8 
chunkmagic 15A3C78B chunk_freemagic 185993E4 -Process= "Check heaps", ipl= 0, pid= 5, 
- Traceback= 0x15653E8 0x311CC 0x31440 0x2ED80 0x7D855C chunk_diagnose, code = 2 chunk 
name is L2TP CC

Conditions: Occurs when Cisco NPE-G2 is configured with L2TP running Cisco IOS Release 12.4(11)T1.

Workaround: There is no workaround.

CSCsj25395

Symptoms: Having a configuration similar to the following:

interface Dialer1
ip address ip add <mask>
encapsulation frame-relay
dialer pool 1
dialer remote-name other_end
dialer string 0
dialer string oe_tn
dialer caller oe_tn
dialer max-call 1
dialer-group 1
frame-relay map ip addr oe_dlci broadcast
frame-relay interface-dlci loc_dlci
frame-relay ip tcp header-compression

no shutdown !

And entering in the following will crash the device:

interface Dialer1
shutdown
no interface Dialer1

Conditions: Removing the Dialer interface configuration while having IPHC configured on that interface will crash the platform. This is observed on a Cisco 7200 series router that is running Cisco IOS interim Release 12.4(16.5).

Workaround: Remove any IPHC CLI from the Dialer interface prior to deleting the Dialer interface from the configuration.

CSCsj27183

Symptoms: H323-->SIP interworking fails for a Fast start call when transcoding is enabled on an IPIPGW. Transcoding is done between G711ulaw and G729r8 codecs.

Conditions: This failure is seen for H323--SIP--SIP--SIP and H323--SIP--SIP--H323 call flows when transcoding is enabled on IPIPGW1. It is also seen on the H323--H323--H323--SIP call flow with transcoding on IPIPGW2. This is seen only with a Fast Start call (both with H245 tunneling enabled and disabled); the call passes with a slow start call.

Workaround: There is no workaround.

CSCsj27294

Symptoms: Abnormal delay occurs during create connection (CRCX) processing.

Conditions: MGCP receives a CRCX and while processing it, it tries to allocate the necessary resources by calling the RM. The resource allocation should take 40 to 50 ms, and the RM should respond with SUCCESS/FAILURE. But in the failed case, even after 2 seconds, the RM does not respond.

Workaround: There is no workaround.

CSCsj30558

Symptoms: High-availability agent sends keepalive messages to UDP port 0, which causes the keepalive mechanism to fail.

Conditions: Occurs on a mobile router configured to use UDP for keepalive messages.

Workaround: There is no workaround.

CSCsj30582

Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.

Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.

For example:

class-map type inspect match-any cm-esp
 match access-group 100

policy-map type inspect in2out
 class type inspect cm-esp
  pass

access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
access-list 100 permit esp host 10.1.1.2 host 10.0.0.2

Workaround: Configure the access list so that the source is "any", for example:

access-list 100 permit esp any host 10.1.1.2
access-list 100 permit esp any host 10.0.0.2

First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect".

Further Problem Description: If an explicit deny rule is added to the above example, for example:

access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
access-list 100 deny esp any any

Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:

Router# show access-lists 100
Extended IP access list 100
    10 permit esp host 10.0.0.2 host 10.1.1.2 (999 matches)
    20 permit esp host 10.1.1.2 host 10.0.0.2 (999 matches)
    30 deny ip any any (1 match)

CSCsj34083

Symptoms: Packets in traffic queues that are below their configured threshold may be dropped.

Conditions: This symptom is observed on a Cisco 877 and Cisco 1801 that run Cisco IOS Release 12.4(9)T3 when one of the queues exceeds its threshold. Note the following scenarios:

- When congestion is present, traffic that exceeds its threshold on a CBWFQ service class causes drops on the LLQ classes although the traffic that is associated with the LLQ classes is below the associated threshold.

- When best-effort bandwidth exceeds its threshold, LLQ traffic is discarded although it is below its own threshold.

- When there is no congestion, the router operates as expected.

Workaround: There is no workaround.

Further Problem Description: Note that the symptom does not occur on a Cisco 878 and Cisco 1803.

CSCsj35884

Symptoms: Relay agent router forwarding fails due to the selection of the wrong source address (link-address of 0::0).

Conditions: Occurs on a Cisco 7200 router running Cisco IOS Release 12.4(16.5)T and when interfaces are configured as UNNUMBERED interfaces.

Workaround: There is no workaround.

CSCsj36092

Symptoms: When a DNS forwarding source interface is configured on a router with the split DNS feature, the router does not send DNS queries out through the configured interface.

Conditions: This symptom is seen on a router that is loaded with Cisco IOS Release 12.4(11)T3.

Workaround: Use DNS forwarder <ip address> under the DNS view.

CSCsj36099

The supplied note does not exist in CDETS

CSCsj37877

Symptoms: Cisco 7200 router crashes when configured as a PE.

Conditions: Router is configured as provider edge (PE) router in a hub and spoke topology. It is located in the hub. When ping/traceroute commands are issued from a LAN on the hub towards a LAN in the spoke, it causes the Cisco 7200 to crash. Ping/traceroute issued from the other end does not cause a crash, but traffic does not go through the PE.

Issue was seen with Cisco IOS Release 12.4(15)T. It was not seen with Cisco IOS Release 12.4(11)T.

Workaround: There is no workaround.

CSCsj38829

Symptoms: When running double authentication crypto configurations (ah encap and esp encap auth together) and passing large packet data that requires fragmentation, errored packets can be observed.

Conditions: This symptom has been observed only on routers with AIM-VPN-PLUS AIM cards installed. Routers that support this AIM are the Cisco 1800, Cisco 2600, Cisco 2800, Cisco 3700, and Cisco 3800 routers.

Workaround: Do not use ESP and AH double authentication. You can use the no crypto engine accel command in the configuration to run encryption in the SW engine.

CSCsj39503

Symptoms: Interface flap on a GET VPN group member (GM) may cause the GM not to re-register immediately to the key server (KS) after the interface is up. It can take up to a maximum of 8 minutes before re-registration happens.

Conditions: The problem is seen when an interface is down long enough (for example, more than eight minutes) and then comes back up.

Workaround: Use EEM to track the interface state or routing protocol neighbor. As soon as the interface is up or the routing protocol neighbor is up, issue the clear crypto gdoi command on the GM to force re-registration.

CSCsj39538

Symptoms: Router tracebacks and then crashes during deconfiguration (removal) of VRF. The following message was seen prior to crash:

-Process= "IP RIB Update", ipl= 3, pid= 68 
-Traceback= 609538D8 60D1B8B4 612B2838 612588C8 61258CD4 6125E61C 6125ED04 6125EF30 
61261CDC 6125A14C 61265A08 6126BE10 6097CF00 609547D8 609548B8
Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x609538FC

Conditions: No specific conditions are known to cause this fault.

Workaround: There is no workaround.

CSCsj40156

Symptoms: Memory leaks in the case of RADIUS-proxy users.

Conditions: This symptom is seen when a rad-proxy host object is already present in the SSG box, and it receives the access-request. The accounting starts from the proxy client, which is sent to the AAA server and AAA replies with an access-accept.

Workaround: There is no workaround.

CSCsj41443

Symptoms: Line protocol goes down on a Cisco 7200 router.

Conditions: Occurs while attaching a policy to a packet over SONET (POS) interface configured for frame relay encapsulation.

Workaround: There is no workaround.

CSCsj43800

Symptoms: Clicking the "About" menu item yields a blank popup window and a Java error.

Conditions: Occurs using Cisco Unified CallManager Express (CME) 4.1 with Java 1.5.0_11.

Workaround: There is no workaround.

CSCsj43861

Symptoms: EzVPN hardware client will not attempt to connect to the same peer or the next peer after QUICK MODE failure during IKE.

Conditions: This symptom is observed when EzVPN hardware client remains in SS_OPEN state after the failure of QUICK MODE.

Workaround: Clear the EzVPN session.

CSCsj44679

Symptoms: Cisco Intrusion Prevention System (IPS) can be evaded by using vertical tab characters in the request.

Conditions: Occurs when IPS functionality is enabled. Apache uses the isspace libc function to parse HTTP requests, which returns "true" for the 0x9, 0xa, 0xb, 0xc, 0xd, and 0x20 characters.

Workaround: There is no workaround.

CSCsj45211

Symptoms: Percentage-based traffic shaping fails.

Conditions: Occurs on a Cisco router that is configured for percentage-based traffic shaping on output policy.

Workaround: There is no workaround.

CSCsj45426

Symptoms: Cisco AS5850 feature boards crash.

Conditions: This symptom occurs when giving the no pri-group timeslots command.

Workaround: There is no workaround.

CSCsj46150

Symptoms: After a variable amount of time the router hangs and stops responding to pings or to the console. All traffic stops passing through the router.

Workaround: There is no workaround.

CSCsj46178

Symptoms: A Cisco AS5850 responds with a 500 Endpoint Unknown to a CRCX for an endpoint on a channelized T3 card. The endpoint otherwise responds normally to the AUEP command.

Conditions: This symptom is observed on a Cisco AS5850 that is controlled via MGCP, and the endpoint naming t3 command is configured on the router in either global MGCP configuration or MGCP profile.

Workaround: Do not configure the endpoint naming t3 command. Use t1 endpoint naming instead.

CSCsj46859

Symptoms: Real Time Streaming Protocol (RTSP) inspection does not work with fragmentation.

Conditions: Occurs only when fragmentation is set. Without fragmentation this problem does not occur.

Workaround: There is no workaround.

CSCsj47356

Symptoms: Phone A believes that its offer (in the first INVITE) has not been answered yet, but this is wrong because the UPDATE is for the second leg, where the SDP answer has already been sent in a 183 Session Progress.

Conditions: This symptom occurs in a call forwarding scenario. A call comes in from the PSTN to a SIP phone and is forwarded to another SIP phone.

Workaround: There is no workaround.

CSCsj49255

Symptoms: If an ACL and DSCP are both used for packet matching in a class-map, only the first packet descriptor gets a match and everything else does not. If DSCP is removed, packet matching works again.

Conditions: This symptom is observed on a Cisco 7200 with ACL and DSCP with match all option.

Workaround: There is no workaround.

CSCsj50764

Symptoms: You may not be able to configure ATM over MPLS (ATMoMPLS).

Conditions: This symptom is observed on Cisco 7301 that has an ATM port adapter.

Workaround: There is no workaround.

CSCsj50773

Symptoms: Performing the snmpwalk on the ipRouteTable MIB may cause high CPU and reloads.

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.4(13b) or later releases.

Workaround: Create a view that excludes the ipRouteTable:

snmp-server view cutdown 1.3.6.1.2.1.4.21 excluded
snmp-server view cutdown internet included
snmp-server community <comm> view cutdown RO

This view restricts the objects that the NMS can poll. It excludes access to the ipRouteTable, but allows access to the other MIBs.

CSCsj58796

Symptoms: No ringback is generated in calls from VoIP to a PBX end using Cisco Multicast Manager (CMM).

Conditions: This symptom has been observed when a call is made from the VoIP side to the PBX side through an MGCP-controlled CMM.

PBX <-------GW (CMM or Cisco 2620XM) <----CCM <----IP Phone

Workaround: Use a Cisco 2620XM router in place of CMM.

CSCsj58969

Symptoms: Executing the show port modem calltracker command on a Cisco AS5400XM can cause bus error crash.

Conditions: This symptom occurs on a Cisco AS5400XM with multiple calls being made and terminated when running Cisco IOS Release 12.4(13a).

Workaround: There is no workaround.

CSCsj59278

Symptoms: When a label switch controller (LSC) for a BPX has an MPLS binding for an IP route, and that IP route goes away, it correctly gets a binding for a less specific IP route, assuming one exists. The problem occurs when the more specific IP route returns: the MPLS binding stays with the less specific route instead of switching back to the more specific route.

Conditions: Occurs on Cisco IOS Release 12.4(13a). When an LSC has two routes, the more specific route must be removed, then re-added for this problem to occur.

Workaround: Clear the IP route for both routes to correct the problem.

CSCsj59985

Symptoms: A router may crash or produce a spurious access by giving "no encap frame-relay" on a Multilink Frame Relay (MFR) member link.

Conditions: Occurs when a PA-MC-T3-EC/PA-MC-2T3-EC interface is a member of an MFR bundle. The router with NPE-G2 may crash or the router with NPE-G1 may give a spurious access by giving "no encap frame-relay" on that interface.

Workaround: There is no workaround.

CSCsj63916

Symptoms: All DATA analog dialout calls set the Bearer Capability to 0x8090 instead of 0x0890A3 (indicating the x-Law), where the A3 suffix is for A-law.

Conditions: This symptom has been observed on a Cisco AS5xxx router that runs Cisco IOS software later than Cisco IOS Release 12.4(7e) and that has to make outgoing DATA calls.

Workaround: Change to Cisco IOS Release 12.4(7e).

CSCsj64230

Symptoms: When a bidir PIM router with no directly connected receivers has to change its RPF interface toward the RP, multicast traffic can be lost for up to 60 seconds.

Conditions: This symptom occurs if the connection to the first RP is lost and the middle router changes the RPF for its bidir upstream interface. The middle router then restarts the election process on all DF interfaces and purges the interface pointing to the leaf router from its OIL (outgoing interface list). That interface is only repopulated upon a periodic state refresh from the leaf router, because the leaf router has no RPF change and therefore no reason to send a triggered Join.

Workaround: There is no workaround.

CSCsj66282

Symptoms: Router with VPN Services Adapter (VSA) crashes.

Conditions: Occurs when Cisco Unified CallManager (CCM) has an access control entry (ACE) defined for the router. When the port number is removed from the crypto interface, the router crashes.

Workaround: There is no workaround.

CSCsj66692

Symptoms: Data corruption copy error tracebacks are seen on the console or output from the show logging command:

%DATACORRUPTION-1-DATAINCONSISTENCY: copy error, -PC= 0x41224EFC, 
- Traceback= 0x4153A7D0 0x4155BA0C 0x4157FAF0 0x41224EFC 0x41DDC0A8 0x41DDC198 
0x41DC6D84 0x41DF3B0C 0x41DC506C 0x41DCE5A4 0x41D91AF8 0x41D90F88 0x41D9BEFC 
0x41D9C0C0 0x41DAEA68

Conditions: Refer to CSCsj44081 for more information.

Workaround: There is no workaround.

CSCsj72039

Symptoms: The prefix of a serial interface that is configured for PPP or HDLC and that functions as a passive interface for IS-IS may not be installed in the local IS-IS database.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18)SXF6 but is not release-specific.

Workaround: Remove and reconfigure the passive-interface command.

First Alternate Workaround: Enter the clear isis * command.

Second Alternate Workaround: Enter any command that triggers the generation of the local IS-IS database.

CSCsj72647

Symptoms: On a Cisco IOS voice gateway, the show call active voice brief command output on the IP leg shows rx counters stay at 0 for 46 seconds.

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.4(7e).

Workaround: There is no workaround.

CSCsj74812

Symptoms: A router running Cisco IOS may reload unexpectedly.

Conditions: Occurs when using show commands on an exec session that has been established through one of the integrated modems on a WIC-AM or WIC-2AM.

Workaround: There is no workaround.

CSCsj77747

Symptoms: Cisco Security Device Manager (SDM) does not show Intrusion Prevention System (IPS) signatures deployed for Cisco IOS Release 12.4(15)T and Cisco IOS Release 12.4(15)T1 images. This prevents signature viewing and tuning. Also, on navigating to SEAP-related screens, the warning "IPS is not enabled on any interface. Please enable IPS." is displayed even though IPS is already configured and deployed.

Conditions: Occurs when the router is running Cisco IOS Release 12.4(15)T or Cisco IOS Release 12.4(15)T1. Issue is due to missing tags in XML file returned by IOS.

Workaround: Downgrade to Cisco IOS Release 12.4(11)T3.

CSCsj77998

Symptoms: Bidirectional Forwarding Detection (BFD) sessions do not come up on Cisco ISR routers.

Conditions: BFD sessions remain in Down state and do not transition to Up state.

Workaround: There is no workaround.

CSCsj80906

Symptoms: A Cisco router may crash due to a bus error.

Conditions: Occurs on multiple Cisco router platforms running Cisco IOS Release 12.4(15)T1. The crash can occur if an access-list linked to a service-policy is removed, or if a service-policy is removed on an interface.

Workaround: There is no workaround.

CSCsj81015

Symptoms: Cisco Multiservice IP-to-IP Gateway (IPIPGW) crashes during a stress scenario.

Conditions: This symptom occurs in a stress scenario with 100 SIP-H323 calls + 150 SIP-H323 DTMF interworking (rtp-nte to h245-alpha) calls.

Workaround: There is no workaround.

CSCsj82622

Symptoms: A router may crash when you configure an access control list (ACL) that has at least 50-60 ACEs (about 100 nodes) that is used in policy maps that are already applied to an interface or when you boot the router after having made the configuration change. When the crash occurs, the following error message is generated:

%ALIGN-1-FATAL: Corrupted program counter pc=0x0 , ra=0x0 , sp=0x66EFB8A0

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.4(15)T or Release 12.4(15)T1.

Workaround: There is no workaround.

CSCsj85065

A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange.

Cisco has released free software updates that address this vulnerability.

Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml.

CSCsj85505

Symptoms: QoS does not work on the dot11 driver when VLAN is configured. All packets go to the voice queue.

Conditions: This is seen only when a VLAN is configured on the dot11 interface.

Workaround: Remove the VLAN.

CSCsj85516

Symptoms: An IP phone with video capabilities is unable to set up a video call across a NAT boundary and the phone unregisters from Cisco Unified CallManager (CCM).

Conditions: Occurs if the IP video phone is on the NAT outside and CallManager is on the NAT inside.

Workaround: There is no workaround.

CSCsj87522

Symptoms: RTP and RTCP ports are leaked when a ReleaseComplete (reason=newConnectionNeeded) is received as a response to a FastStart Setup that is sent.

Conditions: This problem is seen in Cisco IOS Release 12.4(11)T and Release 12.4(15)T images for a normal H323 to H323 gatekeeper routed call with no supplementary services.

Workaround: There is no workaround.

CSCsj88665

Symptoms: A device with a PA-MC-2T3+ may reset because of a bus error if a channel group is removed while the show interface command is being used from another telnet session at the same time, and then the telnet session is cleared.

The device may also display Spurious Memory Accesses.

Conditions: These symptoms have been observed in the latest Cisco IOS 12.4T and 12.2S releases.

Workaround: Do not remove a channel group while using the show interface command for that interface.

CSCsj88854

Symptoms: A call made over a SIP trunk from a remote phone registered to Cisco Unified CallManager Express (CME) 4.1 to a phone registered to a SIP proxy server results in router crash due to memory overrun.

Conditions: Occurs under the following conditions:

1. The phone call has to be from a remote phone.

2. MLPPP is configured as the WAN link.

3. The SIP trunk also traverses the same WAN link.

Workaround: Remove MLPPP.

CSCsj88961

Symptoms: SNASwitch HPR/IP (Enterprise Extender, EE) receives retransmissions because HPR/IP UDP packets are dropped at the UDP socket layer in the SNASw router. This leads to poor throughput across the HPR/IP pipe.

Conditions: This can occur when receiving large bursts of HPR/IP traffic inbound to the SNASwitch router. The UDP socket inbound queue can hold a maximum of 50 packets. If more than 50 HPR/IP packets are received before the SNASwitch process can run and dequeue some, subsequent packets will be dropped.

Workaround: There is no workaround.

Further Problem Description: The output of the show ip socket detail command or the show udp detail command (depending on your release of IOS) shows the number of drops that have occurred, the maximum queue size (50), and the highwater value.

HPR/IP Uses ports 12000 through 12004. Here is an example of UDP port 12003 showing 190577 dropped inbound packets:

Proto    Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17      --listen--            x.x.x.x     12003  0  0   61   0
 Queues: output 0 input 0 (drops 190577, max 50, highwater 50)

Resolution Summary: The resolution of this bug adds a new qsize parameter on the snasw port configuration command. This allows the specification of a UDP socket queue size value for HPR-IP ports only.

For example:

snasw port EE hpr-ip GigabitEthernet0/1 qsize 500

Note that the default of 50 was not changed by this. In order to increase the size of the UDP socket queue, the new parameter must be specified.

Other parameters may need to be adjusted as well. Global configuration:

ip spd queue max-threshold 512
ip spd queue min-threshold 500

Under each IP interface where HPR/IP packets flow in and out of this router, add:

hold-queue 500 in

CSCsj90012

Symptoms: Some Cisco 2800 and Cisco 3800 platform routers crash on startup after the 256MB-v5.sdf file has been loaded and the signature files have been saved to flash.

Conditions: This symptom occurs when loading the 256MB-v5.sdf file and saving signature files to flash using the ip ips config location flash command. The router then crashes on restart when the files are read out of flash.

Workaround: The crash has not been observed with the package files, such as IOS-S300-CLI.pkg, nor was it repeatable on a Cisco 3725 or Cisco 2651 router.

CSCsj91069

Symptoms: If the filter within a class-map is changed from DSCP to ACL, classification of packets under any of the class-maps stops working.

Conditions: This happens right after reload while traffic is running and matching using the DSCP filter.

Workaround: Reapply the service policy after you make the change and it will start matching properly.

CSCsj91443

Symptoms: The router crashes while a bundle is being removed with the no bundle test_p2p command.

Conditions: Occurs after configuring no bundle test_p2p on a point-to-point interface.

Workaround: There is no workaround.

CSCsj94013

Symptoms: Cisco Security Manager (CSM) rollback fails.

Conditions: Occurs with signatures loaded with version 2006-12-18.

Workaround: Disable Intrusion Prevention System (IPS) to unload signatures and reload the desired signature level.

CSCsj94818

Symptoms: Virtual circuit (VC) goes to inactive state due to the fact that peak cell rate (PCR) is higher than physical bandwidth.

Conditions: Problem occurs on Cisco 877 router with ADSL2+ and with Cisco IOS Release 12.4(11)XJ3 and Cisco IOS Release 12.4(15)T1. Occurs when device is configured for VBR-NRT and PCR rate higher than VC bandwidth.

Workaround: Reset the VC.

CSCsj95475

Symptoms: Multicast replicated packets are dropped when passed through an interface with crypto map attached and VPN Services Adapter (VSA) is active.

Conditions: Occurs when multicast packets are coming in the fast switching path, and multicast packets get replicated on different interfaces.

Workaround: Use the no ip mroute-cache command to disable multicast fast switching.

CSCsj95947

Symptoms: The following message is seen on the router:

*Aug 6 16:34:47.188: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error, -PC= 0x8005EC50, 
-Traceback= 0x809971F4 0x809B9C2C 0x809DD8A4 0x8005EC50 0x800651E4 0x800652A8 
0x809E42D4 0x809C4A38 0x800652EC 0x809C4BA0 0x809E42D4 0x80A0854C 0x800DB8C0 
0x800DEE48

Conditions: The conditions under which this symptom occurs are not known at this time.

Workaround: There is no workaround.

CSCsj96577

Symptoms: A Cisco AS5400HPX crashes due to a bus error as indicated by show version "System returned to ROM by bus error at PC 0x61728370, address 0xB0D0B45".

Just before the crash the following error message is seen:

%SYS-2-NOTQ: unqueue didn't find 674D6D40 in queue 3C
-Process= "MGCP Application", ipl= 0, pid= 170

Conditions: This symptom is observed on a Cisco AS5400HPX.

Workaround: There is no workaround.

CSCsj97045

Symptoms: While running a Cisco IOS Release 12.4 Mainline release, a Cisco router may crash with a bus error. The error displayed will be similar to:

Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x605AFF94

Conditions: This symptom has been observed only if gateway is configured for Voice over IP (VoIP).

Workaround: There is no workaround.

CSCsj97416

Symptoms: Packets do not match the "permit" access-list entries (ACEs) at the bottom of an ACL while some more specific "deny" ACEs are at the top of the ACL. Less specific IP addresses should match the "permit" statement at the end of the ACL, but they do not.

Conditions: Occurs on an NPE-G2 with Cisco IOS Release 12.4(15)T1 after a migration from an NPE-G1 with Cisco IOS Release 12.3(15b).

Workaround: There is no workaround.

CSCsj97602

Symptoms: A Cisco access server may run out of free processor memory. This symptom can be seen in the show process memory command. Increased memory utilization will be seen in the Dead pool.

Conditions: This symptom has been observed only in access servers that participate in Cisco Customer Voice Portal (CVP).

When a VXML application is configured with fetchaudio, the fetchaudio playout fails after user disconnect. The fetchaudio should have been removed from the prompt list, but it was not. This causes the session not to be freed when the application is finished.

Workaround: A reload will temporarily free the leaked memory.

CSCsj99328

Symptoms: When using redundant key server (KS), after losing and regaining connect to the primary KS, group members (GMs) will continually generate thousands of register attempts. A GDOI session is correctly created, so the GMs can encrypt and decrypt traffic. However they will be heavily loaded with register attempts, and a significant number of logging messages will be generated. The thousands of register attempts will also overload the KS, preventing other routers from connecting.

Conditions: Occurs when redundant KSs are configured and the GMs do not have a connection to the primary KS on boot or when the IPsec or GDOI lifetime expires. If they lose the connection and regain it before the lifetimes expire, the problem does not occur.

Workaround: Configure the GMs for a single KS.

CSCsk00177

Symptoms: GRE traffic needs to be explicitly allowed on the outside interface that terminates DMVPN IPsec-protected traffic.

Conditions: This symptom is observed on a DMVPN tunnel interface with tunnel protection IPSec, with CEF or fastswitching.

Workaround: Use process switching.

First Alternate Workaround: Allow the GRE traffic.

CSCsk00612

Symptoms: In the startup-config, the VPN routing/forwarding (VRF) definition comes after the crypto keyring as well as the crypto ISAKMP profile definition. This causes the following error messages when the router boots:

% warning: VRF tag your-vrf is not found in configuration
% vrf your-vrf not configured

Conditions: Occurs on a router configured for VRF and IPSec.

Workaround: Reconfigure the ISAKMP profile and keyring after the router boots.

CSCsk01413

Symptoms: No Cisco IOS IPS signature category other than "all" can be selected before the signature package is loaded onto the router.

c2811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
c2811(config)#ip ips signature-category
c2811(config-ips-category)#category ?
  all  All Categories

Conditions: Also seen when CSM loads signatures and tries to set the basic category to retired false.

c2811(config)#ip ips signature-category
c2811(config-ips-category)#category ios_ips basic
                                    ^
^ unrecognized...

Workaround:

1) Set category all to retired true:

2811b#conf t
2811b(config)#ip ips signature-category
2811b(config-ips-category)#category all
2811b(config-ips-category-action)#retired true
2811b(config-ips-category-action)#exit
2811b(config-ips-category)#exit
Do you want to accept these changes? [confirm]
2811b(config)#

2) Load signatures using the copy command or CSM.

3) Set the desired categories to retired false:

2811b#conf t
Enter configuration commands, one per line. End with CNTL/Z.
2811b(config)#ip ips signature-category
2811b(config-ips-category)#category ios_ips basic
2811b(config-ips-category-action)#retired false
2811b(config-ips-category-action)#exit
2811b(config-ips-category)#exit
Do you want to accept these changes? [confirm]
2811b(config)#

CSCsk01615

Symptoms: Category processing (the time after the user enters category selection to the time the prompt returns) took 8 minutes to complete.

Conditions: When adding or modifying any signature categories with the following releases: 12.4(11)T2, 12.4(11)T3, 12.4(15)T.

Workaround: There is no workaround.

Further Problem Description: This issue occurs in the following scenarios:

1. Configure the following categories first:

category all
 retired true
category ios_ips basic
 retired false

Then load the signature package onto the router; the router takes about 2 minutes to build the engines. Afterwards, removing "ios_ips basic" or adding any other signature category takes the router 8 minutes of category processing.

2. Configure the following category first:

category all
 retired true

Then load the signature package onto the router and add "category ios_ips basic" or any other category, for example "web_services"; the router takes about 8 minutes for category processing. Afterwards, removing "ios_ips basic" or adding any other signature category again takes 8 minutes of category processing.

CSCsk04941

Symptoms: Semaphore hog messages occur on PA-MC-2T3-EC port adapter.

Conditions: When Multilink Point-to-Point Protocol (MLPPP) or Multilink Frame Relay (MFR) is configured, a shut/no shut or a CRC change causes the messages.

Workaround: There is no workaround.

CSCsk05059

Symptoms: A spurious access error occurs in tfib_post_table_change_sanity_check () function.

Conditions: This symptom occurs if a route is deleted. The ROUTE_DOWN event is triggered in the tfib_post_table_change() function, which in turn calls tfib_post_table_sanity_check(). In that function, a spurious access is reported because the only path of the route is down.

Workaround: There is no workaround.

CSCsk05495

Symptoms: Some L2TP clients may fail to establish a secure session with Cisco IOS-based L2TP server.

Conditions: Occurs when the L2TP client is not fully compliant with RFC 3817.

Workaround: There is no workaround.

CSCsk06024

Symptoms: Router crashes when WebVPN client attempts to use Outlook Web Access.

Conditions: Occurs when PKI trustpoint configuration is incomplete or incorrect.

Workaround: There is no workaround.

CSCsk09651

Symptoms: A router crashes while a service policy is being attached, detached, or modified across a virtual template under traffic.

Conditions: This symptom is observed on a Cisco 7200 or Cisco 7301 router that is configured with MLPPP over FR on channelized interfaces.

Workaround: There is no workaround.

CSCsk10133

Symptoms: During a mid-call codec switch from g.711 to g.729 on a gatekeeper-controlled gateway, the gateway may intermittently receive a Bandwidth Confirmation (BCF) message from the gatekeeper and wrongly detect it as a Bandwidth Reject (BRJ) message. This results in a release complete being sent from the gateway with a cause code of 65.

Conditions: This condition appears to be intermittent, due to the order of the OLC and the ECS (Empty Capability Set) messaging. This issue will be seen only on gatekeeper-controlled gateways that are doing bandwidth control. This issue is currently being seen only when codecs are switched mid-call to a codec with less bandwidth utilization.

Workaround: Any of the following workarounds should alleviate this issue:

1. Disable bandwidth requests from the gateway:

voice service voip
 h323
  no ras brq

2. Configure all call legs to use the same codec.

3. Do not use a gatekeeper with this gateway.

Further Problem Description: This issue appears to be a recurrence of CSCee60960 and can be seen by enabling the following debugs:

- debug h225 asn1
- debug ras
- debug cch323 all

The following would be seen after the BCF is received:

581565: .Aug 15 13:45:06.376: //-1/xxxxxxxxxxxx/H323/cch323_ras_handle_recv_msg: received msg of type BCF_CHOSEN
581566: .Aug 15 13:45:06.376: //94506/5A1D2CEFA2CC/H323/cch323_percall_ras_sm: ccb 0xC2A5CA58: received event CCH323_RAS_EVENT_BCF while at CCH323_RAS_STATE_ACTIVE state
581567: .Aug 15 13:45:06.376: //94506/5A1D2CEFA2CC/H323/cch323_percall_ras_sm: ccb 0xC2A5CA58: changing to new state CCH323_RAS_STATE_ACTIVE
581568: .Aug 15 13:45:06.376: //-1/xxxxxxxxxxxx/H323/cch323_iev_queue_service: Dispatch 0x1E internal event to H245 IWF SM
581569: .Aug 15 13:45:06.376: //94506/5A1D2CEFA2CC/H323/run_h245_iwf_sm: received IWF_EV_BRJ while at state IWF_OLC_OUT_AWAIT_BCF
581570: .Aug 15 13:45:06.376: //-1/xxxxxxxxxxxx/H323/h323_set_release_source_for_peer: ownCallId[94506], src [6]
581571: .Aug 15 13:45:06.376: //94506/5A1D2CEFA2CC/H323/h245_iwf_set_new_state: changing from IWF_OLC_OUT_AWAIT_BCF state to IWF_OLC_IDLE state
581572: .Aug 15 13:45:06.376: //-1/xxxxxxxxxxxx/H323/cch323_iev_queue_service: Dispatch 0xE internal event to H245 IWF SM
581573: .Aug 15 13:45:06.376: //94506/5A1D2CEFA2CC/H323/run_h245_iwf_sm: received IWF_EV_OLC_FAILED while at state IWF_ACTIVE
581574: .Aug 15 13:45:06.376: //-1/xxxxxxxxxxxx/H323/h323_set_cc_cause_for_spi_err: Categorized cause:65, category:278

CSCsk10985

Symptoms: IMA group interface does not come up after the reload.

Conditions: This symptom is observed on a Cisco 2811 router with ATM interface that is using VWIC2-2MFT-T1/E1 connected to MGX AUSUM card.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the IMA interface.

CSCsk11273

Symptoms: Secondary key server (KS) (new primary) fails to create new TEKs during rekey intervals after network split.

Conditions: A network split, followed by a merge and another split, occurs between cooperative key servers, and the secondary KS was left with no TEKs earlier.

Workaround: Enter the clear crypto gdoi command on the secondary key server. It may also be necessary to enter clear crypto gdoi on the group members.

CSCsk12739

Symptoms: Router runs out of free memory after applying service policies.

Conditions: Occurs on a Cisco 7200 router running Cisco IOS Release 12.4(15)T with a large QoS configuration. When a service policy is applied to an interface, memory consumption becomes too high and free memory is reduced by 235Mb with each service policy applied. Shutting down the interface does not change the behavior.

Workaround: There is no workaround. Downgrade to Cisco IOS Release 12.4(11)T1 or upgrade to Cisco IOS Release 12.4(15)T2.

CSCsk13250

Symptoms: When Cisco's Secure Device Provisioning Registrar (SDP) is configured on a Cisco 7206 router that has a hardware encryption accelerator card enabled (the VSA card), the registrar fails to process incoming requests properly.

Conditions: Occurs when the SDP Registrar processes registration requests coming from a remote location and when the VSA card is enabled.

Workaround: Disabling the VSA card makes the registrar operations work in software mode, and then it works properly.

CSCsk13966

Symptoms: Traffic is inspected by the zone-based firewall even though the policy map has an applicable "pass" statement. Instead, the traffic should be passed without inspection.

Conditions: Possibly occurs only for dynamic interfaces like "virtual-access."

Workaround: Use the "inspect" policy-map action.

CSCsk14137

Symptoms: Cisco 1812J router fails to forward incoming multicast traffic. This problem might be also seen with HWIC-4ESW on other routers.

Conditions: Occurs when the "ip igmp snooping" feature is used with a switch-port and a VLAN interface is used as the incoming interface.

Workaround: Disable "ip igmp snooping" or use a routed-port instead of a switch-port.

CSCsk14633

This is the Cisco Product Security Incident Response Team (PSIRT) response to a vulnerability that was reported on the Cisco NSP mailing list on August 17, 2007 regarding the crash and reload of devices running Cisco IOS after executing a command that uses, either directly or indirectly, a regular expression. The original post is available at the following link:

http://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html

The Cisco PSIRT posted a preliminary response on the same day and is available at the following link:

http://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html

Preliminary research pointed to a previously known issue that was documented as Cisco bug ID CSCsb08386, entitled "PRP crash by show ip bgp regexp", which was already resolved. Further research indicates that the current issue is a different but related vulnerability.

There are no workarounds available for this vulnerability. Cisco will update this document in the event of any changes.

The full text of this response is available at /en/US/products/products_security_response09186a00808bb91c.html

CSCsk16062

Symptoms: CSM rollback of Cisco IOS IPS device fails.

Conditions: This symptom occurs on signatures loaded that are more recent than 2006-12-18.

Workaround: Disable IPS and reload required signatures.

Further Problem Description: The getConfigInfo request is returning the loaded typedefs and causing CSM to consider the signature package to be out of sync with the database.

CSCsk16821

Symptoms: A Cisco router acting as a DHCP server may experience the following problem when Secure ARP is also configured, and the Secure ARP keepalive time is less than the DHCP lease time. If a client device goes into sleep mode for a period of time less than the DHCP server's configured lease time but more than the Secure ARP time, the DHCP lease will be cancelled at the server. If the client awakes, it will have a valid DHCP lease, for the remainder of the last lease time it was granted. When the device awakes and attempts to renew its IP address, it sends a unicast DHCPREQUEST to the DHCP server. Because the lease has been removed from the DHCP server, and there is no ARP entry for the client, the DHCP Server does not send any reply to the device. The Secure ARP feature will, however, prevent the device from communicating until its lease has expired.

Conditions: This symptom has been observed with a Cisco router acting as a DHCP server when Secure ARP is also configured.

Workaround: Disable Secure ARP on the DHCP server or change the Secure ARP keepalive time to correspond to the lease time.

CSCsk16904

Symptoms: A NAT router fails an H.323 connection because of an ARP resolution failure; the ARP request is triggered by an H.225/H.245 packet. When the problem occurs, the NAT router creates an incomplete entry and sends an unexpected ARP request for the destination IP address instead of the next-hop IP address, even though the destination prefix is not a directly connected route. Therefore, if the next-hop router of the NAT router has proxy ARP disabled, packet forwarding fails. A ping to the same destination succeeds while the problem occurs.

Conditions: This problem happens under the following conditions:

- Static NAT or dynamic NAT is configured.
- The next-hop router of NAT router disables proxy ARP.
- H323 terminal device tries to call for another one over NAT router.

Workaround: Enable proxy ARP on the next-hop router.

CSCsk19108

Symptoms: Before sending the initial INVITE, a Cisco gateway performs a DNS SRV query, which returns the name of the server on which the SIP service is running; a DNS A query for that name then returns the IP address of the proxy server, so the initial call is established through this SIP proxy server. After receiving a SIP REFER message to initiate a call transfer whose Transfer-to location is a domain name, the SIP gateway performs only a DNS A record query for the Refer-To host, which returns an IP address on which SIP is not running. This causes the transfer to fail.

Conditions: This symptom is observed on a Cisco 2800 series router but is not platform dependent. The transfer-target address received in the REFER is an FQDN (with the default port 5060 or no port).

Workaround: There is no workaround.

CSCsk20788

Symptoms: Memory access errors occur at run time, possibly causing the router to crash.

Conditions: Occurs on routers running Cisco IOS Release 12.4(13.13)T1 and later releases.

Workaround: There is no workaround.

CSCsk22420

Symptoms: Time-based ACL matches packets even though the access list is set to INACTIVE.

Conditions: Occurs on router running Cisco IOS Release 12.4.

Workaround: There is no workaround.

CSCsk25243

Symptoms: Policy-map counters may not be accurate and may yield erroneous bps values. If these values are used in policers, it may mean unexpected packet drops.

Conditions: This issue has been seen in a crypto/QoS environment where packet reassembly is needed (such as tunnel protection scheme with tunnel configured to have IP MTU of 1500).

Workaround: In some platforms, such as Cisco 7200 NPE-G1/VAM2+, it has been seen that disabling hardware encryption fixes the issue.

CSCsk25491

Symptoms: A Cisco router may reload and display a message similar to the following:

Aug 19 12:28:51.960: %SYS-3-MGDTIMER: Previous timer has bad forward linkage, timer = 64176C30. -Process= "IPSEC key engine", ipl= 4, pid= 150 -Traceback= 0x607462F0 0x6084FD88

12:28:52 zulu Sun Aug 19 2007: Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x60815DD4

Conditions: This symptom has been experienced on a Cisco 7206VXR that is running Cisco IOS Release 12.4(16).

Workaround: There is no workaround.

CSCsk25651

Symptoms: With Cisco Unity Express (CUE) integrated to Cisco Unified Communication Manager (CUCM)/CallManager and utilizing SRST functionality, when the IP phones are registered to the SRST router, the message-waiting indication (MWI) states may be incorrect.

Conditions: When a phone registers to a Cisco SRST router, each directory number (DN) gets a particular ephone-dn number that will have a particular MWI state. If the phone unregisters from the SRST router and later re-registers to the router (possibly due to an intermittent connectivity to the CUCM), the ephone-dn number may be different since the ephone-dn numbers are assigned sequentially in a first-come, first-served fashion. The MWI state, however, is remembered from the previous registration that used that ephone-dn number so the MWI status could be incorrect.

Workaround: Configure both the SRST router and the CUE to use SUBSCRIBE/NOTIFY MWI method.

CSCsk26299

Symptoms: When a service policy is modified after it has been applied to an interface, the changes do not take effect.

Conditions: Occurs on a Cisco 2800 router running Cisco IOS Release 12.4(15)T.

Workaround: Apply the service policy to the interface a second time.

CSCsk26774

Symptoms: Native VLAN information is not included in CDP packets going out ports of an EtherSwitch (ESW) module in Cisco 28xx and Cisco 38xx routers. All the platforms using switchports (of any kind built-in/NM/WIC/HWIC) have this issue: Cisco 8xx, Cisco 17xx, Cisco 18xx, Cisco 26xx, Cisco 36xx, Cisco 37xx, Cisco 28xx, and Cisco 38xx.

Conditions: This symptom causes Cisco IP phone models 7961, 7941 and 7970 that are running SCCP firmware to fail to forward traffic coming from a PC connected at the back of the phone.

Workaround: Enable the "Voice VLAN Access" setting on the phone.

CSCsk26973

Symptoms: A router that is running NHRP leaks memory when many incomplete cache entries are created. The incomplete cache entries can be verified by typing the show ip nhrp command and looking for "type incomplete". The memory leaked can be seen by examining the output of the show chunk command and looking for "NHRP Cache".

Conditions: This symptom could occur when traffic to nonexistent or non-responding addresses is forwarded by the router over the DMVPN/NHRP cloud.

Workaround: There is no workaround.

CSCsk27147

Symptoms: The following SNMP message is incorrectly generated:

"%SNMP-3-INPUT_QFULL_ERR: Packet dropped due to input queue full"

This issue is affecting the CISCO-MEMORYPOOL-MIB instead.

Conditions: Occurs on a Cisco 2600 series router running Cisco IOS Release 12.4(11)T3. The router keeps dropping SNMP packets. The log shows that the packets are dropped because the input queue is full. Although the utilization is sometimes high, this cannot be the root cause, as the router keeps dropping packets regardless of the current utilization. Also, the SNMP process takes 5-20% of the CPU load.

Workaround: Exclude ciscoMemoryPoolMIB from your query with the following commands:

snmp-server view public-view iso included
snmp-server view public-view ciscoMemoryPoolMIB excluded

Apply this view to the RW community string. This view excludes only ciscoMemoryPoolMIB; all other MIBs remain available.

CSCsk27356

Symptoms: Secure copy (SCP) from a server to a router fails.

Conditions: Occurs when attempting to use SCP to copy a file from a server to a router running Cisco IOS Release 12.4(15)T.

Workaround: There is no workaround.

CSCsk28266

Symptoms: A Cisco 871 router that is configured for VPN remote access re-initiates itself when the VPN server is unavailable.

Conditions: Occurs when the VPN server is unavailable. The router repeatedly attempts to connect to the server.

Workaround: Configure a backup VPN server that can be used when the primary server fails.

CSCsk28857

Symptoms: Rekeying may cause unexpected side effects due to a bad code fix in CSCsk03183. As that DDTS and this fix only existed in the v124_15_t_throttle branch for the T2 release candidate, this issue never made it out to the field or customers.

CSCsk29216

Symptoms: On an ATM interface, if tx-ring-limit is set to 1 under heavy traffic, the interface might become wedged. Throughput is degraded because many packets are dropped.

Conditions: This symptom occurs when tx-ring-limit is set to 1 under an ATM interface that carries heavy bursty traffic.

Workaround: Use a tx-ring-limit of at least 2 under these circumstances.

CSCsk30100

Symptoms: Cisco 7200 router may crash when members are moved from a Distributed Link Fragmentation and Interleaving over Leased Lines (dLFIoLL) interface to a Multilink Frame Relay (MFR) interface.

Conditions: Occurs when the QoS service policy is in suspend mode on a MFR interface.

Workaround: Ensure the QoS policy is not in suspend mode before moving members from LFIoLL to MFR.

CSCsk30172

Symptoms: When multicast traffic is sent over the Dynamic Multipoint VPN (DMVPN) tunnel, and a policing policy is applied on the physical interface on which the tunnel is built, policing does not happen. This occurs even though the "show policy-map interface" indicates that policing is in place.

Conditions: Occurs when policing is applied for multicast traffic on a DMVPN Tunnel interface.

Workaround: Issue is not seen when policy-map is attached to the tunnel interface.

CSCsk33780

Symptoms: Compressed Real-Time Protocol (cRTP) shows errors and Low Latency Queuing (LLQ) shows drops from default queue although there is no traffic to match it.

Conditions: This problem can be seen under load of MPPP bundle of several serial interfaces with LLQ and cRTP enabled.

Workaround: There is no workaround.

CSCsk34715

Symptoms: Router crashes when the no ip nat outside command is removed while traffic is being processed.

Conditions: Occurs on a Cisco 7200 router that uses ACL as source.

Workaround: There is no workaround.

CSCsk35985

Symptoms: The system crashes when the show ipv6 ospf lsdb-radix hidden command is entered.

Workaround: Do not enter the show ipv6 ospf lsdb-radix command.

CSCsk36324

Symptoms: On a Cisco router, OSPF might go into a loop during SPF calculation, causing high CPU utilization and rendering the router inaccessible.

Conditions: This symptom occurs when router LSAs with a link metric disallowed by RFC 2328 are present in the network (note that Cisco routers do not originate such LSAs) and when the network is unstable (link flapping during the SPF calculation).

Workaround: To fix the problem, reload the router. To prevent the problem, manually configure a link metric according to RFC 2328.

Important Note: CSCsk36324 caused MPLS TE defect CSCsl18176 and has been backed out under defect CSCsl18176. A new fix for this issue will be committed under defect CSCsl32318.

CSCsk36559

Symptoms: When one of the T1 or E1 controller NM-HDV2 goes down, the voice calls in the other controller are dropped.

This condition relates to interface x/0 x/0/0 (for example, 4/0 causes 4/0/0 to go down).

Conditions: This problem could happen in the MGCP PRI backhauled setup with NM-HDV2.

Workaround: There is no workaround.

CSCsk36600

Symptoms: Router might crash when an extended ACL is applied.

Conditions: Occurs when QoS with the extended ACL is configured first and ACL statements are defined later.

Workaround: Configure permitted host statements successively and do the same for permitted networks, then configure the ACL statements and attach this ACL to a class-map.

CSCsk36639

Symptoms: Memory leak occurs when multicast packets pass through an interface with crypto map attached and the VSA crypto engine is used.

Conditions: Occurs because multicast packets coming in through the fast-switching path get replicated on different interfaces.

Workaround: Use the no ip mroute-cache command to disable multicast fast-switching.

CSCsk36942

Symptoms: POTS/PRI calls cause phone to ring but have no voice.

Conditions: Occurred on a router configured for zone-based firewall (ZBF).

Workaround: Use Context-Based Access Control (CBAC) instead of ZBF.

CSCsk37675

Symptoms: IKE security associations cause memory leak.

Conditions: Caused by the failure of IKE phase one exchange.

Workaround: There is no workaround.

CSCsk38628

Symptoms: Router fails to process traffic after a reload.

Conditions: IKE/IPSec SA fails to come up, blocking traffic on the serial interface.

Workaround: Either remove the crypto map from the router and reapply it, or remove the online diag.

CSCsk38994

Symptoms: Changes made to Network-Based Application Recognition (NBAR) policies are not automatically applied. Instead the policy must be removed and reapplied to the interface.

Conditions: Occurs in Cisco IOS Release 12.4(11)T and later releases.

Workaround: Upgrade to Cisco IOS Release 12.4(16).

CSCsk39642

Symptoms: A router crashes.

Conditions: This symptom is observed when you are running Cisco IOS Release 12.4(17) or Release 12.4T and when you copy the saved configuration to the running configuration.

Workaround: There is no workaround.

CSCsk40296

Symptoms: A router may crash when the clear pppoe all command is entered.

Conditions: Occurs when a service policy is attached to a virtual template.

Workaround: There is no workaround.

CSCsk40676

Symptoms: The inside interface of a Cisco router running EZVPN may become unresponsive when sending ICMP messages from a remote VPN client connection.

Conditions: Occurs when LZS compression is used on a Windows Vista client.

Workaround: Disable LZS compression.

CSCsk42299

Symptoms: Cisco IPIPGW does not establish TCP connection for H.245 on the TCP port suggested by Cisco Unified CallManager (CCM).

Conditions: The IPIPGW is configured for FS-to-SS interworking. In CCM, the "Wait for Far-End H.245 Terminal Capability Set" option is unchecked.

Workaround: There is no workaround.

CSCsk42419

The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.

The IOS SSH server is an optional service that is disabled by default, but its use is highly recommended as a security best practice for management of Cisco IOS devices. SSH can be configured as part of the AutoSecure feature in the initial configuration of IOS devices, AutoSecure run after initial configuration, or manually. Devices that are not configured to accept SSH connections are not affected by these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159 has been assigned to this bug.

The Security Advisory for this issue is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml

CSCsk42469

Symptoms: Router may crash or report a spurious access when a Data-Link Connection Identifier (DLCI) is altered.

Conditions: Occurs on PA-MC-T3-EC and PA-MC-2T3-EC. When the frame-relay fragment command is entered, a router with NPE-G2 will crash or a router with NPE-G1 will produce a spurious access if frame-relay is unconfigured on the interface.

Workaround: Unconfigure "Frame-relay fragment" first and then unconfigure frame-relay encapsulation.

CSCsk43369

Symptoms: HWIC-4SHDSL-IMA responds with an F5 end-to-end cell instead of an F5 segment cell.

Conditions: HWIC-4SHDSL-IMA is used as a CPE and F5 segment cells are sent to it.

Workaround: There is no workaround.

CSCsk44550

Symptoms: The ATM interface line protocol goes down when configuring OAM-related configurations.

Conditions: Occurs when configuring "oam-pvc" and "oam-bundle."

Workaround: There is no workaround.

CSCsk45076

Symptoms: Router experiences traceback: ipnat_dns_fix_resou.

Conditions: Occurs when DNS traffic traverses the router and NAT is configured.

Workaround: There is no workaround.

CSCsk45981

Symptoms: Classification is not happening in third-level policy-map classes.

Conditions: Occurs on a Cisco 7200 router running a prerelease build of Cisco IOS Release 12.4(15)T2.

Workaround: There is no workaround.

CSCsk46486

Symptoms: The Gigabit controller of the NPE-G2 board does not correctly recognize QinQ encapsulation, dropping the packets as giants. Packets with double encapsulation above 1496 bytes do not pass through; they are dropped at the input of the NPE-G2 as giants. Reverting to single encapsulation on both sides restores the expected behavior and allows pings of any size.

Conditions: Occurs on a Cisco 7200 router running Cisco IOS Release 12.2(31)SB7.

Workaround: Configure the L2 interface MTU to 1504 instead of 1500.

CSCsk48302

Symptoms: Router crashes after adding link while member links are shut down.

Conditions: Occurs on a Cisco 7200 router with PA-MC-T3-EC.

Workaround: Reloads may be caused by route flapping. Add new members while existing members are active.

CSCsk54153

Symptoms: A Cisco router may reload unexpectedly with a software forced crash.

Conditions: This symptom is observed when the FXS port is configured with a DN and the gateway is being reset by CallManager 4.2.

Workaround: There is no workaround.

CSCsk55016

Symptoms: TCP checksum corruption occurs on a Cisco 7200 NPE-G2 router that uses a VSA for IPSec encryption and terminates GRE+IPSec tunnels into VRFs. NAT is applied on the GRE tunnel to translate the decrypted clear-text packets. If a crypto map also exists on any other interface, even one unrelated to the GRE tunnels, TCP packets that traverse the GRE+IPSec tunnel and are translated by NAT can have corrupted TCP checksums.

Conditions: A Cisco 7200 NPE-G2 with VSA acts as the headend and terminates GRE+IPSec Tunnel Protection tunnels into VRFs. The ingress WAN interface is also in a VRF (front-door VRF). NAT outside is applied on the GRE tunnel, and NAT inside is applied on the VRF LAN interface. When a spoke sends ICMP or UDP packets, the Cisco 7200 VSA decrypts them, translates them and forwards them to the VRF LAN segment without any problem. When the spoke sends TCP packets, the 7200 VSA decrypts, translates and forwards them, but the receiving router on the far end reports TCP checksum corruption and drops the packets. The TCP checksum is therefore not being correctly updated by the 7200 VSA after NAT.

Workaround: Remove any CryptoMaps from all interfaces on the Cisco 7200. Or use VAM2+ instead of VSA.

CSCsk55344

Symptoms: Router crashes with simultaneous format on an ATA file system through CLI and SNMP.

Conditions: This symptom is observed on a router that runs Cisco IOS with ATA file system.

Workaround: There is no workaround.

CSCsk56864

Symptoms: EzVPN configured with a virtual interface and using a cellular or async interface as its outside interface with dial-on-demand routing (DDR) cannot bring up a call. Also, when the cellular or async interface loses its IP address, EzVPN gets stuck waiting for the interface to obtain an IP address again.

Conditions: Occurs on a Cisco router with DDR on the EzVPN outside interface (async or cellular) when that interface loses its IP address.

Workaround: There is no workaround.

CSCsk58019

Symptoms: Low call success rate (CSR) is seen when calls traverse a Cisco 3845 router configured for Network Address Translation (NAT) and acting as a session border controller (SBC).

Conditions: This is seen while doing Performance testing on NAT-SBC. The CSR was as low as 25% while making just 75 SIP calls.

Workaround: There is no workaround.

CSCsk60020

The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.

The IOS SSH server is an optional service that is disabled by default, but its use is highly recommended as a security best practice for management of Cisco IOS devices. SSH can be configured as part of the AutoSecure feature in the initial configuration of IOS devices, AutoSecure run after initial configuration, or manually. Devices that are not configured to accept SSH connections are not affected by these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159 has been assigned to this bug.

The Security Advisory for this issue is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml

CSCsk61275

Symptoms: No ring on Cisco Unified IP Phone 7941 while hunting the second overlay number in a call forward no answer (CFNA) configuration.

Conditions: Overlay button is configured on Cisco 7941, and CFNA configured from first number to second number.

Workaround: Use Cisco IOS Release 12.4(11)XJ3 or Cisco IOS Release 12.4(11)T3.

CSCsk62253

Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:

1. Crafted HTTPS packet will crash device - Cisco Bug ID CSCsk62253.

2. SSLVPN sessions cause a memory leak in the device - Cisco Bug ID CSCsw24700.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. This advisory is posted at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

CSCsk64021

Symptoms: A VXML gateway intermittently fails to submit a recording.

Conditions: This symptom is observed in Cisco IOS Release 12.4.

Workaround: There is no workaround.

CSCsk64248

Symptoms: Crypto maps support order entry of policy idents using sequence numbers. The sending of packets on the outbound interface cascades through the ordered list and applies encryption according to the first match. The packet is encrypted and encapsulated with the appropriate ESP header, which includes the SPI. When receiving an IPSec packet, the SPI is relevant for identifying the security association and the appropriate keys. Once the packet is decrypted, the IP header is compared against the policy idents, which should match. When an ordered list of policy idents is used, the IP header should be compared against the policy idents associated with the security association. This bug was identified based on the code attempting to compare the IP header against the first match in the ordered set of policy idents as opposed to the policy ident associated with the SPI. As a result, the packet is dropped because of invalid policy idents checking.

Conditions:

1. A crypto map with a point-to-point IPSec SA is established to a remote peer.

2. A crypto map with a group IPSec SA is established to a GET VPN group.

3. The order of the crypto map entries is such that the point-to-point SA is prioritized ahead of the group SA.

4. The proxy idents of the group SA are a superset of the point-to-point SA.

5. Outbound traffic matches the point-to-point SA proxy idents first; therefore, it is encrypted with the point-to-point SA.

6. A received encrypted packet uses the SPI to identify the correct key, which happens to associate with the group SA.

7. The packet is decrypted using the group SA.

8. The packet is subsequently checked against the proxy idents. The check is done in priority order, which matches first on the point-to-point SA. The security association used for decryption and the security association used for proxy ident matching are inconsistent; therefore, the packet is dropped despite the fact that the proxy ident matches for the subsequent group security association.

9. The context of the decryption SHOULD have been preserved such that the group SA proxy idents are used for the matching. This would have made the key used for the decryption and the proxy idents consistent, allowing the packet to be forwarded.

Workaround: There is no workaround. The point-to-point IPSec policy ident must be removed in order for the GDOI policy to be applied. This prevents a graceful transition between point-to-point IPSec and GET VPN.
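The ordered-match versus SA-bound-match distinction described in the caveat above, as an added Python model (not Cisco code; the crypto map entries, address selectors and SPI values are constructed). Outbound selection walks the crypto map in sequence order, while the inbound check either repeats that walk after decryption (the defect) or consults only the policy idents bound to the SA that the SPI identified (the intended behaviour of step 9):

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class ProxyIdent:
    """One policy ident (proxy identity): the source/destination selectors of an ACE."""
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src_ip: str, dst_ip: str, inbound: bool = False) -> bool:
        # A decrypted inbound packet is checked against the mirrored selectors:
        # its source must fall in the ident's destination and vice versa.
        s, d = ip_address(src_ip), ip_address(dst_ip)
        if inbound:
            s, d = d, s
        return s in self.src and d in self.dst


@dataclass
class CryptoMapEntry:
    seq: int        # crypto map sequence number (lower = higher priority)
    name: str
    idents: tuple   # ProxyIdent objects for this entry
    spi: int        # inbound SPI of the SA built for this entry (constructed value)


class CryptoMap:
    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e.seq)
        self.sa_by_spi = {e.spi: e for e in self.entries}

    def outbound_entry(self, src_ip, dst_ip):
        """Outbound: the first match in sequence order decides which SA encrypts."""
        for entry in self.entries:
            if any(i.matches(src_ip, dst_ip) for i in entry.idents):
                return entry
        return None

    def inbound_check_buggy(self, spi, src_ip, dst_ip):
        """Defect: after decrypting with the SA the SPI selected, the header is
        compared against the first match in the ordered list, not the SA's idents."""
        sa = self.sa_by_spi.get(spi)
        if sa is None:
            return "drop: no SA for SPI"
        for entry in self.entries:
            if any(i.matches(src_ip, dst_ip, inbound=True) for i in entry.idents):
                return "forward" if entry is sa else "drop: policy ident mismatch"
        return "drop: no policy ident"

    def inbound_check_fixed(self, spi, src_ip, dst_ip):
        """Intended behaviour: keep the decryption context and check only the
        policy idents bound to the SA that the SPI identified."""
        sa = self.sa_by_spi.get(spi)
        if sa is None:
            return "drop: no SA for SPI"
        if any(i.matches(src_ip, dst_ip, inbound=True) for i in sa.idents):
            return "forward"
        return "drop: policy ident mismatch"


def build_scenario() -> CryptoMap:
    """Constructed scenario: a point-to-point entry ordered ahead of a GET VPN group
    entry whose idents are a superset of it (conditions 1 to 4 above)."""
    p2p = CryptoMapEntry(10, "p2p",
                         (ProxyIdent(ip_network("10.1.1.0/24"), ip_network("10.2.2.0/24")),),
                         0x1001)
    grp = CryptoMapEntry(20, "getvpn",
                         (ProxyIdent(ip_network("10.0.0.0/8"), ip_network("10.0.0.0/8")),),
                         0x2002)
    return CryptoMap([p2p, grp])


def demo():
    cm = build_scenario()
    # Condition 5: outbound 10.1.1.7 -> 10.2.2.5 hits the point-to-point entry first.
    out = cm.outbound_entry("10.1.1.7", "10.2.2.5").name
    # Conditions 6 to 8: the reply arrives carrying the group SA's SPI.
    buggy = cm.inbound_check_buggy(0x2002, "10.2.2.5", "10.1.1.7")
    fixed = cm.inbound_check_fixed(0x2002, "10.2.2.5", "10.1.1.7")
    return out, buggy, fixed


if __name__ == "__main__":
    print(demo())
```

With the group SA's SPI the buggy check lands on the point-to-point entry first and drops the packet, while the fixed check compares against the group SA's own idents and forwards it; when the point-to-point SA's SPI is used, both checks agree.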

CSCsk65796

Symptoms: All frames received on gigabit ethernet interface are dropped. All drops are reported as overruns in the output of show interfaces and show controllers.

Conditions: Symptom is observed on gigabit ethernet interfaces on NPE-G2 network processor of Cisco 7200 Series Routers. All IOS trains that support NPE-G2 are affected.

Symptom is observed only when the gigabit ethernet controller is in promiscuous mode and with moderate traffic rate. Line protocol on the interface remains up when the error condition is present.

Workaround: There is no workaround. When the gigabit controller falls into this condition, the only way to recover is to power-cycle the router. Soft reload does not clear the problem.

Further Problem Description: The Ethernet controller goes into promiscuous mode under two conditions:

- Bridging is configured on the interface.

- The number of MAC addresses that have to be stored in its MAC address filter table exceeds the capacity of the table.

The latter case may happen when a large number of HSRP groups is configured or a large number of IP multicast groups are to be received on the interface.

CSCsk69758

Symptoms: Router is unable to turn on the message waiting indicator (MWI) lights of phones connected to Siemens PBX systems that run a recent software release. The router fails to convert SIP notify messages into the appropriate QSIG MWI messages.

Conditions: This occurs only on Siemens PBXs that have been upgraded to a recent software release.

Workaround: There is no workaround.

CSCsk70446

Cisco IOS emits the %DATACORRUPTION-1-DATAINCONSISTENCY error message whenever it detects an inconsistency in its internal data structures.

A traceback appears after the error message. This traceback is encountered with long URLs.

It is important to note that this error message does not imply that packet data is corrupted. However, it does provide an early indicator of other conditions that can eventually lead to poor system performance or a Cisco IOS restart.

CSCsk72683

Symptoms: Router reloads while attaching service policy to hierarchical class-maps.

Conditions: Occurs when a hierarchical class-map is used, as shown below:

class-map c1
 match ip precedence 0
class-map c2
 match class c1

policy-map out
 class c2

interface ethernet0/0
 service-policy output out

When the policy-map is applied, the router reloads immediately after "service-policy output out".

Workaround: Instead of hierarchical class-maps, use flat class-maps (in class-map c2, use "match ip precedence 0" instead of "match class c1"):

class-map c1
 match ip precedence 0
class-map c2
 match ip precedence 0

policy-map out
 class c2

interface ethernet0/0
 service-policy output out

CSCsk73104

Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml

CSCsk75098

Symptoms: A Cisco 7200 NPE-G2 router with a VSA encryption card, terminating IPSec EasyVPN Dynamic Virtual Tunnel Interfaces, exhibits high CPU utilization during IKE and IPSec rekeys, potentially causing some tunnels to go down.

Conditions: This symptom is observed on a Cisco 7200-G2 router with a VSA card, acting as an IPSec HUB, terminating EasyVPN DVTI remote-access IPSec tunnels into VRFs. At high tunnel scale (more than 1000 tunnels), the CPU can spike close to 100 percent during IKE and/or IPSec rekey, potentially causing traffic and tunnels to drop.

Workaround: Do not use more than 1000 RA EasyVPN DVTI tunnels on a Cisco 7200. Or switch to Legacy EasyVPN tunnels (with dynamic crypto maps).

CSCsk78692

A Cisco router running IOS version 12.4(15)T1 may reload unexpectedly due to a bus error crash. This has been experienced repeatedly. The information gathered points to a software issue. At this stage, the root cause has not been found. This enclosure will be updated as more information is gathered.

Workaround: There is no workaround at the current time.

CSCsk81337

Symptom: A multipart POST to an HTTP server fails.

Conditions: The HTTP client uses a multipart POST to send recording data to the server. The failure is caused by the content-disposition filename string being enclosed between a pair of quote (") characters.

Workaround: None.

CSCsk81602

Symptoms: IPsec failover facilitated by Hot Standby Routing Protocol (HSRP) does not work because the subsystem is not correctly initialized.

Conditions: Occurs on routers running Cisco IOS Release IOS 12.4(15)T and Cisco IOS Release 12.4(15)T1.

Workaround: There is no workaround.

CSCsk82241

Symptoms: Security Device Manager (SDM) is unable to restore default alert frequency parameters after alert frequency has been set to another value.

Conditions: Occurs when using SDM to manage Intrusion Prevention System (IPS) 5.x signatures on routers running Cisco IOS Release 12.4(11)T2 and later releases.

Workaround: Use CLI to reset the alert frequency to default.

CSCsk86004

Symptom: IVR-related error debugs need to be kept enabled at all times for a pervasive CAP contact center.

Conditions: When a voice gateway is used as an IVR "contact center", it is often necessary to turn on error debugs for IVR, VXML, HTTP client, RTSP and MRCP.

Workaround: The error debugs need to be manually enabled each time the router is reloaded or when all debugs are disabled.

CSCsk88637

Symptoms: OAM cells are not generated when a new ATM subinterface and PVC is configured. Check subinterface and PVC status and enable the debug atm oam interface atmx/x.xxx command. Subinterface will be up/up. PVC will be down, and no debug output will be seen.

Conditions: This symptom has been seen in various Cisco IOS 12.4 images.

Workaround: Perform shut/no shut commands on ATM subinterface.

CSCsk90741

Symptoms: Intrusion Prevention System (IPS) causes high CPU usage and crashes on routers with 256MB or less memory.

Conditions: Occurs if IPS 5.x signatures are loaded using the copy <url> idconf command before configuring "ip ips signature-category". If "ip ips signature-category" is configured (and only the necessary categories are selected) prior to the signature load, the crash does not occur.

Workaround: Perform the following steps:

1. Remove all IPS configuration from the router.

2. Make the IPS configuration again (do not load the signatures).

3. Configure "ip ips signature-category" and enable only the necessary categories there.

4. Load the signatures with "copy <url> idconf".

Further Problem Description:

It is strongly recommended to load only the BASIC set of signatures for IOS IPS 5.x.

According to the IPS 5.x documentation, enabling all signatures at the same time is NOT recommended, as it can cause memory exhaustion and a router crash:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t11/ips_v5.htm

Enabling signature categories prior to the signature load ensures that only the necessary signatures are compiled. The document linked above contains a correct configuration example. Follow this sequence to avoid memory exhaustion.

CSCsk91229

The supplied note does not exist in CDETS

CSCsk94226

Symptoms: PA-MC-2T3-EC interface is not usable.

Conditions: The interface is configured with Multilink Frame Relay (MFR) encapsulation and a soft online insertion and removal (OIR) is done on that PA. The issue is seen only with frame-relay mfr encapsulation and is not seen with HDLC/PPP/frame-relay encapsulations.

Workaround: There is no workaround.

CSCsk94464

Symptoms: Cisco 1801 and Cisco 1803 routers fail to establish ISDN layer 2 connection with a certain third-party PBX.

Conditions: Occurs on routers running Cisco IOS Release 12.4(15)T1 and earlier releases.

Workaround: There is no workaround.

CSCsk97130

Symptoms: VXML application causes memory leak

Conditions: If the calling document and the called document of a subdialog share the same root document, the tree structure used for the root document is not released after the call session is finished.

Workaround: There is no workaround.

CSCsk97384

Symptoms: Abnormally large FreshTime value appears in IVR HTTP client cache entry.

Conditions: This symptom is observed when a VXML voice browser downloads a file from an HTTP server. If the file was modified very recently, the FreshTime for that file may show up with a very large value.

Workaround: There is no workaround.

CSCsk99530

Symptoms: The MPLS forwarding table has an untagged outgoing entry for a VPNv4 prefix in a CSC case.

Conditions: This is an LDP/IGP (OSPF etc.) based CSC-PE. The VPNv4 prefix shall have a local/redistributed (PE-CE OSPF etc.) path as well as an iBGP path. If the CE path is toggled and then there is a LABEL ONLY change from the iBGP neighbor, the issue will be seen. BGP will end up programming "Untagged" for the local/redistributed prefix, overwriting what is given by LDP.

Workaround: There is no real workaround. To clear the problem, issue a clear ip route command for the vrf-prefix in question. If there are redundant paired PEs, make sure to clear the problem on both routers with the clear ip route command.

CSCsl01874

Symptoms: Cisco IOS configured with the Dynamic Multipoint VPN (DMVPN) feature allows stale tunnel endpoint entries to remain in the system. This occurs even though the Next Hop Resolution Protocol (NHRP) cache entry does not exist.

Conditions: When a spoke registers with a changed tunnel IP address (overlay address), there will be two overlay addresses mapped to same NBMA address on the hub. As a result when the NHRP mapping for the stale overlay address (old tunnel address) expires on the hub, the tunnel endpoint entry is not deleted, resulting in a stale tunnel endpoint entry.

Workaround: There is no workaround.

CSCsl02427

Symptoms: SIP traffic may not have port range correctly translated when using NAT port map. Destination ports that should be translated into standard SIP port range (16348 - 32768) are instead being translated to port numbers lower than 16384.

Conditions: Symptom has been observed on pre-release version of Cisco IOS Release 12.4(15)T2. May exist in other 12.4T releases of IOS.

Workaround: There is no workaround.

CSCsl03551

Symptoms: If a L2TP packet is fragmented before reaching the L2TP network server (LNS) in a virtual private dial-up network (VPDN) tunnel terminated with VPN routing/forwarding (VRF), it is not reassembled. The first fragment leaks to the global routing table.

Conditions: Occurs in routers running Cisco IOS Release 12.4(11)T and later releases.

Workaround: Avoid L2TP packet fragmentation.

CSCsl04399

Symptoms: Fax call is aborted while testing PRI E1 feature.

Conditions: Occurs in routers running a pre-release version of Cisco IOS Release 12.4(15)T2.

Workaround: Use the fax rate disable command to disable the fax relay feature under the VoIP dialpeer.

CSCsl05987

Symptoms: Router reloads unexpectedly.

Conditions: This occurs when a SSH and WebVPN session are established to the router and a Remote Desktop (RDP) session is brought up through the WebVPN. The interface used by the SSH and WebVPN sessions has IPSec configured and uses a VPN Services Adapter (VSA).

Workaround: Use the no crypto engine accelerator slot command to disable the VSA IPSec hardware encryption card.

CSCsl09596

Symptoms: When the clear crypto gdoi command is entered on the key server, all keys are destroyed, which can seriously impact network traffic.

Conditions: This works as designed, and a warning message has been added to IOS. If the command is issued on a group member, the group member can re-register.

Workaround: There is no workaround.

CSCsl12441

Symptoms: After a software upgrade, router has an unnecessary command, text relay fax rate disable, added to its "voice service pots" configuration.

Conditions: Occurs on routers for which "fax rate disable" is configured when you upgrade from Cisco IOS Release 12.3(11)T10 to Cisco IOS Release 12.4(15)T1.

Workaround: There is no workaround.

CSCsl13216

Symptoms: Warm upgrade does not work as expected.

Conditions: Occurs when you perform a warm upgrade from a small IOS image to a large image.

Workaround: Use the reload command instead of the reload warm file image-path command to boot the new image.

CSCsl14635

Symptoms: T38 negotiation is failing for an incoming UPDATE request that has a T38 offer.

Conditions: This symptom occurs when the voice gateway is running Cisco IOS Release 12.4(15)T and is processing incoming Session Initiation Protocol (SIP) calls. When the SIP call is active and an UPDATE request is received that contains a T38 offer, the UPDATE request is rejected. The switchover from voice to fax fails.

Workaround: Fax over T38 works fine when midcall INVITE is used for T38 negotiation.

CSCsl17560

Symptoms: A Cisco router may reload due to a bus error while browsing file shares through SSLVPN.

Conditions: Occurs on a Cisco 2851 router running Cisco IOS Release 12.4(15)T1. The crash occurs after a user opens file in a shared folder. If the user then tries to go to the parent directory by editing the URL to remove the file name, the router will reload.

Workaround: There is no workaround.

CSCsl30214

Symptoms: Router reloads while configuring the ssg vc-service-map command.

Conditions: Occurs on a Cisco 7200 series router running Cisco IOS Release 12.4(18.4)T.

Workaround: There is no workaround.

CSCsl32308

Symptoms: A voice gateway may modify the Presentation Indicator field when processing a voice call.

Conditions: The voice gateway is running Cisco IOS Release 12.4(9)T5 and processing incoming Session Initiation Protocol (SIP) calls. An incoming SIP call that has its Presentation Indicator (PI) field (octet 3a) set to 0xA0 or to any other value is changed to 0x00 for no apparent reason when it is forwarded to the telephony call leg.

Workaround: There is no workaround.

CSCsl32408

Symptoms: SIP gateway does not pass privacy information to the ISDN leg.

Conditions: The voice gateway is running Cisco IOS Release 12.4(15)T and processing incoming Session Initiation Protocol (SIP) calls. When a SIP message is received on the voice gateway with a calling number containing a non-digit (calling number preceded by a '+'), the octet_3a information present in the SIP message is not passed to the ISDN leg.

Workaround: There is no workaround.

CSCsl34303

Symptoms: Cisco 7200 router crashes when unconfiguring service policy from Multilink Frame Relay (MFR) interface.

Conditions: Occurs if one of the MFR bundle link interfaces was previously being used for Multilink PPP over Frame-relay. Changing the encapsulation may not clean up queuing configuration properly - a dual first in first out (FIFO) queue may remain on the interface.

Workaround: Ensure a dual FIFO queue is not present on MFR bundle link interface. It should be plain FIFO queue. If it is a dual FIFO, change the interface to HDLC encapsulation, which should remove the dual FIFO queue, then back to MFR bundle link encapsulation.

CSCsl34404

Symptoms: A router may experience a bus error during a Group Domain of Interpretation (GDOI) rekey.

Conditions: Occurs on routers running Cisco IOS Release 12.4T and serving as a GDOI rekey server.

Workaround: There is no workaround.

CSCsl35605

The supplied note does not exist in CDETS

CSCsl68776

Symptoms: When two Cisco transcoders are connected back-to-back, calls may not be properly torn down when the Cisco Unified CallManager (CCM) goes into Call Preservation mode by sending the transcoder a "StartMediaFailureDetection" message. This can lead to stuck calls until the Skinny Call Control Protocol (SCCP) application is reset or the router is reloaded.

Conditions: Occurs because the transcoder will only send MediaFailure when both RTP streams stop receiving packets for the configured time (default 1200 seconds). If one side continues to receive RTP, MediaFailure will never be sent to CCM.

Workaround: Reset the SCCP application on router or reload the router.

CSCsl81214

Symptoms: Router reloads unexpectedly while unconfiguring policy-map.

Conditions: Occurs on Cisco 7200 routers running a pre-release version of Cisco IOS Release 12.4(15)T2.

Workaround: There is no workaround.

CSCsl89899

Symptoms: Error occurs in a Mobile IP redundancy environment. The standby router reloads when trying to synchronize with the active router with the following error:

%SYS-6-STACKLOW in MobileIP Standby

Conditions: Occurs on a router running Cisco IOS Release 12.4(15)T.

Workaround: There is no workaround.

CSCsl90470

Symptoms: Cisco Intrusion Prevention System (IPS) does not inspect intra-zone traffic when router is configured with zone-based firewall.

Conditions: Occurs on routers using Cisco IOS IPS and zone-based firewall features.

Workaround: Create a separate zone for each interface. Use an appropriate naming scheme to assist in identifying which interfaces would normally be in the same zone if not for this issue. Create service policies that allow all traffic between the interfaces that were previously in the same zone.

Note: This workaround only works on routers running Cisco IOS Release 12.4(15)T and later releases.

CSCsm12247

Symptoms: A Cisco IOS router configured for WCCP may stop redirecting traffic following a change in topology.

Conditions: The router must be configured for WCCP redirection using the hash assignment method. When there is only a single appliance in the service group, the loss of hash assignment details is permanent. However with multiple appliances in the group, the loss of assignment information is transitory; the router soon recovers.

Workaround: To recover the assignment details, the WCCP configuration needs to be removed and re-added to the router. Use the no ip wccp service command followed by the ip wccp service args command.

Further Problem Description: The changes also address the situation in which some WCCP clients send a modified weight field in the WCCP message, which creates a topology change situation.

Resolved Caveats—Cisco IOS Release 12.4(15)T1

Cisco IOS Release 12.4(15)T1 is a rebuild release for Cisco IOS Release 12.4(15)T. The caveats in this section are resolved in Cisco IOS Release 12.4(15)T1 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCek78644

Symptoms: SNMP does not use the source address in a VRF.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: Ensure that an SNMP interface is not defined in a VRF.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsj24186

Symptoms: A router may intermittently generate the following error message:

%SYS-2-NOBLOCK: may_suspend with blocking disabled. -Process= "Pool Manager"

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4T.

Workaround: There is no workaround.

IP Routing Protocols

CSCsh51559

Symptoms: The following error message may be generated on a router that is configured for VPN or VPNv4:

For VPN:

ALIGN-3-SPURIOUS: Spurious memory access made at bgp_vpn_afmodify_walk

For VPNv4:

ALIGN-3-SPURIOUS: Spurious memory access made at bgp_vpnv4_afmodify_walk

Conditions: This symptom is observed on a Cisco router that is configured for BGP and IPv4 in a VRF address-family configuration and that imports routes from a VRF.

Workaround: There is no workaround. However, the error message is of a cosmetic nature and can be ignored.

CSCsi59438

Symptoms: When you enter the ip multicast limit rpf command, protection may fail after the RPF link becomes operational.

Conditions: This symptom is observed on a Cisco router that is configured for APS switchover.

Workaround: Clear the state of the corresponding multicast route by entering the clear ip mroute command.

Miscellaneous

CSCek77864

Symptoms: When an MFR interface flaps, an outbound service policy is unexpectedly removed from the interface.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.4(15)T and that is configured with a PA-MC-T3-EC port adapter. The symptom is not platform-specific.

Workaround: There is no workaround.

CSCek78033

Symptoms: Packets may drop when the mode of operation for a Multilink Frame Relay (MFR) bundle transitions from hardware to software and then back to hardware.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.4(15)T and that has a PA-MC-T3-EC port adapter that is configured for MFR.

Workaround: There is no workaround.

CSCse64750

Symptoms: "%VPA-3-TSBUSY:VPA" and other error messages may be generated intermittently, and calls may fail.

Conditions: This symptom is observed on a Cisco 7206VRX that is configured with multiple VXC voice port adaptors.

Workaround: There is no workaround.

CSCsh70638

Symptoms: When a router boots and when bursty traffic occurs, the following error messages may be generated:

%ALIGN-SP-STDBY-3-SPURIOUS: Spurious memory access made at 0x72AB2370 reading 0xB8 
%ALIGN-SP-STDBY-3-TRACE_SO: -Traceback= 
(s72033-adventerprisek9_wan_dbg-0-dso-bn.so+0x1AE370) ([42:0]+0x1AE47C) 
([31:-3]3-dso-b+0x220994) ([41:0]+0x220FB8) ([41:0]+0x221A90) ([41:0]+0x22214C) 
([41:0] +0x222D6C) ([41:0]+0x2233CC)

Conditions: This symptom is observed when bursty IPC traffic occurs while the router boots or during a switchover, typically with heavy configuration data exchanges.

Workaround: There is no workaround.

CSCsi02038

Symptoms: A Windows XP SP2 L2TP/IPSec client may fail to connect to a Cisco IOS L2TP server when NAT-T is in use and when an embedded crypto accelerator card is enabled.

IKE phase I is established fine (the state is "QM_IDLE"), but IKE phase II fails. When a matching phase II transform is presented on the L2TP client, an SA is created, a traceback is generated, and then the SA is deleted. Phase II fails and the L2TP session is never established.

When you enable the debug l2tp all command, an error message about incorrect L2TP UDP checksums is displayed.

Conditions: This symptom is observed on a Cisco 870 series, Cisco 1800 series, Cisco 2800 series, and Cisco 3800 series that function as an L2TP server.

Workarounds: Disable the onboard crypto accelerator, or install an AIM crypto accelerator.

Further Problem Description: The Windows XP SP2 L2TP/IPSec client connects without any problems when NAT-T is not in use.

CSCsi12104

Symptoms: When you repeatedly change active routers by enabling preemption and then change the priorities on the router interface, the router may crash.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(13.5)T after you have shut down the interface of the active router.

Workaround: No known workaround.

CSCsi42490

Symptoms: A Cisco 3700 series with an IMA interface may crash.

Conditions: This symptom is observed when the ATM IMA PVC had an AutoQoS configuration.

Workaround: Remove the AutoQoS configuration.

CSCsi51682

Symptoms: The microcode reload pxf command does not function.

Conditions: This symptom is observed on a Cisco RPM-XF that runs Cisco IOS Release 12.4 or Release 12.4T and occurs either with the microcode reload pxf command or the microcode reload sar command. However, the symptom is not platform-specific.

Workaround: There is no workaround.

CSCsi69731

Symptoms: A Cisco 1812 that is configured with USB devices may not boot.

Conditions: This symptom is observed on a Cisco 1812 that runs Cisco IOS interim Release 12.4(13.13)T1 or Release 12.4(15)T1.

Workaround: There is no workaround.

CSCsi70787

Symptoms: A router may reset and generate a crashinfo file when memory that was allocated by a dead process is freed by another process.

Conditions: This symptom is observed on an RPM-XF-512 that runs Cisco IOS Release 12.4T but is not platform-specific.

Workaround: There is no workaround.

CSCsi70791

Symptoms: A Cisco router can experience a memory corruption crash related to encryption.

Conditions: This symptom has been observed when the memory lite global configuration command is disabled.

Workaround: Enable the memory allocation lite (malloc_lite) feature by using the memory lite command.

CSCsi84417

Symptoms: A router may crash when a service policy is attached to an interface.

Conditions: This symptom is observed only when the service policy is attached to many (more than 100) interfaces and is related to class ID exhaustion. The symptom does not occur when the service policy is attached to a few interfaces.

Workaround: Do not attach a service policy to a large number of interfaces.

CSCsi96685

Symptoms: A router that functions as an LNS and ISG may crash at the "chunk free" function when a call is being freed or disconnected.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(31)SB and is caused by a race condition. The symptom may not be release-specific.

Workaround: There is no workaround.

Further Problem Description: The following configuration suggestions may reduce the likelihood that the race condition occurs:

Change the following in all VPDN groups:

l2tp tunnel receive-window 10000
l2tp tunnel timeout hello 180

Do not configure the router for SSO. Rather, configure RPR+.

If the following command is not required, remove it from the configuration:

aaa authentication ppp user-auth if-needed group csm-auth-acct

Configure the seconds argument of the radius-server timeout seconds command to 5 seconds.

Configure the tries argument of the radius-server dead-criteria tries tries command to its maximum value. (If there is only one RADIUS server, you need to ensure that it is not going to be marked dead.)

Periodic accounting every 90 minutes may be too aggressive and may need to be changed.

Set the time-limit argument of the ppp timeout ncp time-limit command under the virtual template to 45 seconds.

CSCsj06762

Symptoms: A router may crash when both a WIC-1AM or WIC-2AM and PVDMs are installed in the chassis.

Conditions: This symptom is observed when the modem interfaces are in the up/up state, that is, calls do not have to be in process for the symptom to occur.

Workaround: Remove the WIC-1AM or WIC-2AM from router and use only PVDMs.

CSCsj29808

Symptoms: A router crashes because of a watchdog timeout when you apply an extended access control list (ACL) to a crypto map.

Conditions: This symptom is observed on a Cisco 7200 series that has a VPN Service Adapter (VSA) when you apply an extended ACL to a crypto map as in the following example:

access-list 110 permit tcp host x.x.x.x gt 1023 x.x.0.0 0.0.255.255

The symptom occurs only when port 65535 is included in the port range.

Workaround: Use an access control entry (ACE) that does not contain port 65535. For example, an ACE that is defined as "greater than 1023" can be defined as "more than 1023 and less than 65534".
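A small audit helper for the workaround above, added here as an example (not Cisco code): it expands the port operators of an extended numbered ACE into port intervals, reports whether either side includes port 65535, and for gt and range operators proposes the widest replacement that stops at 65534. The ACE lines it is run on are constructed (192.0.2.10 and 10.0.0.0 stand in for the x.x.x.x placeholders), and the parser covers only the ACE shape shown in the caveat (protocol, source, optional port, destination, optional port), not every IOS ACL keyword:

```python
PORT_MAX = 65535
_ONE_ARG_OPS = ("eq", "gt", "lt", "neq")


def port_intervals(op: str, *args: str):
    """Expand an IOS ACE port operator into a list of inclusive (lo, hi) intervals."""
    if op == "eq":
        p = int(args[0])
        return [(p, p)]
    if op == "gt":
        p = int(args[0])
        return [(p + 1, PORT_MAX)] if p < PORT_MAX else []
    if op == "lt":
        p = int(args[0])
        return [(0, p - 1)] if p > 0 else []
    if op == "neq":
        p = int(args[0])
        return [r for r in ((0, p - 1), (p + 1, PORT_MAX)) if r[0] <= r[1]]
    if op == "range":
        lo, hi = int(args[0]), int(args[1])
        return [(lo, hi)] if lo <= hi else []
    raise ValueError(f"unknown port operator {op!r}")


def _skip_address(tokens, i):
    # Address forms in an extended ACE: 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'
    return i + 1 if tokens[i] == "any" else i + 2


def _take_port(tokens, i):
    # Optional port operator following an address; returns (token list or None, next index).
    if i < len(tokens) and tokens[i] in _ONE_ARG_OPS:
        return tokens[i:i + 2], i + 2
    if i < len(tokens) and tokens[i] == "range":
        return tokens[i:i + 3], i + 3
    return None, i


def parse_ace(line: str):
    """Return (protocol, src_port_spec, dst_port_spec) for an extended numbered ACE;
    a port spec is a token list such as ['gt', '1023'] or None when absent."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an extended numbered ACE")
    proto = t[3]
    i = _skip_address(t, 4)
    src_port, i = _take_port(t, i)
    if i >= len(t):
        raise ValueError("ACE is missing a destination address")
    i = _skip_address(t, i)
    dst_port, i = _take_port(t, i)
    return proto, src_port, dst_port


def audit_ace(line: str) -> dict:
    """Flag each port spec whose expansion includes port 65535 and, for 'gt' and
    'range', suggest the widest equivalent that stops at 65534 (the caveat says the
    crash needs 65535 in the range, so that is the only port removed)."""
    _, src, dst = parse_ace(line)
    findings = {}
    for side, spec in (("src", src), ("dst", dst)):
        if spec is None:
            continue
        ivals = port_intervals(spec[0], *spec[1:])
        hit = any(lo <= PORT_MAX <= hi for lo, hi in ivals)
        suggestion = None
        if hit and spec[0] in ("gt", "range"):
            lo = ivals[0][0]
            if lo <= PORT_MAX - 1:
                suggestion = f"range {lo} {PORT_MAX - 1}"
        findings[side] = {"spec": " ".join(spec), "includes_65535": hit, "suggest": suggestion}
    return findings


if __name__ == "__main__":
    # Constructed ACE in the shape of the one in the caveat.
    print(audit_ace("access-list 110 permit tcp host 192.0.2.10 gt 1023 10.0.0.0 0.0.255.255"))
```

Run over a saved configuration one line at a time, the helper points at exactly the ACEs that need the narrower range before a crypto map is applied on a VSA-equipped Cisco 7200.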

CSCsj32707

Symptoms: A "SIP UPDATE" message from a Cisco CallManager or SIP Proxy Server with a "Cseq" value of 0 may be rejected or considered invalid by a Cisco gateway.

Conditions: This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.4(9)T4 or a later release and that is connected to a SIP endpoint.

Workaround: There is no workaround. Note that the symptom does not occur in Release 12.4(9)T3.

CSCsj34699

Symptoms: A router that is configured for QoS and traffic shaping may crash.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(15)T and that functions in a DMVPN environment.

Workaround: There is no workaround.

CSCsj40695

Symptoms: A Cisco router may become unresponsive or reload unexpectedly when an Embedded Event Manager (EEM) Tool Command Language (Tcl) policy that has an invalid policy registration line is registered.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image later than Release 12.4(11)T when the policy registration line is malformed. This line may become malformed when the Tcl policy is saved with a program that inserts new lines at locations where you do not expect them.

Workaround: Before the policy is registered, inspect the policy by entering the more flashdevice:filename.tcl command to ensure that the script does not have a malformed event registration line.

CSCsj53579

Symptoms: Classification in an inbound policy map fails.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G2 when an access control list (ACL) is used twice in a class map.

Workaround: Do not use an ACL twice in a class map. Rather, create and apply two different ACLs with the same ACEs. Note that the symptom does not occur in Release 12.4(11)T2.

CSCsj53600

Symptoms: A router may crash right after it has booted when it receives traffic over an interface.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G2, that has a policy map that is applied to the interface that receives traffic, and that has a named ACL that is applied in the class map.

Workaround: Do not configure named ACLs. Rather, configure numbered ACLs. Note that the symptom does not occur in Release 12.4(11)T2.

CSCsj53663

Symptoms: A Cisco platform may reload when you configure or unconfigure an EEM policy.

Conditions: This symptom is observed only on a Cisco platform that runs a modular Cisco IOS software image when a syslog message is being generated while you configure or unconfigure the EEM policy.

Workaround: Do not configure or unconfigure an EEM policy while a syslog message is being generated.

Wide-Area Networking

CSCsi13337

Symptoms: The count of the CCB value at the interfaces for the primary and backup channel may be incorrect, and the count of the available B-channels may also be incorrect.

Conditions: This symptom is observed on a Cisco platform after you have entered the isdn test l2 disconnect command on the interface for the backup D-channel.

Workaround: There is no workaround.

CSCsi18698

Symptoms: When a NOTIFY message is forwarded by a terminal gateway to the ISDN side, the NOTIFY message may be incorrectly decoded.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(13.11), interim Release 12.4(13.5)T, or interim Release 12.4(13.8)T.

Workaround: There is no workaround.

CSCsi28578

Symptoms: When an LNS renegotiates LCP with a client, a LAC may not forward a CONFREQ message from the client to the LNS. This situation may cause a loop with LCP negotiation and authentication between the client and the LNS, and an L2TP tunnel is established between the LAC and the LNS.

Conditions: This symptom is observed when the debug snmp packet command is enabled and when the following configurations are present:

On the LNS, the lcp renegotiation always command is enabled:

vpdn-group vpdn group name
lcp renegotiation always

On the LAC, the snmp-server trap for l2tun session command is enabled:

snmp-server enable traps l2tun session
snmp-server host ip-address version 2c community

Workaround: Do not enable the debug snmp packet command when the lcp renegotiation always command is enabled on the LNS and when the snmp-server trap for l2tun session command is enabled on the LAC.

CSCsi89048

Symptoms: A call may be present on a backup D-channel but the Call Control Block (CCB) information may be missing.

Conditions: This symptom is observed on a Cisco platform after you have entered the isdn test l2 disconnect command on the interface for a backup D-channel.

Workaround: There is no workaround.

CSCsj09231

Symptoms: You may not be able to establish an L2TP/IPSec connection to a router.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(11)T or a release that is based on Release 12.4(11)T such as Release 12.4(11)XJ when the l2tp security crypto-profile profile-name command is enabled.

Workaround: Disable the l2tp security crypto-profile profile-name command. Then, configure a dynamic crypto map to encrypt the L2TP traffic.

Note that the symptom does not occur in earlier releases such as Release 12.4(9)T3.

Further Problem Description: When you enable the debug ppp negotiation, debug vpdn l2x-packets, and debug l2tp all commands, the following (or a similar) output is generated when the PPP negotiation starts after the L2TP connection has been established:

ppp2 PPP: Phase is ESTABLISHING, Passive Open 
ppp2 LCP: State is Listen 
L2X:CEF From tunnel: Received 84 byte pak 
L2TP:(Tnl47793:Sn3):CEF From tunnel: 84 byte buffer returned 
ppp2 LCP: Timeout: State Listen

After this output, the debugs show that the router sends CONFREQ packets until the PPP negotiation times out and the L2TP tunnel is torn down.

Resolved Caveats—Cisco IOS Release 12.4(15)T

This section describes possibly unexpected behavior by Cisco IOS Release 12.4(15)T. All the caveats listed in this section are resolved in Cisco IOS Release 12.4(15)T. This section describes severity 1 and 2 caveats and select severity 3 caveats.

EXEC and Configuration Parser

CSCsi53355

Symptoms: A Cisco 7200 router running Cisco IOS interim Release 12.4(13.13)T may crash.

Conditions: This symptom has been observed while issuing the write terminal or show running-config or copy running-config to startup-config commands.

Workaround: There is no workaround.

Miscellaneous

CSCec12299

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.

CSCek71805

Symptoms: PA-8B-ST might be powered down when booting the image.

Workaround: A software OIR brings the card up.

CSCek73386

Symptoms: A Cisco router with an ESCORT jacket card crashes.

Conditions: This symptom has been observed on a Cisco 7200 router that is loaded with Cisco IOS Release 12.4XD when an ESCORT jacket card is present.

Workaround: There is no workaround.

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse40276

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse55425

Symptoms: When configuring a Serial interface or issuing show commands related to that Serial interface, a router may incorrectly configure a different Serial interface or may show output from a different Serial interface in the router.

Conditions: The conditions under which the problem manifests itself are unknown and appear to be random. The symptom occurs only when a channelized T3 card is used and one of its T1s is being configured.

Workaround: A router reload clears the issue.

CSCse56501

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the device cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.

CSCsf08998

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf11855

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf30058

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg00102

Symptoms: SSLVPN service stops accepting any new SSLVPN connections.

Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.

CSCsg22426

A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsh48879

A vulnerability exists in the Cisco IOS software implementation of Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS software releases.

Several features enable the L2TP mgmt daemon process within Cisco IOS software, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is vulnerable.

This vulnerability will result in a reload of the device when processing a specially crafted L2TP packet.

Cisco has released free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are available in the "workarounds" section of the advisory.

The advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml.

CSCsh51293

The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.

The IOS SSH server is an optional service that is disabled by default, but its use is highly recommended as a security best practice for management of Cisco IOS devices. SSH can be configured as part of the AutoSecure feature in the initial configuration of Cisco IOS devices, AutoSecure run after initial configuration, or manually. Devices that are not configured to accept SSH connections are not affected by these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159 has been assigned to this bug.

The Security Advisory for this issue is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml.

CSCsh56134

Symptoms: CE-CE connectivity may get broken even though AToM VCs are up.

Conditions: This symptom has been observed with the Pseudowire Redundancy feature configured with PPPoMPLS or HDLCoMPLS.

Workaround: There is no workaround.

CSCsh60966

Symptoms: SNASw generates a Last Message Fault Error (FFFF0306).

Conditions: The PU attached to SNASw includes Control Vectors in its Bind Response even though the Bind Response sent by that PU has the Control Vector bit turned off (byte 7, bit 6).

Workaround: There is no workaround.

CSCsh97579

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi03751

Symptoms: Counters in the show policy-map interface command may be wrongly updated.

Conditions: This symptom has been observed on a policy-map with a child policy used multiple times.

Workaround: Clone your child policy to use child policies with unique names.

Further Problem Description: This symptom has been seen in Cisco IOS Release 12.4T, but not seen in Cisco IOS Release 12.3.

CSCsi11217

Symptoms: Some links in an IMA group are shown as down though they are active at the IMA level.

Conditions: With a third-party DSLAM, when the IMA group is made inactive and then active again, some links are shown as down and are not counted as active.

Workaround: Entering a shutdown command and then the no shutdown command from the command line at the DSL group recovers from the issue.

CSCsi46028

Symptoms: On routers that are configured for WCCP, interfaces that are connected to the content engine can become locked, meaning that the interface driver enters a state in which the physical interface stops sending and receiving packets.

Conditions: This issue was introduced by CSCuk61396; only images that contain the fix for CSCuk61396 are affected by this issue.

Workaround: There is no workaround. If an interface becomes locked, the only way to recover the system is to do a reload.

CSCsi50145

Symptoms: A router crashes while attaching or detaching a service policy on a virtual-template.

Conditions: This symptom has been observed on a virtual template with traffic on and IP header compression configured.

Workaround: Do not configure IP header compression on a virtual template or do not send traffic through the router while attaching or detaching a service-policy.

Further Problem Description: The crash occurs due to memory allocated by qos-create_default_fo being corrupted.

CSCsi75154

Symptoms: PPPoEoA/PPPoA sessions may go down when traffic with a packet size of 1024 bytes or more (>=1024) is sent.

Conditions: This symptom has been observed with 4k/8k sessions over 1k L2TP tunnels. With a smaller number of tunnels, such as a single tunnel, the problem is not seen.

Workaround: There is no workaround.

CSCsi80749

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi84017

Symptoms: When a Cisco 2600 router is loaded with the c2600-entservices-mz.124-9.T4 image, the router hangs during reload.

Conditions: This symptom has been observed when a Cisco 2600 router is loaded with the c2600-entservices-mz.124-9.T4 image.

Workaround: There is no workaround.

CSCsi88612

Symptoms: A PC is not able to connect to a wireless router (871 model) using the protocol EAP-FAST.

Conditions: This symptom has been observed after upgrading the Cisco IOS version and keeping the same configuration in the router.

Workaround: For wireless, go back to the older version of IOS where EAP-FAST is working fine.

CSCsi99217

Symptoms: When 6000 L2TP sessions are disconnected, a Cisco IOS LNS router is stuck on High CPU Utilization (99% or 100%) with PPP IP Route process for 5 minutes.

Conditions: This symptom has been observed under stress test conditions (thousands of sessions are disconnected at once) with no traffic and using Cisco IOS Release 12.4(13). This symptom has not been observed on earlier releases.

Workaround: There is no workaround.

CSCsj03494

Symptoms: A Cisco 2811 series router may crash due to I/O memory corruption.

Conditions: This symptom has been observed on a router running CME 4.1 with Cisco IOS Release 12.4(11)XJ3 and using IP communicator and/or IP phones.

Workaround: Stop using IP phones or IP communicator.

CSCsj15221

Symptoms: The router crashes when IPS is unconfigured while it is applied to an interface in the outbound direction only. IPS is globally unconfigured by entering the no ip ips policy-name command.

Conditions: This symptom has been observed with IPS configured on an interface in the outbound direction only, when the no ip ips policy-name command is entered, where policy-name is the name of the configured IPS policy.

Workaround: Configure inbound inspection as well as outbound.

Wide-Area Networking

CSCsj10593

Symptoms: The trunking gateway (TGW) crashes when checked for gateway interconnect functionality for SETUP messages with all PRI switch types from User to NT side.

Conditions: This symptom has been observed with Cisco IOS interim Release 12.4(15.6). This symptom occurs when the isdn test call interface Serial1:23 22222 command is entered at the Call Starter and with Switch Types: OGW: primary-ni TGW: primary-dms100.

Workaround: There is no workaround.

CSCsj12579

Symptoms: The router can reload when the vpdn-group command l2tp ignore tx-speed is used on a router acting as a LAC. This command is intended for use on an LNS; if it is used on the LAC, a reload can occur.

Conditions: This symptom has been observed on a router acting as an LAC.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(11)T4

Cisco IOS Release 12.4(11)T4 is a rebuild release for Cisco IOS Release 12.4(11)T. The caveats in this section are resolved in Cisco IOS Release 12.4(11)T4 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCek60979

Symptoms: In AAA RADIUS Server Load Balancing feature testing, Computed Retransmit Tries and Outstanding Transactions debug messages are missing. Whether the AAA server is marked dead correctly cannot be determined when the outstanding number of retries is more than the number of tries to mark a server dead.

Conditions: This symptom has been observed in Cisco IOS interim Release 12.4(11.1)T and interim Release 12.4(10.8)T2.

Workaround: There is no workaround.

CSCsc33348

Symptoms: Memory leak occurs in Cisco IOS AAA module.

Conditions: This symptom is observed when any IP admission sessions are formed.

Workaround: There is no workaround.

CSCsi45974

Symptoms: Datagrams fragmented on a router that is running Cisco IOS Release 12.4T may use the same fragmentation identification.

Conditions: This symptom occurs when datagrams are fragmented due to a lower MTU size.

Workaround: There is no workaround.

CSCsj44081

Cisco IOS software has been enhanced with the introduction of additional software checks to signal improper use of internal data structures. This enhancement was introduced in select Cisco IOS software releases published after April 5, 2007.

Details: With the new enhancement in place, Cisco IOS software will emit a "%DATACORRUPTION-1-DATAINCONSISTENCY" error message when it detects an inconsistency in its internal data structures. This is a new error message. The following is an example.

The %DATACORRUPTION-1-DATAINCONSISTENCY error message is preceded by a timestamp
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error

The error message is then followed by a traceback.

It is important to note that this error message does not imply that packet data is being corrupted. It does, however, provide an early indicator of other conditions that can eventually lead to poor system performance or an IOS restart.

Recommended Action: Collect show tech-support command output and open a service request with the Technical Assistance Center (TAC) or designated support organization. Pay particular attention to any other error messages or error symptoms that accompany the "%DATACORRUPTION-1-DATAINCONSISTENCY" message and note those to your support contact.

IP Routing Protocols

CSCsg55591

Symptoms: When there are link flaps in the network, various PE routers receive the following error message:

%BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix 
155:14344:10.150.3.22/32 from 10.2.2.1

Or, a local label is not programmed into the forwarding table for a sourced BGP VPNv4 network.

Conditions: These symptoms are observed when an iBGP path for a VPNv4 BGP network is present, and then a sourced path for the same route distinguisher (RD) and prefix is brought up.

Workaround: Remove the iBGP path. Note that when the sourced path comes up first, the symptoms do not occur.

Alternate Workaround: Use different RDs with the different PE routers. When the RD and prefix do not match exactly between the iBGP path and the sourced path, the symptoms do not occur.
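The two caveats above (CSCsj44081 and CSCsg55591) each quote a syslog message that an operator should watch for and act on: %DATACORRUPTION-1-DATAINCONSISTENCY, which the notes say is followed by a traceback and should be escalated to TAC, and %BGP-3-INVALID_MPLS, whose workaround depends on which RD/prefix and peer are involved. The following triage script is an added example and is not Cisco's code or part of these release notes; it parses IOS-format syslog lines, flags the two message types, captures the traceback that follows a DATACORRUPTION message, and extracts the prefix and peer from each INVALID_MPLS message. The sample log lines are constructed for the example (the timestamps, traceback addresses and the second prefix are invented; the message texts follow the examples quoted in the caveats).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log in Cisco IOS syslog format (timestamp: %FACILITY-SEVERITY-MNEMONIC: text).
# Message texts follow the two caveats above; timestamps, traceback addresses and
# the second prefix are made up for this example.
SAMPLE_LOG = """\
May 17 10:01:27.815 UTC: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error
-Traceback= 60ABCDEF 60123456 60FEDCBA
May 17 10:02:01.120 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
May 17 10:03:14.004 UTC: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix 155:14344:10.150.3.22/32 from 10.2.2.1
May 17 10:03:14.010 UTC: %BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix 155:14344:10.150.3.23/32 from 10.2.2.1
May 17 10:04:00.000 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
"""

# Generic IOS message header: everything before ": %" is the timestamp.
MSG_RE = re.compile(
    r"^(?P<ts>.+?):\s+%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
TRACEBACK_RE = re.compile(r"^-Traceback=\s*(?P<addrs>.*)$")
INVALID_MPLS_RE = re.compile(r"prefix\s+(?P<prefix>\S+)\s+from\s+(?P<peer>\S+)")

# Messages singled out by the caveats, with the action the notes recommend (DATACORRUPTION)
# or that follows from the caveat's workaround (INVALID_MPLS).
WATCHLIST = {
    ("DATACORRUPTION", "DATAINCONSISTENCY"):
        "collect 'show tech-support' output and open a TAC service request (CSCsj44081)",
    ("BGP", "INVALID_MPLS"):
        "check for an iBGP path and a locally sourced path sharing one RD/prefix (CSCsg55591)",
}


@dataclass
class Finding:
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    text: str
    action: str
    traceback: Optional[str] = None          # addresses following a DATACORRUPTION message
    details: Dict[str, str] = field(default_factory=dict)  # prefix/peer for INVALID_MPLS


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per watch-listed message, in log order."""
    findings: List[Finding] = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        m = MSG_RE.match(lines[i])
        i += 1
        if not m:
            continue
        key = (m["facility"], m["mnemonic"])
        if key not in WATCHLIST:
            continue
        f = Finding(m["ts"], m["facility"], int(m["severity"]), m["mnemonic"],
                    m["text"], WATCHLIST[key])
        if key == ("DATACORRUPTION", "DATAINCONSISTENCY"):
            # The caveat states the message is followed by a traceback; keep it for the TAC case.
            if i < len(lines):
                tb = TRACEBACK_RE.match(lines[i])
                if tb:
                    f.traceback = tb["addrs"].strip()
                    i += 1
        elif key == ("BGP", "INVALID_MPLS"):
            d = INVALID_MPLS_RE.search(m["text"])
            if d:
                f.details = {"prefix": d["prefix"], "peer": d["peer"]}
        findings.append(f)
    return findings


def invalid_mpls_by_peer(findings: List[Finding]) -> Dict[str, int]:
    """Count INVALID_MPLS messages per advertising peer (which PE to look at first)."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.mnemonic == "INVALID_MPLS" and "peer" in f.details:
            counts[f.details["peer"]] = counts.get(f.details["peer"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.timestamp}] sev{f.severity} %{f.facility}-{f.mnemonic}: {f.text}")
        if f.traceback:
            print(f"    traceback: {f.traceback}")
        if f.details:
            print(f"    details: {f.details}")
        print(f"    action: {f.action}")
    print("INVALID_MPLS by peer:", invalid_mpls_by_peer(triage(SAMPLE_LOG)))
```

The watch list is keyed on facility and mnemonic rather than on message text, so the same loop can be extended to other caveat-related messages by adding entries; the severity digit is kept so that a collector can still prioritise a severity-1 DATACORRUPTION event over a severity-3 BGP one.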

CSCsg84690

Symptoms: A default route with an incorrect mask may not be installed.

Conditions: This symptom is observed on a Cisco router that is configured for OSPF.

Workaround: There is no workaround.

CSCsi17020

Symptoms: A router that is running Cisco IOS may unexpectedly reload. The crashes can be very different in nature, but the crashinfo should show the IP Input process as the currently running process:

---- Partial decode of process block ----
Pid 84: Process "IP Input" stack 0x46C3C080 savedsp 0x46758540

Conditions: This symptom is seen when the router is configured for NAT and receives a fragmented skinny packet that it needs to reassemble and translate.

Workaround: Prevent the router from receiving a fragmented skinny packet by ensuring the path MTU between the call manager server and the router is large enough. Usually skinny packets are not larger than 800 bytes.

CSCsi63363

Symptoms: IKE fragmented packets with offset > 0 cannot pass NAT router from outside to inside.

Conditions: This symptom is observed on a Cisco 7206VXR (NPE-G2) with the c7200p-adventerprisek9-mz.124-11.T1 image with NAT.

Workaround: There is no workaround.

CSCsi76616

Symptoms: An LDAP packet is modified as it passes through a NAT router, causing LDAP to fail.

Conditions: Network topology:

LDAP server ------> (fa0/0) NAT Router (fa0/1) ------ LDAP client

After the NAT router, the LDAP packet appears to have been fragmented or expanded into two parts:

Case 1 - LDAP fails without "no-payload":

case1_before_nat_router -----> NAT Router -----> case1_after_nat_router (LDAP packet modified)

Case 2 - LDAP passes with "no-payload":

case2_before_nat_router -----> NAT Router -----> case2_after_nat_router (LDAP packet unchanged)

Workaround: There is no workaround.

CSCsi98730

Symptoms: The MPLS labels for packets that are forwarded via CEF and MPLS over a BGP route may not match the labels in the BGP table, which may lead to traffic loss.

Conditions: This problem occurs under certain circumstances and timing conditions.

Workaround: When the symptom occurs, enter the clear ip route command for the prefix in the VRF.

CSCsj10772

Symptoms: The TTL of a CNAME will be zeroed on a DNS reply after passing through a Cisco router that is configured for Network Address Translation (NAT).

Conditions: This symptom is observed on a Cisco router that is configured for NAT that is running Cisco IOS Release 12.4 or 12.4T. Only CNAME records are affected.

Workaround: Use static NAT translations with the keyword "no-payload".

CSCsj39538

Symptoms: Router tracebacks and then crashes during deconfiguration (removal) of VRF. The following message was seen prior to crash:

-Process= "IP RIB Update", ipl= 3, pid= 68
-Traceback= 609538D8 60D1B8B4 612B2838 612588C8 61258CD4 6125E61C 6125ED04 
6125EF30 61261CDC 6125A14C 61265A08 6126BE10 6097CF00 609547D8 609548B8
Address Error (load or instruction fetch) exception, CPU signal 10, PC = 
0x609538FC

Conditions: No specific conditions are known to cause this fault.

Workaround: There is no workaround.

CSCsk35985

Symptoms: The system crashes when the hidden show ipv6 ospf lsdb-radix command is entered.

Workaround: Do not enter the show ipv6 ospf lsdb-radix command.

ISO CLNS

CSCsi57971

Symptoms: IS-IS may not advertise the prefix of a passive interface to the IS-IS database on a local router.

Conditions: This symptom is observed on a Cisco router when you shut down an interface (for example, G9/1/1) of a 5-port GE SPA (SPA-5X1GE) that is installed in a SIP-600, replace the SPA-5X1GE with another card, and then enter the no shutdown interface configuration command on the interface at the same location (G9/1/1) on the new card. In this situation, the prefix for the interface (G9/1/1) is not advertised.

Possible Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected interface.

A second workaround: Enter the "no passive-interface ..." followed by "passive-interface ..." under "router isis" configuration mode.

CSCsj72039

Symptoms: The prefix of a serial interface that is configured for PPP or HDLC and that functions as a passive interface for IS-IS may not be installed in the local IS-IS database.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18)SXF6 but is not release-specific.

Workaround: Remove and reconfigure the passive-interface command.

First Alternate Workaround: Enter the clear isis * command.

Second Alternate Workaround: Enter any command that triggers the generation of the local IS-IS database.

Miscellaneous

CSCdz55178

Symptoms: A router that is configured for QoS may reload unexpectedly or other serious symptoms such as memory corruption may occur.

Conditions: This symptom is observed on a Cisco router that has a cable QoS profile with a name that has a length that is greater than 32 characters as in the following example:

cable qos profile 12 name g711@10ms_for_any_softswitch_Traa^C
                          00000000011111111111222222222333^ 
                          12345678901234567890123456789012|
                                                          |
                                                       PROBLEM
                                                      (Variable Overflowed).

Workaround: Change the name of the cable QoS profile to a length that is less than 32 characters.

CSCek25330

Symptoms: Traffic does not flow in the setup on the LAC----Client connection. The Tx locks up after 5 retries during the GigEth Tx underflow.

Conditions: This symptom has been observed when bidirectional traffic is sent in a hairpinning setup.

Workaround: There is no workaround.

CSCek55486

Symptoms: The native Gigabit Ethernet (GE) interface on an NPE-G1 card may reset unexpectedly.

Conditions: This symptom is observed on a Cisco 7200 series when the underrun counter for the native GE interface increments continuously. You can verify the underrun counter in the output of the show interfaces gigabitethernet slot/port command.

Workaround: There is no workaround.

CSCsb13010

Symptoms: NAT configurations did not go through due to insufficient memory.

Conditions: This behavior was observed on a Cisco 831 router running Cisco IOS Interim Release 12.4(1.2)PI1a and also Interim Release 12.4(2.2)T.

Workaround: There is no workaround.

CSCse85151

Symptoms: Cisco Catalyst 4500 Supervisors and Cisco Catalyst 4948 switches that are running Cisco IOS Release 12.2(31)SG crash when one of the following commands is issued:

show buffers all

show buffers assigned

show buffers input-interface

Conditions: This symptom occurs when one of the following commands is issued:

show buffers all

show buffers assigned

show buffers input-interface

Workaround: Do not use any of the above commands. For troubleshooting high CPU issues use the steps indicated in the following tech tip instead:

http://www.cisco.com/warp/public/473/cat4500_high_cpu.html

CSCsg36739

Symptoms: A Cisco AS5850 router may crash while querying ifDescr.

Conditions: This symptom occurs when data and analog calls are active. The router may crash while querying ifDescr.

Workaround: There is no workaround.

CSCsg42246

Symptoms: High CPU use may occur in the "IP Background" process, and the router may reload unexpectedly.

Conditions: This symptom is observed on a Cisco router that is configured for RIP and that receives a RIP host route that is subsequently replaced by a route that is dynamically assigned to an interface. For example, this situation may occur on a PPP interface that has the ip address negotiated command enabled.

Workaround: Use a route map to block the advertised route.

CSCsg51811

Symptoms: When the OER BGP Inbound Optimization feature is configured and route control is enforced, route control does not prepend autonomous systems or communities per interface. Rather, route control prepends the same autonomous systems or communities to all external OER interfaces.

Conditions: This symptom is observed on a Cisco router when OER manages inside prefixes that are either learned or configured.

Workaround: There is no workaround.

CSCsg87235

Symptoms: When Embedded Event Manager (EEM) Tcl policies that use cli_lib.tcl are configured, Telnet connections to the device result in the device sending three quick "Username" prompts and then closing the connection without giving the user time to actually enter a username.

Conditions: This problem does not happen unless EEM is configured with Tcl policies that use the cli_lib.tcl library.

Workaround: Try Telnet twice. The first attempt fails for the above reason; the second attempt works.

CSCsh12480

Cisco IOS software configured for Cisco IOS firewall Application Inspection Control (AIC) with a HTTP configured application-specific policy are vulnerable to a Denial of Service when processing a specific malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device.

Cisco has released free software updates that address this vulnerability.

A mitigation for this vulnerability is available. See the "Workarounds" section of the advisory for details.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml.

CSCsh30617

Symptoms: A Cisco router may unexpectedly reload when the Embedded Event Manager (EEM) applet is removed from the configuration or shortly after the EEM applet has been removed.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(10.8)T or a later release and occurs most often when the applet was registered when the router booted. The symptom is not release-specific.

Workaround: There is no workaround.

CSCsh46234

Symptoms: A Cisco AS5400XM router reloads unexpectedly under stress.

Conditions: This symptom has been seen during stress testing with TDM-IP H.323 calls and SIP-SIP transcoding calls running simultaneously.

Workaround: There is no workaround.

CSCsh74975

Symptoms: A router may reload or a memory leak may occur when malformed UDP packets are sent to port 2517.

Conditions: This symptom is observed on a Cisco router that functions as a VoIP dial peer and that is configured for H.323.

Workaround: There is no workaround.

CSCsi08756

Symptoms: The ringback tone level that is played on a platform that is configured for use in a country in Europe may be very low compared to the ITU specification, which states that tones should be nominal -10dBm0.

Conditions: This symptom is observed on a Cisco AS5400XM.

Workaround: There is no workaround.

CSCsi09465

Symptoms: A router may crash with chunk corruption.

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.4(11)T or later releases with VSA and is using QoS and IPSec prefragmentation.

Workaround: Disable prefragmentation by using the crypto ipsec fragmentation after-encryption command.

CSCsi12104

Symptoms: When you repeatedly change active routers by enabling preemption and then change the priorities on the router interface, the router may crash.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(13.5)T after you have shut down the interface of the active router.

Workaround: No known workaround.

CSCsi17020

A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml.

CSCsi41051

Symptoms: A router may enter the initial configuration dialog on bootup.

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.4(11)T2 with the c7200p-adventerprisek9-mz image.

Workaround: There is no workaround.

CSCsi70217

Symptoms: A Cisco 7961 phone with a Cisco 7914 sidecar gets its display into a stuck state if a second call arrives while the first call is in the process of being transferred. The phone display remains stuck on the connected "Active call" state even though the first call has been transferred.

This same symptom is found with the following scenario:

1. Call 1 connects on button 1 overlay line 1.

2. Call 2 arrives on button 1 line 2 on the same phone.

3. Caller places call 1 on hold. Takes call 2.

4. Caller places call 2 on hold. Resumes call 1.

5. Caller on call 1 disconnects. The phone display is now stuck.

Conditions: This symptom has been observed on a Cisco 7961 phone with a Cisco 7914 sidecar configured with shared or overlay lines when a second call arrives on the same shared line.

Workaround: Reset the IP phone to clear the phone.

CSCsi72121

Symptoms: The IPIPGW does not send the h245-address in the Progress message to CCM. As a result, the IPIPGW receives a ReleaseComplete from CCM and the call fails.

Conditions: This symptom is seen in a simple call from CCM to CME with IPIPGW sitting in between CCM and CME.

Workaround: There is no workaround.

Further Problem Description:

CCM--------- IPIPGW --------- CME

Here CCM is making an H.323 call to CME via the IPIPGW. When CME sends Connect to the IPIPGW, the IPIPGW sends Progress to CCM without the h245-address. As a result, CCM disconnects the call by sending ReleaseComplete to the IPIPGW.

CSCsi81891

Symptoms: RTP packets get transmitted when the mode is recvOnly and inactive.

Conditions: This problem is observed on both the Cisco 2800 and the Cisco 3800 platforms that are running Cisco IOS interim Release 12.4(13.9).

Workaround: There is no workaround.

CSCsi90461

Symptoms: If many L2TP sessions are brought up and down again continuously, the following error messages are displayed on the console:

%L2TP-3-ILLEGAL: _____:_____: ERROR: [l2tp_session_get_l2x_cfg::241], 
-Traceback= 0x121FE88 0x25394E8 0x2539730 0x25558CC 0x2555FA0 0x254C0C4
0x254BB88 0x254BCD8 0x254BDD8 0x2554040 0x2548250 0x2541E50 0x2541F6C 0x7D6510
%L2TP-3-ILLEGAL: _____:_____:   No session config,  -Traceback= 0x121FE88
0x25394E8 0x2539748 0x25558CC 0x2555FA0 0x254C0C4 0x254BB88 0x254BCD8 0x254BDD8
0x2554040 0x2548250 0x2541E50 0x2541F6C 0x7D6510

Conditions: This symptom happens in both VPDN and Xconnect applications.

Workaround: Reload the router.

CSCsi92079

Symptoms: If an access control list (ACL) is used for a destination-only prefix, a fatal error is declared and Optimized Edge Routing (OER) shuts down. For destination-only traffic classes, a prefix list should be used, not an ACL or access control entry (ACE).

Conditions: This behavior is observed on Cisco IOS Release 12.4(11)T and later releases at this time.

Workaround: Use a prefix list instead of an ACL/ACE for destination-only traffic classes. For example:

Use a prefix list for the traffic class 100.1.1.0/24.

Use an ACE for the traffic class 100.1.1.0/24 DSCP af11.

CSCsi97311

Symptoms: The OER master controller (MC) is not notified of a subinterface status change (UPDOWN) when the status of the physical interface changes.

Conditions: If the physical interface status changes from UP to DOWN, whether because of the no shut command, because the interface on the remote side is administratively "no shut", or because the physical cable is reconnected after a disconnect, then the status of all the subinterfaces on this physical interface changes as well. If these subinterfaces are OER external or OER internal interfaces, the OER MC is not notified of the changes. The OER MC continues to consider the interface DOWN and does not use it to optimize traffic.

Workaround: Disable and reenable the OER MC: configure the shut command followed by the no shut command under OER master.

Further Problem Description: The workaround is useful only if the problem is noticed in time. The problem may occur without being noticed, in which case OER works under suboptimal conditions or does not work at all.

CSCsi97434

Symptoms: The router will crash when IPSec is established only in the case when both PKI and IKE AAA accounting are configured.

Conditions: This symptom occurs when PKI is configured, and the DN is used as the ISAKMP identity. The crash only occurs when the DN is not available, and the server tries to use the DN in the AAA accounting recording.

Workaround: Do not use this configuration combination (PKI, DN as ISAKMP identity and AAA accounting).

CSCsj04563

Symptoms: SSG memory is leaking in Cisco IOS Release 12.4(13b).

Conditions: This symptom occurs when the RADIUS proxy feature is used. The leak can be triggered by the following call flow:

1. HostObject(HO) with MSID1, ip-address IP1 and username user1@cisco.com is logged on.

2. PDSN sends an acct-stop with MSID1 with session-continue attribute set to TRUE. When this is received, SSG will start a hand-off timer. Note that SSG will not delete the HO at this time.

3. Hand-off timer expires. HO is deleted.

4. SSG now receives an acct-start with MSID1 and username user1@cisco.com.

5. a) SSG treats this as an auto-domain user, even though auto-domain is not configured on SSG. b) SSG tries to get the profile by extracting the domain name from the structured username and sending an access-req to AAA with the domain name as the username. c) Since the AAA server does not have the cisco.com profile, it sends an access-reject to SSG.

6. No HostObject is created.

Workaround: There is no workaround.

CSCsj05287

Symptoms: Incoming traffic from a LAN is not correctly marked, preventing the traffic from being correctly enqueued when it is sent to a DSL interface, and causing the traffic to be dropped.

Conditions: This symptom is observed on a Cisco router when you enable QoS through class-map and policy-map commands.

Workaround: There is no workaround.

CSCsj06762

Symptoms: A router may crash when both a WIC-1AM or WIC-2AM and PVDMs are installed in the chassis.

Conditions: This symptom is observed when the modem interfaces are in the up/up state, that is, calls do not have to be in process for the symptom to occur.

Workaround: Remove the WIC-1AM or WIC-2AM from router and use only PVDMs.

CSCsj07936

This caveat consists of two symptoms, two conditions, and two workarounds:

Symptom 1: When the interface controller of an NPE-G2 functions in promiscuous mode, for example, when HSRP is configured, packets that are not destined for the router may be forwarded anyway.

Condition 1: This symptom is observed on a Cisco 7200 series with an NPE-G2 that runs Cisco IOS Release 12.2(31)SB5 but is not release-specific.

Workaround 1: If HSRP is configured, enter the standby use-bia command. You may need to enter the shutdown command followed by the no shutdown command to change the controller state.

Symptom 2: When BVI is configured on native Gigabit Ethernet interfaces of an NPE-G2 within the same group, a ping may not go through.

Condition 2: This symptom is observed on a Cisco 7200 series with an NPE-G2 that runs Cisco IOS Release 12.2(31)SB5 but is not release-specific.

Workaround 2: Configure a static MAC address.

CSCsj13347

Symptoms: Executing the clear crypto sa command.

Conditions: The problem is that the clear crypto sa and the clear crypto isakmp commands are usually used, but these commands do not trigger the reregistration.

Workaround: Use the clear crypto gdoi command.

CSCsj25395

Symptoms: Having a configuration similar to this:

interface Dialer1
 ip address <ip add> <mask>
 encapsulation frame-relay
 dialer pool 1
 dialer remote-name <other_end>
 dialer string 0
 dialer string oe_tn
 dialer caller oe_tn
 dialer max-call 1
 dialer-group 1
 frame-relay map ip <addr> <oe_dlci> broadcast
 frame-relay interface-dlci <loc_dlci>
 frame-relay ip tcp header-compression
 no shutdown
!

and entering the following will crash the device:

interface Dialer1
 shutdown
no interface Dialer1

Conditions: Removing the Dialer interface configuration while having IPHC configured on that interface will crash the platform. This is observed on a Cisco 7200 series router that is running Cisco IOS interim Release 12.4(16.5).

Workaround: Remove any IPHC CLI from the Dialer interface prior to deleting the Dialer interface from the configuration.

CSCsj27183

Symptoms: H323-->SIP interworking fails for a Fast start call when transcoding is enabled on an IPIPGW. Transcoding is done between G711ulaw and G729r8 codecs.

Conditions: This failure is seen for H323--SIP--SIP--SIP and H323--SIP--SIP-- H323 call flows when transcoding is enabled on IPIPGW1. It is also seen on H323--H323--H323--SIP call flow for transcoding on IPIPGW2. This is seen only with a Fast Start call (both with H245 Tunnel enabled and disabled), and the call passes with a slow start call.

Workaround: There is no workaround.

CSCsj34083

Symptoms: Packets in traffic queues that are below their configured threshold may be dropped.

Conditions: This symptom is observed on a Cisco 877 and Cisco 1801 that run Cisco IOS Release 12.4(9)T3 when one of the queues exceeds its threshold. Note the following scenarios:

When congestion is present, traffic that exceeds its threshold on a CBWFQ service class causes drops on the LLQ classes although the traffic that is associated with the LLQ classes is below the associated threshold.

When best-effort bandwidth exceeds its threshold, LLQ traffic is discarded although it is below its own threshold.

When there is no congestion, the router operates as expected.

Workaround: There is no workaround.

Further Problem Description: Note that the symptom does not occur on a Cisco 878 and Cisco 1803.

CSCsj36092

Symptoms: When a DNS forwarding source interface is configured on a router with the split DNS feature, DNS queries are not sent out through the expected configured interface.

Conditions: This symptom is seen on a router that is loaded with Cisco IOS Release 12.4(11)T3.

Workaround: Use the dns forwarder <ip address> command under the DNS view.

CSCsj39503

Symptoms: An interface flap on a GET VPN group member (GM) may cause the GM not to re-register immediately with the key server (KS) after the interface comes back up. Re-registration can take up to a maximum of 8 minutes.

Conditions: If an interface is down long enough (for example, more than eight minutes), the problem is seen after the interface is back up.

Workaround: Use EEM to track the interface state or the routing protocol neighbor. As soon as the interface or the routing protocol neighbor is UP, issue the clear crypto gdoi command on the GM to force re-registration.

CSCsj40695

Symptoms: A Cisco router may become unresponsive or reload unexpectedly when an Embedded Event Manager (EEM) Tool Command Language (Tcl) policy that has an invalid policy registration line is registered.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image later than Release 12.4(11)T when the policy registration line is malformed. This line may become malformed when the Tcl policy is saved with a program that inserts new lines at locations where you do not expect them.

Workaround: Before the policy is registered, inspect the policy by entering the more flashdevice:filename.tcl command to ensure that the script does not have a malformed event registration line.

CSCsj43861

Symptoms: The EzVPN hardware client does not attempt to connect to the same peer or the next peer after a QUICK MODE failure during IKE.

Conditions: This symptom is observed when the EzVPN hardware client remains in the SS_OPEN state after the failure of QUICK MODE.

Workaround: Clear the EzVPN session.

CSCsj46178

Symptoms: A Cisco AS5850 responds with a 500 Endpoint Unknown to a CRCX for an endpoint on a channelized T3 card configured with external call control (SS7 calls) and T3 naming. The endpoint responds normally to the AUEP command.

Conditions: This symptom is observed on a Cisco AS5850 that is controlled via MGCP, and the endpoint naming t3 command is configured on the router either in global MGCP configuration or MGCP profile.

Workaround: Do not configure "endpoint naming t3". Use flat t1 endpoint naming instead.

CSCsj47356

Symptoms: Phone A believes that its offer (in the first INVITE) has not been answered yet. This is wrong, because the UPDATE belongs to the second leg, where the SDP answer has already been sent in a 183 Session Progress.

Conditions: This symptom occurs in a call forwarding scenario: a call comes in from the PSTN to a SIP phone and is forwarded to another SIP phone.

Workaround: There is no workaround.

CSCsj50764

Symptoms: You may not be able to configure ATM over MPLS (ATMoMPLS).

Conditions: This symptom is observed on a Cisco 7301 that has an ATM port adapter.

Workaround: There is no workaround.

CSCsj53663

Symptoms: A Cisco platform may reload when you configure or unconfigure an EEM policy.

Conditions: This symptom is observed only on a Cisco platform that runs a modular Cisco IOS software image when a syslog message is being generated while you configure or unconfigure the EEM policy.

Workaround: Do not configure or unconfigure an EEM policy while a syslog message is being generated.

CSCsj66692

Symptoms: Data corruption copy error tracebacks are seen on the console or output from the show logging command:

%DATACORRUPTION-1-DATAINCONSISTENCY: copy error,  -PC= 0x41224EFC,  -
Traceback= 0x4153A7D0 0x4155BA0C 0x4157FAF0 0x41224EFC 0x41DDC0A8 0x41DDC198 
0x41DC6D84 0x41DF3B0C 0x41DC506C 0x41DCE5A4 0x41D91AF8 0x41D90F88 0x41D9BEFC 
0x41D9C0C0 0x41DAEA68 

Conditions: Refer to CSCsj44081 for more information.

Workaround: There is no workaround.

CSCsj81015

Symptoms: Cisco Multiservice IP-to-IP Gateway (IPIPGW) crashes during a stress scenario.

Conditions: This symptom occurs in a stress scenario with 100 SIP-H323 calls + 150 SIP-H323 DTMF interworking (rtp-nte to h245-alpha) calls.

Workaround: There is no workaround.

CSCsj87522

Symptoms: RTP and RTCP ports are leaked when a ReleaseComplete (reason=newConnectionNeeded) is received as a response to a FastStart Setup that is sent.

Conditions: This problem is seen in Cisco IOS Release 12.4(11)T and Release 12.4(15)T images for a normal H323 to H323 Gatekeeper routed call with no supplementary services.

Workaround: There is no workaround.

CSCsj90012

Symptoms: Some Cisco 2800 and Cisco 3800 platform routers crash upon startup after the 256MB-v5.sdf file has been loaded and the signature files have been saved to flash.

Conditions: This symptom occurs when loading the 256MB-v5.sdf file and saving the signature files to flash using the ip ips config location flash command. The router then crashes when it is restarted and the files are read out of flash.

Workaround: The crash has not been observed with the package files, such as IOS-S300-CLI.pkg, nor was it repeatable on a Cisco 3725 or Cisco 2651 router.

CSCsj99328

Symptoms: When redundant key servers (KSs) are used, after losing and regaining connectivity to the primary KS, group members (GMs) continually generate thousands of registration attempts. A GDOI session is correctly created, so the GMs can encrypt and decrypt traffic. However, they are heavily loaded with registration attempts, and a significant number of logging messages are generated. The thousands of registration attempts also overload the KS, preventing other routers from connecting.

Conditions: This symptom occurs when redundant KSs are configured and the GMs do not have a connection to the primary KS at boot or when the IPsec or GDOI lifetime expires. If the GMs lose the connection and regain it before the lifetimes expire, the problem does not occur.

Workaround: Configure the GMs for a single KS.

CSCsk01413

Symptoms: No Cisco IOS IPS signature category other than "all" can be selected before the signature package is loaded onto the router.

c2811#conf t
Enter configuration commands, one per line.  End with CNTLZ.
c2811(config)#ip ips signature-category 
c2811(config-ips-category)#category ?
  all  All Categories

Conditions: This symptom is also seen when CSM loads signatures and tries to set the basic category to retired false.

c2811(config)#ip ips signature-category 
c2811(config-ips-category)#category ios_ips basic
                                                             ^
^ unrecognized...

Workaround:

1. Set category all to retired true:

2811b#conf t
2811b(config)#ip ips signature-category
2811b(config-ips-category)#category all
2811b(config-ips-category-action)#retired true
2811b(config-ips-category-action)#exit
2811b(config-ips-category)#exit
Do you want to accept these changes? [confirm]
2811b(config)#

2. Load the signatures using the copy command or CSM.

3. Set the desired categories to retired false:

2811b#conf t
Enter configuration commands, one per line. End with CNTLZ.
2811b(config)#ip ips signature-category
2811b(config-ips-category)#category ios_ips basic
2811b(config-ips-category-action)#retired false
2811b(config-ips-category-action)#exit
2811b(config-ips-category)#exit
Do you want to accept these changes? [confirm]
2811b(config)#

CSCsk05059

Symptoms: A spurious access error occurs in the tfib_post_table_change_sanity_check() function.

Conditions: This symptom occurs if a route is deleted. A ROUTE_DOWN event is triggered in the tfib_post_table_change() function, which in turn calls tfib_post_table_sanity_check(). In that function, a spurious access is reported, because the only path of the route is down.

Workaround: There is no workaround.

CSCsk10985

Symptoms: IMA group interface does not come up after the reload.

Conditions: This symptom is observed on a Cisco 2811 router with an ATM interface that uses a VWIC2-2MFT-T1/E1 connected to an MGX AUSUM card.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the IMA interface.

CSCsk11273

Symptoms: The secondary key server (KS), acting as the new primary, fails to create new TEKs during rekey intervals after a network split.

Conditions: A network split, followed by a merge and another split, happens between cooperative key servers, and the secondary KS was previously left with no TEKs.

Workaround: Enter the clear crypto gdoi command on the secondary key server. The clear crypto gdoi command may also be required on the group members.

CSCsk16062

Symptoms: CSM rollback of Cisco IOS IPS device fails.

Conditions: This symptom occurs when the loaded signatures are more recent than 2006-12-18.

Workaround: Disable IPS and reload required signatures.

Further Problem Description: The getConfigInfo request is returning the loaded typedefs and causing CSM to consider the signature package to be out of sync with the database.

CSCsk19108

Symptoms: Before sending the initial INVITE, a Cisco gateway performs a DNS SRV query, which returns the actual server name where the SIP service is running. A DNS A query for this server then returns the IP address of the proxy server, so the initial call is established through this SIP proxy server. After receiving a SIP REFER message to initiate a call transfer whose Transfer-to location is a domain name, the SIP gateway performs only a DNS A record query for the Refer-to host, which returns an IP address where SIP is not running. This causes the transfer to fail.

Conditions: This symptom is observed on a Cisco 2800 series router but is not platform dependent. The transfer-target address received in the REFER is an FQDN (with the default port 5060 or no port).

Workaround: There is no workaround.

CSCsk26973

Symptoms: A router that is running NHRP leaks memory when many incomplete cache entries are created. The incomplete cache entries can be verified by typing the show ip nhrp command and looking for "type incomplete". The memory leaked can be seen by examining the output of the show chunk command and looking for "NHRP Cache".

Conditions: This symptom can occur when traffic to nonexistent or non-responding addresses is forwarded by the router over the DMVPN/NHRP cloud.

Workaround: There is no workaround.

CSCsk29216

Symptoms: On an ATM interface, if tx-ring-limit is set to 1 under heavy traffic, the interface may become wedged. Throughput is degraded because many packets are dropped.

Conditions: This symptom occurs when tx-ring-limit is set to 1 under an ATM interface that carries heavy bursty traffic.

Workaround: The recommended minimum tx-ring-limit under these circumstances is 2.

CSCsk60020

The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.

The IOS SSH server is an optional service that is disabled by default, but its use is highly recommended as a security best practice for management of Cisco IOS devices. SSH can be configured as part of the AutoSecure feature in the initial configuration of IOS devices, AutoSecure run after initial configuration, or manually. Devices that are not configured to accept SSH connections are not affected by these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159 has been assigned to this bug.

The Security Advisory for this issue is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml.

TCP/IP Host-Mode Services

CSCsh92986

Symptoms: The latency of RSH commands may increase when they flow through an FWSM module.

Conditions: This issue was observed on an FWSM that is running 2.2(1) software. The long delay was triggered by using either Cisco IOS Release 12.3(13a)BC1 or Release 12.3(17a)BC1 on the routers toward which the RSH commands were sent.

Workaround: Either bypass the FWSM module or downgrade to Cisco IOS Release 12.3(9a)BC3, which is not affected by this extra delay.

Wide-Area Networking

CSCsi28543

Symptoms: After a reload, one of two dialer interfaces binds all BRI channels, and in the end the dialer uses only one channel. However, the unused channel remains bound to the dialer, so the other dialers cannot use an idle channel. When the problem occurs, the idle BRI channel interface status becomes "hardware:down line:up".

Conditions: This problem is found when a router is rebooting, and its peer router over ISDN begins to transmit packets.

Workaround: There is no workaround.

CSCsi72045

Symptoms: A bus error crash occurs on a Cisco router that is running Cisco IOS Release 12.2(31)SB3.

Conditions: This symptom is seen with AAA and PPPoE configured.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(11)T3

Cisco IOS Release 12.4(11)T3 is a rebuild release for Cisco IOS Release 12.4(11)T. The caveats in this section are resolved in Cisco IOS Release 12.4(11)T3 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsg63809

Symptoms: Cisco IOS CLI commands that contain the slash character (/) are not interpreted correctly when executed over HTTP using HTTP POST.

Conditions: This symptom is observed when the HTTP POST method is used to configure commands such as the interface GigabitEthernet0/1 command.

Workaround: Execute Cisco IOS CLI commands that contain the slash character over SSH or Telnet.

IP Routing Protocols

CSCek47667

Symptoms: A router may not clear BGP routes when you enter the clear bgp ipv6 unicast * command.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2SXF but is not release-specific.

Workaround: There is no workaround.

CSCsg76408

Symptoms: Multicast traffic from a DMVPN spoke is dropped by a hub when CEF is enabled on the tunnel interface of the hub. This situation causes the spoke to remain in registering mode and the hub to forward the decapsulated data.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(9)T1 or an earlier release in a DMVPN environment when the mGRE tunnel interfaces are within a VRF.

Workaround: Disable CEF on the tunnel interface of the hub. Doing so enables the hub to receive the multicast traffic, although the traffic is then process-switched.

CSCsh84102

Symptoms: The following symptoms may occur:

Some DMVPN spokes become unreachable and a loop appears in a traceroute.

When you enter the show adjacency details command on the hub, the output shows that the adjacency rewrite information for a problematic spoke is the same as for another spoke.

There is an inconsistency between the NHRP cache and the adjacency for the problematic spoke.

Conditions: These symptoms are observed in a DMVPN configuration when the hub has CEF enabled.

Workaround: Disable CEF on the hub.

CSCsi32425

Symptoms: A router that is configured for static NAT translations may lose its external/global ARP entry for a NAT address.

Conditions: This symptom is observed when traffic flows run across the router, for example, when the client is outside and server is inside, and when static NAT translation is used for periods of about two minutes.

Workaround: Configure a route map that matches the static NAT translation, and apply the static NAT entry by entering either one of the following commands:

ip nat inside source static tcp local-ip local-port global-ip global-port route-map name reversible

ip nat inside source static local-ip global-ip route-map name reversible

CSCsi62559

Symptoms: OSPF packets with IP Precedence 0 are classified by SPD as priority packets. This is an error because only IP Precedence 6 packets should be classified as priority packets by SPD.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(18) or a later release but may also affect other releases.

Workaround: Use ACLs to block invalid IP control packets from reaching the control plane.

CSCsi84089

Symptoms: A few seconds after OSPF adjacencies come up, a router crashes because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an ISR that is configured for OSPF.

Workaround: Add area 0 in the OSPF VRF processes.

Alternate Workaround: Enter the no capability transit command in the OSPF VRF processes.

CSCsi85222

Symptoms: A Cisco router that is configured as a route reflector may cause slow convergence for other peers if one PE router requests a route-refresh.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.0(31)S5 and that is configured as a route reflector. The symptom may also affect other releases.

Workaround: There is no workaround.

CSCsi97586

Symptoms: A Cisco MGX-RPM-XF-512 resets after deleting Multicast VPN routing from a VRF and then deleting that VRF.

Conditions: This symptom has been observed on a system running Cisco IOS Release 12.4(6)T5 configured for Multicast VPN routing while deleting an interface.

Workaround: There is no workaround.

Miscellaneous

CSCej42879

Symptoms: A traceback may be generated when packets are transmitted over a basic IPSec connection between two peers in transmission mode and tunnel mode using multilink interfaces.

Conditions: This symptom is observed on a Cisco 3845 that runs Cisco IOS Release 12.4(5). The symptom may also affect other releases.

Workaround: There is no workaround.

CSCek76472

Symptoms: A key server that functions in a Dynamic Group VPN (DGVPN) may crash because of a race condition.

Conditions: This symptom is observed when the Key Encryption Key (KEK) timeout value is configured to be equal to the Traffic Encryption Key (TEK) timeout value (for example, both are 300 seconds). When a user changes any GETVPN configurations, a rekey from the key server is triggered. If this rekey is initiated right after a KEK rekey, the key server may crash.

Workaround: Ensure that the KEK timeout value is much larger than the TEK timeout value.

CSCek77355

Symptoms: The locally significant certificate (LSC) cannot be upgraded on an ephone by using CME secure authentication.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(11)T2 when the authorization query fails, which you can see by enabling debug commands.

Workaround: Use an earlier release to upgrade the LSC on the ephone.

CSCek77896

Symptoms: In a Dynamic Group VPN (DGVPN) environment with a key server and multiple Group Members (GMs), when a configuration change is made on the key server, the key server sends the GMs new security associations (SAs). After a GM has received these new SAs, when the SAs on the GM are cleared and when a packet is received, the GM may crash.

Conditions: This symptom is observed when the following conditions are present:

1. The key server has the sa receive-only command enabled, causing receive-only SA rekeys to be sent to the GMs (that is, inbound only mode).

2. The no sa receive-only command is entered on the key server so that the GMs install SAs in inbound and outbound mode. This change causes a rekey to occur, and the GMs to receive new SAs.

3. The SAs on one GM are removed by entering the clear crypto sa command.

4. A host initiates a ping to this GM.

In this situation, when the GM receives the packet, the GM crashes.

Workaround: There is no workaround.

CSCin30349

Symptoms: Interface flaps on an ATM IMA port adapter may cause the router to reload.

Conditions: This symptom has been observed when using a PA-A3-8T1IMA/PA-A3-8E1IMA port adapter on Cisco 7xxx series router platforms. Flaps must be observed or the shutdown and no shutdown commands must be performed on an applicable interface. However, this symptom is a rare condition and will not necessarily occur with every flap. This symptom can occur with or without traffic.

Workaround: There is no workaround.

CSCsd43903

Symptoms: A Cisco router may experience memory leaks in the Crypto IKMP process when using certificates for Internet Security Association and Key Management Protocol (ISAKMP) for peer authentication.

Conditions: This symptom has been observed on Cisco IOS Release 12.2(18)SXE5 and Release 12.4(9)T2. This symptom is platform independent.

Workaround: There is no workaround to prevent the leak, and the only way to recover is to reboot the device.

CSCse24889

Symptoms: Malformed SSH version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.

Conditions: This symptom is observed on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.

Workaround: As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat CSCse24889, configure SSH version 1 from the global configuration mode, as in the following example:

config t
ip ssh version 1
end

Alternate Workaround: Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example:

! 10.1.1.0/24 is a trusted network that is permitted access to the router; all other access is denied

access-list 99 permit 10.1.1.0 0.0.0.255
access-list 99 deny any

line vty 0 4
access-class 99 in
end

Further Problem Description:

For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cntrl_acc_vtl_ps6350_TSD_Products_Configuration_Guide_Chapter.html

For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

CSCse64750

Symptoms: "%VPA-3-TSBUSY:VPA" and other error messages may be generated intermittently, and calls may fail.

Conditions: This symptom is observed on a Cisco 7206VRX that is configured with multiple VXC voice port adapters.

Workaround: There is no workaround.

CSCse76935

Symptoms: A router that is configured for SNA Switching Services (SNASw) may crash.

Conditions: This symptom is observed when links with an end node go down and when there are multiple links to the end nodes, at least one of which supports CP-CP sessions, and one of which does not. The symptom occurs on rare occasions because of a timing condition.

Workaround: Change the end node device configuration such that all links to the SNASw router support CP-CP sessions. As per the APPN architecture, only one link does actually support CP-CP sessions.

Further Problem Description: The symptom occurs because there is a mix of APPN links (that support CP-CP sessions) and LEN links (that do not support CP-CP sessions) from an end node to the SNASw router. The recommended configuration is to have all links between two partners be of the same type. Because LEN links generally do not support parallel TGs, most likely these should be APPN links, all supporting CP-CP sessions. This is a product-dependent configuration on the end node product.

CSCsf26617

Symptoms: An MGCP gateway may intermittently unregister from a Cisco CallManager when calls to an EVM FXS port are being made.

Conditions: This symptom is observed when an MGCP gateway is configured with an Extension Voice Module (EVM) that uses an FXS port. The symptom occurs in the following call scenario:

1. A call is made to the FXS port and the calling party hangs up right away.

2. The FXS called party then answers the call during the first ring.

3. Because the calling party hangs up right away, the Cisco CallManager continues to send the DLCX to the gateway.

4. The gateway does not respond to three DLCXs.

In this call scenario, the Cisco CallManager unregisters the gateway after the gateway fails to respond to the DLCXs.

Workaround: Configure the EVM FXS ports for H.323.

Alternate Workaround: Do not use the EVM. Rather, use the VWIC on the motherboard.

CSCsg30880

Symptoms: After a router is booted or reloaded, a PVC bundle configuration that is established under an IMA interface is lost.

Conditions: This symptom is observed on a Cisco 2800 series that runs Cisco IOS Release 12.3(11)T7 or Release 12.3(14)T7 and that has the service-policy output command enabled on the PVC bundle. The symptom may also affect Release 12.4 and Release 12.4T.

Workaround: Disable the service-policy output command on the PVC bundle.

CSCsg62638

Symptoms: A scan of a router on which a DNS server is enabled can cause high CPU usage by the DNS process itself. Overall performance of the device can deteriorate to some extent.

Conditions: This symptom has been observed on a router with a DNS server enabled when running Cisco IOS software from Cisco IOS interim Release 12.4(11.1)T up to but not including Cisco IOS interim Release 12.4(13.08)T.

Workaround: The only way to rectify this situation is to reboot the device.

Further Problem Description: Upgrading the software is suggested.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg83151

Symptoms: A router may fail to forward packets via a tunnel interface.

Conditions: This symptom is observed when the tunnel interface is configured for Dynamic Multipoint VPN (DMVPN) and QoS.

Workaround: There is no workaround.

CSCsg88997

Symptoms: When a flash card is inserted in slot0 after a Cisco IAD 2430 series voice gateway boots up, the flash card is not found. Using the dir slot0: command to see if the card is recognized displays the following message:

Flash card inserted in slot0. Reading filesystem on the device... Wait for the 
completion message before accessing device Error reading slot0

Conditions: This symptom has been observed on a Cisco IAD2430, Cisco IAD2431, Cisco IAD2432, or Cisco VG224 voice gateway when the gateway is reloaded without the flash card and the flash card is then inserted. While observed with Cisco IOS Release 12.4(4)T6, this symptom can occur with any version of Cisco IOS Release 12.4.

Workaround: Keep the flash card in slot0: when booting the voice gateway, or reboot after inserting the flash card.

CSCsg99814

Symptoms: On a router that functions in a GRE over IPSec or Virtual Tunnel Interface (VTI) configuration, an access control list (ACL) may be bypassed when there is an ACL on the tunnel interface.

Conditions: This symptom is observed when the ACL on the tunnel interface is configured on the outbound physical interface on which the IPSec tunnel is terminated.

Workaround: Apply the outbound ACL on the protected LAN interface instead of on the tunnel interface.

CSCsh34327

Symptoms: Classification fails after a router is reloaded.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G2, a PA-2H port adapter, and a PA-MC-8TE1+ port adapter.

Workaround: There is no workaround.

CSCsh58950

Symptoms: When two cooperative Group Domain of Interpretation (GDOI) key servers are set up without a rekey policy, and then the rekey policy is added, either key server may reload unexpectedly.

Conditions: The symptom is observed in a Dynamic Group VPN (DGVPN) configuration.

Workaround: There is no workaround.

CSCsh75827

Symptoms: When a router that has the ssg intercept dhcp command enabled receives a DHCP packet from a host that has already logged out from a Subscriber Edge Services Manager (SESM), the router may unexpectedly reload because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an SSG with PBHK enabled, when a host has received an IP address that is associated with a service (via the "J" Service-Info attribute), has logged out from the SESM, and then renews its IP address.

Workaround: There is no workaround.

CSCsh84171

Symptoms: A router that is configured with an HWIC-ADSL-B/ST crashes because of memory corruption and generates the following error message:

%SYS-3-OVERRUN: Block overrun at 3F379450 (red zone 2A2A2A2A)

Conditions: This symptom is observed on a Cisco 2800 series that runs Cisco IOS Release 12.4T.

Workaround: There is no workaround.

CSCsh94757

Symptoms: A RADIUS server that is used for accounting may unexpectedly be marked dead by a router.

Conditions: This symptom is observed when RADIUS extended source ports are used and when the new extended ports potentially overlap with the UDP port range of other applications. For example, the symptom may occur when the router processes UDP packets for RTP such as in an IP-to-IP Gateway setup.

Workaround: Remove the radius-server source-ports extended command from the configuration.

CSCsh95545

Symptoms: When the cooperative key server protocol is running and when a failure occurs, the group member may not re-register.

Conditions: This symptom is observed when a network partition occurs and when the secondary key server does not create its own traffic encryption key (TEK). The group member then fails with an SPI mismatch error (which is addressed in caveat CSCsi42884). After this situation has occurred, the group member does not re-register.

Workaround: Enter the clear crypto gdoi command on the group member.

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi10157

Symptoms: When you associate and then disassociate a VRF from a tunnel source interface, a DMVPN spoke may crash.

Conditions: This symptom is observed only when a VRF is configured on a tunnel interface.

Workaround: There is no workaround.

CSCsi23968

Symptoms: When IKE phase 1 is cleared and IPSec requests a rekey, IKE fails to rekey.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(13.5)T. IKE rekeys phase 1 after two attempts instead of five attempts. IKE does rekey successfully within the time frame of two attempts. However, when the network connection to the peer is down and not restored within the time frame of two attempts, the rekey fails. In this situation, IKE should make five attempts. Note that the symptom is not release-specific.

Workaround: There is no workaround.

CSCsi27540

Symptoms: A VSI session may become stuck in the "RESYNC_UNDERWAY" state, preventing LVC connections from being set up. This situation is not cleared automatically, and error messages are not flushed, as is shown in the output of the show controller vsi session command.

Conditions: This symptom is observed on a Cisco router that functions as a Label Switch Controller (LSC).

Workaround: There is no workaround.

CSCsi35679

Symptoms: SIP call legs may hang on a voice gateway.

Conditions: This symptom is observed when outgoing SIP calls are not answered and when the terminating user agent (UA) does not send the final response to an INVITE message.

Workaround: There is no workaround.

CSCsi42086

Symptoms: A memory leak may occur on a router that is configured for SSG when unsupported 3GPP attributes are received by SSG.

Conditions: This symptom is observed when SSG is configured to function in RADIUS proxy mode.

Workaround: Ensure that the unsupported 3GPP attributes are removed by filtering them before a RADIUS packet is received by SSG.

CSCsi43819

Symptoms: A cooperative key server that functions in a network split and merge scenario may crash.

Conditions: This symptom is most likely to occur when rekey retransmissions have been configured, which may cause some instability when there is a network split and merge.

Workaround: Disable rekey retransmissions.

Further Problem Description: A network split describes a network partition scenario in which two cooperative key servers can no longer communicate with each other. A network merge describes a scenario in which communication between two partitioned networks is restored and in which the two key servers also start to communicate with each other.

CSCsi54186

Symptoms: A Cisco IAD 2400 series may reject sequence numbers for Q.921, causing calls to be dropped or a PBX to lock up.

Conditions: This symptom is observed when a Cisco IAD 2400 series is connected to a third-party vendor phone system and third-party vendor PBX and occurs only when sequence number 16 or 68 is sent to the IAD.

Workaround: There is no workaround.

CSCsi54519

Symptoms: The first time a Cisco IOS IPS 4.x signature performs an inline deny action against a flow and/or attacker, a dynamic ACL is created. However, subsequent times a deny action is performed, the signature does trigger but no dynamic ACL is created.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(9)T3 with advanced IP services when Cisco IOS IPS has a signature action that is configured for "denyinlineflow" and/or "denyattackerinline" and when Cisco IOS IPS is enabled on an interface in the outbound direction.

Workaround: Enable Cisco IOS IPS on an interface in the inbound direction only.

CSCsi57962

Symptoms: The DNS view name is not stored in RAM when the ip dns view command is configured on a router.

Conditions: This symptom is observed on a router that runs Cisco IOS Release 12.4(11)T2.

Workaround: There is no workaround.

CSCsi59685

Symptoms: One-way audio may occur and DTMF digits may not function.

Conditions: This symptom is observed on a Cisco gateway such as a Cisco AS5400 after a SIP transfer has occurred.

Workaround: Enter the no voice-fastpath disable command to resolve the one-way audio issue. There is no workaround for the DTMF issue.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi64842

Symptoms: A key server with a lower priority may become the primary key server when the key server with a higher priority is incorrectly marked dead.

Conditions: This symptom is observed randomly during cooperative key server election and seems to occur only with two key servers.

Workaround: Enter the clear crypto gdoi command on the current primary key server to restart the cooperative key server election and to enable the correct key server to become the primary key server.

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml

CSCsi70787

Symptoms: A router may reset and generate a crashinfo file when memory that was allocated by a dead process is freed by another process.

Conditions: This symptom is observed on an RPM-XF-512 that runs Cisco IOS Release 12.4T but is not platform-specific.

Workaround: There is no workaround.

CSCsi70791

Symptoms: A Cisco router can experience a memory corruption crash related to encryption.

Conditions: This symptom has been observed when the memory lite global configuration command is disabled.

Workaround: Enable the memory allocation lite (malloc_lite) feature by using the memory lite command.

CSCsi76569

Symptoms: A Cisco 7200 series may crash during bootup or while writing or erasing the configuration during the "flow_def_master_list_lookup" process.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G1 or NPE-G2. The symptom occurs during bootup or when a configuration is written to or erased from memory. The symptom may also occur when you enter the show running-config command.

Workaround: There is no workaround.

CSCsi79331

Symptoms: An ephone DN gets stuck in a busy state. Callers hear a ringback tone, but no phone actually rings.

Conditions: This symptom is observed when an ephone is connected to a Cisco router in a Cisco Unified CallManager Express (CME) configuration.

Workaround: Remove the DN and then add it back. All of the buttons for this DN must be added back on the ephone.

CSCsi80749

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsi81801

Symptoms: The h245 caps suppress nte command may not function, causing an IPIPGW to continue to advertise the NTE capability in an H.245 capability message.

Conditions: This symptom is observed on a Cisco router that functions as an IPIPGW and that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCsi83259

Symptoms: The MPLS labels for packets that are forwarded via CEF and MPLS over a BGP route may not match the labels in the BGP table.

Conditions: This symptom is observed on a Cisco RPM-XF-512 that runs Cisco IOS Release 12.4(6)T5 but is not platform-specific.

Workaround: Enter the clear ip route command for the prefix in the VRF.

CSCsi84017

Symptoms: When you reload a Cisco 2600 series, the router may hang.

Conditions: This symptom is observed on a Cisco 2600 series when you attempt to run the c2600-entservices-mz image of Cisco IOS Release 12.4(9)T4. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCsi84591

Symptoms: When an SSG does not receive a RADIUS accounting stop message for a particular user from an Access Zone Router (AZR), the same user (with the same MAC address) does receive a new IP address from the AZR (which is also a DHCP server). In this situation, SSG receives the accounting start message from the AZR and does acknowledge the receipt, but may not create an entry in the RADIUS proxy user table.

Conditions: This symptom is observed when the hotspot is part of a network that is configured as an SSG RADIUS proxy client.

Workaround: There is no workaround.

CSCsi85641

Symptoms: When the Reverse Route Remote Peer option is enabled, packets may not be forwarded correctly.

Conditions: This symptom is observed when both CEF and the reverse-route remote-peer command are enabled. When the debug ip cef drops command is enabled, output such as the following is typically shown:

CEF-Drop: Stalled adjacency for remote-physical-ip-addr on Ethernet1/0 for destination remote-protected-ip-addr
CEF-Drop: Packet for remote-protected-ip-addr -- encapsulation

Workaround: Disable CEF.

Alternate Workaround: Add a next hop to the reverse route, for example, by entering the reverse-route remote-peer ip-address command.

CSCsi90679

Symptoms: Some Atomic IP signatures may fail to alarm when they are compiled together, although they do fire when they are compiled individually.

Conditions: This symptom is observed when Cisco IOS IPS is configured on one or more interfaces and when multiple Atomic IP signatures are compiled and enabled.

Workaround: There is no workaround.

CSCsi93683

Symptoms: In Cisco IOS software that is running the Bidirectional Forwarding Detection (BFD) protocol, attempts to remove BFD sessions may fail.

Conditions: The symptom has been observed after the maximum number of supported sessions has been configured. The maximum number is 128 in most but not all releases.

Workaround: There is no workaround.

CSCsi96685

Symptoms: A router that functions as an LNS and ISG may crash at the "chunk free" function when a call is being freed or disconnected.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.2(31)SB and is caused by a race condition. The symptom may not be release-specific.

Workaround: There is no workaround.

Further Problem Description: The following configuration suggestions may reduce the likelihood that the race condition occurs:

Change the following in all VPDN groups:

l2tp tunnel receive-window 10000
l2tp tunnel timeout hello 180

Do not configure the router for SSO. Rather, configure RPR+.

If the following command is not required, remove it from the configuration:

aaa authentication ppp user-auth if-needed group csm-auth-acct

Configure the seconds argument of the radius-server timeout seconds command to 5 seconds.

Configure the tries argument of the radius-server dead-criteria tries tries command to its maximum value. (If there is only one RADIUS server, you need to ensure that it is not going to be marked dead.)

Periodic accounting every 90 minutes may be too aggressive and may need to be changed.

Set the time-limit argument of the ppp timeout ncp time-limit command under the virtual template to 45 seconds.

CSCsi99281

Symptoms: BSTUN and DLSW features do not work.

Conditions: This symptom has been observed on Cisco 3220 and Cisco 3250 routers.

Workaround: There is no workaround.

CSCsj00727

Symptoms: A platform may crash when you apply a service policy to an interface.

Conditions: This symptom is observed on a Cisco AS5850 with a basic QoS configuration that includes a class map, a policy map, and a service policy on an interface. The symptom may not be platform-specific.

Workaround: There is no workaround.

CSCsj10664

Symptoms: A router may crash because of a watchdog timeout when a second ISDN call is established in an ADSL backup scenario when the ADSL is down.

Conditions: This symptom is observed on a Cisco 2811 router that runs Cisco IOS Release 12.4(11)T2 and on a Cisco 3845 router that runs Cisco IOS Release 12.4(11)T1 when QoS is configured on the dialer interface. The symptom may not be platform-specific.

Workaround: Remove the service policy from the dialer interface.

CSCsj15221

Symptoms: A router may crash when you unconfigure a Cisco IOS IPS rule from an interface that has the IPS rule enabled in the outbound direction only.

Conditions: This symptom is observed on a Cisco router when you globally unconfigure a Cisco IOS IPS rule by entering the no ip ips name ips-name command.

Workaround: Configure both inbound and outbound inspection.

CSCsj29808

Symptoms: A router crashes because of a watchdog timeout when you apply an extended access control list (ACL) to a crypto map.

Conditions: This symptom is observed on a Cisco 7200 series that has a VPN Service Adapter (VSA) when you apply an extended ACL to a crypto map as in the following example:

access-list 110 permit tcp host x.x.x.x gt 1023 x.x.0.0 0.0.255.255

The symptom occurs only when port 65535 is included in the port range.

Workaround: Use an access control entry (ACE) that does not contain port 65535. For example, an ACE that is defined as "greater than 1023" can be defined as "more than 1023 and less than 65534".

CSCsj32707

Symptoms: A "SIP UPDATE" message from a Cisco CallManager or SIP Proxy Server with a "Cseq" value of 0 may be rejected or considered invalid by a Cisco gateway.

Conditions: This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.4(9)T4 or a later release and that is connected to a SIP endpoint.

Workaround: There is no workaround. Note that the symptom does not occur in Release 12.4(9)T3.

CSCuk60363

Symptoms: When Enhanced Compressed Real-Time Transport Protocol (ECRTP) is configured and when multiple packet drops occur, cRTP packets may stop being sent, and only cUDP packets are sent instead. Because cUDP packets are nearly as large as uncompressed packets, compression becomes completely inefficient.

Conditions: This symptom is observed on a Cisco router when ECRTP is configured on an interface and when a few packet drops occur, as in the following configuration example:

interface Serial2/0
ip address x.x.x.x x.x.x.x
ip rtp header-compression ietf
ip header-compression recoverable-loss 1

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCsi40766

Symptoms: H.323 calls on a Cisco IOS VoIP gateway may fail after the gateway has processed about 54,500 calls.

Conditions: This symptom is observed when H.323 uses TCP to transport signaling messages. When the Cisco IOS gateway must generate a unique port for the local TCP session, this port is selected from a range of open ports. When the number of times that a unique TCP session is created for the same IP address on the gateway exceeds 54,500, further attempts to create a local TCP port fail and calls are not completed.

The symptom occurs for H.323 calls only when a separate TCP session is established for the H.245 session. When H.245 tunneling is enabled or no H.245 session is established, the symptom does not occur for H.323 calls.

When the debug ip tcp transaction command is enabled on the gateway, the "TCP: Ran out of ports for network 0" debug output is generated when the symptom occurs.

Enabling debugs on a Cisco IOS gateway should always be done with caution to minimize impact to the performance of the router. As a minimum, ensure that logging to the console is changed from the default behavior of the debug level to, for example, an informational level.

Workaround: After the symptom has occurred, reload the Cisco IOS VoIP gateway. To prevent the symptom from occurring, ensure that for H.323 call processing all H.323 devices have H.245 tunneling enabled. This may not always be possible: for example, H.245 tunneling on Cisco CallManager is not supported.

Wide-Area Networking

CSCec27942

Symptoms: A virtual-access interface is not freed when a client session is torn down.

Conditions: This symptom is observed on a Cisco router that is configured for VPDN when the client session is momentarily disconnected and then reconnected.

Workaround: There is no workaround.

CSCsh06841

Symptoms: A router may crash while establishing a PPP session.

Conditions: This symptom is observed when the ppp reliable-link interface configuration command is enabled on an interface that is bound to a dialer profile.

Workaround: Disable the ppp reliable-link interface configuration command, save the configuration, and reload the router. Disabling the command without reloading the router is not sufficient.

CSCsi21853

Symptoms: When you attempt to change the ISDN T306 timers, the changes are not accepted.

Conditions: This symptom is observed on a Cisco platform that runs Cisco IOS Release 12.4. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

Further Problem Description: The ISDN T306 configuration updates the values of the ISDN T307 timers.

CSCsi27449

Symptoms: A Non-Facility Associated Signaling (NFAS) configuration with a back-to-back PRI connection may fail, an "L3_GetUser_NLCB EVENT 0X2 No NLCB 2" error message may be generated, and a ping from the client to the router may fail.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(13.11) when an interface is configured as a dialer interface. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

CSCsj10593

Symptoms: A terminating gateway (TGW) that is configured for Cisco ISDN Interconnect for Voice Gateways Solution may crash.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(15.6) and that functions as a TGW with all PRI switch types from the user to the network side. The symptom occurs when the isdn test call interface interface-number dialing-string command is entered at the platform on which the call is initiated, when the originating gateway (OGW) is configured for the National ISDN (primary-ni) switch type, and when the TGW is configured for the NT DMS-100 (primary-dms100) switch type. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(11)T2

Cisco IOS Release 12.4(11)T2 is a rebuild release for Cisco IOS Release 12.4(11)T. The caveats in this section are resolved in Cisco IOS Release 12.4(11)T2 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsd58772

Symptoms: The MIB object rttMonLatestRttOperTime returns a value of 0.

Conditions: This symptom occurs only for the IP SLA RTP operation, regardless of whether the operation succeeds or fails.

Workaround: There is no workaround.

CSCse23950

Symptoms: A router hangs on a regular basis, producing the following traceback:

%SYS-2-NOTQ: unqueue didn't find 0 in queue 82E19A74 
-Process= "<interrupt level>", ipl= 2 
-Traceback= 0x80836CE8 0x814DC7F0 0x814EBE5C 0x816DF1F0 0x816DF2A8 0x816DEF74 
0x816DE8D4 0x80076750 0x8072CFA0 0x8072D10C 0x803B128C 0x80143E5C 0x801383B4 
0x8013AB0C 0x8013D6E0 0x8037DF44

Conditions: This symptom is observed on a router that is acting as an EzVPN Client. From the traceback, it seems that the BVI interface is involved in the crash.

Workaround: Disable bridging or HW encryption.

CSCsg21398

Symptoms: The Cisco IOS software image may unexpectedly restart when a crafted "msg-auth-response-get-user" TACACS+ packet is received.

Conditions: This symptom is observed after the Cisco platform has sent an initial "recv-auth-start" TACACS+ packet.

Workaround: There is no workaround.

CSCsg48725

Symptoms: A TLB exception may occur on a Cisco platform that functions as a PE router in an MPLS environment, and the following error message may be generated:

TLB (load or instruction fetch) exception, CPU signal 10 (BadVaddr : DEADBEF3)

Conditions: This symptom is observed on a Cisco platform when TACACS+ accounting and authorization are enabled and when the TACACS+ server is reachable through the global routing table.

Workaround: Disable AAA. If this is not an option, there is no workaround.

CSCsh31379

Symptoms: Scheduling an IP SLA RTP operation may sometimes crash the router.

Conditions: This symptom has been observed on a Cisco 3845 router with Cisco IOS Release 12.4(9)T.

Workaround: There is no workaround.

CSCsh44174

Symptoms: After a router has crashed, another crash may occur while the crashinfo is being generated, and a traceback with memory addresses is displayed.

Conditions: This symptom is observed on a Cisco router when, during the crash, the data in key memory locations is written to a crashinfo file on the bootflash device of the router.

Workaround: Specify an alternate storage device to store the crashinfo in the startup configuration, for example, by adding the following line to the startup configuration:

exception crashinfo disk0:

CSCsh85879

Symptoms: The router crashes while executing the type slm frame-relay interface command.

Conditions: This symptom has been observed on a Cisco 7200 router loaded with Cisco IOS Release 12.4(13.2)T.

Workaround: There is no workaround.

CSCsi13312

Symptoms: Authentication with Security Device Manager (SDM) 2.3.3 fails, preventing you from logging into the router through HTTPS, HTTP, SSH, Telnet, console, or any management application.

Conditions: This symptom is observed on a Cisco router that is "fresh out of the box" and affects the following routers:

Cisco 800 series

Cisco 1700 series

Cisco 1800 series

Cisco 2700 series

Cisco 2800 series

Cisco 3700 series

Cisco 3800 series

Workaround: For extensive information and a workaround, see Field Notices:

http://www.cisco.com/en/US/support/tsd_products_field_notice_summary.html

EXEC and Configuration Parser

CSCek59499

Symptoms: The config_log_persist_dbase file is created in the flash file system, making it unusable.

Conditions: This symptom has been observed on a Cisco 3700 series that is running Cisco IOS interim Release 12.4(10.8)T.

Workaround: There is no workaround.

IP Routing Protocols

CSCec12299

Symptoms: EIGRP-specific Extended Community 0x8800 is corrupted and shown as 0x0:0:0.

Conditions: This symptom is observed when EIGRP-specific Extended Community 0x8800 is received via an IPv4 EBGP session on a CE router. This occurs typically in the following inter-autonomous system scenario:

ASBR/PE-1 <----> VRF-to-VRF <----> ASBR/PE-2

Workaround: Use a configuration such as the following to remove extended communities from the CE router:

router bgp 1
 address-family ipv4 vrf one
 neighbor 1.0.0.1 remote-as 100
 neighbor 1.0.0.1 activate
 neighbor 1.0.0.1 route-map FILTER in
 exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
route-map FILTER permit 10
 set extcomm-list 100 delete
!

CSCek72433

Symptoms: When a packet is split after NAT, the firewall does not see the packet, and the firewall reports an out-of-order sequence error for subsequent packets.

Conditions: This symptom is observed with packets that are split after NAT.

Workaround: There is no workaround.

CSCsf20947

Symptoms: A default route that is defined by the neighbor default-originate command may be ignored by the BGP neighbor.

Conditions: This symptom is observed on a Cisco router after a route flap in the network causes the default route to be relearned.

Workaround: Manually clear the BGP neighbor to enable the router to correctly relearn the default route.

CSCsg00860

Symptoms: Enabling NAT outside on the public interface terminates a GRE-over-IPsec VPN connection. The inbound ACL that is applied on the public interface starts to drop decrypted GRE traffic.

Conditions: This symptom has been observed with the use of IP NAT outside on the public VPN interface.

Workaround: There are two workarounds:

1. Configure NAT translations for all traffic to force NAT processing on the packet even if no address is actually translated. Example:

ip nat inside source static 172.16.68.5 172.16.68.5

This is not a scalable workaround, but it may work for some deployments.

2. Configure an additional ACL entry in the inbound access-list to permit the incoming GRE traffic.

CSCsg73486

Symptoms: Conferencing cannot be performed from a Cisco 7960 IP Phone behind a Cisco 871 router as an EZVPN spoke performing NAT.

Conditions: This symptom is observed in Cisco IOS Release 12.4(6)T and later releases.

Workaround: There is no workaround.

CSCsh02161

Symptoms: A Route Reflector (RR) does not withdraw a prefix that redistributes itself even if this prefix is removed from the BGP table.

Conditions: This symptom is observed on a Cisco router that functions as an RR and that advertises the same prefix twice with different Route Distinguishers (RDs), when one of these prefixes redistributes itself and the other prefix is a route that is learned from an RR client via iBGP.

Workaround: There is no workaround.

CSCsh05576

Symptoms: A crash may occur when ipsec_ezvpn is used on a router.

Conditions: This symptom is observed when both IPsec and EzVPN commands are configured.

Workaround: There is no workaround.

CSCsh80678

Symptoms: New or flapping IGP routes may be injected into BGP even though no corresponding network statements exist.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(22) or a later release when the auto-summary command is enabled for BGP.

Workaround: Enter the no auto-summary command.

CSCsh90153

Symptoms: Connectivity is lost through a router when traffic is processed twice by NAT.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(8a), that is configured for NAT and PBR, and that has a firewall feature enabled. Under certain conditions, traffic is processed twice by NAT when it does not need to be.

Workaround: Remove the firewall configuration from the router.

Further Problem Description: Syslogs and the output of the show ip nat translation command show that traffic that is processed twice by NAT does not traverse the router.

CSCsh97579

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

CSCsi28078

Symptoms: A Cisco 871 router configured for VPN remote access, using EasyVPN in client mode, and having firewall and NAT enabled experiences TCP sessions problems when a Cisco IP Phone is connected behind the 871 and uses the VPN tunnel to reach its CallManager. This problem might cause the IP Phone to fail to register with the CallManager, and in some situations it does not permit calls to be made.

Conditions: This symptom is observed when both EasyVPN in client mode and the firewall are enabled on a Cisco 871 remote-access router, and a Cisco IP Phone is connected to the router in order to use the CallManager at the central office.

Workaround: The problem does not occur all the time; however, there is no workaround for the specific situation in which it fails and all of the respective features must remain enabled. If EasyVPN in network extension mode is used, the problem does not occur.

Miscellaneous

CSCds25257

Symptoms: A gatekeeper rejects new registration requests from a Cisco Unified CallManager (CUCM) or other H.323 endpoints with Registration Rejection (RRJ) reason of duplicateAlias. Attempting to clear this stale registration fails and a "No such local endpoint is registered, clear failed." error message is generated.

Conditions: This symptom is observed in the following topology:

CUCM H.225 trunks register to a gatekeeper (GK) cluster. Gatekeeper 1 (GK1) and gatekeeper 2 (GK2) are members of the GK cluster. The CUCM registers first to GK1, then fails over to GK2. This registration at GK2 sends an alternate registration to GK1. However, because of network issues, the unregistered indication does not reach GK1.

When the H.225 trunk attempts to register with GK1, it is rejected because the alternate registration is still present, and there is no way to clear it.

10.9.20.3       34273 10.9.20.3       32853 SJC-LMPVA-GK-1    H323-GW A
    ENDPOINT-ID: 450FC24400000000  VERSION: 5  AGE: 1618993 secs  
SupportsAnnexE: FALSE
    g_supp_prots: 0x00000050
    H323-ID: SJC-LMPVA-Trunk_4

Workaround: Reset the gatekeeper by entering the shutdown command followed by the no shutdown command, or reboot the affected GK.

CSCec12299

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.

CSCed57504

Symptoms: A router that is configured with a virtual template may reload unexpectedly.

Conditions: This symptom is observed on a Cisco router when a session that uses a virtual template is terminated, and occurs when the session is cleared from the DSL CPE router that is the peer router for the connection.

Workaround: There is no workaround.

CSCej59405

Symptoms: The show run command for the control plane generates inconsistent output in Cisco IOS Release 12.0S train images.

Conditions: This symptom has been observed on routers running Cisco IOS Release 12.0S images.

Workaround: There is no workaround.

CSCek42751

Symptoms: The running configuration may not be accessible after you have copied a small file to the running configuration.

Conditions: This symptom is observed on a Cisco router that has an ATA file system after you have rebooted the router.

Workaround: Reboot the router once more.

CSCek48251

Symptoms: When you enter the redundancy switch-activity force command on the active eRSC of a Cisco AS5850 while incoming VoIP H.323 calls and outgoing CAS calls are being processed, the standby eRSC does become the active eRSC and processes the calls but soon afterwards may crash at "csm_enter_idle_state."

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.4(9)T and that functions in RPR+ mode. The symptom may also affect Cisco IOS Release 12.4.

Workaround: There is no workaround.

Further Problem Description: The symptom does not occur when PRI calls are being processed.

CSCek50380

Symptoms: A Cisco router may crash with an illegal opcode exception when you configure dot1q encapsulation on a subinterface.

Conditions: This symptom is observed on a Cisco 2800 series that runs Cisco IOS Release 12.4, a rebuild of Release 12.4(4)T, or Release 12.4(9)T. Note that the symptom may be platform-independent. The symptom occurs under the following conditions:

A policy map is configured on the router and more than 10 classes are specified in the policy rules.

The service-policy input policy-map-name and service-policy output policy-map-name commands are configured on the main interface.

Workaround: First configure the subinterface for dot1q encapsulation. Then, enter the service-policy statements.

Important Note: If you apply the workaround, save the configuration, and then reload the router, the router will cycle continuously while booting the configuration. Do not save the configuration with the service policy applied.

CSCek54628

Symptoms: When a group member needs to connect to an alternate key server because the connection to the first key server on the list fails, the connection to the second key server on the group member's list also fails.

Conditions: Not all of the conditions under which this occurs have been identified, but the symptom seems to occur with low lifetimes, for example an IPsec SA lifetime of 120 and a KEK rekey lifetime of 300.

Workaround: The symptom was not observed with higher lifetimes. Also, entering the clear crypto gdoi command on the group member seems to allow it to reach the second key server.

CSCek55357

Symptoms: A permanent TCP redirection is not installed on the SSG for an authenticated user whose browser is configured with a web proxy.

Conditions: This symptom is observed on a PWLAN platform with an SSG and SESM when the user has a proxy configured in the browser.

After the user is authenticated, the permanent TCP redirection is not installed on the SSG. The user can browse the Internet but can no longer access the SESM web page in order to disconnect.

Workaround: There is no workaround.

CSCek55511

Symptoms: A Cisco AS5400HPX that is running Cisco IOS Release 12.3(11)T7 may crash with IO Memory corruption.

Conditions: The crash may occur when ccrpCPVGEntry is polled and resource pooling is enabled on the gateway.

Workaround: Disable SNMP polling for ccrpCPVGEntry.

CSCek59022

Symptoms: In a redundancy environment, when the DHCP subsystem encounters an error and a message buffer (for example, an SCTP buffer) that is used for communicating with the redundant peer is not released properly, the memory remains consumed. Subsequently, a low-memory condition is encountered.

Conditions: This symptom is encountered when buffers that are used in SR are not released properly.

Workaround: There is no workaround.

CSCek60527

Symptoms: An AAA server does not authenticate.

Conditions: This symptom is observed on a Cisco platform that functions as an AAA server and that runs Cisco IOS Release 12.3(13) when you dial up using Microsoft callback through an asynchronous line. Dialup through an ISDN modem works fine.

Workaround: There is no workaround.

CSCek64789

Symptoms: A router that is configured as a voice gateway may crash because of a bus error. Just before the crash occurs, messages of the following type may be generated:

%ALIGN-1-FATAL: Corrupted program counter

Conditions: This symptom is observed on a Cisco 2811 that is configured as a Cisco Multiservice IP-to-IP Gateway (IPIPGW). However, the symptom is not platform-dependent.

Workaround: There is no workaround.

CSCsa80126

Symptoms: The SNMP IfIndex Persistence feature may not function as expected. The ifIndex table that is created when you enter the snmp-server ifindex persist command is not loaded when the router boots and the indexes of all interfaces are reassigned in a sequential order that depends on the interface number.

Conditions: This symptom is observed on a Cisco router when you first create a subinterface with a sequence number that is lower than or between the numbers of the existing interfaces and then reload the router.

Workaround: There is no workaround.

CSCsb15138

Symptoms: The following error messages may be generated on a gateway that functions in a configuration in which 80 channels are processed by a VXML Server, and the call may be dropped:

//-1//HTTPC:/httpc_streaming_create: attempt to create a session with id 699 
while this id is in use
//2144684/0BCEFBA9AA28/VXML:/vxml_media_done: 
CALL_ERROR; fail with vapp error 2, protocol_status_code=0
//2144684/0BCEFBA9AA28/VXML:/vxml_media_done: 
CALL_ERROR; *** error.badfetch.http.0 event is thrown

Conditions: This symptom is observed rather rarely on a Cisco AS5400 gateway when the HTTP client session IDs range from 1 to 2048 because of the socket limit per Cisco IOS process. The error messages are generated when the HTTP client attempts to create a new session with the same ID as an old session that is still in use. In this situation, only a benign warning message should be generated, and the call should be accepted. If an HTTP streaming session remains in use for a long time and the traffic load of the gateway is high, the symptom is more likely to occur.

Workaround: Configure an event handler as in the following example:

<catch event="error.badfetch.http.0">
<!--  Actual event handler goes in here -->
</catch>

If this is not an option, the symptom may be mitigated by disabling IVR streaming mode via the ivr prompt streamed none command.

CSCsc83628

Symptoms: When a first MGCP NAS package call is cleared by the clear interface dialer command, no further calls are possible from the dialer into the NAS.

Conditions: This happens only when the clear interface dialer command is issued on the dialer to clear the call. If the call is cleared in any other way, the issue does not arise.

Workaround: Avoid clearing calls with the clear interface dialer command; instead, clear the serial interface.

CSCsd27617

Symptoms: IKE negotiation fails with a wrong group preshared key.

Conditions: This symptom is observed on a Cisco router that has an eight-character key such as "cisco123" defined under the EzVPN group configuration, and occurs after you have entered the password encryption aes command.

Workaround: To prevent the symptom from occurring, do not use an eight-character key under the EzVPN group. After the symptom has occurred, re-enter the group and key.

CSCsd82697

Symptoms: Trend OPACL signatures 50000_1 and 50000_2 fail to alarm.

Conditions: This symptom has been observed with Cisco IOS IPS configured on one or more interfaces and TREND OPACL signatures 50000_1 and 50000_2 modified to alarm.

Workaround: There is no workaround.

CSCse24889

Symptoms: Malformed SSH version 2 packets may cause a memory leak, causing the platform to operate under a degraded condition. Under rare circumstances, the platform may reload to recover itself.

Conditions: This symptom is observed on a Cisco platform that is configured for SSH version 2 after it has received malformed SSHv2 packets.

Workaround: As an interim solution until the affected platform can be upgraded to a Cisco IOS software image that contains the fix for caveat CSCse24889, configure SSH version 1 from the global configuration mode, as in the following example:

config t
ip ssh version 1 
end

Alternate Workaround: Permit only known trusted hosts and/or networks to connect to the router by creating a vty access list, as in the following example:

! 10.1.1.0/24 is a trusted network that is permitted access to the router;
! all other access is denied
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 99 deny any
line vty 0 4
 access-class 99 in
end

Further Problem Description:

For information about configuring vty access lists, see the Controlling Access to a Virtual Terminal Line document:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cntrl_acc_vtl_ps6350_TSD_Products_Configuration_Guide_Chapter.html

For information about SSH, see the Configuring Secure Shell on Routers and Switches Running Cisco IOS document:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

CSCse31572

Symptoms: A router that is configured for DMVPN may reload because of a bus error.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4T. The symptom could occur in Release 12.4.

Workaround: There is no workaround.

CSCse43088

Symptoms: A Cisco gatekeeper that runs Cisco IOS Release 12.4 may generate a traceback and a DSMP timeout while the H.323 test call, silent call detection, and long call duration detection features are being tested.

Conditions: This symptom has been observed when a Cisco gatekeeper is running with Cisco IOS Release 12.4.

Workaround: There is no workaround.

CSCse56501

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.

CSCse80723

Symptoms: A Communication Media Module (CMM) may fail to come online after it has been reloaded, power-cycled, or crashed. The output of the show test module command for the CMM indicates that the loopback test on port 1 of the module has failed:

Loopback Status [Reported by Module 1] :

  Ports 1  2  3  4  5 
  --------------------
        F  N  N  N  . 

Conditions: This symptom is observed on a Cisco Catalyst 6000 series that has a Supervisor Engine 2 that runs CatOS 8.5(5) software and a CMM that runs Cisco IOS Release 12.4.

Workaround: Enter the clear cam dynamic command and reset the CMM once more.

CSCse89230

Symptoms: On IPsec gateways, some RADIUS accounting tickets are sent with the User-Name attribute. About 1% of the tickets seem to be affected.

Conditions: This symptom has been observed with routers running Cisco IOS Release 12.4(4)T.

Workaround: There is no workaround.

CSCse89373

Symptoms: A second PRI link is deactivated and cannot process incoming or outgoing calls when the second PRI is deactivated remotely, physically, or manually (through a CLI command).

Conditions: This symptom occurs when the first PRI is of type primary-net5 and the second PRI is of type primary-qsig, and the second PRI is deactivated remotely or locally, either by physically disconnecting the cable or by entering the shutdown command under the corresponding E1 controller.

Workaround: There is no workaround.

CSCse89861

Symptoms: L2TP does not start for users who are authenticated via RADIUS, although "Service-Outbound" is returned along with the VPDN AV pairs.

Conditions: This symptom is observed when trying to bring up the VPDN with RADIUS authentication on Cisco IOS Release 12.3(14)YX2.

Workaround: There is no workaround.

CSCsf08998

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf17039

Symptoms: A router may crash when you configure On-Demand Address Pools (ODAP) with Dynamic Host Configuration Protocol (DHCP) and when the router that requests the address pool (subnet) runs out of available addresses.

Conditions: This symptom is observed in an MPLS-VPN network when you configure ODAPs on virtual home gateways (VHGs) and provider edge (PE) routers.

Workaround: There is no workaround.

CSCsf28509

Symptoms: When you enter the clear ip dhcp binding command to clear DHCP bindings, the corresponding DHCP-initiated subscriber sessions are not cleared.

Conditions: This symptom is observed on a Cisco router that functions as an Intelligent Service Gateway (ISG).

Workaround: Enter the clear ip subscriber command to clear the subscriber sessions.

CSCsf30058

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf99378

Symptoms: No form of the ip local pool poolname command is accepted; an error message states that the command is incomplete.

Conditions: This symptom is observed on a Cisco IOS Release 12.4(10.8) image.

Workaround: There is no workaround.

CSCsg06973

Symptoms: A crash occurs on a Cisco 7200 that functions as a responder with 2000 tunnels.

Conditions: This symptom is observed with GRE and 100 Mbps bidirectional imix traffic.

Workaround: There is no workaround.

CSCsg08395

Symptoms: When one of the controllers of a VWIC-2MFT-E1 Voice/WAN interface card that is connected back-to-back to another router is shut down, ISDN L2 may go down on the second E1 controller of the VWIC-2MFT-E1.

Conditions: This symptom is observed on a Cisco 3725 that runs Cisco IOS interim Release 12.4(11.1).

Workaround: There is no workaround.

CSCsg09818

Symptoms: A VPN 3002 client cannot form an IKE session with a Cisco IOS VPN hub over TCP encapsulation (cTCP). The hub fails to process the AM1 packet that is sent by the VPN client.

Conditions: This symptom is observed on a Cisco IOS VPN hub over TCP encapsulation.

Workaround: There is no workaround.

CSCsg10134

Symptoms: A router crashes when PPPoEoA sessions are torn down.

Conditions: This symptom is observed when the maximum number of class-map instances are configured on the router.

Workaround: There is no workaround.

CSCsg31867

Symptoms: A Cisco IOS router may experience an unexpected reload.

Conditions: This symptom occurs in Cisco IOS Release 12.4(11)T and later when the router is configured with IPSec and NAT, and when it needs to fragment a large packet to be encrypted over the IPSec tunnel.

Workaround: Downgrade to a version before Cisco IOS Release 12.4(11)T, for example, Cisco IOS Release 12.4(9)T or older.

CSCsg35289

Symptoms: Crypto engine QoS is shown as disabled.

Conditions: This symptom occurs while the LLQ feature of IPsec and of IPsec with GRE is being tested.

Workaround: If you remove the service policy from the interface and then reapply it, crypto engine QoS is enabled. However, the failure described in CSCsf96266 then also occurs.

CSCsg37315

Symptoms: If CBAC is configured in conjunction with VPN tunnels, TCP connections through the firewall might fail.

CBAC ignores the SYN/ACK packets that arrive from the IPsec tunnel and then drops all outbound TCP packets except the initial SYN, generating the message "Invalid Segment tcp".

Outbound TCP connections to the Internet (not over IPSec tunnel) are not affected and work fine with CBAC.

Conditions: VPN tunnels must be configured on the router in conjunction with CBAC.

Workaround: Disable hardware encryption on the router with the command:

no crypto engine accelerator

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router on which the ip http secure-server command is enabled.

Workaround: Disable the ip http secure-server command.

CSCsg52155

Symptoms: The service policy is displayed twice in the output of the show run command.

Conditions: This symptom occurs when the show run command is used on virtual-template interfaces.

Workaround: There is no workaround. This symptom is not service affecting.

CSCsg56423

Symptoms: A router that is configured with an IPsec session may crash because of a bus error.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(6)T or a later release when there are two different IPsec sessions to different peers that protect the same traffic. The symptom may be triggered by clearing crypto sessions.

Workaround: There is no workaround.

CSCsg56907

Symptoms: When connecting to the Cisco 871 router via dot1x authentication, if the user waits too long to log in, the port gets stuck in a held state. All dot1x packets are ignored, and all other traffic is dropped.

Conditions: The dot1x port-control-auto must be applied to the VLAN SVI and the user must wait to log in until after the port has entered a held state. This is the initial dot1x timeout.

Workaround: Enter the clear dot1x all command on the Cisco 871 router, or reboot the router, and then log in before the port enters the held state.

Configure dot1x port-control-auto on the physical interface instead of the VLAN SVI.

Further Problem Description: The only reason to put the dot1x port-control-auto on the SVI instead of the physical interface is to take advantage of the identity profiles to exclude certain MAC addresses from having to log in. If the identity profiles are not being used the dot1x port-control-auto statement should be placed on the physical interface.

CSCsg59326

Symptoms: When an ATM (that is, a cash machine, not a WAN platform) is connected to a switch service module, significant packet loss may occur.

Conditions: This symptom is observed on a Cisco 2800 series router.

Workaround: Change the Ethernet speed to 10 Mbps at both ends.

CSCsg61561

Symptoms: STRING.TCP signatures that contain min-match-length parameters are limited to 16 instances. Once 16 such signatures have been reached, further signatures of this type do not compile correctly and fail to generate an alarm. The only way to detect a signature failure is to test the signature with the proper attack traffic; the signature display does not indicate when these signatures have failed to compile properly.

Conditions: This symptom is observed on a Cisco platform that has IPS configured on one or more interfaces with STRING.TCP signatures present.

Workaround: Test and determine a signature failure. Search the signature file for STRING.TCP signatures that contain min-match-length parameters. Delete working signatures in order for failing signatures to compile correctly. Compilation occurs in the order in which signatures are defined in the signature definition file.

CSCsg69022

Symptoms: When a user configures the no telephony-service command, the router crashes during running-configuration generation.

Conditions: This symptom is highly unreproducible, but there is a potential race condition between the running configuration generation and the no telephony-service command.

Workaround: There is no workaround.

CSCsg76519

Symptoms: An RSP may crash when you enter the clear counters command.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4 when you enter the clear counters command after the termination of voice calls that were made with PA-VXC-2TE1 port adapters.

Workaround: There is no workaround.

CSCsg76715

Symptoms: A device crashes when you delete an ACE that was inserted in the middle of the ACL rather than added at the end of the list.

Conditions: This symptom is observed when all of the following conditions are present:

The inserted ACE has a destination prefix length of 0, that is, it has an "any" statement instead of a destination address.

The ACL already has another ACE with the same SRC prefix length and a destination prefix length that is greater than 0 (that is, other than an "any" statement), and the inserted ACE has a lower sequence number than this other ACE.

The other ACE with a destination prefix length that is greater than 0 is deleted before you delete the inserted ACE.

Workaround: First, delete the inserted ACE. Then, delete the other ACE with the same SRC prefix length and a destination prefix length that is greater than 0.

Alternate Workaround: Delete the complete ACL.

CSCsg83326

Symptoms: With IPv6, IPSec with VTI is non-functional. All crypto related functions would be completely affected.

Workaround: There is no workaround.

CSCsg89680

Symptoms: An editConfigDelta CT with an editOp delete action on the map entry does not delete the signatures that are in the map.

Conditions: CSM attempts to delete a config delta.

Workaround: CSM could list each signature that needs to be deleted.

CSCsg92700

Symptoms: All GLBP IPv6 group members remain in Active state at all times. No GLBP IPv6 protocol information is passed between group members.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.4(11.4)T and later.

Workaround: There is no workaround.

CSCsg96319

Symptoms: Anyone can obtain unprivileged telnet access to a system without being authenticated when a reverse SSH session is established with valid authentication credentials. This affects only reverse SSH sessions where the connection is made with the command "ssh <username>:<portno> <server-address>".

Conditions: This issue is only seen when Reverse SSH Enhancement is used.

Workaround: Configure reverse SSH with "ip ssh port portno rotary rotarygroup" syntax. This configuration is explained at the following URL:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml#newq1

CSCsh12477

Symptoms: QoS-marked packets are not being sent properly across an IPSec tunnel.

Conditions: After upgrading from Cisco IOS Release 12.4(9)T2 to Cisco IOS Release 12.4(11)T, packets are not being marked properly across the IPSec tunnel.

Workaround: There is no workaround.

CSCsh14688

Symptoms: With an AES key for both TEK and KEK, policies are not synced between co-op key servers. After changing this to 3des, policies are downloaded in secondary key servers.

Conditions: This symptom has been observed when AES is configured in the group with coop key servers.

Workaround: Use 3DES in the transform set.

CSCsh20336

Symptoms: A spoke may be unable to connect or reconnect to a hub because there may not be a crypto socket.

Conditions: This symptom is observed in a DMVPN Hub-to-Spoke environment.

Workaround: Remove the static NHRP entry from the tunnel interface that connects the spoke to the hub, and reapply the static NHRP entry.

CSCsh22748

Symptoms: Router will crash when the packets are sent out.

Conditions: This symptom has been observed when a QoS policy with the WRED feature is attached to an ATM PVC.

Workaround: There is no workaround.

CSCsh25511

Symptoms: A router may crash with CPU vector 300.

Conditions: This symptom has been observed when Cisco IOS is running QoS and CCE.

Workaround: There is no workaround.

CSCsh28899

Symptoms: IS-IS routes are not learned at remote sides.

Conditions: This symptom is observed on a Cisco 7200 series that has an NPE-G2 when the router connects to the remote sides through a native Gigabit Ethernet (GE) interface.

Workaround: Do not use a native GE interface. Rather, use a GE port adapter such as the PA-GE.

CSCsh29001

Symptoms: On a Cisco IOS router, if a service policy that classifies traffic based on the TOS (Type of Service) byte in the IP header is applied to an interface with IPSec (IP Security) enabled, then traffic does not get classified properly as shown in the show policy-map interface command output, and therefore the correct queueing actions do not take place.

Conditions: This symptom has been observed when a service policy that classifies traffic based on the TOS (Type of Service) byte in the IP header is applied to an interface with IPSec (IP Security) enabled.

Workaround: Use qos pre-classify under the crypto map.

CSCsh33230

Symptoms: Packets are passing through the interface, but "show policy-map int" shows 0 matches. If there is only a policy on the main interface, the policy should be applied to the underlying subinterface, and sh policy-map int out should reflect the matched and queued traffic:

!
interface Serial5/0:0
no ip address
encapsulation frame-relay
load-interval 30
no keepalive
frame-relay interface-dlci 203
service-policy output llq
!
interface Serial5/0:0.1 point-to-point
ip address 172.0.0.2 255.0.0.0
no cdp enable
frame-relay class test
frame-relay interface-dlci 102 IETF

Traffic passing through s5/0:0.1 is not seen by the main interface policy.

giulia#sh policy-map int s5/0:0 | i packets
     0 packets, 0 bytes
     0 packets, 0 bytes
       Bandwidth 200 (kbps)Max Threshold 64 (packets)
     0 packets, 0 bytes

Workaround: Use FRTS and apply the service-policy under each DLCI, or evaluate the possibility of reverting to Cisco IOS Release 12.4(9)T.

CSCsh35269

Symptoms: When using MTP on a Cisco IOS router, RTP ports and RTPSPI calls may be left hanging. Over time, the hanging RTP ports can accumulate and cause the router to run out of RTP ports, and MTP calls fail.

Conditions: When using software MTP for supplementary services or when there is high CPS (calls per second).

Workaround: Reload the router to release hanging ports.

CSCsh39318

Symptoms: A router may crash when the configured route limit is exceeded. When this situation occurs, the following error message is generated:

%MROUTE-4-ROUTELIMIT (x1): [int] routes exceeded multicast route-limit of [dec] - VRF [chars]

Conditions: This symptom is observed on a Cisco 10000 series that is configured for Multicast VPN but is platform-independent.

Workaround: There is no workaround.

CSCsh39329

Symptoms: A Cisco c7206VXR NPE-G2 router with an SA-VAM2+ card may crash after a period of time in operation. Depending on the IOS version, the following error message may be seen multiple times before the crash: -Process= "Crypto Support", ipl= 4, pid= 154 -Traceback= 0x1408008 0xAE28 0x33387C 0x33544C 0x1A882D8 0x1A87DF8 0x2CCF9BC 0x2DD6900 0x782670

Conditions: There is no specific trigger for this. It happens randomly.

Workaround: There is no workaround.

CSCsh39889

Symptoms: An IOS router running Cisco IOS Release 12.4(11)T or Cisco IOS Release 12.4(11)T1 with IPS functionality enabled may produce log entries similar to the following:

*Mar 21 20:11:54.445: %ALIGN-3-SPURIOUS: Spurious memory access made at
0x60F1B618  reading 0x4
*Mar 21 20:11:54.445: %ALIGN-3-TRACE: -Traceback= 0x60F1B618 0x60F065B8
0x60F06814 0x60FC42E8 0x60FC0984 0x60FC3C4C 0x60FBF684 0x60FBFBB4
(etc.)

At the same time, router performance may be impacted for a short period of time.

Conditions: This symptom occurs shortly after (re)booting the router, or when the IPS signatures have been recompiled.

Workaround: There is no workaround.

CSCsh42337

Symptoms: Cisco IOS crashes with the message:

dsprm - out of buffer error under load

Conditions: This symptom has been observed on a Cisco 2811 chassis with NM-HDV2 with 4 T1's and 64dsp * 4 PVDMs. Use the following to reproduce the conditions:

1. Install 64dsp * 2 PVDMs in the router chassis slot, with 4 T1s (2 VWIC2-2MFT-T1/E1).

2. Install 768MB RAM.

3. Create 96 SIP G729 dial-peers, make calls, and start sending voice traffic.

4. Create 96 multicast G711 dial-peers and start traffic.

5. The router crashes.

6. Find the attached logs for details.

Workaround: There is no workaround.

CSCsh50275

Symptoms: In a DMVPN setup with spoke having overlapping ISAKMP profiles and DPD enabled, IKE quick mode fails due to ISAKMP profile mismatch. After IKE SA expiry, the IKE SA rekey triggered by ISAKMP keepalives does not use any ISAKMP profile while initiating the SA. With overlapping ISAKMP profiles present, the IKE SA might end up attaching to the incorrect ISAKMP profile instead of the one configured on the corresponding tunnel interface and the one used by original IKE SA, subsequently causing the quick mode to fail due to profile mismatch. The only way to bring them out from that stage is by clearing Phase 1 SA.

Conditions: This symptom occurs during DMVPN testing.

Workaround: There is no workaround.

CSCsh52019

Symptoms: When configuring a QoS policy, if the "class class-default" is deleted before any QoS policy is configured, the policy might not attach at all when it is applied to a virtual-access interface cloned from a virtual-template.

Conditions: This symptom has been observed when configuring QoS policy.

Workaround: Don't delete the "class class-default" at any point in time during configuration.

CSCsh54729

Symptoms: When Cisco Tunneling Control Protocol (CTCP) is enabled on a Cisco IOS VPN hub without any crypto maps configured, CTCP sessions can be formed and leaked if any VPN clients try to connect over CTCP.

Conditions: This symptom occurs when Cisco Tunneling Control Protocol (CTCP) is enabled on a Cisco IOS VPN hub without any crypto maps configured.

Workaround: Disable CTCP when no crypto maps are configured.

CSCsh58082

Cisco devices running an affected version of Internetwork Operating System (IOS) which supports Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the device when receiving a specific series of packets destined to port 5060. This issue is compounded by a related bug which allows traffic to TCP 5060 and UDP port 5060 on devices not configured for SIP.

There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering the vulnerability.

Workarounds exist to mitigate the effects of this problem on devices which do not require SIP.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml.

CSCsh71695

Symptoms: No rekeys are sent every 30 minutes to sync pseudotime when anti-replay is enabled.

Conditions: This symptom has been observed when a new key server becomes primary.

Workaround: Sometimes, using the clear crypto gdoi command in both key server and group members will restart the rekeys every 30 minutes.

CSCsh73782

Symptoms: When Cisco IOS Firewall is configured with a WAAS Network module on an ISR, TCP connections fail to go through.

Conditions: This symptom has been observed when Cisco IOS Firewall is configured.

Workaround: Disable the Cisco IOS Firewall.

Further Problem Description: This symptom occurs when TCP connections are optimized by WAAS. UDP and ICMP traffic goes through without any issues.

CSCsh78605

Symptoms: For an inbound call across a SIP trunk, IOS might match a dynamically configured dial-peer instead of the user-defined dial-peer configured with "incoming called-number."

Conditions: This symptom has been observed when Cisco IOS SIP Gateway was also configured as a SIP SRST.

Workaround: Use Cisco IOS Release 12.4(6)T6.

CSCsh92827

Symptoms: An NPE-G2 crashes during reboot when the SSG feature is configured in the startup configuration.

Conditions: This symptom has been observed with Cisco IOS Release 12.4(11)T and Cisco IOS Release 12.4(11)T1 when the SSG feature is activated. No symptom is noticed during reboot with these images if the SSG feature is removed from the configuration.

Workaround: There is no workaround.

CSCsh92914

Symptoms: A router may unexpectedly reload when you attempt to open a reversed SSH connection by using the SSHv1 protocol.

Conditions: This condition is observed on a Cisco router that runs Cisco IOS Release 12.4.

Workaround: Force the SSH transport to be SSHv2 by entering the ip ssh version 2 global configuration command.

CSCsh94526

Symptoms: When an acct-stop message is received for a non-RADIUS proxy user (that is, a normal IP user), a router that is configured for SSG crashes.

Conditions: This symptom is observed when SSG is configured for RADIUS proxy mode and when the ssg wlan reconnect command is enabled.

Workaround: There is no workaround.

CSCsh96376

Symptoms: A Cisco IOS router may experience high CPU due to "Per-Minute Jobs" when configured with an IPX extended access list.

Conditions: This symptom has been observed when an IPX extended access list is configured on a router running Cisco IOS Release 12.4(11)T or newer.

Workaround: There are two parts:

1. Downgrade to Cisco IOS Release 12.4(9)T or earlier Cisco IOS Release 12.4T or Cisco IOS Release 12.4 mainline.

2. Remove the IPX extended access list.

CSCsh96831

Symptoms: When a QoS service-policy that includes a percentage-based policer is applied to a Virtual-Template interface, the following error occurs:

VTI-NEM(config)#int virtual-template 1
VTI-NEM(config-if)#service-policy output tunnel_traffic
cir must fall between 8000 and 2000000000
cir must fall between 8000 and 2000000000
% A service-policy with police in percent configured cannot be attached to a tunnel interface

The service-policy statement appears twice in the configuration after the above command is entered.

Conditions: This behavior is seen with Cisco IOS Release 12.4(11)T. Same configuration with Cisco IOS Release 12.4(4)T functions correctly.

Workaround: There is no workaround.

CSCsi04183

Symptoms: A router that is configured as an EasyVPN client is not able to auto connect to the EasyVPN server using its saved Xauth username/password.

Conditions: This symptom is observed when the router is powered-up or when the ISAKMP re-keying happens.

Workaround: Manually execute the crypto ipsec client ezvpn xauth command in the router console and enter the respective username/password.

CSCsi13301

There is a linker bug in the c2.95.3-p11b toolchain, related to PPC PIC code. This linker bug gets triggered when we link in the gcc helper library libgcc.a. This library is compiled PIC by default so that it will work with both normal and PIC images.

The fix is to deploy the c2.95.3-p12 compiler, along with the makesubsys patch to IOS.

CSCsi14117

Symptoms: %SYS-2-LINKED: Bad enqueue of 6C1BE2F8 in queue 663E6620 error

Conditions: The management-interface Serial1/0.500 allow ftp ssh tftp snmp telnet command is configured.

Workaround: Remove the management-interface Serial1/0.500 allow ftp ssh tftp snmp telnet command.

Further Problem Description: The affected device reports the error at process level; bad enqueue messages were also seen at interrupt level on connected devices.

CSCsi15221

Symptoms: A Cisco 7200 series with an NPE-G2 may hang during the boot process.

Conditions: This symptom is observed when several native Gigabit Ethernet ports with "MV64460" hardware come up simultaneously, for example, while the router boots. To verify whether the Gigabit Ethernet ports of your router have "MV64460" hardware, look in the output of the show interfaces command.

Workaround: There is no workaround.

CSCsi15229

Symptoms: One or more of the following symptoms may occur: CPU hogs, crashes, high CPU, and/or memory allocation failures.

Conditions: This problem is triggered when making configuration changes to an access list that is currently in use by a service policy.

Workaround: Disable the service policy before making changes to its components.

CSCsi25578

Symptoms: When an LNS router receives an L2TP ICRQ (Incoming Call Request) message with the same assigned session ID as an existing session of another tunnel from the same LAC, it disconnects the session due to an unknown AVP.

Conditions: This symptom is observed when an LNS router receives an L2TP ICRQ message with the same assigned session ID as an existing session of another tunnel.

Workaround: There is no workaround.

CSCsi48635

Symptoms: When configuring an MQC policer, the parser accepts the conform and exceed actions the first time they are configured, but does not display them in the running configuration. The commands also do not take effect, as seen in the show policy-map map_name output.

Conditions: When you try to configure the conform or exceed actions again, the parser rejects these commands.

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCsg00102

Symptoms: In Cisco IOS Release 12.4(9)T, the TCP stops accepting new connections after a few days of SSLVPN running in the router. The debug ip tcp transaction command shows the error with connection queue limit reached. When the problem happens, the show tcp bri all command shows five connections in CLOSED state.

Conditions: This symptom is observed in Cisco IOS Release 12.4(9)T.

Workaround: Enter the clear tcp tcb * command. This command will clear all the TCP connections on the router.

Wide-Area Networking

CSCdw04802

Symptoms: The virtual-access counters and the RADIUS accounting data exceed the real value.

Conditions: This symptom is observed on a Cisco 7200 PA-A3 port adapter and a Cisco 6400 NRP2-SV when a Layer 2 Tunneling Protocol (L2TP) Network Server (LNS) uses an ATM permanent virtual connection (PVC) as an ingress interface for L2TP tunnels.

Workaround: Configure an Ethernet port as the ingress interface.

CSCek60025

Symptoms: A ping may be dropped in a PPP callback scenario.

Conditions: This symptom is observed on a Cisco router when Multilink PPP (MLP) and the dialer load-threshold command are enabled.

Workaround: There is no workaround.

CSCek60772

Symptoms: A crash occurs when commands are executed in a particular order.

Conditions: The crash occurs when the following commands are executed:

interface Dialer0
no dialer pool 1
shut
no interface Dialer0
interface Serial2/0
no dialer in-band
interface Dialer0
dialer remote-name dt3b7-4
no cdp enable

This happens because a freed value was not being set to NULL.

Workaround: There is no workaround.

CSCek64788

Symptoms: A router crashes because of memory corruption. The crashinfo points to the VPDN call manager.

Conditions: This symptom is observed on a Cisco router when L2TP Active Discovery Relay for PPPoE is enabled.

Workaround: There is no workaround.

CSCek67875

Symptoms: During a test of a B-Channel Maintenance Procedure (BCAC), an incoming SERVICE message is not printed with the correct channel.

Conditions: This symptom is observed when a collision occurs between a SERVICE message and a SETUP message.

Workaround: There is no workaround.

CSCsf30411

Symptoms: In L2TP dialout, failover with the limit and priority options specified gives incorrect output of the show vpdn command, making the limit option unusable.

Conditions: This happens when the limit and priority options are enabled on the LNS and a ping is made from the LNS to the two LACs to check the operation of the limit option. Here the session count should be the same as the limit, but the session count is more than the limit specified.

Workaround: There is no workaround.

CSCsf30493

Symptoms: When a T.37 onramp call is made, the following error message may be generated:

%CSM-3-NO_VDEV: No modems associated

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS interim Release 12.4(10.7). The symptom may not be platform-specific.

Workaround: There is no workaround.

CSCsg24778

Symptoms: A router may crash because of a corrupted memory pointer.

Conditions: This symptom is observed on a Cisco router that is configured for PPPoE Relay and VPDN.

Workaround: There is no workaround.

CSCsg40885

Symptoms: A router crashes during an online insertion and removal (OIR) of a multilink interface.

Conditions: This symptom is observed on a Cisco 7200 series that is configured for MLP and PPP.

Workaround: Shut down the multilink interface before you perform an OIR.

CSCsg56148

Symptoms: Inbound GSM V.110 calls fail to train at a speed of 14400 bps.

Conditions: This symptom is observed on a Cisco AS5400 when the Bearer Capability (BC) does not match the Lower Layer Compatibility (LLC) in the ISDN setup message. The BC should take precedence over the LLC.

Workaround: If this is an option, configure the ISDN switch to send the correct BC and LLC. If this is not an option, there is no workaround.

CSCsh00185

Symptoms: A software forced-crash occurs with a memory corruption in the processor pool memory.

Conditions: This symptom is observed on a Cisco router that is configured for ISDN and that has an unusually long calling name with more than 70 characters in the received Facility IE.

Workaround: There is no workaround.

CSCsh02500

Symptoms: L2TP sessions fail when the L2TP peer (that is, the LAC if IOS is acting as LNS) is sending L2TP AVPs which are hidden. "debug vpdn error" will show the following error message:

"Error unhiding AVP <x>, no shared secret configured"

Conditions: This symptom occurs when using the L2TPv2 tunnel protocol, and the L2TP peer is sending L2TP AVPs hidden according to RFC1661, section 4.3.

Workaround: There is no workaround.

CSCsh82513

Symptoms: The show isdn active command still shows disconnected calls even after fixing CSCsg75978 and CSCsh31330.

Conditions: This symptom happens when making analog modem calls after making a normal ISDN digital call.

Workaround: There is no workaround.

CSCsh85902

Symptoms: For a normal ISDN call, a DISCONNECT message is issued when the call is disconnected. The contents of this DISCONNECT message are replaced with the one that is explicitly configured. This configured message has an invalid facility component, and hence the receiving side should send a facility reject component, which is not seen here (missing).

Conditions: This symptom happens with Cisco IOS Interim Release 12.4(12.15)T. This is happening only for Interface PRI. This is seen for Cisco IOS Release 12.4 mainline and Release 12.4T.

Workaround: There is no workaround.

CSCsi28578

Symptoms: When an LNS renegotiates LCP with a client, a LAC may not forward a CONFREQ message from the client to the LNS. This situation may cause a loop with LCP negotiation and authentication between the client and the LNS, and an L2TP tunnel is established between the LAC and the LNS.

Conditions: This symptom is observed when the debug snmp packet is enabled and when the following configurations are present:

On the LNS, the lcp renegotiation always command is enabled:

vpdn-group <vpdn group name>
 lcp renegotiation always

On the LAC, the snmp-server trap for l2tun session command is enabled:

snmp-server enable traps l2tun session
snmp-server host <IP-address> version 2c <community>

Workaround: Do not enable the debug snmp packet command when the lcp renegotiation always command is enabled on the LNS and when the snmp-server trap for l2tun session command is enabled on the LAC.

Resolved Caveats—Cisco IOS Release 12.4(11)T1

Cisco IOS Release 12.4(11)T1 is a rebuild release for Cisco IOS Release 12.4(11)T. The caveats in this section are resolved in Cisco IOS Release 12.4(11)T1 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

IP Routing Protocols

CSCsg84972

Symptoms: After upgrading to Cisco IOS Release 12.4(11)T, tunnel protection shared stopped working for additional tunnels between 2 peers.

Conditions: This symptom has been observed with DMVPN: 2 peers with multiple tunnels (each tunnel is decapsulated in a different VRF, and each tunnel is a distinct DMVPN network).

Tunnel protection [shared] is used because the spoke tunnel source is located in the global VRF and uses Loopback1. The tunnel destination is the hub (loopback1).

R103 (loopback0) is the destination for all tunnels sourced from R100SP loopback 0 (10.1.1.1).

Workaround: There is no workaround.

Miscellaneous

CSCek61570

Symptoms: The ephone DN may get stuck in SEIZED state and one-way audio would occur afterwards.

Conditions: If another call is dropped during trunk dialing, the DN for this terminated call would move to seized state.

Workaround: Press ENDCALL softkey twice to move the seized DN to idle state after finishing the 2nd trunk call. To work around the one-way audio issue, the call needs to be transferred out and then transferred back. This workaround is not acceptable.

CSCek64595

Symptoms: Call is disconnected if it is hairpin transferred from a trunk DN.

Conditions: After a trunk DN call is hairpin transferred to another DN, the call is disconnected. This symptom occurs in Cisco IOS Release 12.4(11)T and Release 12.4(12.x)T.

Workaround: Use Cisco IOS Release 12.4(3)XC or later versions.

CSCek64899

Symptoms: In an HA environment, a Cisco 7200 router with a VSA acting as standby crashes after or during sync with the active router.

Conditions: This symptom has been observed when the transform set contains ah.

Workaround: Remove ah from the transform set and use only esp.

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM)

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


CSCse56907

Symptoms: The dhcp relay crashes at dhcpd_relay_info_is_add.

Conditions: This symptom has been observed with Cisco IOS interim Release 12.4(7.24)PI5d.

Workaround: There is no workaround.

CSCsf16536

Symptoms: A Cisco IOS router may experience an unexpected reload.

Conditions: This symptom occurs when the router has IPS (Intrusion Prevention Systems) configured, and one or more attack signatures has the denyFlowInline action enabled.

Workaround: The workaround is to not enable the denyFlowInline action for any IPS signatures.

CSCsf27796

Symptoms: A 1841 router may reload at retparticle with %SYS-2-BADSHARE errors.

Conditions: The router must be running crypto traffic using a dialer interface over a GSHDSL interface.

Workaround: There is no workaround.

CSCsg01949

Symptoms: Voice calls fail after a redundancy switch activity on a Cisco AS5850 platform.

Conditions: This symptom has been observed on a Cisco AS5850 platform which is in route processor redundancy plus (RPR+) mode.

Workaround: Reload the NAS.

CSCsg15598

The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These include:

Fragmented IP packets may be used to evade signature inspection.

IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash resulting in a denial of service.

There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml.

CSCsg15837

Symptoms: WCCP service redirection does not work.

Conditions: This symptom has been observed when WCCP redirection is configured on a router where the traffic being redirected enters an interface in a security zone.

Workaround: Remove the zone assignment from the request's ingress interface.

CSCsg15896

Symptoms: A Cisco AS5400XM gateway sees many DSM errors:

%DSM-3-INTERNAL: Internal Error : No DSM handle provided

along with a traceback.

Conditions: This symptom has been observed when using a Cisco AS5xxxXM gateway with the AS-5x-FC DSPs and an NFAS PRI and trying to configure (or unconfigure) input gain or output attenuation under the voice-port for the NFAS PRI with the latest Cisco IOS Release 12.4T.

Workaround: There is no workaround.

Further Problem Description: If using Cisco IOS Release 12.4(9)T1 or earlier, the condition causes an unexpected reload of the Cisco AS5xxxXM gateway with a bus error.

CSCsg16186

Symptoms: System may crash during bootup.

Conditions: This symptom has been observed when PA-MCX-8TE1+ is in the system and 256MB IO Memory is configured.

Workaround: You can reduce IO memory in the configuration.

Further Problem Description: You should see SCM Abort message in the crash info file.

CSCsg39167

Symptoms: The router crashes due to memory corruption with the following message: %SYS-3-OVERRUN: Block overrun at E73C97D0 (red zone 55555555).

Conditions: This symptom has been observed on a Cisco 1800 router running Cisco IOS Release 12.4T.

Workaround: There is no workaround.

CSCsg39961

Symptoms: A router may unexpectedly reload when trying to send a PKI request to a CA.

Conditions: The router must be configured with crypto PKI trustpoints.

Workaround: Because this is a 1-byte redzone overrun, the following will prevent the crashes and display error messages instead.

First, to prevent the usage of chunks, configure the no memory lite command. Second, configure the exception memory ignore overflow processor command to correct the redzone overrun.

CSCsg57002

Symptoms: The SIP Gateway will crash when handling calls involving DTMF relay.

Conditions: This symptom has been observed when sip-notify and sip-kpml are configured as DTMF relay mechanisms on both a Cisco IOS GW and CCM. When a call comes in from CCM onto the GW, because of a bug (CSCse72749), the GW negotiates the DTMF relay mechanism as sip-notify, whereas CCM negotiates the DTMF relay mechanism as sip-kpml.

Subsequently CCM sends a subscribe request for KPML. The GW accepts the kpml subscription and starts the respective kpml timers. When the call is terminated, the Cisco IOS GW cleans up the data structures without stopping the kpml timers since the negotiated dtmf relay on the Cisco IOS GW is sip-notify.

Workaround: Do one of the following workarounds to avoid the crash:

1. Migrate to a Cisco IOS version which has CSCse72749 fix integrated.

2. Enable either sip-notify or sip-kpml on the Cisco IOS GW. Do not enable both.

CSCsg57228

Symptoms: Router crashes loading the Cisco IOS signature package file.

Conditions: This symptom has been observed most prevalently in the Cisco 871 and Cisco 2600 platforms.

Workaround: There is no workaround.

CSCsg59037

Symptoms: Cisco 851 and 871 routers have no way to remotely upgrade the ROMMON firmware image.

Conditions: Cisco IOS versions for the Cisco 851 and 871 routers did not provide a mechanism to remotely upgrade the ROMMON firmware image.

Workaround: Cisco IOS version 12.4(11)T1 for the Cisco 851 and 871 router introduces the upgrade rom-monitor file command which allows the ROMMON firmware image to be remotely upgraded. Please consult this link for more information: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tcf_r/cf_13ht.htm#wp1032550

CSCsg61748

Symptoms: After heavy traffic (about 15 Mb/s) on a VTI interface with hardware encryption, the queue of the interface becomes stuck.

Conditions: This symptom has been observed when the Input/Output Queue Full Error counters in the output of the show crypto engine accelerator statistic command increase.

Workaround: Reload the router. Using software encryption is a possible workaround.

CSCsg75035

Symptoms: Looking at the ifIndex table from Cisco IOS shows that ifindex=6 points to the Async18 interface. Running the show snmp mib ifmib ifindex command returns the following output: (SORTED BY Ifindex)

GigabitEthernet0/0: Ifindex 	1
GigabitEthernet0/1: Ifindex 	2
Null0: Ifindex 	3
T1 0/0/0: Ifindex 	4
T1 0/0/1: Ifindex 	5
Async18: Ifindex 	6
Async0/1/0: Ifindex 	7
recEive and transMit 0/3/0: Ifindex 	8
recEive and transMit 0/3/1: Ifindex 	9
Foreign Exchange Office 1/0/0: Ifindex 	10
Foreign Exchange Office 1/0/1: Ifindex 	11
Foreign Exchange Office 1/0/2: Ifindex 	12
Foreign Exchange Office 1/0/3: Ifindex 	13
Foreign Exchange Office 1/1/0: Ifindex 	14
Foreign Exchange Office 1/1/1: Ifindex 	15
Foreign Exchange Office 1/1/2: Ifindex 	16
Foreign Exchange Office 1/1/3: Ifindex 	17
Foreign Exchange Office 2/0/0: Ifindex 	18
Foreign Exchange Office 2/0/1: Ifindex 	19
Foreign Exchange Office 2/0/2: Ifindex 	20
Foreign Exchange Office 2/0/3: Ifindex 	21
Foreign Exchange Office 2/1/0: Ifindex 	22
Foreign Exchange Office 2/1/1: Ifindex 	23
Foreign Exchange Office 2/1/2: Ifindex 	24
Foreign Exchange Office 2/1/3: Ifindex 	25
Serial0/0/0:0: Ifindex 	26
Loopback0: Ifindex 	27
GigabitEthernet0/0.20: Ifindex 	28
GigabitEthernet0/0.30: Ifindex 	29
GigabitEthernet0/0.40: Ifindex 	30
GigabitEthernet0/0.50: Ifindex 	31
GigabitEthernet0/0.51: Ifindex 	32
GigabitEthernet0/0.52: Ifindex 	33
GigabitEthernet0/0.70: Ifindex 	34
GigabitEthernet0/0.160: Ifindex 	35
GigabitEthernet0/0.1000: Ifindex 	36
Serial0/0/0:0.811: Ifindex 	37
grabbing just the Async interfaces:
r-sft-b.s05555.us#sh snmp mib ifmib ifindex | inc As
Async0/1/0: Ifindex = 7
Async18: Ifindex = 6
Confirming that Async18 is tied to Tty 0/1/0 (Async 0/1/0) port.
r-sft-b.s05555.us#sh line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
*    0    0 CTY              -    -      -    -    -     0      0    0/0    -
     1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0    -
 0/1/0   18 TTY 115200/115200- inout     -    -    -     0      0    0/0    -
   578  578 VTY              -    -      -    -    -     0      0    0/0    -
   579  579 VTY              -    -      -    -    -     0      0    0/0    -
   580  580 VTY              -    -      -    -    -     0      0    0/0    -
   581  581 VTY              -    -      -    -    -     0      0    0/0    -
   582  582 VTY              -    -      -    -    -     0      0    0/0    -
Line(s) not in async mode -or- with no hardware support:
2-17, 19-577

When running an SNMP walk on .1.3.6.1.2.1.2.2.1.2 (ifIndex), the Async interface is skipped:

<snip>
IF-MIB	1.3.6.1.2.1.2.2.1.2.5	ifDescr.5	T1 0/0/1
IF-MIB	1.3.6.1.2.1.2.2.1.2.7	ifDescr.7	Async0/1/0
<snip>

So the interface is indexed on the router but the snmpwalk/snmpget does not seem to return the value.

The test was running this with snmpv2 whereas the customer was running snmpv3. This test ran with and without the CME configuration and it makes no difference. Both do not return Async18 interface ifIndex 6.

Conditions: This symptom has been observed with a Cisco 3825 router running c3825-adventerprisek9-mz.124-4.XC5.bin image.

Workaround: There is no workaround.

CSCsh07199

Symptoms: With a Cisco C7200-VSA card present in a Cisco 7200, crypto sessions may not form for an extended period of time after a reboot. If the debug crypto isa command is enabled, the following message appears in the logs until the Cisco C7200-VSA card has completed its boot process: "ISAKMP (0): Unable to generate DH phase I values!"

Conditions: This symptom has been observed when the router has a large number of IPSEC tunnels configured. The symptom is that the crypto card does not complete its boot process for an extended period of time. The router logs will contain the message "VSA OIR DONE" when the crypto card has finished booting.

Workaround: Shut the router's interfaces and allow the crypto card to finish booting before enabling the interfaces.

CSCsh11868

Symptoms: In a dial backup scenario with backup EzVPN over an async or dialer interface, EzVPN fails to kick off the async or dialer interface. Hence, dial backup EzVPN cannot be brought up.

The initial IKE request packet itself is dropped with the following error:

*Oct  5 07:39:22.187: EZVPN(backup): New State: READY
*Oct  5 07:39:22.187: EZVPN(backup): Current State: READY
*Oct  5 07:39:22.187: EZVPN(backup): Event: CONNECT
*Oct  5 07:39:22.187: EZVPN(backup): No state change
*Oct  5 07:39:22.187: ISAKMP:(0):receive null address from sa_req (local 0.0.0.0, remote 10.175.161.41)
*Oct  5 07:39:22.191: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct  5 07:39:22.191: ISAKMP: Error while processing KMI message 0, error 2.
*Oct  5 07:40:03.551: ISAKMP:(2018):purging SA., sa=841CC6D0, delme=841CC6D0

Conditions: This symptom has been observed in a dial backup scenario with backup ezvpn over an async or dialer interface.

Workaround: There is no workaround.

CSCsh13746

Symptoms: Packets are dropped if the tunnel route-via interface command is configured on the tunnel interface.

Conditions: This symptom has been observed with the tunnel protection command and tunnel route-via command configured on the tunnel interface.

Workaround: There is no workaround.

CSCsh31605

Symptoms: In a dial backup scenario with backup EzVPN over an async or dialer interface, EzVPN intermittently fails to kick off the async or dialer interface. Hence, dial backup EzVPN cannot always be brought up; it works intermittently.

In the failure cases, the IKE request packet is dropped with the following error:

*Oct  5 07:39:22.187: EZVPN(backup): New State: READY
*Oct  5 07:39:22.187: EZVPN(backup): Current State: READY
*Oct  5 07:39:22.187: EZVPN(backup): Event: CONNECT
*Oct  5 07:39:22.187: EZVPN(backup): No state change
*Oct  5 07:39:22.187: ISAKMP:(0):receive null address from sa_req (local 0.0.0.0, remote 10.175.161.41)
*Oct  5 07:39:22.191: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct  5 07:39:22.191: ISAKMP: Error while processing KMI message 0, error 2.
*Oct  5 07:40:03.551: ISAKMP:(2018):purging SA., sa=841CC6D0, delme=841CC6D0

Conditions: This symptom has been observed in a dial backup scenario with backup EzVPN over an async or dialer interface.

Workaround: There is no workaround.

CSCsh37414

Symptoms: EzVPN leaks some memory with the fix of CSCsg94570. It can take quite some time for the router to run out of memory and cause a reload.

Conditions: This symptom has been observed when

Workaround: There is no workaround.

Wide-Area Networking

CSCek46645

Symptoms: FR-ATM interworking cannot be configured using the connect command.

Conditions: This symptom has been observed when an attempt is made to configure FR-ATM interworking using the connect command.

Workaround: There is no workaround.

CSCsf28443

Symptoms: L2TP tunnels may not come up. When this occurs, the following traceback is seen:

Conditions: This symptom has been observed when the l2tp tunnel timeout no-session never command is set in the vpdn-group configuration.

Workaround: Configure the l2tp tunnel timeout no-session value to other than never.

CSCsg25693

Symptoms: Layer 2 of BRI interfaces does not come up, and it stays in the "NOT Activated" state.

Conditions: This symptom has been observed with Cisco IOS Release 12.4(11.1)T.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(11)T

This section describes possibly unexpected behavior by Cisco IOS Release 12.4(11)T. All the caveats listed in this section are resolved in Cisco IOS Release 12.4(11)T. This section describes severity 1 and 2 caveats and select severity 3 caveats.

Basic System Services

CSCek50783

Symptoms: "Enqueue to process level" message seen in logs.

Conditions: This symptom has been observed on Cisco IOS Release 12.4T as well as Release 12.4(4)XD2. No debugs are enabled.

Workaround: There is no workaround.

CSCek56370

Symptoms: In Cisco IOS Release 12.4(10.5)PI5 release testing for AAA RADIUS Server Load Balancing Feature, the CLI "load-balance method least-outstanding" is not getting accepted in server group config. The same CLI is accepted in Cisco IOS Release 12.4(10.1)PI5 release.

Conditions: This symptom has been observed in Cisco IOS Release 12.4(10.5)PI5 release testing.

Workaround: There is no workaround.

CSCek60353

*7200/7301: Need to include boot/kboot images.

CSCin99755

Symptoms: A Cisco router running PDSN software sends an incorrect value for Acct-Session-Time in Accounting Stop messages. This may lead to overcharging.

Conditions: The overcharging happens when Acct-Session-Time is used for charging the user. Also, this happens only if any interim accounting start-stop messages (caused by a change in airlink parameters or a handoff) are sent for the session.

Workaround: G8 can be used for charging.

Further Problem Description: When Acct-Session-Time is used for charging, PDSN does not reset the value after sending the interim accounting stop messages, so it leads to overcharging.

CSCsd90875

Symptoms: A Cisco 3745 router will crash with the ipsla_rtp_cfg test after starting an ip sla schedule with Cisco IOS Release 12.4(7.18)T.

Conditions: The router will crash after issuing the below configuration:

conf t
controller T1 1/0
ds0-group 0 timeslots 1 type none
ds0-group 1 timeslots 2 type none
ds0-group 2 timeslots 3 type none
ip sla 1
voip rtp 10.10.10.1 source-voice 1/0:1 codec g711u
timeout 10000
exit
ip sla sch 1 star now life 300

Workaround: There is no workaround.

CSCse90580

Symptoms: A Cisco router may crash due to a bus error while removing the ip flow egress command from an interface.

Conditions: The router must have the ip flow egress command previously configured on the interface.

Workaround: There is no workaround.

CSCsf32390

Symptoms: When tuning particle clone, F/S, and header pools after these were made configurable via CSCuk47328, the commands may be lost on a reload.

Conditions: If the device is reloaded the commands are not parsed on a reload and this results in the defaults being active. This may result in traffic loss if the increased buffers were needed to enable greater forwarding performance for the specific network design.

Workaround: Configure an applet to enter the buffer values again after a reload. A sample applet would be:

event manager applet add-buffer 
 event syslog occurs 1 pattern ".*%SYS-5-RESTART: System restarted --.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "buffers particle-clone 16384"
 action 4.0 cli command "buffers header 4096"
 action 5.0 cli command "buffers fastswitching 8192"
 action 6.0 syslog msg "Reinstated buffers command"

CSCsg03830

Symptoms: The tacacs-server directed-request command appears in the running configuration when it should be disabled. When you disable the command by entering no tacacs-server directed-request and reload the router, the command appears to be enabled once more.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that integrates the fix for CSCsa45148, which disables the tacacs-server directed-request command by default.

A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsa45148. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Temporary Workaround: Each time after you have reloaded the router, disable the command by entering no tacacs-server directed-request.

EXEC and Configuration Parser

CSCse77357

Symptoms: A router may reject the creation of virtual Token Ring interface with any interface number from 0 to 9 and allow only the creation of virtual Token Ring interface with an interface number that is equal to or greater than 10.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(9.16) or a later release or Release 12.4(9.15)T or a later release.

Workaround: Manually configure the virtual Token Ring interface with an interface number that is equal to or greater than 10.

IP Routing Protocols

CSCek42700

Symptoms: A network and host-based configuration download over serial HDLC with an IP address obtained via SLARP fails.

Conditions: This symptom has been observed with a router that has no startup configuration (after using the write erase command) but is staged for autoinstall over a serial link. An IP address is obtained, but the download fails with the following error message:

%Error opening tftp://255.255.255.255/network-confg (Socket error)
%Error opening tftp://255.255.255.255/cisconet.cfg (Socket error)

Without this feature, router deployment with automatic configuration download at remote sites over serial interface is not possible.

Workaround: Use another method of autoinstall if possible, or pre-configure the router before deployment.

CSCek47475

Symptoms: A BGP IPv4 session cannot come up.

Conditions: This symptom has been observed on Cisco IOS interim Release 12.4(9.15)T only.

Workaround: There is no workaround.

CSCek61342

Symptoms: If the signalling traffic happens in a different router and the RTP traffic passed through the NAT router, the port for the RTP traffic is not assigned from the configured port range.

Conditions: This symptom has been observed when the signalling traffic is not traversing the NAT router.

Workaround: There is no workaround.

CSCse68877

Symptoms: A label mismatch may occur between the CEF table and the BGP table, and a new label may not be installed into the CEF table.

Conditions: This symptom is observed after a BGP flap has occurred on a Cisco router that is configured for MPLS VPN but that does not function in an inter-autonomous system and that does not have multiple VRFs.

Workaround: There is no workaround. After the symptom has occurred, enter the clear ip route command for the affected VRF.

CSCse98590

Symptoms: The router will display SYS-2-MALLOCFAIL messages on the console, and various protocols will operate erratically as a result of a low memory condition.

Conditions: When a router has to duplicate incoming IPv4 multicast packets for transmission on multiple interfaces, and one of those interfaces is a GRE tunnel operating in GRE IPv6 mode, then memory used to duplicate that packet stream will not be freed. As a result, the router will soon exhaust all available memory.

Workaround: The router will not exhaust memory if packets do not need to be duplicated (for example, if they enter on one interface and only exit the box through another interface), or if they do not need to duplicate to a tunnel interface that is running GRE over IPv6 (for example, tunnel mode GRE IPv4 does not have this problem).

CSCsf11052

Symptoms: Error messages are seen such as the following example:

%NHRP-3-PAKREPLY: Receive Resolution Reply packet with error - insufficient resources(5)

In addition, data packets that should be taking a direct spoke-spoke tunnel are taking the spoke-hub-spoke path.

Conditions: This symptom has been observed in a DMVPN Phase 3 Network when building or refreshing a spoke-spoke tunnel.

Workaround: See the Further Problem Description for how to manually see and clear the problem. The fix for CSCsd74859 "DMVPN Phase 3: Network NHRP mappings are not refreshed when being used" will help reduce the occurrence.

Further Problem Description: Use the show ip nhrp command to look for NHRP mapping entries that are covered by an NHRP network mapping entry in the table.

Example:

Network mapping:

192.168.13.0/24 via 10.0.0.13, Tunnel0 created 00:02:51, expire 00:07:08
  Type: dynamic, Flags: router nat
  NBMA address: 172.16.3.1

Incomplete mapping covered by above network mapping

192.168.13.70/32, Tunnel0 created 00:02:51, expire 00:00:13
  Type: incomplete, Flags: negative
  Cache hits: 61
192.168.13.72/32, Tunnel0 created 00:02:51, expire 00:00:13
  Type: incomplete, Flags: negative
  Cache hits: 16
Output like this example indicates that the symptom is present. Clearing the incomplete mappings clears the symptom, but it can easily come back.

Example:

clear ip nhrp 192.168.13.70

CSCsf11980

Symptoms: On Cisco IOS interim Release 12.4(9.16)T when running a DMVPN configuration with dual hub routers and with OSPF as the IGP, the router may experience a crash as NHRP attempts to send a NHRP resolution request.

Conditions: This symptom has been observed on routers with Cisco IOS interim Release 12.4(9.16)T when running a DMVPN configuration with dual hub routers and with OSPF as the IGP.

Workaround: There is no workaround.

CSCsg22426

Symptoms: A router running Cisco IOS may unexpectedly reload. The crashes can be very different in nature, but the crashinfo should show the IP Input process as the currently running process:

---- Partial decode of process block ----
Pid 84: Process "IP Input" stack 0x46C3C080 savedsp 0x46758540

Conditions: This is seen when the router is configured for NAT and receives a fragmented skinny packet that it needs to reassemble and translate.

Workaround: Prevent the router from receiving a fragmented skinny packet by ensuring the path MTU between the call manager server and the router is large enough. Usually skinny packets aren't larger than 800 bytes.

Miscellaneous

CSCei39688

Symptoms: When a CEF initialization failure occurs, an ATM PVC that is configured for OAM may not pass traffic even though the PVC link status is up:

Router#show ip interface brief | include ATM
ATM3/0/0                   unassigned      YES manual up      up
ATM3/0/0.100               unassigned      YES unset  up      up
ATM3/0/0.300               10.1.1.1        YES manual up      up
ATM3/0/0.999               unassigned      YES unset  up      up
Router#show cef interface brief | include ATM
ATM3/0/0                        unassigned      up      dCEF
ATM3/0/0.100                    unassigned      down    dCEF
ATM3/0/0.300                    10.1.1.1        down    dCEF
ATM3/0/0.999                    unassigned      down    dCEF
Router#show ip cef | include 10.1.1.
10.1.1.0/30     attached             ATM3/0/0.300

When CEF fails to initialize the ATM PVC, atm3/0/0.300, no /32 receive entries are created. Traffic that is destined for the IP address of the subinterface is dropped.

Conditions: This symptom is observed on a Cisco router and occurs only when OAM is configured on the PVC.

Workaround: To prevent the symptom from occurring, do not configure OAM on the PVC. When the symptom has occurred, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected ATM subinterface. After the workaround has been applied, the output of the show ip cef command shows the following:

Router#show ip cef | include 10.1.1.
10.1.1.0/30     attached             ATM3/0/0.300
10.1.1.0/32     receive
10.1.1.1/32     receive
10.1.1.3/32     receive

CSCej87060

Symptoms: GDOI operation with AES encryption is not operational. In some cases, using GDOI with AES as the encryption transform causes the router to crash.

Conditions: This symptom has been observed when AES is configured to be used in the transform-set applied to the crypto gdoi map (via the profile keyword).

Workaround: Use 3DES in the transform set.

Further Problem Description: A crash only occurs with HSP encryption engines.

CSCek45222

Symptoms: No QoS service policy can be applied to vlan interface.

Conditions: This symptom has been observed when the service-policy command was blocked for all VLAN interfaces under all conditions.

Workaround: There is no workaround.

CSCek47681

Symptoms: Under heavy stress, a few TDM backplane timeslots (3 or 4) are lost after 12 hours.

Conditions: This symptom has been observed with SS7 with more than 50 calls per second.

Workaround: There is no workaround.

CSCek48151

When Forced target is used for Active probing then probing may not occur in certain conditions.

Example: Prefix: 10.1.1.0/24 Forced Target: 10.2.2.2

Routes on BR: No route for 10.2.2.0/24 Route for 10.1.1.0/24 exists

CSCek48162

Symptoms: Under heavy stress, a few TDM assertion failures are seen.

Conditions: This symptom has been observed with SS7 with more than 50 calls per second.

Workaround: There is no workaround.

CSCek49023

Passive monitoring of applications that use DSCP as part of the application definition is broken because of a missing conversion from DSCP to ToS.

This fix is required for the feature to work.

CSCek50172

Symptoms: An EEM policy with event interface can not be registered and traceback appears.

Conditions: This symptom has been observed when configuring the EEM policy with event interface, and specifying a poll-interval larger than 2097151.

Workaround: When configuring the EEM policy with event interface, specify a poll-interval value less than 2097151.

CSCek50471

With a certain combination of debugs enabled, the packet contents are being displayed. This isn't prudent with GDOI, since there is sensitive information being displayed.

CSCek53796

Symptoms: The router reloads when it is running as a dVTI server in an IPSEC VPN and processes 2000 IPSEC tunnels at the same time.

Conditions: The router is running as an IPSEC dVTI server and handles 2000 tunnel setup requests at the same time.

Workaround: There is no workaround.

CSCek55001

Symptoms: Router crashes.

Conditions: This symptom has been observed only when 40 sub directories are created and only when dir /recursive is issued. Normal dir works fine.

Workaround: Use 'show disk' instead of dir /recursive if more than 40 sub-directories are created.

CSCek55357

Symptoms: Permanent TCP redirection is not installed on the SSG for a user whose browser is configured with a web proxy when the user is authenticated.

Conditions: This symptom has been observed on a PWLAN platform with SSG and SESM, for a user with a proxy configured in the browser.

After the user gets authenticated, the permanent TCP redirection is not installed on the SSG; the user can browse the internet but can no longer access the SESM web page to disconnect.

Workaround: There is no workaround.

CSCek55468

Symptoms: A VPN_HW-1-PACKET_ERROR: Packet encryption/Decryption error message is seen.

Conditions: Enable the hardware VPN module and connect a session using a browser.

Workaround: Enable software VPN Module.

CSCek56006

Symptoms: CPU utilization keeps increasing, reaches 100%, and stays there after configuring turbo ACL with the access-list compiled command. In turn, the router becomes too slow to respond to keystrokes.

Condition: This symptom has been observed with both NPEG2 and NPEG1 processors on 7200 for 12.4(10.05)PI05 image version.

Workaround: There is no workaround.

CSCek56479

Symptoms: The built-in category file does not reflect the latest format of the sensor category file.

Workaround: There is no workaround.

CSCek56991

Symptoms: A Cisco 7200 series may send a corrupted packet via a 2-port T3 serial, enhanced port adapter (PA-2T3+). The rate of corrupted packets is very low.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.2SB, Release 12.4T, or Release 12.4(4)XD3 and occurs when the router functions under high stress conditions such as a high CPU load and an oversubscribed interface of the PA-2T3+.

Workaround: Avoid a high CPU load and oversubscription of the interface of the PA-2T3+.

CSCek57111

Symptoms: Pings fail through EzVPN tunnel number 4097 and above.

Conditions: This symptom has been observed when establishing more than 4096 EzVPN tunnels. Only tunnels 1 through 4096 can pass traffic.

Workaround: There is no workaround.

CSCek58232

Symptoms: The router crashes at retrieve_qos_feature_object.

Conditions: This symptom is observed on a Cisco 7206VXR (NSE-1) processor that is running Cisco IOS Release 12.4(11.1)T release.

Workaround: There is no workaround.

CSCsb13010

Symptoms: NAT configurations do not go through due to insufficient memory.

Conditions: This symptom has been observed on a Cisco 831 router running Cisco IOS Interim Release 12.4(1.2)PI1a and also Interim Release 12.4(2.2)T.

Workaround: There is no workaround.

CSCsc98907

Symptoms: A Cisco 1801 router might crash with a watchdog timeout after displaying some %SYS-3-CPUHOG messages pointing to the ILPM process.

Workaround: There is no workaround other than not using inline-power.

CSCsd80754

Symptoms: The active router in an HSRP configuration may not respond to an ARP request for the virtual IP address. When the symptom occurs, both routers in the HSRP configuration have correct HSRP and ARP entries. Entering the clear arp command on the standby router in the HSRP configuration does not resolve the problem.

Conditions: This symptom is observed when the same HSRP virtual IP address exists in different HSRP groups on different routers.

Workaround: Enter the no standby redirects command to prevent the symptom from occurring.

CSCsd81183

Symptoms: Mallocfail error messages and tracebacks are seen on the Cisco 1802W router due to normal particle pool memory leaks.

Conditions: This symptom has been seen on a Cisco 1802W router that is running Cisco IOS Release 12.4(6)T with the command "qos pre-classify" enabled under the virtual tunnel interface.

Workaround: Disable the HW encryption, or disable "qos pre-classify".

CSCsd81407

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsd92405

A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd95545

Symptoms: A long unconfiguration time is seen for very large QoS configurations (in excess of 40k policy maps).

Conditions: This symptom has been observed on Cisco IOS Release 12.2SB and Release 12.4T.

Workaround: There is no workaround.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse05642

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCse20936

The originating router (a Cisco 5400 gateway) through Traceback at AFW_Instance_DecrRefCount

CSCse40276

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCse41694

Symptoms: Deleting a Multilink interface may cause the system to reload.

Conditions: This symptom is observed when a service policy configured for IP Header Compression is applied to a Multilink interface and that interface is subsequently shut down and deleted. The problem is restricted to a Cisco 12000 series router running Cisco IOS Release 12.0(32)SYA.

Workaround: Remove the service policy before deleting the interface.

CSCse42915

Symptoms: A Cisco 180x router crashes at BD_RingClear while the no pvc VCdescr pvc number command is configured on an ATM interface.

Conditions: This symptom has been observed when configuring the no pvc VCdescr pvc number command on an ATM interface.

Workaround: There is no workaround.

CSCse43066

Symptoms: A Cisco Multiservice IP-to-IP Gateway (IPIPGW) may crash while functioning under stress.

Conditions: This symptom is observed on a Cisco IPIPGW that runs Cisco IOS interim Release 12.4(9.4) or interim Release 12.4(9.9)T.

Workaround: Configure slow start:

voice service voip
 h323
  call start slow

Note that the symptom does not occur in releases earlier than Cisco IOS interim Release 12.4(9.4) or interim Release 12.7(7.24)T.

CSCse56800

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the Cisco IOS device.

Cisco has released free software updates that address these vulnerabilities. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities addressed in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself, if administrators do not require the Cisco IOS device to provide voice over IP services.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml.

CSCse58234

Symptoms: A router crashes because of a bad chunk reference count.

Conditions: This symptom has been observed on Cisco 7200 routers running Cisco IOS Release 12.4(6)T2 configured for H.323 voice services.

Workaround: There is no workaround.

CSCse61869

Symptoms: 'ASSERTION FAILED' messages are observed when sending upstream IPsec traffic through an ADSL ATM interface:

Jun 25 00:12:48.123: ASSERTION FAILED: file "../les/if_ng_dslsar_atm.c", line 666
Jun 25 00:12:48.131: ASSERTION FAILED: file "../les/if_ng_dslsar_atm.c", line 666
Jun 25 00:12:48.131: ASSERTION FAILED: file "../les/if_ng_dslsar_tx.c", line 2927
Jun 25 00:12:48.147: ASSERTION FAILED: file "../les/if_ng_dslsar_atm.c", line 666
Jun 25 00:12:48.147: ASSERTION FAILED: file "../les/if_ng_dslsar_tx.c", line 2927
Jun 25 00:12:48.155: ASSERTION FAILED: file "../les/if_ng_dslsar_atm.c", line 666
Jun 25 00:12:48.155: ASSERTION FAILED: file "../les/if_ng_dslsar_tx.c", line 2927

After 'ASSERTION FAILED' is observed, traffic cannot be passed through the ATM interface. The UUT needs to be rebooted to return to normal operation.

Conditions: The 'ASSERTION FAILED' messages are observed when sending unidirectional upstream IPsec traffic with the following profile:

Length: 64 byte

Rate: 1488 pps

Workaround: There is no workaround.

CSCse64462

Symptoms: A Cisco Systems 7200 series router may encounter a block overrun with Redzone corruption, and subsequently crash if Turbo ACL is configured and the following command is entered:

clear eou all

Error messages similar to the following will be output, with associated tracebacks:

%SYS-3-OVERRUN: Block overrun at <address> (red zone <value>) 
%SYS-6-BLKINFO: Corrupted redzone blk <address>

Conditions: This symptom is observed on a Cisco 7200 series router running Cisco IOS Release 12.4 that is configured for Turbo ACL and when the following command is entered:

clear eou all

Workaround: Disable Turbo ACL by entering the following command:

no access-list compiled

CSCse68138

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCse68355

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCse69102

Symptoms: Spurious memory access is made at ike_profile_remove.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(6)T3 when there is at least one IKE or IPsec SA and the profile is removed using the CLI with debug crypto isakmp turned on.

Workaround: Turn off crypto isakmp debugs or clear all the crypto sessions and then remove the isakmp profile.

CSCse69335

Symptoms: Media Gateway Control Protocol (MGCP) FXS/FXO ports and Cisco IOS T1 CAS reset during a hookflash transfer with CCM as the call agent.

Conditions: This condition is seen when two consecutive RQNT messages with the S: rel event are received at the Cisco IOS gateway. In this condition, the second RQNT message is not acknowledged by the Cisco IOS gateway. This results in a reset of all MGCP endpoints on the Cisco IOS gateway.

Workaround: There is no workaround.

CSCse69702

Symptoms: The router crashes while telephony service is being unconfigured.

Conditions: This crash occurs only with this image and on one particular router.

Workaround: There is no workaround.

Further Problem Description: The router crashes because it is trying to TFTP download files to ephone-10 at the time telephony-service is unconfigured.

The router is searching for the file named SEP003094C30FF9.cnf.xml right before we hit the exception.

CSCse70541

Symptoms: DMVPN debugs are displayed even if they are not turned on explicitly.

Conditions: When a user enters the debug dmvpn all crypto ? command, DMVPN debugs are enabled.

Workaround: Issue the undebug all command to turn off the debugs.

CSCse72862

Symptoms: A software-forced reload occurs when a policy is configured on and then removed from an interface.

Conditions: The symptom has been observed on a Cisco 7200 router.

Workaround: There is no workaround.

CSCse75014

CME/SRST is not able to make calls to Unity VM. The VM port DN does not return to the "Idle" state after Unity is restarted.

CSCse75492

Symptoms: The router may crash as a result of the fix for a memory leak in "SSS Manager."

Conditions: This issue may occur on an LAC router.

Workaround: There is no workaround.

CSCse80519

Symptoms: The router may reload when it receives XML.

Conditions: Cisco IOS had been configured to receive XML.

A line similar to <lica:request xmlns:lica="http://www.website.com/LA"> is in the XML.

That is, an XML namespace is being declared.

Workaround: There is no workaround.

CSCse83674

Symptoms: Analog FXS port on a Cisco 2800/3800 ISR does not go back to idle if it has been offhook for more than a minute at the end of a call.

Conditions: A and B are two FXS ports on the same router connected to analog phones. A calls B. B answers the call. Once the conversation is done, A hangs up. B does not go onhook. After 60 seconds, B starts hearing the offhook alert (howler) tone. Putting B onhook now has no effect. B continues to play the offhook alert until the router is reloaded.

Workaround: There is no workaround.

CSCse88031

Symptoms: A user may be unable to add an uplink interface to an "ssg direction uplink member" group.

Conditions: This symptom has been observed on a Cisco 2821 with two VWIC2-2MFT-T1/E1 cards running c2800nm-advipservicesk9-mz.124-9.T.

The issue seems to happen during an initial configuration of SSG global commands and may be triggered when the global ssg bind service commands are configured before the interface ssg direction uplink member commands.

Workaround: There are two possible workarounds:

1. Configure the ssg direction uplink member interface commands before the global ssg bind service commands.

2. Enter the default interface ser0/1/1:0 command followed by a router reload, which then allows the ssg direction uplink member command to be configured on the new serial interface.

CSCse96324

Symptoms: When an entry is deleted from the IPv6 RIB, the route count as shown by the "show ipv6 route" command is accidentally incremented rather than decremented as it should be. The contents of the RIB are correct. It is just the reported number of entries that is incorrect.

Workaround: There is no workaround.

CSCse97672

Symptoms: The router runs out of memory when traffic is running and a CCE-related QoS policy is configured.

Conditions: Normal traffic flow with QoS enabled.

Workaround: There is no workaround.

CSCse98336

Symptoms: OSPF IPv6 neighbors are not seen when crypto is enabled on the routers.

Conditions: This symptom is observed with OSPFv3 enabled and MD5 authentication configured on the interfaces.

Workaround: There is no workaround.

CSCse98574

Symptoms: An L2TP session cannot be established because the router is unable to process the certificate.

Conditions: This symptom has been observed in Cisco IOS interim Release 12.4(10.1)T.

Workaround: There is no workaround.

CSCsf00613

Symptoms: The router crashes when MLPoFR is unconfigured and reconfigured.

Conditions: This symptom has been observed on a Cisco 7200 router loaded with the 12.4(PC_XDT.060731)/12.4(4)XD4 image.

Workaround: There is no workaround.

CSCsf03566

Symptoms: Software-forced crash (SFC) occurs due to memory corruption.

Conditions: This symptom has been observed on a Cisco 7600 router running Cisco IOS Release 12.2(18)SXF5. This happens if the router is acting as an EzVPN server and xauth is enabled when the crypto session is brought down.

Workaround: There is no workaround.

CSCsf04754

Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document.

The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has been assigned to these vulnerabilities.

This advisory will be posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml.

CSCsf05693

Symptoms: A router may unexpectedly reload after reporting "Unexpected timer" errors similar to:

Aug 6 17:29:16.908 GMT: %SIP-3-BADPAIR: Unexpected timer 19 
(SIP_TIMER_NOTIFY_RECEIVE_DIGIT) in state 10 (STATE_DEAD) substate 0 (SUBSTATE_NONE)

Conditions: The router must be configured for SIP.

Workaround: There is no workaround.

CSCsf07232

Symptoms: TCL standard I/O operations (such as puts) may not display text on the current terminal line (i.e. the terminal line under which the TCL code is running). Sometimes text is displayed on the first connected terminal line (e.g. vty0), and sometimes the text is not displayed anywhere. Both stdout and stderr streams are affected.

Conditions: This symptom has been observed when more than one user is logged into a device. If the tclsh is always run on vty0 when no other users are logged in, the text will be displayed correctly.

Workaround: There is no workaround other than making sure only one user is connected to the device when tclsh scripts are run.

CSCsf07783

Symptoms: "No more IPHC-Ids" Trace back observed while doing PXF micro-code reloads. In addition, some interfaces did not get IPHC enabled on them, while others used up more than their fair share of IPHC-Ids.

Conditions: This symptom has been observed with a large configuration with over 150 interfaces enabled with IPHC and doing a "micro reload pxf".

Workaround: Reload the card.

CSCsf09266

Symptoms: EasyVPN negotiation fails when using EasyVPN with VTI. A %CRYPTO-6-IKMP_MODE_FAILURE message is printed to the console.

Conditions: This symptom has been observed when using EasyVPN with VTI.

Workaround: Remove VTI from the EzVPN configuration.

CSCsf17835

Symptoms: When a crypto map is applied on a dialer interface that is bound to a built-in modem on a Cisco 1800 platform, and traffic is originated over the VPN from the far side to one of the 1800's interface IP addresses that is part of the crypto ACL, the return packets originating from the 1800 have the IP header checksum byte-swapped. The receiving router or device generally decrypts the outer IPsec header and drops the inner IP packet because of the bad IP header checksum.

This behavior is only seen when running 12.4(6)T or later versions of code. This only affects traffic to the router's interfaces over the VPN, and does not affect traffic going through the router.

Conditions:

1) built-in modem used on the 1800

2) crypto map is applied on a dialer interface bound to built-in modem

3) Traffic is originated from the far side of the vpn to the 1800's interface ip.

Example: Ping to an inside interface of the 1800 that is part of the crypto ACL.

Workaround: There are two possible workarounds:

1. Disable the h/w crypto engine: no crypto engine onboard 0.

2. Downgrade to 12.4(4)T.

Further Problem Description:

Example:

192.168.1.1--router----vpn----built-in-modem--1811---10.1.1.1 

If a ping is sent from 192.168.1.1 to 10.1.1.1, the return packet (10.1.1.1 to 192.168.1.1) has the IP/ICMP header checksum byte-swapped. If the header checksum is FA BC, the router incorrectly byte-swaps it to BC FA.

This can be verified on an IOS router using "show ip traffic" on the left router. Here is a sample snip of "show ip traffic":

r2800-3#sh ip traffic
IP statistics:
  Rcvd:  1184114 total, 1076147 local destination
         0 format errors, 48 checksum errors, 0 bad hop count
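The byte-swapped checksum described in this caveat can be recognized on the receiving side by recomputing the IPv4 header checksum and comparing it with the one carried in the header. The following Python is an added example and is not code from the release notes or from Cisco: it builds a constructed 20-byte IPv4/ICMP header between the two addresses used in the diagram above (ICMP, TTL 64, ID 0x1234 and total length 84 are assumed sample values), classifies the checksum field as correct, byte-swapped, or otherwise corrupt, and extracts the "checksum errors" counter from the "show ip traffic" snippet quoted in this caveat.

```python
"""Recognize a byte-swapped IPv4 header checksum (the CSCsf17835 symptom).

Added example, not part of the Cisco release notes. The header fields it
builds are constructed sample values; the "show ip traffic" text it parses
is the snippet quoted in the caveat.
"""
import re
import struct


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header.

    The checksum field (bytes 10-11) is treated as zero, so the result is
    the value the sender should have written into that field.
    """
    if len(header) < 20 or len(header) % 2:
        raise ValueError("IPv4 header must be at least 20 bytes and even length")
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    total = 0
    for (word,) in struct.iter_unpack("!H", zeroed):
        total += word
    # Fold the carry bits back into the low 16 bits.
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def byte_swap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (FA BC -> BC FA)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_checksum(header: bytes) -> str:
    """Return 'ok', 'byte-swapped' or 'bad' for the checksum in the header.

    'byte-swapped' is exactly the corruption the caveat describes: the
    value is correct but its two bytes are in the wrong order.
    """
    received = struct.unpack("!H", header[10:12])[0]
    expected = ipv4_header_checksum(header)
    if received == expected:
        return "ok"
    if received == byte_swap16(expected):
        return "byte-swapped"
    return "bad"


def build_header(src: str, dst: str, checksum=None) -> bytes:
    """Build a minimal 20-byte IPv4 header carrying ICMP (constructed data).

    If checksum is None the correct value is filled in; pass an explicit
    value to simulate a corrupted header.
    """
    def ip(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))

    # version/IHL=0x45, TOS=0, total length=84 (echo with 56-byte payload),
    # ID=0x1234, flags/fragment=0, TTL=64, protocol=1 (ICMP), checksum=0
    head = struct.pack("!BBHHHBBH", 0x45, 0, 84, 0x1234, 0, 64, 1, 0)
    head += ip(src) + ip(dst)
    if checksum is None:
        checksum = ipv4_header_checksum(head)
    return head[:10] + struct.pack("!H", checksum) + head[12:]


# The "show ip traffic" lines quoted in the caveat (not constructed).
SAMPLE_SHOW_IP_TRAFFIC = """\
r2800-3#sh ip traffic
IP statistics:
  Rcvd:  1184114 total, 1076147 local destination
         0 format errors, 48 checksum errors, 0 bad hop count
"""


def checksum_error_count(show_output: str) -> int:
    """Pull the 'checksum errors' counter out of show ip traffic output."""
    match = re.search(r"(\d+) checksum errors", show_output)
    if not match:
        raise ValueError("no 'checksum errors' counter found")
    return int(match.group(1))


if __name__ == "__main__":
    good = build_header("10.1.1.1", "192.168.1.1")
    correct = ipv4_header_checksum(good)
    swapped = build_header("10.1.1.1", "192.168.1.1", byte_swap16(correct))
    print("correct header:", classify_checksum(good))
    print("swapped header:", classify_checksum(swapped))
    print("checksum errors on left router:", checksum_error_count(SAMPLE_SHOW_IP_TRAFFIC))
```

A rising "checksum errors" counter on the receiving router, combined with captured headers that classify as byte-swapped rather than merely bad, distinguishes this defect from ordinary link corruption.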

CSCsf19418

Symptoms: Entering the Command Line Interface command show mpls ldp graceful-restart may lead to a router restart.

Conditions: The router restarts if the command output includes a Down Neighbor Database entry that expires by reaching the reconnect timeout limit while the output is printing the neighbor address list. The router also restarts when the paged Command Line Interface output is continued past the "--More--" prompt while addresses are being displayed.

Workaround: Avoid entering show mpls ldp graceful-restart when a graceful-restart database entry is about to expire. If the console output is paged at a "--More--" prompt within the address list, and the Down Neighbor Database entry may have expired, type the letter "Q" to abort any further output of addresses.

CSCsf20355

Symptoms: A hub VPN router running 4k tunnels may crash under stressed re-key and high-traffic conditions.

Conditions: A high number of tunnels (>= 4k), re-keying after hours, a high traffic rate, high CPU usage (close to 100%), and the router temporarily running out of memory.

Workaround: There is no workaround.

Further Problem Description: When the process cannot allocate more memory, the cleanup operation causes the crash.

CSCsf27943

Symptoms: This symptom is seen for TCP sessions. If an application that uses TCP is run and time-based replay is enabled, traffic fails to be decrypted.

Workaround: There is no workaround.

CSCsf31178

Symptoms: HWIC-1GE-SFP may experience an issue where the Gig Ethernet interface is "stuck" in a Line UP/Protocol Down state. While in this state, the interface will not pass traffic. Clearing the interface or manually disabling/enabling will clear the condition. This symptom does not occur when 1000BASE-T SFP is used.

Conditions: A Loss of Signal (for example, unplugging the cable) may cause the interface to become stuck in a Line UP/Protocol Down state.

Workaround: Clearing the interface or manually shutting it down, then bringing it back up will clear the problem.

CSCsf33017

Symptoms: During an IPS signature build, there are error messages such as the following, indicating that the alert-severity for the signature has been corrupted.

%IPS-6-ENGINE_BUILDING: string-tcp - 777 signatures - 3 of 11 engines
%IPS-7-UNSUPPORTED_PARAM: master params 5729: alert-severity=
firstByte,PAYLOAD,0,1,firstOption,PAYLOAD,20,1,
IgmpType,PAYLOAD,24,1,moreOptions,GT_RAW,firstByte,0x46,ipCheckHi,LE_RAW,firstByte,
0x4F,zeroOption,EQ_RAW,firstOption,0,oneOption,EQ_RAW,firstByte,0x46,isIgmpQuery,
EQ_RAW,IgmpType,0x11,result1,AND_RANGE,moreOptions,zeroOption,result2,AND_RANGE,
zeroOption,isIgmpQuery,result,OR_PAIR,result1,result2,0,RET_REG,result,0 
- This parameter is not supported

Conditions: Loading a full signature file from CCO.

Workaround: There is no workaround.

CSCsf95938

Symptoms: A leak of middle buffers occurs after all Onboard DSPRM pools are depleted.

Conditions: This symptom has been observed on a Cisco 3825 router with support for CVP survivability, for example one running Cisco IOS Software, 3800 Software (C3825-IPVOICEK9-M), Release 12.4(7b).

Workaround: There is no workaround other than reloading the router when memory is exhausted.

CSCsf98062

Symptoms: During some instances of clearing of SAs, there is a possibility of a crash.

Conditions: The SAs are cleared on STANDBY device first.

Workaround: Clear the SAs first on the ACTIVE device.

CSCsf98345

Symptoms: An MPLS LDP peer on a default VRF resets when a VRF interface goes down.

Conditions: This symptom is observed on a Cisco router when the VRF interface is configured with a subnetwork address that overlaps with the default router ID.

Workaround: Reconfigure the VRF interface address so it does not overlap with the default router ID.

CSCsf98608

Symptoms: GK reloads when "no zone prefix SFO-GK-1 201201* gw-priority 10 SFO_trunk8_8 SFO_trunk6_6 SFO_trunk4_4 SFO_trunk2_2" command is issued on the Gatekeeper.

Conditions: This problem may happen when dynamic prefixes are used.

Workaround: There is no workaround.

CSCsg00602

Symptoms: A Cisco 3845 or Cisco 3825 router with AIM-VPN/HPII-PLUS(EPII-PLUS) may show the following symptoms:

1. Alignment errors are shown.

2. The router crashes with a bus error.

3. XXX is displayed when the show crypto engine accel ring packet command is run.

4. If a Telnet session that shows symptom 3 is cut by the clear line command, its related exec process does not disappear and starts to consume CPU.

Conditions: This symptom has been observed on the Cisco 2600, Cisco 2800, Cisco 3600, Cisco 3700, Cisco 3800, and Cisco 1800 series routers that are configured with an AIM-VPNII or AIM-VPNII PLUS Virtual Private Network (VPN) encryption and hardware advanced integration module (AIM).

Workaround: Avoid running the show crypto engine accel ring packet command.

CSCsg01042

Symptoms: WRED parameters are not updated in show policy-map output.

Conditions: This symptom is observed on Cisco 7200 (NPE-G1 and NPE-G2) routers that are configured with a single-level policy that contains WRED and WFQ on class-default.

Workaround: There is no workaround.

CSCsg01538

Symptoms: The IOS-Firewall/ips50/v5_atomic-ip.* test, or the atomic-ip signatures in the v5_SANITY.* test, fail in eARMS.

Conditions: This symptom has been observed when IPS is configured.

Workaround: There is no workaround.

Further Problem Description: This DDTS fixes a crash when loading signature 4620:0.

CSCsg01964

Symptoms: A 7200 VXR router that has an NPE-G2 may not recognize an SFP-GE-Z transceiver module that is installed in the G0/2 and G0/3 native GE interface of the NPE-G2.

Conditions: This symptom is observed on a 7200 VXR router that runs Cisco IOS Release 12.4(4)XD2 but may also affect other releases.

Workaround: There is no workaround.

CSCsg05350

Symptoms: A Cisco AS5850 crashes due to a chunk memory leak. See the following:

Sep  9 13:07:04.428: %DSMP-3-INTERNAL: Internal Error : NO MEMORY -Traceback= 
0x601C66D4 0x61596938 0x61579DB0 0x61279508 0x6127C34C 0x6127DB50 0x6127F6BC
Sep  9 13:07:04.468: %DSMP-3-INTERNAL: Internal Error : NO MEMORY -Traceback= 
0x601C66D4 0x61596938 0x61579DB0 0x61279508 0x6127C34C 0x6127DB50 0x6127F6BC
Sep  9 13:07:04.744: %MARVEL_HM-3-HM_RULES_RELOAD: Health Monitor causing a 
reload due to Fragmented processor_memory, Free processor_memory = 10402472 
bytes, Largest processor_memory block = 522632 bytes

Conditions: This symptom occurs when there is a chunk memory leak.

Workaround: There is no workaround.

CSCsg05375

Symptoms: A Cisco 7200 series that has an NPE-G2 may reload unexpectedly because of a SegV exception.

Conditions: This symptom is observed on a Cisco 7200 series that runs Cisco IOS Release 12.4(4)XD2 or Release 12.4(4)XD3 but may also affect other releases.

Workaround: There is no workaround.

CSCsg09296

Symptoms: Issuing the copy tftp: idconf command twice in a row from the console for an identical signature file results in a router crash.

Conditions: This symptom has been observed when Cisco IOS IPS is enabled and a signature file is being loaded from the CLI.

Workaround: Only issue the copy command for the same signature file once.

CSCsg09846

Symptoms: Port 0 of a PA-MC-2T3EC always remains down.

Conditions: Port 0 remains down only with the latest 2-port MC-T3 PA.

Workaround: There is no workaround.

CSCsg10124

Symptoms: After configuring "ip ips config location flash:" on the 1800 platforms, the router will crash with an Unexpected exception.

Conditions: This symptom has been observed on Cisco 1800 routers.

Workaround: There is no workaround.

CSCsg11551

Symptoms: An NPE-G2 may not boot or may crash.

Conditions: This symptom is observed on a Cisco 7200 series.

Workaround: There is no workaround.

CSCsg11750

Symptoms: Unexpected call failures occur and overall memory utilization increases slowly but steadily. The router crashes because of memory errors or memory depletion.

Conditions: A Cisco IOS PSTN gateway with NM-HDV2-based DSPs terminates PRI trunks and also runs dspfarm media resources such as transcoders and conference resources. Calls are routed to and from Cisco Unified CallManager call processing servers.

Workaround: There is no workaround.

CSCsg13423

Symptoms: The gateway crashes because of memory corruption at various locations.

Conditions: SIP-KPML is negotiated as the DTMF method during a normal SIP call.

Workaround: There is no workaround.

CSCsg13828

Symptoms: The router may reload.

Conditions: This symptom occurs when an Embedded Event Manager policy is configured with an event timer, or with an action that produces long output to the console.

Workaround: No workaround is available.

CSCsg14739

Symptoms: The router does not warm reboot when the reload warm command is entered or when it crashes (with warm-reload configured in both cases).

Conditions: Problem is specific to c7200 NPE-G2 and is not seen in other variants of c7200 NPE.

Workaround: There is no workaround.

CSCsg16908

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The Cisco IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the Cisco IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the Cisco IOS FTP Client feature.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml.

CSCsg37031

Symptoms: The serial interface of a T3 PA may inconsistently go down after a shut/no shut and never come back up.

Conditions: This happens in rare conditions when shut/no-shut is applied on the serial-interface of the Channelized T3 PA.

Workaround: There is no workaround.

CSCsg39287

Symptoms: A memory leak and fragmentation occur in a terminating H.323 gateway upon receipt of an H.225 NOTIFY. After processing calls for a couple of days, the memory leak and fragmentation lead to an H.323 gateway crash.

Conditions:

Workaround: There is no workaround unless the originating device can be configured not to send NOTIFY. This is not possible in typical CCM IPT deployments.

CSCsg58570

Symptoms: The IOS FW ALG and AIC features may not work properly in the CEF path.

Conditions: The features do not work on a router running Cisco IOS Release 12.4(9)T or later when IOS FW is enabled in the CEF path.

Workaround: Disable the CEF switching path.

Further Problem Description: The problem occurs due to FW not handling particle chain properly.

TCP/IP Host-Mode Services

CSCsd71318

Symptoms: A Cisco 2800 series router crashes whenever the connection to the URL filter server is reset due to network congestion or a warm or cold reload.

Conditions: This symptom has been observed when the router is running URL filtering with an external Websense or N2H2 server.

Workaround: There is no workaround for a cold or warm reload. If the crash occurs because of network congestion or a WAN reset, remove the condition that causes the connection to the URL filter server to flap.

CSCsd74139

Symptoms: HTTP errors occur while accessing a Win2003 Web Server.

Conditions: This symptom has been observed with a Cisco IOS Voice gateway running Cisco IOS Release 12.4(6)T accessing a Win2003 HTTP web server under heavy load. Cisco IOS Voice has ip http client connection persistent disabled.

Workaround: There are two possible workarounds:

1. Switch to a Win2000 HTTP web server.

2. On a Win2003 server, set "TcpTimedWaitDelay" to the minimum (30 seconds). This does not totally eliminate, but does reduce, the occurrences of dropped TCP SYN requests from the Cisco IOS router.

Wide-Area Networking

CSCek31887

Symptoms: Some supplementary services do not work because of a QSIG rose_decode_facilityIE problem.

Conditions: This symptom has been seen in Cisco IOS Release 12.4(5.13)XC because of a memory-leak DDTS that was committed.

Workaround: There is no workaround.

CSCek41260

Symptoms: The router crashes when it receives an incoming PAD call through the TTY line.

Conditions: This symptom has been observed only when the pad call comes through the TTY line, but not when it comes through the serial interface.

Workaround: There is no workaround.

CSCek56250

Symptoms: A router may reload while executing the show ppp multilink command.

Conditions: This symptom is observed when a multilink bundle goes down while the output is being generated.

Workaround: There is no workaround.

CSCek58406

Symptoms: The router crashes shortly after the encapsulation is changed from Frame Relay to HDLC.

Conditions: IPS is configured on a map and on an interface. IPS is first removed from the map and then from the interface, and then the encapsulation is changed.

Workaround: Remove the interface IPHC configuration first.

CSCse12198

Symptoms: Individual B-channels on the primary T1 in the NFAS group sometimes go OOS for no reason.

Conditions: This symptom is observed when connected to a Cisco PGW that is running Cisco IOS Release 9.3(2). The Cisco AS5400 is connected to the Cisco PGW that is running RLM in the Signaling/Nailed mode.

Also, the ISDN service sometimes goes OOS, and the channel state goes to 5, which is maintenance pending.

Workaround: When this happens, the ISDN service can be put back in service manually for an individual CIC, but the channel state cannot be put back in service manually unless the whole serial interface is bounced, which cannot be done while there is traffic on the other B-channels.

CSCse81359

Symptoms: After you have shut down a Frame Relay over MPLS (FRoMPLS) connection, the xconnect command is unexpectedly removed from the standby PRE, preventing the FRoMPLS connection from coming up after an HA switchover has occurred.

Conditions: This symptom is observed on a Cisco 10000 series.

Workaround: When you enter the connect command on the active PRE, also enter the xconnect command and any other configuration from the connect submode on the standby PRE to ensure that the complete configuration is retained on the standby PRE after an HA switchover has occurred.

CSCse93494

Symptoms: The router crashes while executing the show ppp multilink command.

Conditions: This symptom occurs if the router is configured for SGBP and there is enough traffic to bring the MLP bundle up.

Workaround: There is no workaround.

CSCsf03251

Symptoms: Primary and backup NFAS interfaces may transition from WAIT to OOS even after receiving "in-service" message from the PSTN.

Conditions: This symptom is observed on a Cisco AS5400XM that is running several Cisco IOS 12.4 mainline and 12.4T releases.

Workaround: There is no workaround.

CSCsg15642

Symptoms: A PSTN gateway unexpectedly restarts because of a lack of memory. Over time, memory utilization increases, and the show processes memory sorted command indicates that the ISDN process is allocating an increasing amount of memory.

Conditions: This leak occurs when a SETUP message with Display IE is received.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(9)T7

Cisco IOS Release 12.4(9)T7 is a rebuild release for Cisco IOS Release 12.4(9)T. The caveats in this section are resolved in Cisco IOS Release 12.4(9)T7 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCek50783

Symptoms: "Enqueue to process level" message is seen in logs.

Conditions: This symptom has been observed in Cisco IOS Release 12.4T and 12.4(4)XD2. No debugs are enabled.

Workaround: There is no workaround.

CSCsk70446

Cisco IOS emits the %DATACORRUPTION-1-DATAINCONSISTENCY error message whenever it detects an inconsistency in its internal data structures.

A traceback appears after the error message. This traceback is encountered with long URLs.

It is important to note that this error message does not imply that packet data is corrupted. However, it does provide an early indicator of other conditions that can eventually lead to poor system performance or a Cisco IOS restart.

IP Routing Protocols

CSCek76776

Symptoms: The configuration of a deleted subinterface may show up on a new subinterface and may cause a traffic outage.

Conditions: This symptom is observed on a Cisco router that has IP interface commands enabled when a script adds and deletes ATM subinterfaces on a regular basis.

Workaround: Verify the subinterface configuration. When the configuration of a subinterface cannot be deleted, delete the subinterface, and then create a dummy subinterface that will pull the configuration that could not be deleted. Then recreate the first subinterface with a new configuration.

CSCse92050

Symptoms: A router may reload unexpectedly when a routing event causes multicast boundary to be configured on a Reverse Path Forwarding (RPF) interface.

Conditions: This symptom is observed on a Cisco platform that is configured for PIM.

Workaround: Remove multicast boundary from the configuration.

CSCsi03359

Symptoms: A PIM hello message may not reach the neighbor.

Conditions: This symptom is observed on a Cisco router when an interface comes up and a PIM hello message is triggered.

Workaround: Decrease the hello timer for PIM hello messages.

Further Problem Description: The symptom occurs because the PIM hello message is sent before the port can actually forward IP packets. IGP manages to get its neighborship up but PIM does not, causing RPF to change to the new neighbor and causing blackholing to occur for up to 30 seconds.

CSCsi98730

Symptoms: The MPLS labels for packets that are forwarded via CEF and MPLS over a BGP route may not match the labels in the BGP table, which may lead to traffic loss.

Conditions: This problem occurs under certain circumstances and timing conditions.

Workaround: When the symptom occurs, enter the clear ip route command for the prefix in the VRF.

CSCsj09838

Symptoms: When the BGP session between a Route Reflector (RR) and PE router flaps, the RR may no longer send some routes to the PE router.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that integrates the fix for caveat CSCsi85222. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsi85222. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the clear ip bgp * all in command on the PE router to retrieve all routes from the RR.

CSCsk45076

Symptoms: A traceback is seen at ipnat_dns_fix_resou.

Conditions: This symptom is observed when DNS traffic traverses the router and NAT is configured.

Workaround: There is no workaround.

Miscellaneous

CSCek75633

Symptoms: A router may crash when you attach a VC class to an ATM bundle.

Conditions: This symptom is observed on a Cisco 7200 series but is platform-independent.

Workaround: There is no workaround.

CSCse71281

Symptoms: A router crashes with crypto tunnels with large transfers such that they cause IP fragmentation.

Conditions: Large pings.

Workaround: There is no workaround.

Further Problem Description: The underlying code has been modified to address this and other issues. It is unlikely that the same conditions that can cause the crash still exist.

CSCsg21804

Symptoms: Fast Ethernet interface 4 may not come up if Cisco Discovery Protocol (CDP) is disabled on that interface. The interface may get stuck in the "Initializing" phase.

Conditions: This symptom is observed when a Cisco 871 router is upgraded to a Cisco IOS Release 12.4(11.1)T image.

Workaround: The interface can be brought up by executing the shutdown command, followed by the no shutdown command, on Fast Ethernet interface 4 or by enabling CDP on the interface. Enabling CDP will work across reboots, whereas the shutdown/no shutdown method must be done after every reboot.

CSCsg91306

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the Cisco IOS device.

Cisco has released free software updates that address these vulnerabilities. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities addressed in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself, if administrators do not require the Cisco IOS device to provide voice over IP services.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml.

CSCsi80057

Symptoms: Conditional default origination into RIPv2 does not work correctly in the following scenarios:

1. When the watched network is not present, the default route is not deleted from the local RIP database. This causes the router to still send the default route.

2. When the watched network is present, the default route is not added to the local RIP database. This causes the router to not send the default route.

The default behavior is described at the following link:

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_rip.html#wp1011008

Conditions: This symptom is observed if the default-information originate route-map map-name router RIP configuration command is used in order to generate a default route only when the watched network is present.

Workaround: There is no workaround.

CSCsh12480

Cisco IOS software configured for Cisco IOS Firewall Application Inspection Control (AIC) with an HTTP application-specific policy is vulnerable to a denial of service when processing a specific malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device.

Cisco has released free software updates that address this vulnerability.

A mitigation for this vulnerability is available. See the "Workarounds" section of the advisory for details.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml.

CSCsj25395

Symptoms: Having a configuration similar to the following:

%COMMON_FIB-3-FIBIDBINCONS2: An internal software error occurred. Virtual- Access2.1 linked to wrong idb Virtual-Access2.1

And entering in the following will crash the device:

%SYS-6-STACKLOW: Stack for level Network interfaces running low, 0/9000

Conditions: Removing the Dialer interface configuration while having IPHC configured on that interface will crash the platform. This is observed on a Cisco 7200 series router that is running Cisco IOS interim Release 12.4(16.5).

Workaround: Remove any IPHC CLI from the Dialer interface prior to deleting the Dialer interface from the configuration.

CSCsj30582

Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.

Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.

For example:

File disk#:crashinfo_20070418-172833-UTC open failed (-1): Directory entries are corrupted, please format the disk

%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = Crypto CA. -Traceback= 0x42AB7410 0x424A6E18 0x42469B7C 0x424651E0 %Software-forced reload

Preparing to dump core... %CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xx.xx.x has no SA and is not an initialization offer

Workaround: Configure the access list so that the source is "any," for example:

%OSPFv3-3-DBEXIST: DB already exist

First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect."

Further Problem Description: If an explicit deny rule is added to the above example, for example:

%ALIGN-3-SPURIOUS T/B ipv6fib_gre_ipv6_classified

Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:

Unexpected exception to CPU: vector 300 show access-lists 100

Jun 18 06:12:23.008: event flooding: code 10 arg0 0 arg1 0 arg2 0

CSCsj38829

Symptoms: When running double authentication crypto configurations (ah encap and esp encap auth together) and passing large packet data that requires fragmentation, errored packets can be observed.

Conditions: This symptom has been observed only on routers with AIM-VPN-PLUS AIM cards installed. Routers that support this AIM are the Cisco 1800, Cisco 2600, Cisco 2800, Cisco 3700, and Cisco 3800 routers.

Workaround: Do not use ESP and AH double authentication. You can use the no crypto engine accel command in the configuration to run encryption in the SW engine.

CSCsj46178

Symptoms: A Cisco AS5850 responds with a 500 Endpoint Unknown to a CRCX for an endpoint on a channelized T3 card. The endpoint otherwise responds normally to the AUEP command.

Conditions: This symptom is observed on a Cisco AS5850 that is controlled via MGCP, and the endpoint naming t3 command is configured on the router in either global MGCP configuration or MGCP profile.

Workaround: Do not configure the endpoint naming t3 command. Use t1 endpoint naming instead.

CSCsj50773

Symptoms: Performing the snmpwalk on the ipRouteTable MIB may cause high CPU and reloads.

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.4(13b) or later releases.

Workaround: Create a view that excludes the ipRouteTable:

%SYS-3-OVERRUN: Block overrun at E5D8310 (red zone 00000000) -Traceback= 0x6080CEB0 0x60982108 0x60982EC0 0x6098511C 0x609853BC %SYS-6-MTRACE: mallocfree: addr, pc 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 %SYS-6-MTRACE: mallocfree: addr, pc 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 662B5B1C,608A6F3C 0,608A6D9C 662B5B1C,608A6D4C 662B5B1C,300001A6 %SYS-6-BLKINFO: Corrupted redzone blk E5D8310, words 6088, alloc 61FE2638, InUse, dealloc 80000000, rfcnt 1 -Traceback= 0x6080CEB0 0x609681D4 0x6098211C 0x60982EC0 0x6098511C 0x609853BC %SYS-6-MEMDUMP: 0xE5D8310: 0xAB1234CD 0xFFFE0000 0x0 0x63894208 %SYS-6-MEMDUMP: 0xE5D8320: 0x61FE2638 0xE5DB2D0 0xE5D8144 0x800017C8 %SYS-6-MEMDUMP: 0xE5D8330: 0x1 0x0 0x1 0x64B53478

This view restricts the objects that the NMS can poll. It excludes access to the ipRouteTable, but allows access to the other MIBs.

CSCsj74812

Symptoms: A router that is running Cisco IOS software may reload unexpectedly.

Conditions: This symptom is observed when running show commands on an exec session that has been established through one of the integrated modems on a WIC-AM or WIC-2AM.

Workaround: There is no workaround.

CSCsj95947

Symptoms: The following message is seen on the router:

%Software-forced reload

Conditions: The conditions under which this symptom occurs are not known at this time.

Workaround: There is no workaround.

CSCsj96577

Symptoms: A Cisco AS5400HPX crashes due to a bus error as indicated by show version "System returned to ROM by bus error at PC 0x61728370, address 0xB0D0B45."

Just before the crash the following error message is seen:

%SYS-6-STACKLOW: Stack for process draco-oir-process running low, 0/6000

Conditions: This symptom is observed on a Cisco AS5400HPX.

Workaround: There is no workaround.

CSCsk09651

Symptoms: A router crashes while a service policy is being attached, detached, or modified across a virtual template under traffic.

Conditions: This symptom is observed on a Cisco 7200 or Cisco 7301 router that is configured with MLPPP over FR on channelized interfaces.

Workaround: There is no workaround.

CSCsk54153

Symptoms: A Cisco router may reload unexpectedly with a software forced crash.

Conditions: This symptom is observed when the FXS port is configured with a DN and the gateway is being reset by CallManager 4.2.

Workaround: There is no workaround.

CSCsk73104

Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml

CSCsk75098

Symptoms: A Cisco 7200 NPE-G2 router with a VSA encryption card, terminating IPSec EasyVPN Dynamic Virtual Tunnel Interfaces, exhibits high CPU utilization during IKE and IPSec rekeys, potentially causing some tunnels to go down.

Conditions: This symptom is observed on a Cisco 7200-G2 router with a VSA card, acting as an IPSec HUB, terminating EasyVPN DVTI remote-access IPSec tunnels into VRFs. At high tunnel scale (more than 1000 tunnels), the CPU can spike close to 100 percent during IKE and/or IPSec rekey, potentially causing traffic and tunnels to drop.

Workaround: Do not use more than 1000 RA EasyVPN DVTI tunnels on a Cisco 7200. Or switch to Legacy EasyVPN tunnels (with dynamic crypto maps).

CSCsk99530

Symptoms: The MPLS forwarding table has an untagged outgoing entry for a VPNv4 prefix in a CSC case.

Conditions: This symptom is observed on an LDP/IGP (OSPF etc.) based CSC-PE. The VPNv4 prefix must have both a local/redistributed (PE-CE OSPF etc.) path and an iBGP path. If the CE path is toggled and then a LABEL ONLY change arrives from the iBGP neighbor, the issue is seen: BGP ends up programming "Untagged" for the local/redistributed prefix, overwriting the label that LDP provided.

Workaround: There is no real workaround. To clear the problem, issue a clear ip route command for the vrf-prefix in question. If there are redundant paired PEs, make sure to clear the problem on both routers with the clear ip route command.

CSCsl14635

Symptoms: T38 negotiation is failing for an incoming UPDATE request that has a T38 offer.

Conditions: This symptom occurs when the voice gateway is running Cisco IOS Release 12.4(15)T and is processing incoming Session Initiation Protocol (SIP) calls. When the SIP call is active and an UPDATE request is received that contains a T38 offer, the UPDATE request is rejected. The switchover from voice to fax fails.

Workaround: Fax over T38 works fine when midcall INVITE is used for T38 negotiation.

CSCsl32308

Symptoms: A voice gateway may modify the Presentation Indicator (PI) field when processing a voice call.

Conditions: The voice gateway is running Cisco IOS Release 12.4(9)T5 and processing incoming Session Initiation Protocol (SIP) calls. For an incoming SIP call, the PI field (octet 3a) is changed from 0xA0, or any other value, to 0x00 for no apparent reason when the call is forwarded to the telephony call leg.

Workaround: There is no workaround.

CSCuk60363

Symptoms: When Enhanced Compressed Real-Time Transport Protocol (ECRTP) is configured and when multiple packet drops occur, cRTP packets may stop being sent, and only cUDP packets are sent instead. Because cUDP packets are nearly as large as uncompressed packets, compression becomes completely inefficient.

Conditions: This symptom is observed on a Cisco router when ECRTP is configured on an interface and when a few packet drops occur, as in the following configuration example:

%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x41579EB0

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(9)T6

Cisco IOS Release 12.4(9)T6 is a rebuild release for Cisco IOS Release 12.4(9)T. The caveats in this section are resolved in Cisco IOS Release 12.4(9)T6 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCir01027

Symptoms: SNMP over IPv6 does not function.

Conditions: This symptom is observed on a Cisco router that integrates the fix for caveat CSCsg02387. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg02387. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: Use SNMP over IPv4.

CSCsd90876

Symptoms: Memory corruption occurs when a "| include" is used with a CLI command. An already in-use block gets freed and causes this corruption.

Conditions: This symptom can happen with any usage when a "| include" is used with a CLI command. It was found using a script for IPSec that resulted in "Crash on OIR of IPSec SLC module."

Workaround: There is no workaround. This is a programming defect.

Further Problem Description: This is a rare corner-case memory corruption in which a block is freed while it is still in use. It was caught by a script under stress-testing conditions that produce this rare situation.

During normal CLI use with "| include", such a corruption is rare. If it does happen, it leads to a reload of the device.

IP Routing Protocols

CSCsg55591

Symptoms: When there are link flaps in the network, various PE routers receive the following error message:

Aug 13 14:49:31.793 PDT: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_NOT_PRESENT) Aug 13 14:49:31.793 PDT: %C10K_ALARM-6-INFO: ASSERT MAJOR RP A Secondary removed Aug 13 14:49:31.793 PDT: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_DOWN) Aug 13 14:49:31.793 PDT: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_REDUNDANCY_STATE_CHANGE) Aug 13 14:49:31.793 PDT: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_NOT_PRESENT) Aug 13 14:49:31.793 PDT: %REDUNDANCY-3-STANDBY_LOST: Standby processor fault (PEER_DOWN) Aug 13 14:49:31.813 PDT: %REDUNDANCY-3-IPC: cannot open standby port no such port Aug 13 14:49:32.117 PDT: %RED-5-REDCHANGE: PRE B now Non-participant(0x1C11 => 0x1421) Aug 13 14:49:32.117 PDT: %REDUNDANCY-5-PEER_MONITOR_EVENT: Active detected a standby insertion (raw-event=PEER_REDUNDANCY_STATE_CHANGE(5))

Or, a local label is not programmed into the forwarding table for a sourced BGP VPNv4 network.

Conditions: These symptoms are observed when an iBGP path for a VPNv4 BGP network is present, and then a sourced path for the same route distinguisher (RD) and prefix is brought up.

Workaround: Remove the iBGP path. Note that when the sourced path comes up first, the symptoms do not occur.

Alternate Workaround: Use different RDs with the different PE routers. When the RD and prefix do not match exactly between the iBGP path and the sourced path, the symptoms do not occur.

CSCsj10772

Symptoms: The TTL of a CNAME will be zeroed on a DNS reply after passing through a Cisco router that is configured for Network Address Translation (NAT).

Conditions: This symptom is observed on a Cisco router that is configured for NAT that is running Cisco IOS Release 12.4 or 12.4T. Only CNAME records are affected.

Workaround: Use static NAT translations with the keyword "no-payload".

CSCsj39538

Symptoms: The router generates tracebacks and then crashes during deconfiguration (removal) of a VRF. The following message is seen prior to the crash:

Aug 13 14:50:52.617 PDT: %RED-5-REDCHANGE: PRE B now Standby(0x1421 => 0x1411) Aug 13 14:50:54.113 PDT: %C10K_ALARM-6-INFO: CLEAR MAJOR RP A Secondary removed Aug 13 14:51:33.822 PDT: -Traceback= 415C75D8 4019FB1C 40694770 4069475C Aug 13 14:51:33.822 PDT: CONFIG SYNC: Images are same and incompatible

Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x609538FC

Conditions: No specific conditions are known to cause this fault.

Workaround: There is no workaround.

CSCsk35985

Symptoms: The system crashes when the show ipv6 ospf lsdb-radix hidden command is entered.

Workaround: Do not enter the show ipv6 ospf lsdb-radix command.

Miscellaneous

CSCej59405

Symptoms: The output of show running-config command does not show a correct parent-child relationship between the control plane and its underlying service policy.

Conditions: This symptom is observed on a Cisco router that has control-plane features such as policing and port-filtering enabled.

Workaround: There is no workaround.

CSCsg76519

Symptoms: An RSP may crash when you enter the clear counters command.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4 when you enter the clear counters command after the termination of voice calls that were made with PA-VXC-2TE1 port adapters.

Workaround: There is no workaround.

CSCsh74975

Symptoms: A router may reload, or a memory leak may occur, when malformed UDP packets are sent to port 2517.

Conditions: This symptom is observed on a Cisco router that functions as a VoIP dial peer and that is configured for H.323.

Workaround: There is no workaround.

CSCsi81891

Symptoms: RTP packets get transmitted when the mode is recvOnly and inactive.

Conditions: The problem occurs on a Cisco 3800 platform that is running Cisco IOS interim Release 12.4(13.9).

Workaround: There is no workaround.

CSCsi92079

Symptoms: If an access control list (ACL) is used for a destination only prefix, a fatal error is declared and shuts down optimized edge routing (OER). For destination only traffic classes, prefix-list should be used, not ACL or access control entry (ACE).

Conditions: This behavior is observed on Cisco IOS Release 12.4(11)T and later releases at this time.

Workaround: Use a prefix list instead of an ACL/ACE for destination-only traffic classes. For example:

- use a prefix list for the traffic class 100.1.1.0/24

- use an ACE for the traffic class 100.1.1.0/24 DSCP af11

CSCsj64230

Symptoms: When a bidir PIM router with no directly connected receivers has to change its RPF interface toward the RP, multicast traffic could be lost for up to 60 seconds.

Conditions: This symptom occurs if the connection to the first RP is lost and the middle router changes the RPF for its bidir upstream interface. The middle router then restarts the election process on all DF interfaces and purges the interface pointing to the leaf router from its OIL. That interface is only repopulated upon a periodic state refresh from the leaf router, because the leaf router has no RPF change and therefore no reason to send a triggered Join.

Workaround: There is no workaround.

CSCsj82196

Symptoms: There is a memory corruption crash due to the following:

Aug 13 14:51:33.822 PDT: %ISSU-3-INCOMPATIBLE_PEER_UID: Image running on peer uid (2) is the same -Traceback= 415CCC2C 415C75FC 4019FB1C 40694770 4069475C Aug 13 14:51:33.822 PDT: Config Sync: Bulk-sync failure due to Servicing Incompatibility. Please check full list of mismatched commands via: show issu config-sync failures mcl

Conditions: This symptom is observed on Cisco IOS Release 12.4T with QoS enabled.

Workaround: There is no workaround.

CSCsk05059

Symptoms: A spurious access error occurs in the tfib_post_table_change_sanity_check() function.

Conditions: This symptom occurs if route is deleted. ROUTE_DOWN event is triggered in tfib_post_table_change() function which in turn calls tfib_post_table_sanity_check(). In that function, spurious access is reported, as the only path of route is down.

Workaround: There is no workaround.

CSCsk10985

Symptoms: IMA group interface does not come up after the reload.

Conditions: This symptom is observed on a Cisco 2811 router with an ATM interface on a VWIC2-2MFT-T1/E1 that is connected to an MGX AUSM card.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the IMA interface.

CSCsk19108

Symptoms: Before sending the initial INVITE, a Cisco gateway performs a DNS SRV query, which returns the actual server name where the SIP service is running; a DNS A query for that server then returns the IP address of the proxy server, so the initial call is established through this SIP proxy server. After receiving a SIP REFER message to initiate a call transfer whose Transfer-to location is a domain name, the SIP gateway performs only a DNS A record query for the Refer-To host, which returns an IP address where SIP is not running. This causes the transfer to fail.

Conditions: This symptom is observed on a Cisco 2800 series router but is not platform dependent. The Transfer-target address received in Refer is a FQDN (with default port -5060 OR no port).

Workaround: There is no workaround.

CSCsk26973

Symptoms: A router that is running NHRP leaks memory when many incomplete cache entries are created. The incomplete cache entries can be verified by typing the show ip nhrp command and looking for "type incomplete". The memory leaked can be seen by examining the output of the show chunk command and looking for "NHRP Cache".

Conditions: This symptom could occur when traffic to nonexistent or non-responding addresses is forwarded by the router over the DMVPN/NHRP cloud.

Workaround: There is no workaround.

CSCsk29216

Symptoms: On an ATM interface, if tx-ring-limit is set to 1 under heavy traffic, the interface might get wedged. Throughput is degraded because many packets are dropped.

Conditions: This symptom is observed when tx-ring-limit is set to 1 under an ATM interface that carries heavy burst traffic.

Workaround: Use a tx-ring-limit of at least 2 under these circumstances.

CSCsk33780

Symptoms: Compressed Real-Time Protocol (cRTP) shows errors and Low Latency Queuing (LLQ) shows drops from default queue although there is no traffic to match it.

Conditions: This problem can be seen under load of MPPP bundle of several serial interfaces with LLQ and cRTP enabled.

Workaround: There is no workaround.

CSCsk60020

The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.

The IOS SSH server is an optional service that is disabled by default, but its use is highly recommended as a security best practice for management of Cisco IOS devices. SSH can be configured as part of the AutoSecure feature in the initial configuration of IOS devices, AutoSecure run after initial configuration, or manually. Devices that are not configured to accept SSH connections are not affected by these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159 has been assigned to this bug.

The Security Advisory for this issue is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml.

Resolved Caveats—Cisco IOS Release 12.4(9)T5

Cisco IOS Release 12.4(9)T5 is a rebuild release for Cisco IOS Release 12.4(9)T. The caveats in this section are resolved in Cisco IOS Release 12.4(9)T5 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsf32390

Symptoms: When tuning particle clone, F/S, and header pools after these were made configurable via CSCuk47328, the commands may be lost on a reload.

Conditions: If the device is reloaded the commands are not parsed on a reload and this results in the defaults being active. This may result in traffic loss if the increased buffers were needed to enable greater forwarding performance for the specific network design.

Workaround: Configure an applet to enter the buffer values again after a reload. A sample applet would be:

event manager applet add-buffer 
 event syslog occurs 1 pattern ".*%SYS-5-RESTART: System restarted --.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "buffers particle-clone 16384"
 action 4.0 cli command "buffers header 4096"
 action 5.0 cli command "buffers fastswitching 8192"
 action 6.0 syslog msg "Reinstated buffers command"

CSCsg05378

Symptoms: A router may hang or crash because of memory corruption when HTTP is being accessed.

Conditions: This symptom is observed on a Cisco router when IPS is enabled. Other conditions may trigger the symptom too.

Workaround: When IPS triggers the symptom, disable IPS.

CSCsi13312

Symptoms: Authentication with Security Device Manager (SDM) 2.3.3 fails, preventing you from logging into the router through HTTPS, HTTP, SSH, Telnet, console, or any management application.

Conditions: This symptom is observed on a Cisco router that is "fresh out of the box" and affects the following routers:

Cisco 800 series

Cisco 1700 series

Cisco 1800 series

Cisco 2700 series

Cisco 2800 series

Cisco 3700 series

Cisco 3800 series

Workaround: For extensive information and a workaround, see the following Field Notice:

http://www.cisco.com/en/US/support/tsd_products_field_notice_summary.html

IP Routing Protocols

CSCsi17020

Symptoms: A router running Cisco IOS may unexpectedly reload. The crashes can be very different in nature, but the crashinfo should show the IP Input process as the currently running process:

---- Partial decode of process block ----
Pid 84: Process "IP Input" stack 0x46C3C080 savedsp 0x46758540

Conditions: This is seen when the router is configured for NAT and receives a fragmented skinny packet that it needs to reassemble and translate.

Workaround: Prevent the router from receiving a fragmented skinny packet by ensuring the path MTU between the call manager server and the router is large enough. Usually skinny packets aren't larger than 800 bytes.

CSCsi32425

Symptoms: A router that is configured for static NAT translations may lose its external/global ARP entry for a NAT address.

Conditions: This symptom is observed when traffic flows run across the router, for example, when the client is outside and server is inside, and when static NAT translation is used for periods of about two minutes.

Workaround: Configure a route map that matches the static NAT translation, and apply the static NAT entry by entering either one of the following commands:

- ip nat inside source static tcp local-ip local-port global-ip global-port route-map name reversible

- ip nat inside source static local-ip global-ip route-map name reversible

CSCsi84089

Symptoms: A few seconds after OSPF adjacencies come up, a router crashes because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an ISR that is configured for OSPF.

Workaround: Add area 0 in the OSPF VRF processes.

Alternate Workaround: Enter the no capability transit command in the OSPF VRF processes.

Miscellaneous

CSCek42751

Symptoms: The running configuration may not be accessible after you have copied a small file to the running configuration.

Conditions: This symptom is observed on a Cisco router that has an ATA file system after you have rebooted the router.

Workaround: Reboot the router once more.

CSCek44782

Symptoms: A router using IPSec reloads immediately after exhausting the memory.

Conditions: This symptom occurs when a memory allocation request fails while processing an IPSec update, usually while creating an IPSec tunnel.

Workaround: There is no workaround.

Further Problem Description: This symptom occurs when updating the IPSec classification data structures.

CSCek55486

Symptoms: The native Gigabit Ethernet (GE) interface on an NPE-G1 card may reset unexpectedly.

Conditions: This symptom is observed on a Cisco 7200 series when the underrun counter for the native GE interface increments continuously. You can verify the underrun counter in the output of the show interfaces gigabitethernet slot/port command.

Workaround: There is no workaround.

CSCsd27617

Symptoms: IKE negotiation fails with a wrong group preshared key.

Conditions: This symptom is observed on a Cisco router that has an eight-character key such as "cisco123" defined under the EzVPN group configuration, and occurs after you have entered the password encryption aes command.

Workaround: To prevent the symptom from occurring, do not use an eight-character key under the EzVPN group. After the symptom has occurred, re-enter the group and key.

CSCse64750

Symptoms: "%VPA-3-TSBUSY:VPA" and other error messages may be generated intermittently, and calls may fail.

Conditions: This symptom is observed on a Cisco 7206VRX that is configured with multiple VXC voice port adaptors.

Workaround: There is no workaround.

CSCse67995

Symptoms: A memory leak may occur in the "Crypto IKMP" process.

Conditions: This symptom is observed when you use certificates for IKE authentication.

Workaround: Use preshared keys for IKE authentication.

CSCsg51811

Symptoms: When the OER BGP Inbound Optimization feature is configured and route control is enforced, route control does not prepend autonomous systems or communities per interface. Rather, route control prepends the same autonomous systems or communities to all external OER interfaces.

Conditions: This symptom is observed on a Cisco router when OER manages inside prefixes that are either learned or configured.

Workaround: There is no workaround.

CSCsh46234

Symptoms: A Cisco 5400XM router reloads unexpectedly during stress.

Conditions: This symptom has been seen during the stress of TDM-IP H.323 calls and SIP-SIP transcoding calls being run simultaneously.

Workaround: There is no workaround.

CSCsi10157

Symptoms: When you associate and then disassociate a VRF from a tunnel source interface, a DMVPN spoke may crash.

Conditions: This symptom is observed only when a VRF is configured on a tunnel interface.

Workaround: There is no workaround.

CSCsi17020

A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml.

CSCsi59685

Symptoms: One-way audio may occur and DTMF digits may not function.

Conditions: This symptom is observed on a Cisco gateway such as a Cisco AS5400 after a SIP transfer has occurred.

Workaround: Enter the no voice-fastpath disable command to resolve the one-way audio issue. There is no workaround for the DTMF issue.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsi67127

Symptoms: There are several symptoms:

1. After "INPUT/OUTPUT Queue Full Error" error messages have been generated on a router that has an IPSec interface, traffic is no longer processed. The output of the show crypto engine accelerator statistic command shows the following:

Aug 13 14:51:33.822 PDT: Config Sync: Starting lines from MCL file: aaa group server radius RSIM ! <submode> "sg-radius" - ip radius source-interface GigabitEthernet6/0/0

2. The ISAKMP process is stuck. Look for "Crypto IKMP" in the output of the show processes command. Identify the process ID (PID). When you execute the show processes pid command for the Crypto IKMP PID several times in a row, you can see that the ISAKMP process is stuck when the value "Invoked" does not increase even though IKE has negotiated SAs.

Conditions: This symptom is observed on a Cisco 850 series, Cisco 870 series, Cisco 1800 series, and Cisco 1810 series.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, you must reboot the router to clear the faulty condition.

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml

CSCsi70217

Symptoms: A Cisco 7961 router with a Cisco 7914 sidecar gets its display into a stuck state if a second call arrives while the first call is in the process of being transferred. The phone display is stuck on the connected "Active call" state even though the first call has been transferred.

This same symptom is found with the following scenario:

1. Call 1 connects on button 1 overlay line 1.

2. Call 2 arrives on button 1 line 2 on the same phone.

3. Caller places call 1 on hold. Takes call 2.

4. Caller places call 2 on hold. Resumes call 1.

5. Caller on call 1 disconnects. The phone display is now stuck.

Conditions: This symptom has been observed with a Cisco 7961 router with a Cisco 7914 sidecar configured with shared or overlay lines when a second call arrives on the same shared lines.

Workaround: Reset the IP phone to clear the phone.

CSCsi70787

Symptoms: A router may reset and generate a crashinfo file when memory that was allocated by a dead process is freed by another process.

Conditions: This symptom is observed on an RPM-XF-512 that runs Cisco IOS Release 12.4T but is not platform-specific.

Workaround: There is no workaround.

CSCsi70791

Symptoms: A Cisco router can experience a memory corruption crash related to encryption.

Conditions: This symptom has been observed when the memory lite global configuration command is disabled.

Workaround: Enable the memory allocation lite (malloc_lite) feature by using the memory lite command.

CSCsi84017

Symptoms: When you reload a Cisco 2600 series, the router may hang.

Conditions: This symptom is observed on a Cisco 2600 series when you attempt to run the c2600-entservices-mz image of Cisco IOS Release 12.4(9)T4. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCsj04563

Symptoms: SSG memory is leaking in Cisco IOS Release 12.4(13b).

Conditions: This symptom occurs when the RADIUS proxy feature is used. Leaking could be triggered on the following call flow scenario:

1. HostObject(HO) with MSID1, ip-address IP1 and username user1@cisco.com is logged on.

2. PDSN sends an acct-stop with MSID1 with session-continue attribute set to TRUE. When this is received, SSG will start a hand-off timer. Note that SSG will not delete the HO at this time.

3. Hand-off timer expires. HO is deleted.

4. SSG now receives an acct-start with MSID1 and username user1@cisco.com.

5. SSG will treat this as an auto-domain user, even though auto-domain is not configured on SSG.

6. SSG will try to get the profile by extracting the domain name from the structured username and sending an access-req to AAA with username as the domain name.

7. Since AAA server does not have the cisco.com profile, it sends an access-reject to SSG.

8. No HostObject is created.

Workaround: There is no workaround.

CSCsj05287

Symptoms: Incoming traffic from LAN is not correctly marked. The same traffic is not correctly enqueued when sent to the DSL interface.

Conditions: Enable QoS by means of class-map and policy-map commands.

Workaround: A software update is needed.

CSCsj06762

Symptoms: A router may crash when both a WIC-1AM or WIC-2AM and PVDMs are installed in the chassis.

Conditions: This symptom is observed when the modem interfaces are in the up/up state, that is, calls do not have to be in process for the symptom to occur.

Workaround: Remove the WIC-1AM or WIC-2AM from router and use only PVDMs.

CSCsj32707

Symptoms: A "SIP UPDATE" message from a Cisco CallManager or SIP Proxy Server with a "Cseq" value of 0 may be rejected or considered invalid by a Cisco gateway.

Conditions: This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.4(9)T4 or a later release and that is connected to a SIP endpoint.

Workaround: There is no workaround. Note that the symptom does not occur in Release 12.4(9)T3.

CSCsj34083

Symptoms: Packets in traffic queues that are below their configured threshold may be dropped.

Conditions: This symptom is observed on a Cisco 877 and Cisco 1801 that run Cisco IOS Release 12.4(9)T3 when one of the queues exceeds its threshold. Note the following scenarios:

When congestion is present, traffic that exceeds its threshold on a CBWFQ service class causes drops on the LLQ classes although the traffic that is associated with the LLQ classes is below the associated threshold.

When best-effort bandwidth exceeds its threshold, LLQ traffic is discarded although it is below its own threshold.

When there is no congestion, the router operates as expected.

Workaround: There is no workaround.

Further Problem Description: Note that the symptom does not occur on a Cisco 878 and Cisco 1803.

CSCsj43861

Symptoms: An EzVPN hardware client does not attempt to connect to the same peer or the next peer after a QUICK MODE failure during IKE.

Conditions: The EzVPN hardware client remains in the SS_OPEN state after the failure of QUICK MODE.

Workaround: Clear the EzVPN session.

CSCsj47356

Symptoms: Phone A believes that its offer (in the first INVITE) has not been answered yet. This is incorrect, because the UPDATE is for the second leg, where the SDP answer has already been sent in a 183 Session Progress.

Conditions: Call forwarding scenario: a call comes in from the PSTN to a SIP phone and is forwarded to another SIP phone.

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCsi40766

Symptoms: H.323 calls on a Cisco IOS VoIP gateway may fail after the gateway has processed about 54,500 calls.

Conditions: This symptom is observed when H.323 uses TCP to transport signaling messages. When the Cisco IOS gateway must generate a unique port for the local TCP session, this port is selected from a range of open ports. When the number of times that a unique TCP session is created for the same IP address on the gateway exceeds 54,500, further attempts to create a local TCP port fail and calls are not completed.

The symptom occurs for H.323 calls only when a separate TCP session is established for the H.245 session. When H.245 tunneling is enabled or no H.245 session is established, the symptom does not occur for H.323 calls.

When the debug ip tcp transaction command is enabled on the gateway, the "TCP: Ran out of ports for network 0" debug output is generated when the symptom occurs.

Enabling debugs on a Cisco IOS gateway should always be done with caution to minimize impact to the performance of the router. As a minimum, ensure that logging to the console is changed from the default behavior of the debug level to, for example, an informational level.

Workaround: After the symptom has occurred, reload the Cisco IOS VoIP gateway. To prevent the symptom from occurring, ensure that for H.323 call processing all H.323 devices have H.245 tunneling enabled. This may not always be possible: for example, H.245 tunneling on Cisco CallManager is not supported.

Wide-Area Networking

CSCsh06841

Symptoms: A router may crash while establishing a PPP session.

Conditions: This symptom is observed when the ppp reliable-link interface configuration command is enabled on an interface that is bound to a dialer profile.

Workaround: Disable the ppp reliable-link interface configuration command, save the configuration, and reload the router. Disabling the command without reloading the router is not sufficient.

CSCsi27449

Symptoms: A Non-Facility Associated Signaling (NFAS) configuration with a back-to-back PRI connection may fail and an "L3_GetUser_NLCB EVENT 0X2 No NLCB 2" error message may be generated, that is, a ping from the client to the router may fail.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(13.11) when an interface is configured as a dialer interface. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

CSCsi74960

Symptoms: A router crashes while sending large control packets between client and L2TP Network Server (LNS) in L2TP callback scenario.

Conditions: This symptom happens with a Cisco 7200 router that is running Cisco IOS interim Release 12.4(13.13)T1.

Workaround: There is no workaround.

CSCsj10593

Symptoms: A terminating gateway (TGW) that is configured for Cisco ISDN Interconnect for Voice Gateways Solution may crash.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(15.6) and that functions as a TGW with all PRI switch types from the user to the network side. The symptom occurs when the isdn test call interface interface-number dialing-string command is entered at the platform on which the call is initiated, when the originating gateway (OGW) is configured for the National ISDN (primary-ni) switch type, and when the TGW is configured for the NT DMS-100 (primary-dms100) switch type. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(9)T4

Cisco IOS Release 12.4(9)T4 is a rebuild release for Cisco IOS Release 12.4(9)T. The caveats in this section are resolved in Cisco IOS Release 12.4(9)T4 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsd58772

Symptoms: The MIB object rttMonLatestRttOperTime returns a value of 0.

Conditions: This symptom occurs for IPSLA RTP operation only irrespective of whether the operation succeeds or fails.

Workaround: There is no workaround.

CSCsh85879

Symptoms: A router crashes while executing the type slm frame-relay interface command.

Conditions: This symptom has been observed with a Cisco 7200 router loaded with Cisco IOS interim Release 12.4(13.2)T.

Workaround: There is no workaround.

IP Routing Protocols

CSCsh02161

Symptoms: A Route Reflector (RR) does not withdraw a prefix that redistributes itself even if this prefix is removed from the BGP table.

Conditions: This symptom is observed on a Cisco router that functions as an RR that advertises two of the same prefixes with different Route Distinguishers (RDs) when one of these prefixes redistributes itself and when the other prefix is a route that is learned from an RR client via iBGP.

Workaround: There is no workaround.

CSCsh84102

Symptoms: These symptoms have been observed:

Some DMVPN spokes may become unreachable and a loop will appear in a traceroute.

The adjacency rewrite information, when looking from the hub in the show adjacency details command, for a problematic spoke will be the same as for another spoke.

There is an inconsistency between the NHRP cache and the Adjacency for the problematic spoke.

Conditions: These symptoms have been observed with DMVPN set up.

Workaround: Disable CEF on the hub.

CSCsi09698

Symptoms: In Cisco IOS software that is running the Border Gateway Protocol (BGP), BGP may advertise a connected prefix that has been removed from the routing table, causing traffic that uses that prefix to be dropped. The advertisement may happen during a reload if IP Event Dampening is configured on the interface and suppresses the interface because of flapping during the reload. The problem may continue until the interface is unsuppressed, which depends on the nature of the flapping that occurs and on the parameters used to configure the dampening. In some releases, the problem may be corrected by a BGP scan. An outage of about one minute is not unreasonable.

Conditions: The symptom may happen if the BGP configuration includes a network command for the connected prefix. It requires an unlikely timing of events which is more likely to be observed with large configurations, and when the interface is configured to use small carrier delay timer. The symptom was observed in a configuration with about 1100 lines and with the carrier-delay msec 0 command configured on the interface in question.

Workaround: If the interface can be configured to filter out link outages during the restart then the IP Event Dampening suppression can be avoided. Configuring the carrier-delay msec 100 command on the interface may achieve this in some cases.

CSCsi62559

Symptoms: OSPF packets with IP Precedence 0 are classified by SPD as priority. This is an error because only IP Precedence 6 packets should be classified as priority packets by SPD.

Conditions: This symptom has been observed on a Cisco router running Cisco IOS Release 12.2(18) and later.

Workaround: Use ACLs to block invalid IP Control packets from reaching the control plane.

Miscellaneous

CSCej42879

Symptoms: A traceback may be generated when packets are transmitted over a basic IPSec connection between two peers in transmission mode and tunnel mode using multilink interfaces.

Conditions: This symptom is observed on a Cisco 3845 router that runs Cisco IOS Release 12.4(5).

Workaround: There is no workaround.

CSCsd43903

Symptoms: A Cisco router may experience memory leaks in the Crypto IKMP process when using certificates for Internet Security Association and Key Management Protocol (ISAKMP) for peer authentication.

Conditions: This symptom has been observed on Cisco IOS Release 12.2(18)SXE5 and Release 12.4(9)T2. This symptom is platform independent.

Workaround: There is no workaround to prevent the leak and the only way to recover is to reboot the device.

CSCse43088

Symptoms: A Cisco gatekeeper may experience a traceback and DSMP time out while testing H.323 Testcall, Silent call detection, and long call duration detection features.

Conditions: This symptom has been observed on a Cisco gatekeeper with Cisco IOS Release 12.4 while testing H.323 Testcall, Silent call detection, and long call duration detection features.

Workaround: There is no workaround.

CSCsg30880

Symptoms: After a router is booted or reloaded, a PVC bundle configuration that is established under an IMA interface is lost.

Conditions: This symptom is observed on a Cisco 2800 series that runs Cisco IOS Release 12.3(11)T7 or Release 12.3(14)T7 and that has the service-policy output command enabled on the PVC bundle. The symptom may also affect Release 12.4 and Release 12.4T.

Workaround: Disable the service-policy output command on the PVC bundle.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsg83326

Symptoms: With IPv6, IPSec is non-functional. All crypto-related functions would be completely affected.

Conditions: This symptom has been observed when using IPv6.

Workaround: There is no workaround.

CSCsg99814

Symptoms: On a Cisco IOS router configured for GRE over IPSec or with a Virtual Tunnel Interface (VTI), an Access Control List (ACL) that is applied to the tunnel interface is bypassed.

Conditions: This symptom occurs when there is another ACL configured on the outbound physical interface where the IPSec tunnel is terminated.

Workaround: Apply the ACL outbound on the protected LAN interface instead of the tunnel interface.

CSCsh35269

Symptoms: When using MTP on a Cisco IOS router, RTP ports and rtpspi call legs may hang. Over time, the hanging RTP ports can accumulate and cause the router to run out of RTP ports, so MTP calls fail.

Conditions: This symptom has been observed when using software MTP for supplementary services or when there is a high number of calls per second (CPS).

Workaround: Reload the router to release hanging ports.

CSCsh42337

Symptoms: A Cisco IOS router with DSPRM crashes with an out of buffer error under load.

Conditions: This symptom has been observed on a Cisco 2811 chassis with NM-HDV2 having four T1 connections, PVDM2-64 (4 DSP), and 768 MB RAM. With this setup, create 96 SIP G.729 dial-peers, make calls and start sending voice traffic. Also, create 96 multicast G.711 dialpeers and start traffic.

Workaround: There is no workaround.

CSCsh75827

Symptoms: When a router that has the ssg intercept dhcp command enabled receives a DHCP packet from a host that has already logged out from a Subscriber Edge Services Manager (SESM), the router may unexpectedly reload because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an SSG with PBHK enabled, when a host has received an IP address that is associated with a service (via the "J" Service-Info attribute), has logged out from the SESM, and then renews its IP address.

Workaround: There is no workaround.

CSCsh84171

Symptoms: A router crashes because of memory corruption, with the following message:

%SYS-3-OVERRUN: Block overrun at 3F379450 (red zone 2A2A2A2A) 

Conditions: This symptom has been observed on a Cisco 2800 router running Cisco IOS Release 12.4T.

Workaround: There is no workaround.

CSCsh94757

Symptoms: The radius-server, which is used for accounting, is marked dead.

Conditions: When radius extended source ports is used, the new extended ports may potentially overlap with UDP port range of other applications. An example of this is when the router is also seeing UDP packets for RTP such as in an IP-to-IP Gateway setup.

Workaround: Remove the radius-server source-ports extended command from the configuration.

CSCsi01470

A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to exploitation that can allow a malicious user to create extra multicast states on the core routers or receive multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks (VPN) by sending specially crafted messages.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml.

CSCsi09530

Symptoms: If the authenticate register command is configured under the voice register global command, CME SIP registration fails.

Conditions: The authenticate register command is configured under the voice register global command, when CME is acting as a registrar.

Workaround: Disable the authenticate register command under the voice register global command.

Further Problem Description: In registrar functionality, CME challenges an inbound register request with a 401 response. If the authenticate register command is configured under the voice register global command, the registering endpoint then sends a Register Request with credentials. The gateway stack does not process this request and drops it.

CSCsi27540

Symptoms: A VSI session may become stuck in the "RESYNC_UNDERWAY" state, preventing LVC connections from being set up. This situation is not cleared automatically, and error messages are not flushed, as is shown in the output of the show controller vsi session command.

Conditions: This symptom is observed on a Cisco router that functions as a Label Switch Controller (LSC).

Workaround: There is no workaround.

CSCsi35679

Symptoms: Hung SIP call legs are seen on the voice gateway.

Conditions: Hung legs can be seen when outgoing SIP calls are not answered and the terminating UA does not send the final response for INVITE.

Workaround: There is no workaround.

CSCsi42086

Symptoms: A memory leak may occur on a router that is configured for SSG when unsupported 3GPP attributes are received by SSG.

Conditions: This symptom is observed when SSG is configured to function in RADIUS proxy mode.

Workaround: Ensure that the unsupported 3GPP attributes are removed by filtering them before a RADIUS packet is received by SSG.

CSCsi76569

Symptoms: A Cisco 7200 series router may crash during boot time or while writing or erasing configuration at flow_def_master_list_lookup.

Conditions: This symptom has been observed on Cisco 7200-NPEG1 and 7200-NPEG2 routers at bootup. The symptom has also been observed when trying to write or erase configuration from memory or trying to execute the show running-config command.

Workaround: There is no workaround.

CSCsi80749

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsi93683

Symptoms: In Cisco IOS software that is running the Bidirectional Forwarding Detection (BFD) protocol, attempts to remove BFD sessions may fail.

Conditions: The symptom has been observed after the maximum number of supported sessions has been configured. The maximum number is 128 in most but not all releases.

Workaround: There is no workaround.

Wide-Area Networking

CSCsd81350

Symptoms: When asynchronous serial interfaces are used as member links in multilink PPP bundles, the router may crash due to memory corruption.

Conditions: This problem can occur under conditions where multilink fragmentation is done, and where the bundle includes at least one member link that is an asynchronous interface.

Workaround: Disable fragmentation on the bundle interface for any bundle that may include asynchronous links as members. Alternatively, if the use of multilink is not a requirement, disable multilink on the asynchronous interfaces.

CSCsh82513

Symptoms: The output of the show isdn active command may show disconnected calls.

Conditions: This symptom is observed on a Cisco router when analog modem calls are made after a normal ISDN digital call has been made.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(9)T3

Cisco IOS Release 12.4(9)T3 is a rebuild release for Cisco IOS Release 12.4(9)T. The caveats in this section are resolved in Cisco IOS Release 12.4(9)T3 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCse23950

Symptoms: A router hangs on a regular basis producing the following traceback:

%SYS-2-NOTQ: unqueue didn't find 0 in queue 82E19A74

%HMM_ASYNC-4-NO_MODEMS_PRESENT: HMM Digital Modem Card 1 contains no active modems

ATMPA-3-BADTXPACKET: Switch1: bad tx packet on vcd 9 size 0 -Traceback= 0x60391080 0x60100024 0x6085BC6C 0x6090EF0C 0x6090F858 0x6030691C 0x60306CD4 0x611F7748 0x611DFF70 0x611E0174 0x602A34BC 0x606E57D8 0x603077F4 0x60307E14 0x60863A18 0x60118294$f

Secure IP phone (IP) <-connect to->(IP) 3745GW (T1) <== connect with 185ms delay to==>(T1) Switch <-connect to-> Secure analog phone

%ALIGN-1-FATAL: Illegal access to a low address 08:32:13 AEST Tue Nov 20 2007 addr=0xB8, pc=0x40099888 , ra=0x44020000 , sp=0x465870E8

Conditions: This symptom is observed on a router that is acting as an EzVPN Client. From the traceback, it seems that the BVI interface is involved in the crash.

Workaround: Disable bridging or HW encryption.

CSCse66080

Symptoms: A memory leak may occur in the Entity MIB API process.

Conditions: This symptom is observed when an entity is registered with the same name as an entity that is already registered.

Workaround: There is no workaround.

CSCsg00102

Symptoms: SSLVPN service stops accepting any new SSLVPN connections.

Conditions: A device configured for SSLVPN may stop accepting any new SSLVPN connections, due to a vulnerability in the processing of new TCP connections for SSLVPN services. If "debug ip tcp transactions" is enabled and this vulnerability is triggered, debug messages with connection queue limit reached will be observed. This vulnerability is documented in two separate Cisco bug IDs, both of which are required for a full fix: CSCso04657 and CSCsg00102.

CSCsg03830

Symptoms: The tacacs-server directed-request command appears in the running configuration when it should be disabled. When you disable the command by entering no tacacs-server directed-request and reload the router, the command appears to be enabled once more.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that integrates the fix for CSCsa45148, which disables the tacacs-server directed-request command by default.

A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsa45148. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Temporary Workaround: Each time after you have reloaded the router, disable the command by entering no tacacs-server directed-request.

CSCsg21398

Symptoms: Cisco IOS may restart when receiving a crafted TACACS+ msg-auth-response-get-user packet after it sends out an initial TACACS+ recv-auth-start packet.

Conditions: This symptom has been observed with TACACS+ packets.

Workaround: There is no workaround.

CSCsg48183

Symptoms: A router may unexpectedly send an ARP request from all of its active interfaces to the next hop of the network of an SNMP server.

Conditions: This symptom is observed on a Cisco router that has the snmp-server host command enabled after any of the following actions occur:

You reload the router.

A switchover of the active RP occurs.

You enter the redundancy force-switchover main-cpu command.

Workaround: There is no workaround.

CSCsg48725

Symptoms: A TLB exception may occur on a Cisco platform that functions as a PE router in an MPLS environment, and the following error message may be generated:

08:32:13 AEST Tue Nov 20 2007: TLB (store) exception, CPU signal 10, PC = 0x40099888

Conditions: This symptom is observed on a Cisco platform when TACACS+ accounting and authorization are enabled and the TACACS+ server is reachable through the global routing table.

Workaround: Disable AAA. If this is not an option, there is no workaround.

IBM Connectivity

CSCsf28840

A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this vulnerability requires that an attacker be able to establish a DLSw connection to the device.

There are workarounds available for this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070110-dlsw.shtml

IP Routing Protocols

CSCec12299

Symptoms: EIGRP specific Extended Community 0x8800 is corrupted and shown as 0x0:0:0.

Conditions: The EIGRP-specific Extended Community 0x8800 is corrupted when it is received over an IPv4 EBGP session. A typical scenario is an Inter-AS deployment.

Workaround: Disable propagation of extended communities across ASs.

CSCse97264

Symptoms: Two or more UDP NAT translations that relate to different requests may be assigned port numbers with the same inside global IP address.

Conditions: This symptom is observed on a Cisco 2800 series that runs Cisco IOS Release 12.3(11)T9, Release 12.4, or Release 12.4T when more than one IP phone attempts to register through a router that is configured for NAT Overload.

Workaround: There is no workaround.

CSCsf20947

Symptoms: A default route that is defined by the neighbor default-originate command may be ignored by the BGP neighbor.

Conditions: This symptom is observed on a Cisco router after a route flap in the network causes the default route to be relearned.

Workaround: Manually clear the BGP neighbor to enable the router to correctly relearn the default route.

CSCsg00860

Symptoms: Enabling NAT outside on the public interface terminates a GRE over IPsec VPN connection. The inbound ACL applied on the public interface starts to drop decrypted GRE traffic.

Conditions: This symptom has been observed with the use of IP NAT outside on the public VPN interface.

Workaround: There are two workarounds:

1. Configure NAT translations for all traffic, to force NAT processing on the packet even if no address will actually be translated. Example:

It is not a scalable workaround but may work for some deployments.

2. Configure an additional ACL entry in the inbound access-list to permit the incoming GRE traffic.

CSCsg84883

Symptoms: NAT configurations are not removed.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4 or Release 12.4T.

Workaround: There is no workaround.

CSCsh80678

Symptoms: New or flapping IGP routes may be injected into BGP even though no corresponding network statements exist.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.3(22) or a later release when the auto-summary command is enabled for BGP.

Workaround: Enter the no auto-summary command.

CSCsh90153

Symptoms: Connectivity is lost through a router that is running NAT when NAT is applied twice (double NAT) to the same traffic.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4(8a) with NAT, PBR, and the Firewall feature set configured. Under certain conditions, traffic may be translated twice when it does not need to be.

Workaround: Remove the Firewall configuration from the router.

Further Problem Description: Syslog messages and the NAT translation table show the traffic that is not making it through the router as translated twice.

CSCsh97579

Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.

Miscellaneous

CSCds25257

Symptoms: The gatekeeper rejects new registration requests from CUCM or other H.323 endpoints with an RRJ reason of duplicateAlias. Attempting to clear this stale registration fails with the message "No such local endpoint is registered, clear failed."

Conditions: CUCM H.225 trunks register to a gatekeeper (GK) cluster. GK1 and GK2 are members of the GK cluster. CUCM registers first to GK1 and then fails over to GK2. This registration at GK2 sends an alternate registration to GK1. However, because of network issues, the unregistration indication does not reach GK1.

Once the H.225 trunk attempts to register with GK1, it gets rejected because the alternate registration is still present, and there is no way to clear it out.

Workaround: Reset the gatekeeper with the shutdown command followed by the no shutdown command, or reboot the Cisco IOS GK.

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml.

CSCed57504

Symptoms: A router that is configured with a virtual template may reload unexpectedly.

Conditions: This symptom is observed on a Cisco router on which a session that uses a virtual-template is terminated and occurs when the session is cleared from a DSL CPE router that is the peer router for the connection.

Workaround: There is no workaround.

CSCei39688

Symptoms: When a CEF initialization failure occurs, an ATM PVC that is configured for OAM may not pass traffic even though the PVC link status is up:

Router#show ip interface brief | include ATM

When CEF fails to initialize the ATM PVC, atm3/0/0.300, no /32 receive entries are created. Traffic that is destined for the IP address of the subinterface is dropped.

Conditions: This symptom is observed on a Cisco router and occurs only when OAM is configured on the PVC.

Workaround: To prevent the symptom from occurring, do not configure OAM on the PVC. When the symptom has occurred, enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the affected ATM subinterface. After the workaround has been applied, the output of the show ip cef command shows the following:

CSCek48162

Symptoms: Under heavy stress, a few TDM assertion failures are seen.

Conditions: This symptom is seen with SS7 with more than 50 calls per second.

Workaround: There is no workaround.

CSCek48251

Symptoms: When you enter the redundancy switch-activity force command on the active eRSC of a Cisco AS5850 while incoming VoIP H.323 calls and outgoing CAS calls are being processed, the standby eRSC becomes the active eRSC and processes the calls, but it may crash soon afterwards at "csm_enter_idle_state."

Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS Release 12.4(9)T and that functions in RPR+ mode. The symptom may also affect Release 12.4.

Workaround: There is no workaround.

Further Problem Description: The symptom does not occur when PRI calls are being processed.

CSCek55511

Symptoms: A Cisco AS5400HPX that is running Cisco IOS Release 12.3(11)T7 may crash with I/O memory corruption.

Conditions: The crash may occur when polling for ccrpCPVGEntry, and resource pooling is enabled on the Gateway.

Workaround: Disable SNMP polling for ccrpCPVGEntry.

CSCek59022

Symptoms: In a redundancy environment, when the DHCP subsystem encounters an error and the message buffer (for example, an SCTP buffer) used for communicating with the redundant peer is not released properly, the memory remains consumed, and a low memory condition is subsequently encountered.

Conditions: This condition is encountered when buffers used in SR are not released properly.

Workaround: There is no workaround.

CSCek61974

Symptoms: You may be able to configure a minimum receive interval as short as 1 ms, which may cause problems on the router.

Conditions: This symptom is observed on a Cisco router that supports Bidirectional Forwarding Detection (BFD). Note that a minimum receive interval shorter than 50 ms is not supported in Cisco IOS software images.

Workaround: Configure a minimum receive interval of 50 ms or longer.

CSCek64188

Symptoms: An error message indicating memory leak and pending transmission for IPC messages is displayed as follows:

Conditions: This issue is introduced by the fix for CSCeb05456, so this caveat applies only if your Cisco IOS image integrates the fix for CSCeb05456.

Workaround: Periodically reload the router so that the IPC buffer pool is reinitialized.

Further Problem Description: The fix for CSCeb05456 fails to release the IPC buffer whenever it cannot access the NVRAM device. As the number of such failed accesses grows, a proportionate number of IPC buffers is never freed and the IPC buffer pool is depleted. If this trend continues beyond the threshold level, the router crashes.

CSCsb15138

Symptoms: The following error messages may be generated on a gateway that functions in a configuration in which 80 channels are processed by a VXML Server, and the call may be dropped:

ac_mtrDsp_ev(slot 2 dspId 1 heartBeat 0000058D) reset[hbErr 0]

%SYS-2-NULLCHUNK: Memory requested from Null Chunk -Process= "<interrupt level>", ipl= 1, -Traceback

Conditions: This symptom is observed rather rarely on a Cisco AS5400 gateway when the HTTP client session IDs range from 1 to 2048 because of the socket limit per Cisco IOS process. The error messages are generated when the HTTP client attempts to create a new session with the same ID as an old session that is still in use. In this situation, only a benign warning message should be generated, and the call should be accepted. If an HTTP streaming session remains in use for a long time and the traffic load of the gateway is high, the symptom is more likely to occur.

Workaround: Configure an event handler as in the following example:

If this is not an option, the symptom may be mitigated by disabling IVR streaming mode via the ivr prompt streamed none command.

CSCsc72722

Symptoms: TCP connections that are opened through a Cisco IOS Firewall (CBAC) may not time out.

Conditions: With Cisco IOS Firewall (CBAC) enabled, the TCP idle timer for a session may be reset even by TCP packets that fail TCP inspection and are subsequently dropped. This could lead to the TCP session not timing out.

Workaround: There is no workaround.

CSCsc83628

Symptoms: When a first MGCP NAS package call is cleared by the clear interface dialer command, no further calls are possible from the dialer into the NAS.

Conditions: This happens only when the clear interface dialer command is issued in the dialer to clear the call. If the call is cleared in any other form the issue does not arise.

Workaround: Avoid clearing calls with the clear interface dialer command; clear the serial interface instead.

CSCsd28214

Symptoms: A Cisco router that is running Cisco IOS Release 12.3(19) may crash due to a Watch Dog timeout while running the RIP routing protocol.

Conditions: The router may crash due to a Watch Dog timeout if an interface changes state at the exact same time a RIP route learned on that interface is being replaced with a better metric redistributed route. For example, RIP has learned the 192.168.1.0 network from Fast Ethernet 1/0. If RIP learns the 192.168.1.0 network from a redistributed protocol that has a better metric, then the RIP route will be removed. If, during this time the Fast Ethernet 1/0 interface goes down, then the router may potentially crash due to a Watch Dog timeout.

Workaround: There is no workaround.

CSCsd60783

Symptoms: On the Cisco 3200 router, FastEthernet to switched virtual interface (SVI) performance is lower than in previous releases.

Conditions: The router is configured with plain IP CEF.

Workaround: There is no workaround.

CSCsd85587

A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

Cisco IOS, documented as Cisco bug ID CSCsd85587

Cisco IOS XR, documented as Cisco bug ID CSCsg41084

Cisco PIX and ASA Security Appliances, documented as Cisco bug ID CSCse91999

Cisco Unified CallManager, documented as Cisco bug ID CSCsg44348

Cisco Firewall Service Module (FWSM)

This vulnerability is also being tracked by CERT/CC as VU#754281.

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


Note Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. A combined software table for Cisco IOS only is available at http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml and can be used to choose a software release which fixes all security vulnerabilities published as of May 22, 2007. The related advisory is published at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


CSCsd91454

Symptoms: Voice traffic is dropped in one direction due to IPHC IPCRC error.

Conditions: This problem is found some time after the voice call has been established. When the problem is occurring, the logs show IPHC error messages.

Workaround: Use process switching.

CSCsd92405

Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device.

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

Cisco IOS is affected by the following vulnerabilities:

Processing ClientHello messages, documented as Cisco bug ID CSCsb12598

Processing ChangeCipherSpec messages, documented as Cisco bug ID CSCsb40304

Processing Finished messages, documented as Cisco bug ID CSCsd92405

Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml.


Note Another related advisory has been posted with this advisory. This additional advisory also describes a vulnerability related to cryptography that affects Cisco IOS. This related advisory is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml.


A combined software table for Cisco IOS is available to aid customers in choosing a software release that fixes all security vulnerabilities published as of May 22, 2007. This software table is available at the following link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-cry-bundle.shtml.

CSCsd95616

Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml.

CSCse18355

Symptoms: A Cisco AS5850-ERSC gateway reboots continuously with the message:

ISDN **ERROR**: Module-CCPRI Function-CCPCC_CallIdle Error-Unknown event received in message from L3 or Host: 90

Conditions: This symptom has been observed when a Cisco AS5850-ERSC gateway is running Cisco IOS interim Release 12.4(7.24)T.COMP.

Workaround: Boot to ROM monitor mode and enter the following commands:

This step skips the upgrade process. To revert back, enter the following commands:

CSCse24889

Symptoms: Malformed SSH packets may cause a memory leak.

Conditions: This symptom is observed on a Cisco platform that is configured for SSH version 2 after malformed SSH packets have been received.

Workaround: There is no workaround. You can reduce the number of locations that can connect to the router by using vty access-lists:

An example of a VTY access-list can be found here:

More information on configuring vty access-lists can be found here:

http://www.cisco.com/warp/public/707/confaccesslists.html
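As an added illustration of the vty access-list mitigation that the workaround refers to (this is not configuration from the release notes or from Cisco; it is an example written for this page), the following applies a standard access list to the vty lines with access-class so that only hosts on a management subnet can open a session. The access-list number 10, the 192.0.2.0/24 management network, and the transport and timeout settings are assumptions chosen for the example.

```cisco
! Added example, not from the release notes: restrict which source
! addresses may open a management session on the vty lines.
! 192.0.2.0/24 stands in for the management network (assumed value);
! replace it with the actual subnet that is allowed to administer the router.
access-list 10 remark Management hosts allowed to reach the vty lines
access-list 10 permit 192.0.2.0 0.0.0.255
! Everything else is refused; the log keyword records each denied attempt.
access-list 10 deny any log
!
line vty 0 4
 ! Apply the list to inbound connections on the vty lines.
 access-class 10 in
 ! Only SSH, no Telnet, and drop idle sessions after 10 minutes (assumed values).
 transport input ssh
 exec-timeout 10 0
```

With the access-class in place, a connection from a source outside 192.0.2.0/24 is refused before any SSH exchange begins, so SSH packets from unlisted sources never reach the SSH server on the router. The show access-lists 10 command displays match counts for the permit and deny entries, which is a quick way to confirm that the list is being consulted and to see how many connection attempts were refused. This reduces exposure to the leak described above but does not fix it; the software update is still required.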

CSCse31572

Symptoms: A router that is configured for DMVPN may reload because of a bus error.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS Release 12.4T. The symptom could occur in Release 12.4.

Workaround: There is no workaround.

CSCse42141

Symptoms: T.38 fax calls fail when they come inbound through DID analog ports. In the debug h245 asn1 output, no OLCAck is sent back toward the fax server.

Conditions: This symptom was only reproduced on analog ports. PRI works with the same configuration.

Workaround: Send the fax call through a PRI.

CSCse46964

Symptoms: Periodic high CPU utilization occurs on CMM modules, which can cause performance issues such as poor voice quality, missed MGCP control and registration messages, and slow response from the command-line interface.

The show process cpu history command will display spikes of 100% utilization on the gateway even during hours where low activity is present.

"%ALIGN-3-CORRECT: Alignment correction made at 0x601504F4 reading 0x2225F84A" error messages will be recorded when the CMM gateway is rebooted. This can be seen in the show log command if logging buffered is enabled on the gateway. When this problem occurs, the output of the show alignment command will display a high and increasing count value for the same address.

Conditions: This symptom occurs when the CMM module is using Cisco IOS Release 12.4(8) or later releases, and the Catalyst 6000 supervisor module is a SUP720 that is running Native IOS.

Workaround: There is no workaround.

CSCse56501

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability, the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability, an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected.

Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml.

CSCse70541

Symptoms: DMVPN debugs are displayed even though they have not been turned on explicitly.

Conditions: When a user issues the debug dmvpn all crypto ? command, DMVPN debugs are enabled.

Workaround: Use the undebug all command to turn off the debugs.

CSCse89373

Symptoms: A second PRI link gets deactivated, with no ability to process incoming and outgoing calls, when the second one is deactivated remotely, physically, or manually (by CLI command).

Conditions: This symptom occurs when the first PRI is type primary-net5, and the second PRI is type primary-qsig. Deactivate the second PRI remotely or locally by physically disconnecting the cable or issuing the shutdown command under the corresponding E1 controller.

Workaround: There is no workaround.

CSCsf08998

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf16536

Symptoms: A Cisco IOS router may experience an unexpected reload.

Conditions: This problem occurs when the router has Intrusion Prevention System (IPS) configured and one or more attack signatures have the denyFlowInline action enabled.

Workaround: Do not enable the denyFlowInline action for any IPS signatures.

CSCsf28711

Symptoms: Active eRSC reloads with traceback when first (PRI/SS7) call is made.

Conditions: This issue is seen on a Cisco 5850TB that is running Cisco IOS Release 12.4(11)T. After the gateway comes up with this image, when the first (PRI/SS7) call is made, the active eRSC reloads unexpectedly with a traceback. This reload is seen for both H323 and SIP calls.

Similar issue is seen in Cisco AS5400 when a MGCP-SIP call is made.

Workaround: There is no workaround.

CSCsf30058

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsf95938

Symptoms: A memory leak occurs in the middle buffers after all onboard DSPRM pools are depleted.

Conditions: This symptom is observed on a Cisco 3800 series router that runs Cisco IOS Release 12.4(7b) with support for CVP survivability.

Workaround: There is no workaround.

CSCsg05350

Symptoms: A Cisco platform crashes due to a chunk memory leak and generates the following error messages and tracebacks:

Conditions: This symptom is observed on a Cisco AS5850 when there is a chunk memory leak. However, the symptom is platform-independent and relates to the Distributed Stream Media Processor (DSMP).

Workaround: There is no workaround.

CSCsg07907

Symptoms: A Cisco 3845 router unexpectedly reloads with a bus error, as shown in the show version output, when the DSP mini logger is enabled (voice dsp <slot> command history enable).

Conditions: This symptom is observed on a Cisco 3845 router that is running Cisco IOS Release 12.4 with conferencing enabled on the DSP slot for which the mini logger is being turned on.

Workaround: Disable conferencing on that slot, if possible.

CSCsg09818

Symptoms: A VPN 3002 client cannot form an IKE session with a Cisco IOS VPN hub over TCP encapsulation (cTCP). The hub fails to process the first Aggressive Mode (AM1) packet sent by the VPN client.

Conditions: This symptom is observed on a Cisco IOS VPN hub over TCP encapsulation.

Workaround: There is no workaround.

CSCsg12813

Symptoms: A Cisco AS5400 gateway may change its RTP sequence numbers after receiving an MDCX command. The RTP stream SSRC stays the same, but the sequence number appears to be randomly reinitialized.

Conditions: This symptom occurs when MGCP receives a modification request from the PGW for echo cancellation three seconds after the call is established.

Workaround: There is no workaround.

CSCsg15598

The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These include:

* Fragmented IP packets may be used to evade signature inspection.

* IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash, resulting in a denial of service.

There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml

CSCsg18933

Symptoms: A RIP route is learned from a RIP neighbor via a dialer interface (or other virtual interface type). When the neighbor disconnects and the interface goes down, the RIP route is removed from the RIP database. However, the RIP route remains in the routing table.

Conditions:

RIP is configured with the no validate-update-source command.

RIP routes are learned via a virtual interface.

The virtual interface is using a negotiated address.

The problem is platform-independent.

Workaround: Use the clear ip route command to remove the affected routes from the routing table.

CSCsg28628

Symptoms: NAS package asynchronous calls fail after a redundancy switchover has occurred, and the following error message is generated:

%HA_CLIENT-3-NO_CF_BUFFER: The MARVEL CRYPTO HA client failed to get a buffer (len=1120) from CF (rc=1); checkpointing failed -Traceback= 0x201C9FBC 0x217C1B58 0x217C2068 0x21BBD32C 0x21BBDFD0 0x21BBE180 0x21DCF368 0x21DCF5C4

Conditions: This symptom is observed on a Cisco AS5850 that functions in RPR+ mode. This situation may impact service.

Workaround: There is no workaround to prevent the symptom from occurring. After the symptom has occurred, enter the redundancy switchover command a couple of times to restore the Cisco AS5850 to normal operation.

CSCsg39167

Symptoms: A router crashes because of memory corruption with the following message:


Conditions: This symptom occurs on a Cisco 1800 router that is running Cisco IOS Release 12.4T images and has a HWIC-ADSL-B/ST card.

Workaround: There is no workaround.

CSCsg40567

Symptoms: Malformed SSL packets may cause a router to leak multiple memory blocks.

Conditions: This symptom is observed on a Cisco router that has the ip http secure-server command enabled.

Workaround: Disable the HTTPS server with the no ip http secure-server command.

CSCsg54522

Symptoms: A Security Device Event Exchange (SDEE) subscription request that does not contain an action is interpreted as an individual request rather than a subscription request.

Conditions: This symptom is observed on a Cisco router that is configured with the Cisco IOS Intrusion Prevention System (IPS).

Workaround: Ensure that the "action=get" action is contained in the subscription GET request.

CSCsg57002

Symptoms: The SIP Gateway will crash when handling calls involving DTMF relay.

Conditions: Following is the scenario that is causing the crash: sip-notify and sip-kpml are configured as DTMF relay mechanisms on both Cisco IOS Gateway and CCM. When a call is coming in from CCM onto the GW, because of a bug (CSCse72749), GW negotiates the DTMF mechanism as sip-notify whereas CCM negotiates the DTMF relay mechanism as sip-kpml. Subsequently, CCM sends subscribe request for KPML. GW accepts the KPML subscription and starts the respective KPML timers. Now when the call is terminated, Cisco IOS GW is cleaning up the data structures without stopping the KPML timers since the negotiated DTMF relay on Cisco IOS GW is sip-notify.

Workaround 1: Migrate to a Cisco IOS release that has the fix for CSCse72749 integrated.

Workaround 2: Enable either sip-notify or sip-kpml on the Cisco IOS GW (do not enable both).

CSCsg58570

Symptoms: Cisco IOS Firewall ALG and AIC features may not work properly in the CEF path.

Conditions: This symptom is observed on a Cisco router that is running Cisco IOS Release 12.4(9)T or a later release when Cisco IOS Firewall is enabled in the CEF path.

Workaround: Disable the CEF switching path.

Further Problem Description: The problem occurs because the firewall does not handle particle chains properly.

CSCsg59037

Symptoms: Cisco 851 and 871 routers have no way to remotely upgrade the ROMMON firmware image.

Conditions: Cisco IOS versions for the Cisco 851 and 871 routers did not provide a mechanism to remotely upgrade the ROMMON firmware image.

Workarounds: Cisco IOS Release 12.4(11)T1 for the Cisco 851 and 871 router introduces the command upgrade rom-monitor file which allows the ROMMON firmware image to be remotely upgraded. Please consult this link for more information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tcf_r/cf_13ht.htm#wp1032550

CSCsg59326

Symptoms: When an ATM (that is, a cash machine, not a WAN platform) is connected to a switch service module, significant packet loss may occur.

Conditions: This symptom is observed on a Cisco 2800 series router.

Workaround: Change the Ethernet speed to 10 Mbps at both ends.

CSCsg61748

Symptoms: After heavy traffic (about 15 Mb/s) on a VTI interface that uses hardware encryption, the interface queue becomes stuck.

When the symptom occurs, the Input/Output Queue Full Error counter in the output of the show crypto engine accelerator statistic command increases.

Conditions: This symptom is observed on a router that is running Cisco IOS Releases 12.4(6)T2, 12.4(6)T5, or 12.4(9)T1 that use HW encryption.

Workaround: There is no workaround.

CSCsg68058

Symptoms: Memory leak is seen in "CCSIP_TCP_SOCKET" process when KPML based DTMF relay is used on a SIP gateway.

Conditions: This symptom is observed when KPML based DTMF relay is used in SIP calls.

Workaround: Use other DTMF relay mechanisms (sip-notify, rtp-nte) to avoid the memory leak.

CSCsg69022

Symptoms: When a user enters the no telephony-service command, the router crashes while generating the running configuration.

Conditions: This symptom is very difficult to reproduce, but there is a potential race condition between running-configuration generation and the no telephony-service command.

Workaround: There is no workaround.

CSCsg69205

Symptoms: On a Cisco PE router that has the ip flow egress command enabled on an interface that connects to a CE router, the traffic streams that are destined for the CE router may not be captured.

Conditions: This symptom is observed when the MPLS interface is a multilink interface.

Workaround: Enter the mpls netflow egress command on the interface that connects the PE router to the CE router to enable the traffic streams to be captured by NetFlow. Once the traffic streams are being captured you can remove this command.

CSCsg75035

Symptoms: Looking at the ifIndex table from Cisco IOS shows that ifindex=6 points to the Async18 interface.

Running the Cisco IOS command:


So the interface is indexed on the router, but snmpwalk and snmpget do not return the value.

The test was run with SNMPv2 whereas the customer was running SNMPv3, and it was run both with and without the CME configuration. In neither case is ifIndex 6 for the Async18 interface returned.

Conditions: This symptom is observed on a Cisco 3825 router that is running Cisco IOS Release 12.4(4)XC5.

Workaround: There is no workaround.

CSCsh20336

Symptoms: A spoke may be unable to connect or reconnect to a hub because there may not be a crypto socket.

Conditions: This symptom is observed in a DMVPN Hub-to-Spoke environment.

Workaround: Remove the static NHRP entry from the tunnel interface that connects the spoke to the hub, and reapply the static NHRP entry.

CSCsh31605

Symptoms: In a dial backup scenario with backup EzVPN over an asynchronous or dialer interface, EzVPN intermittently fails to bring up the asynchronous or dialer interface, so dial backup EzVPN cannot always be established.

IKE request packet in failure cases is dropped with the following error:


Conditions: This symptom occurs in a dial backup scenario with backup EzVPN over an asynchronous or dialer interface.

Workaround: There is no workaround.

CSCsh37414

Symptoms: EzVPN leaks some memory after the fix for CSCsg94570. It can take a long time for the router to run out of memory, at which point it reloads.

Conditions: This symptom is observed when EzVPN leaks memory.

Workaround: There is no workaround.

CSCsh39318

Symptoms: A router may crash when the configured route limit is exceeded. When this situation occurs, the following error message is generated:


Conditions: This symptom is observed on a Cisco 10000 series that is configured for Multicast VPN but is platform-independent.

Workaround: There is no workaround.

CSCsh50275

Symptoms: In a DMVPN setup in which a spoke has overlapping ISAKMP profiles and DPD enabled, IKE quick mode fails because of an ISAKMP profile mismatch. After the IKE SA expires, the IKE SA rekey triggered by ISAKMP keepalives does not use any ISAKMP profile when initiating the SA. With overlapping ISAKMP profiles present, the IKE SA may attach to the wrong ISAKMP profile instead of the one configured on the corresponding tunnel interface and used by the original IKE SA, and quick mode then fails because of the profile mismatch. The only way to recover is to clear the Phase 1 SA.

Conditions: This symptom occurs during DMVPN testing.

Workaround: There is no workaround.

CSCsh54729

Symptoms: When Cisco Tunneling Control Protocol (CTCP) is enabled on a Cisco IOS VPN hub without any crypto maps configured, CTCP sessions can be formed and leaked if any VPN clients try to connect over CTCP.

Conditions: This symptom occurs when Cisco Tunneling Control Protocol (CTCP) is enabled on a Cisco IOS VPN hub without any crypto maps configured.

Workaround: Disable CTCP when no crypto maps are configured.

CSCsh58082

Cisco devices running an affected version of Internetwork Operating System (IOS) which supports Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the device when receiving a specific series of packets destined to port 5060. This issue is compounded by a related bug which allows traffic to TCP port 5060 and UDP port 5060 to be processed on devices not configured for SIP.

There are no known instances of intentional exploitation of this issue. However, Cisco has observed data streams that appear to be unintentionally triggering the vulnerability.

Workarounds exist to mitigate the effects of this problem on devices which do not require SIP.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml.

CSCsh94526

Symptoms: When an accounting stop (acct-stop) is received for a non-RADIUS-proxy (normal IP) user, a router that is configured for SSG crashes.

Conditions: This symptom occurs when SSG is configured in RADIUS proxy mode and the ssg wlan reconnect command is also configured.

Workaround: There is no workaround.

CSCsi04183

Symptoms: A router that is configured as an EasyVPN client is not able to connect automatically to the EasyVPN server using its saved Xauth username and password.

Conditions: This symptom is observed when the router is powered-up or when the ISAKMP re-keying happens.

Workaround: Manually execute the crypto ipsec client ezvpn xauth command in the router console and enter the respective username/password.

TCP/IP Host-Mode Services

CSCse05736

Symptoms: A router that is running RCP can be reloaded by a specific packet.

Conditions: This symptom is seen under the following conditions:

The router must have RCP enabled.

The packet must come from the source address of the designated system configured to send RCP packets to the router.

The packet must have a specific data content.

Workaround: Apply access lists at the edge of your network that block RCP packets, to prevent spoofed RSH packets from reaching the router. Use another protocol, such as SCP, instead of RCP. Apply VTY ACLs.
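The workaround above amounts to three checks on a running configuration: RCP/RSH should not be enabled (SCP is the replacement), every VTY line should carry an inbound access-class, and the edge ACL should drop TCP/514, the rsh service port that RCP rides on (IOS also accepts the port keyword cmd for it). The following Python script, an added example that is not part of the release notes or of any Cisco tool, audits a config text for those three points. The two configurations embedded in it are constructed for the example; the host name, ACL names and the 10.1.1.5 management host are assumptions, and the weak one deliberately shows the exposed settings beside the hardened one.

```python
"""Audit a Cisco IOS running-config for the RCP/RSH exposure in CSCse05736.

Added example, not Cisco code. Sample configurations are constructed; names
and addresses in them are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: RCP and RSH enabled, one VTY range with no access-class,
# and an edge ACL that never blocks the rsh/rcp service port.
WEAK_CONFIG = """\
hostname edge-rtr
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host admin 10.1.1.5 admin enable
ip access-list extended EDGE-IN
 permit tcp any any eq 22
 permit ip any any
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class MGMT-ACL in
"""

# Constructed sample: the corrected form. Disabled rcmd services are defaults,
# so they simply do not appear; SCP replaces RCP and TCP/514 is dropped at the edge.
HARDENED_CONFIG = """\
hostname edge-rtr
ip scp server enable
ip access-list extended EDGE-IN
 deny tcp any any eq 514
 permit tcp host 10.1.1.5 any eq 22
 permit ip any any
line vty 0 15
 access-class MGMT-ACL in
 transport input ssh
"""

RCMD_ENABLE = re.compile(r"^ip rcmd (rcp|rsh)-enable\s*$")
VTY_BLOCK = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
ACL_BLOCK = re.compile(r"^ip access-list extended (\S+)\s*$")
ACCESS_CLASS_IN = re.compile(r"^\s*access-class\s+\S+\s+in\b")
# rsh/rcp listens on TCP/514; IOS names that port "cmd" in ACL syntax.
DENY_RSH = re.compile(r"^\s*deny\s+tcp\s+.*\beq\s+(514|cmd)\b")


def audit_rcp_exposure(config: str) -> List[str]:
    """Return a list of findings (empty when the config meets all three checks)."""
    enabled: List[str] = []
    vty_ok: Dict[str, bool] = {}   # "0 4" -> has an inbound access-class
    acl_ok: Dict[str, bool] = {}   # ACL name -> denies tcp/514
    block_kind = block_name = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Any unindented line ends the current section (line vty / ip access-list).
            block_kind = block_name = None
            m = RCMD_ENABLE.match(line)
            if m:
                enabled.append(m.group(1))
                continue
            m = VTY_BLOCK.match(line)
            if m:
                block_kind, block_name = "vty", line[len("line vty "):].strip()
                vty_ok[block_name] = False
                continue
            m = ACL_BLOCK.match(line)
            if m:
                block_kind, block_name = "acl", m.group(1)
                acl_ok[block_name] = False
            continue
        if block_kind == "vty" and ACCESS_CLASS_IN.match(line):
            vty_ok[block_name] = True
        elif block_kind == "acl" and DENY_RSH.match(line):
            acl_ok[block_name] = True
    findings = [f"ip rcmd {svc}-enable is configured; disable it and use SCP (ip scp server enable)"
                for svc in enabled]
    findings += [f"line vty {rng} has no inbound access-class" for rng, ok in vty_ok.items() if not ok]
    findings += [f"ACL {name} does not deny tcp/514 (rsh/rcp)" for name, ok in acl_ok.items() if not ok]
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_rcp_exposure(cfg) or ['no findings']}")
```

The ACL check is deliberately coarse: it only asks whether an extended ACL contains a deny for TCP/514 at all, because the advisory's point is that a spoofed packet from the configured ip rcmd remote-host address is enough, so the port has to be blocked from everywhere the trusted host could be impersonated. Enabling the SCP server on IOS also requires AAA authentication and authorization to be configured, which the sample omits.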

CSCsg00102

Symptoms: In Cisco IOS Release 12.4(9)T, TCP stops accepting new connections after SSLVPN has been running on the router for a few days. The debug ip tcp transaction command reports that the connection queue limit has been reached, and when the problem occurs the show tcp brief all command shows five connections in the CLOSED state.

Conditions: This symptom is observed in Cisco IOS Release 12.4(9)T.

Workaround: Enter the clear tcp tcb * command. This command will clear all the TCP connections on the router.

Wide-Area Networking

CSCek41260

Symptoms: The router crashes while it receives an incoming PAD call through the TTY line.

Conditions: This symptom has been observed only when the PAD call comes in through the TTY line, not when it comes in through the serial interface.

Workaround: There is no workaround.

CSCek59078

Symptoms: An L2TPv3 session is established when voluntary tunneling is configured and both peers have corresponding configurations. However, after you configure a pseudowire on a virtual PPP interface on one of the peers, the session on this peer is up but the line protocol is down, and a "virtual-PPP1 is up, line protocol is down" error message is generated.

Conditions: This symptom is observed when the virtual PPP interface is first deleted via the no interface virtual-ppp number command and then reconfigured via the interface virtual-ppp number command before you configure a pseudowire on the virtual PPP interface.

Workaround: Before you configure a pseudowire on the virtual PPP interface, ensure that the virtual PPP interface has never been unconfigured via the no interface virtual-ppp number configuration command.

CSCek60025

Symptoms: A ping may be dropped in a PPP callback scenario.

Conditions: This symptom is observed on a Cisco router when Multilink PPP (MLP) and the dialer load-threshold command are enabled.

Workaround: There is no workaround.

CSCek62099

Symptoms: When Multilink PPP (MLP) is enabled for a PPP over Ethernet (PPPoE) session, outbound packets are incorrectly sent without PPPoE headers. This situation causes packets to be dropped.

Conditions: This symptom is observed in Cisco IOS Release 12.4 on all software-forwarding routers and affects only packets that are not multilink-encapsulated (when the bundle has only a single link).

Workaround: Enter the ppp multilink fragment delay interface configuration command to force multilink headers to be applied to all outbound packets.

Alternate Workaround: Disable MLP.

CSCek67875

Symptoms: During a test of the B-Channel Maintenance Procedure (BCAC), the incoming SERVICE message is not printed with the correct channel.

Conditions: This symptom is observed in SERV collision and SETUP collision.

Workaround: There is no workaround.

CSCse05777

Symptoms: A router may reload unexpectedly when you configure more multilink interfaces than the maximum number that the router can support. The router should not reload but should generate an error message.

Conditions: This symptom is observed on any Cisco router that imposes a limit on the number of multilink interfaces.

Workaround: Do not exceed the maximum number of multilink interfaces.

CSCse34162

Symptoms: A Cisco router hangs after 5 to 10 minutes of passing async traffic over a dialer interface.

Conditions: normal

Workaround: There is no workaround. A reboot is required to recover.

CSCse78652

Symptoms: The queuing mode on multilink interfaces erroneously defaults to fair-queuing instead of FIFO, causing distributed Cisco Express Forwarding (dCEF) to fail.

Conditions: This symptom is observed on a Cisco 7500 series and occurs for all multilink interfaces. However, the symptom is platform-independent.

Workaround: There is no workaround.

CSCsf30411

Symptoms: In L2TP dial-out, failover with the limit and priority options specified produces incorrect output in the show vpdn command, making the limit option unusable.

Conditions: This happens when the limit and priority options are enabled on the LNS and a ping is sent from the LNS to the two LACs to check that the limit option works. The number of sessions should equal the limit, but more sessions than the specified limit are created.

Workaround: There is no workaround.

CSCsf30493

Symptoms: When a T.37 onramp call is made, the following error message may be generated:


Conditions: This symptom is observed on a Cisco AS5850 that runs Cisco IOS interim Release 12.4(10.7). The symptom may not be platform-specific.

Workaround: There is no workaround.

CSCsg15642

Symptoms: A PSTN gateway unexpectedly restarts because of a lack of memory. Over time, memory utilization increases, and the show processes memory sorted command indicates that the ISDN process is allocating an increasing amount of memory.

Conditions: This leak occurs when a SETUP message with Display IE is received.

Workaround: There is no workaround.

CSCsg40885

Symptoms: A router crashes during an online insertion and removal (OIR) of a multilink interface.

Conditions: This symptom is observed on a Cisco 7200 series that is configured for MLP and PPP.

Workaround: Shut down the multilink interface before you perform an OIR.

CSCsg50202

Symptoms: When a BRI interface flaps rapidly, ISDN Layer 1 detects a link down state, but Layer 2 and Layer 3 may remain in the active state during the transition. This situation may cause the BRI interface to become stuck, and subsequent incoming and outgoing calls to be rejected.

Conditions: This symptom is observed when a cable is pulled out and put back rapidly.

Workaround: Enter the clear interface command on the affected BRI interface.

Alternate Workaround: Enter the shutdown command followed by the no shutdown command on the affected BRI interface.

CSCsh00185

Symptoms: A software forced crash occurs with memory corruption in processor pool memory.

Conditions: This symptom is observed when an unusually long Calling Name (more than 70 characters) in the received Facility IE causes the crash.

Workaround: There is no workaround.

CSCsh85902

Symptoms: For a normal ISDN call, a DISCONNECT message is issued when the call is disconnected. The contents of this DISCONNECT message are replaced with the explicitly configured message. That configured message has an invalid facility component, so the receiving side should send a facility reject component; however, the reject is missing.

Conditions: This symptom happens with Cisco IOS Interim Release 12.4(12.15)T and occurs only for PRI interfaces. It is seen in Cisco IOS Release 12.4 mainline and Release 12.4T.

Workaround: There is no workaround.