Table Of Contents
Release Notes for Cisco 7000 Family for Cisco IOS Release 12.2(14)SU
Determining the Software Version
Upgrading to a New Software Release
New Hardware Features in Cisco IOS Release 12.2(14)SU
New Software Features in Cisco IOS Release 12.2(14)SU
Open Caveats—Cisco IOS Release 12.2(14)SU
Resolved Caveats—Cisco IOS Release 12.2(14)SU
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco 7000 Family for Cisco IOS Release 12.2(14)SU
January 27, 2005
Text Part Number OL-5458-01 B0
These release notes describe changes to the software for the Cisco 7200 series routers for Cisco IOS Release 12.2(14)SU.
Contents
•
Cisco Product Security Overview
•
Obtaining Technical Assistance
•
Obtaining Additional Publications and Information
Introduction
Cisco IOS Software Release 12.2(14)SU features Stateful Failover of IPSec security associations (SAs) for site-to-site VPN (see Figure 1), storage of encrypted pre-shared keys in the configuration, Cisco 7200 NPE-G1 processor support, and VAM2 crypto card support (DES and 3DES only). Cisco IOS Software Release 12.2(14)SU is based on Cisco IOS Release 12.2(11)YX, which supports Stateful Failover of IPSec SAs for site-to-site VPNs, but not on Cisco 7200 routers with the NPE-G1 processor, and not on VAM2 crypto cards.
Figure 1 shows a sample topology for site-to-site configuration of IPSec Stateful Failover with Generic Routing Encapsulation (GRE), a tunnel interface not tied to specific "passenger" or "transport" protocols.
GRE supports multicast traffic, critical for V3PN applications.
Figure 1 Site-to-Site VPN Configuration
There are four possible configurations for the Cisco 7200 series routers using Cisco IOS Release 12.2(14)SU:
•
non-GRE High Availability (HA) with a virtual IP (VIP), or redundancy groups, on the outside and a VIP on the inside (see Figure 2)
•
non-GRE HA with only VIPs on the outside. The route to the outside is provided by Reverse Route Injection (RRI) (see Figure 3)
•
GRE HA, with VIPs on the outside and inside interfaces (see Figure 4)
•
GRE HA, with only a VIP on the outside, using RRI to inject routes (see Figure 5)
Figure 2 HSRP VIP on Inside and Outside
Figure 3 HSRP VIP on Outside, RRI Injected Routes on Inside
Figure 4 GRE HA with VIPs on the Outside and Inside Faces
Figure 5 GRE HA with Only a VIP on the Outside, Using RRI to Inject Routes
Features
The following features are new to Cisco IOS Release 12.2(14)SU:
•
Cisco 7200 router with the NPE-G1 processor
•
VPN Acceleration Module (VAM), VPN Acceleration Module 2 (VAM2)
•
Encrypted pre-shared key
Table 1 provides a summary of the Cisco IOS Release 12.2(14)SU performance guidelines.
Note
Performance may vary depending on the actual features enabled; however, these guidelines offer general guidance for stable deployment. Contact Cisco TAC for guidelines outside of these parameters.
Limitations
Cisco IOS Release 12.2(14)SU feature limitations include:
•
No EzVPN support for Stateful Failover
•
Only single VAM/VAM2 support in the high availability (HA) configuration
•
IPSec stateful solution is incompatible with old style IKE keepalives but is compatible with DPD (Note: DPD is not a requirement for IPSec stateful HA solution)
•
No AES support in Cisco IOS Release 12.2(14)SU or hardware (VAM2)
•
No NAT-T features
System Requirements
This section includes the following topics:
•
Determining the Software Version
•
Upgrading to a New Software Release
Memory Requirements
Table 2 lists the software images and corresponding memory requirements for the Cisco 7200 series routers in Cisco IOS Release 12.2(14)SU.
Note
For a complete list of the minimum memory recommendations for the Cisco 7200 series of routers in Cisco IOS Release 12.2, go to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/xprn122/122feats.htm#55814
Note
It is recommended that you upgrade your boot image with the c7200-kboot-mz boot helper image when using Cisco IOS Release 12.2(14)SU.
Hardware Supported
Cisco IOS Software Release 12.2(14)SU supports the Cisco 7200 series routers with NPE- 225, NPE-400, and NPE-G1 processors, as well as the VPN Acceleration Module (VAM) and VAM2 crypto cards (DES and 3DES only).
Note
Cisco IOS Software Release 12.2(14)SU supports only a single VAM/VAM2 in the HA configuration.
For additional information about supported hardware for these platforms, refer to the Hardware/Software Compatibility Matrix in the Cisco Software Advisor at the following URL:
http://www.cisco.com/cgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi
Determining the Software Version
To determine the version of Cisco IOS software running on your router, log in to the router and enter the show version EXEC command:
Note
The following example shows output from the Cisco 7200 series router.
router> show version
Cisco Internetwork Operating System Software
IOS (tm) 7200 series Software c7200-jk9o3s-mz, Version 12.2(14)SU, RELEASE SOFTWARE
Upgrading to a New Software Release
For general information about upgrading to a new software release, refer to Software Installation and Upgrade Procedures located at the following URL:
http://www.cisco.com/warp/public/130/upgrade_index.shtml
Feature Set Tables
The Cisco IOS software is packaged in feature sets, each consisting of software images that depend on the platform. Each feature set contains a specific set of Cisco IOS features.
For a complete list of feature sets supported by the Cisco 7200 series routers in Release 12.2, go to the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/xprn122/122reqs.htm#xtocid3
Caution
Cisco IOS images with strong encryption (including, but not limited to, 168-bit Triple Data Encryption Standard [3DES] data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay because of United States government regulations. When applicable, purchaser and user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an E-mail to export@cisco.com.
New and Changed Information
This section includes the following topics:
•
New Hardware Features in Cisco IOS Release 12.2(14)SU
•
New Software Features in Cisco IOS Release 12.2(14)SU
New Hardware Features in Cisco IOS Release 12.2(14)SU
The following hardware features are new to Cisco IOS Release 12.2(14)SU:
•
Cisco 7200 router NPE-G1 processor
•
VPN Acceleration Module 2 (VAM2)
Note
Support for Stateful Failover of IPSec security associations (SAs) for site-to-site VPNs was first introduced on Cisco IOS Release 12.2(11)YX, but did not extend to Cisco 7200 routers with the NPE-G1 processor, and VAM2 crypto cards.
New Software Features in Cisco IOS Release 12.2(14)SU
Encrypted pre-shared key is the new software feature added to Cisco IOS Release 12.2(14)SU.
The following software features were previously introduced in Cisco IOS Release 12.2(11)YX and Cisco IOS Release 12.2(11)YX1, and are also supported in Cisco IOS Release 12.2(14)SU:
•
IPSec High Availability with Generic Routing Encapsulation (GRE)—Adds a tunnel interface for each GRE endpoint. Because tunnels are point-to-point links, you must configure a separate tunnel for each link.
•
IPSec High Availability—Enables VPN tunnels to fail over from an active unit to a standby unit without reinitiating the VPN tunnels, and without detection by remote devices.
•
IKE Acceleration—Reduces VPN tunnel setup time. This feature is useful in network storm situations, when a large number of tunnels need to be set up simultaneously.
•
Dead Peer Detection (DPD)—Tracks peer connectivity. When a peer connection is down, it will trigger IKE renegotiation. While similar to IKE keepalive functions, it provides improved scalability and less peer tracking overhead. DPD is the only keepalive supported under stateful HA.
•
Multiple redundancy groups (VIPs).
Caveats
This section lists caveats for the Cisco IOS Release 12.2(14)SU, by tracking number (DDTS #) and release number, and indicates whether the caveat has been corrected. An "O" indicates that the caveat is open in the release; a "C" indicates that the caveat is closed in the release, and an "R" indicates that the caveat is resolved in the release.
Note
If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/kobayashi/support/tac/tools_trouble.shtml
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Table 3 lists the caveats for the Cisco IOS Release 12.2(14)SU.
In this section, the following information is provided for each caveat:
•
Symptoms—A description of what is observed when the caveat occurs.
•
Conditions—The conditions under which the caveat has been known to occur.
•
Workaround—Solutions, if available, to counteract the caveat.
Note
If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. To reach Bug Navigator II, log in to Cisco.com and click Software Center: Cisco IOS Software: Bug Toolkit: Bug Navigator II. Another option is to go to http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.
The caveats section includes the following subsections:
•
Open Caveats—Cisco IOS Release 12.2(14)SU
•
Resolved Caveats—Cisco IOS Release 12.2(14)SU
Open Caveats—Cisco IOS Release 12.2(14)SU
This section describes possibly unexpected behavior by Cisco IOS Release 12.2(14)SU. All the caveats listed in this section are open in Cisco IOS Release 12.2(14)SU. This section describes severity 1 and 2 caveats and select severity 3 caveats.
Note
Many caveats that apply to Cisco IOS Release 12.2 also apply to Cisco IOS Release 12.2(11)S. For information on severity 1 and 2 caveats in Cisco IOS Release 12.2, see the Caveats for Cisco IOS Release 12.2 document located on Cisco.com at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/xprn122/index.htm
•
CSCed20668
Symptom: On the standby device, you may see the following IPSec security association (SA) insertion failure message:
%CRYPTO_HA-3-IPSECADDENTRYFAIL: (VIP=80.0.0.200) IPSEC SA entry insertion on standby device failed
Condition: This occurs when Quality of Service (QoS) is enabled, and 64-byte packets of voice data are being sent. At rekey time, we may run into this problem; no failover attempt is needed to trigger this.
Workaround: Do not send small size packets.
•
CSCed31869
Symptom: During rekey we may see the following Invalid Packet message:
%VPN_HW-1-PACKET_ERROR: slot: 6 Packet Encryption/Decryption error, Invalid Packet
Condition: At rekey time, we may run into this problem; no failover attempt is needed to trigger this.
Workaround: There is no workaround.
Resolved Caveats—Cisco IOS Release 12.2(14)SU
This section describes caveats that have been resolved by Cisco IOS Release 12.2(14)SU.
•
CSCdt38138
Symptom: A Cisco 7200 series router configured for IPSec may reboot with a bus error. This occurs due to a race condition in rare circumstances. Often, reloading helps continue operations until the code is upgraded.
Workaround: There is no workaround.
•
CSCdu14815
Symptoms: In a multiple crypto peer and tunnel environment, packets may be encrypted with the wrong security associations and delivered to the wrong peers. This symptom may coincide with the following error on the unintended crypto peers:
%CRYPTO-4-RECVD_PKT_INV_IDENTITY: identity doesn't match negotiated identity
Conditions: This symptom is observed if the encryption router is a Cisco 7100 series or a Cisco 7200 series that is configured with an Integrated Service Adapter (ISA), an Integrated Service Module (ISM), a Virtual Private Network (VPN) Acceleration Module (VAM), an IP Security (IPSec) accelerator module and that is running Cisco Express Forwarding (CEF) switching.
Workaround: Use fast switching instead of CEF switching.
•
CSCdu27522
Symptoms: A simple data encryption standard (DES) encrypted mechanism is needed to set a configuration password.
Workaround: A configuration password can be set using:
key config-key encrypted-password <minimum 8 chars password>
This password is stored in private NVRAM and cannot be viewed. This same password should be used for a DES encryption (and subsequent decryption).
Note
This DDTS has been incorporated in Cisco IOS Release 12.2(14)SU as a feature.
•
CSCdu83902
Symptom: A Simple Network Management Protocol (SNMP) query for cips3DesCapable may return an incorrect value.
Workaround: There is no workaround.
•
CSCdv02381
Duplicate (see CSCdu83902).
•
CSCdv40576
Symptoms: Entering the show ip rsvp neighbor, show ip rsvp listeners, or show ip rsvp sender command line interface (CLI) commands does not provide protection against the deletion of the current state on the router console when, for example, the output pauses in the More state. This situation may cause the router to reload.
Conditions: This symptom is observed on a router that is configured with Resource Reservation Protocol (RSVP).
Workaround: There is no workaround.
•
CSCdy23784
Symptom: A Cisco 7204VXR router with a VAM card running Cisco IOS Release 12.1(12)CE and configured for IPSec generates an error message ("Error coming back 0004"). The IPSec tunnel stays up and traffic passes without any problem.
Workaround: There is no workaround.
•
CSCdz28836
Symptom: When using the no crypto engine accelerator[<slot>] command to disable the hardware encryption adapter, the command does not appear in the running configuration, nor is it saved in the startup configuration. After reboot, the adapter is re-enabled.
Workaround: If necessary, remove the adapter from the chassis.
•
CSCdz41087
Symptom: In a router running Enhanced IGRP (EIGRP), after reload, the subnet of the gig interface which is covered under EIGRP as a passive interface, does not appear in the topology table.
Workaround: Perform a shut/no shut on the interface, or configure an "event-buffer" under the interface configuration mode for the affected interfaces:
interface Ethernet1/0
 event-buffer
Then, copy the running configuration to the startup configuration and perform a shut/no shut on the interface.
Note
This command need not be configured under subinterfaces, and is not available under subinterfaces.
•
CSCdz45785
Symptoms: The protocol ppp virtual-template number interface configuration command may not function.
Conditions: This symptom is platform independent and is observed in an environment that uses permanent virtual circuits (PVCs) or switched virtual circuits (SVCs).
Workaround: There is no workaround.
•
CSCdz55602
Symptoms: A Cisco router may reload unexpectedly when you enter the crypto card shutdown<slot> global configuration command, followed by the crypto card enable<slot> global configuration command while traffic is flowing.
Conditions: This symptom is observed on a Cisco 7200 series router that is configured with a VPN Accelerator Module (VAM).
Workaround: Shut down the input interface before you enter the crypto card shutdown <slot> global configuration command followed by the crypto card enable <slot> global configuration command.
•
CSCdz66009
Symptom: All IKE/IPSec security associations (SAs) on a VAM2 card failed after running for 48 hours.
Workaround: There is no workaround.
•
CSCdz84583
Duplicate (see CSCed27956).
•
CSCdz90291
Symptom: Routers using a crypto accelerator will print CPUHOG messages when those crypto accelerators are disabled. When all crypto accelerators are disabled, the Cisco IOS software switches to software crypto and as part of this transition will attempt a DOA clean-up, which is CPU intensive.
Workaround: There is no workaround.
•
CSCea04725
Symptom: The counter `#pkts decompress failed' updates when decompressing 100 byte packets instead of showing '#pkts decompressed'.
Conditions: The counter increments with a Cisco 7200 router running a VAM while decompressing 100 byte packets. This problem is not seen for 300, 500, 1400 byte packets.
Workaround: There is no workaround. This is a counter issue and there is no functionality change. A 100 byte packet is not decompressed on the IKE responder.
•
CSCea19885
Symptoms: A Cisco 3700 router with a voice feature enabled, such as H.323, may reload because of a bus error at the address 0xD0D0D0B.
Conditions: This symptom is observed on a Cisco 3700 series but may also occur on other Cisco routers.
Workaround: There is no workaround.
•
CSCea26142
Symptoms: When using a dialer interface, IKE SAs were not being set up.
Workaround: There is no workaround.
•
CSCea32240
Symptoms: Cisco products running Cisco IOS software releases contain vulnerabilities in the processing of H.323 messages, which are typically used in packetized voice or multimedia applications. Features such as NAT and the Cisco IOS Firewall must inspect H.323 messages and may be vulnerable as well. A test suite has been developed by the University of Oulu to target this protocol and identify vulnerabilities.
Support for the H.323 protocol was introduced in Cisco IOS Software Release 11.3T, and all later Cisco IOS releases are affected if configured for various types of Voice/Multimedia Application support. The vulnerabilities can be exploited repeatedly to produce a denial of service (DoS).
Workaround: There are workarounds available that may mitigate the impact, but these techniques may not be appropriate for use in all customer networks. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml.
•
CSCea33065
Duplicate (see CSCea32240).
•
CSCea36231
Duplicate (see CSCea32240).
•
CSCea46342
Duplicate (see CSCea32240).
•
CSCea51030
Duplicate (see CSCea32240).
•
CSCea51076
Duplicate (see CSCea32240).
•
CSCea51108
Symptom: A router running Cisco IOS software using the VPN Accelerator Module (VAM) as the hardware crypto engine incorrectly performs anti-replay detection, even though there is no authentication enabled in the IPSec transform set. This is in violation of RFC2406, and it causes out-of-order Encapsulating Security Payload (ESP) packets to be dropped on the receiver.
Workaround: The workaround is to either disable the VAM, or to configure the sender such that ESP packets will not be delivered out-of-order.
•
CSCea54851
Duplicate (see CSCea32240).
•
CSCea66198
Symptoms: A Cisco 7000 series router may encounter a bus error when applying a crypto map on a FDDI interface.
Conditions: This symptom is observed on a Cisco 7500 series router that is running Cisco IOS Release 12.2(11)T2, Release 12.2(13)T1, or Release 12.2 (13a). The symptom may also occur in other releases such as Release 12.0 S.
Workaround: There is no workaround.
•
CSCea72586
Duplicate (see CSCea66198).
•
CSCea73184
Symptom: The following messages are seen on the console.
15:03:20: ISAKMP: someone is trying to make IKE refcount negative: struct 0x53829B6C for declare_sa_dead(), from 0x412BF6CC, last_last is 0x4130FA90
last locker 0x412E69F8, last_last_locker 0x412E69F8
15:03:20: -Traceback= 412EA138 412BF6E4 412BF7E4 412BB254 412BC034
15:03:48: ISAKMP: someone is trying to make IKE refcount negative: struct 0x4B907000 for declare_sa_dead(), from 0x412BF6CC, last_last is 0x4130FA90
last locker 0x412E69F8, last_last_locker 0x412E7018
15:03:48: -Traceback= 412EA138 412BF6E4 412BF7E4 412BB254 412BC034
15:05:00: %CRYPTO-4-IKMP_NO_SA: IKE message from 101.2.129.1 has no SA and is not an initialization offer
15:06:18: ISAKMP: someone is trying to make IKE refcount negative: struct 0x54A6F524 for declare_sa_dead(), from 0x412BF6CC, last_last is 0x4130FA90
last locker 0x412E69F8, last_last_locker 0x412E69F8
15:06:18: -Traceback= 412EA138 412BF6E4 412BF7E4 412BB254 412BC034
15:07:18: ISAKMP: someone is trying to make IKE refcount negative: struct 0x4BF50C5C for declare_sa_dead(), from 0x412BF6CC, last_last is 0x4130FA90
last locker 0x412E7018, last_last_locker 0x412E69F8
15:07:18: -Traceback= 412EA138 412BF6E4 412BF7E4 412BB254 412BC034
Conditions: These messages can be observed if the standby High Availability (HA) enabled router has a peer that does NAT-T, but no Dead Peer Detection (DPD). Currently, all routers running Cisco IOS software and Cisco VPN Clients that support NAT-T also support DPD.
Workaround: Use a DPD enabled router when using NAT-T, or ensure that the router is on the public network, i.e., outside the NAT gateway.
•
CSCea80003
Symptom: Reverse route injection (RRI) routes are not deleted when dynamic crypto maps with reverse-route are enabled. Security associations (SAs) are established, and routes to the remote protected networks are injected. After failing over several times, the routes are not deleted when the active router transitions to the standby router, even though there are no SAs on the router.
Workaround: There is no workaround.
•
CSCea89248
Symptom: IKE will not rekey IKE security associations (SAs) correctly, since for non NAT-T SAs, the peer ports are being set to zero.
Conditions: If an IKE SA belongs to a peer that is not using NAT-T, it will not rekey correctly.
Workaround: There are no workarounds. Increase IKE SA lifetime as much as possible.
•
CSCeb10232
Symptoms: The counters `#pkts encaps' and `#pkts encrypted' don't match the output of the show crypto ipsec sa command.
Conditions: A Cisco 7200 series router running a VPN Accelerator Module (VAM) encounters errors while processing packets.
Workaround: Disable VAM and use software crypto. Although the counters mismatch, functionality is not affected.
•
CSCeb16876
Symptoms: A Cisco router may generate a "SYS-2-GETBUF" message during the "Tag Input" process and may subsequently reload unexpectedly.
Conditions: This symptom is observed when the router fragments a Multiprotocol Label Switching (MPLS) packet.
Workaround: There is no workaround.
•
CSCeb26495
Symptom: The Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) establishment might fail when many (>80) SAs are concurrently negotiated to the headend of a Cisco 7200 router with a VPN Accelerator Module (VAM), due to slow processing by the VAM.
Conditions: These symptoms occur when:
–
many remote peers are attempting to establish phase 1 SAs to the headend
–
when a Diffie-Hellman group5 configuration occurs in the ISAKMP policy and/or pfs group5
Workaround: Use group2 instead of group5.
•
CSCeb38634
Symptom: The SNMP query for "cikeTunHistOutP2SaDelReqs" may return an improper value.
Workaround: There is no workaround.
•
CSCeb47002
Symptom: A class map does not match packets that are originated from the router. All packets are classified to class-default.
Condition: This problem occurs on Cisco 7200 routers with VAM module when hardware encryption and fast/CEF switching are enabled.
Workaround: Turn off hardware encryption.
•
CSCeb56909
Cisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on MPLS disabled interfaces.
The vulnerability is only present in Cisco IOS release trains based on 12.1T, 12.2, 12.2T, 12.3 and 12.3T. Releases based on 12.1 mainline, 12.1E and all releases prior to 12.1 are not vulnerable.
More details can be found in the security advisory which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20050126-les.shtml.
•
CSCeb68105
Symptom: A Cisco 7200 router running Cisco IOS software 12.1(E) crypto image, with dynamic crypto map configuration may drop clear traffic.
Conditions: Access lists are not mandatory for dynamic crypto maps. However, if we add an access list and then remove the access list from the dynamic crypto map, the assigned interface will drop clear traffic.
Workaround: Reattach the access list or delete the dynamic crypto map configuration and create it again.
•
CSCec21593
Symptom: The Cisco 7200 routers with NPE-G1 processors and VPN Accelerator Module (VAM) cards are not supported.
Condition: The IKE tunnel fails to come up with Tunnel End-Point Discovery (TED) configured. The negotiation fails at Peer Discovery.
Workaround: A new image has been included in this Cisco IOS software release 12.2(14)SU to support Cisco 7200 routers with NPE-G1 processors and VPN Accelerator Module (VAM) cards.
•
CSCec24217
Duplicate (see CSCec21593).
•
CSCec33454
Symptom: When a router is configured to perform IKE/IPSec crypto operations, those operations are handled by the Cisco IOS crypto-software by default. When a router has crypto hardware, crypto operations will be handled by the crypto hardware.
Condition: When a failure exists with the crypto hardware or the crypto hardware shuts down, all crypto operations will be switched back to software operations, which can max out the router CPU and potentially disturb normal router operations.
This DDTS introduces a new CLI, which enables the Cisco IOS crypto-software to handle all IKE/IPSec crypto operations. Issue this command to make the router stop handling any IKE/IPSec crypto-operations when there is crypto-hardware failure.
Workaround: There is no workaround.
•
CSCec33664
Symptom: When an IPSec crypto card fails, syslog messages are generated which can trigger a syslog SNMP trap when logging it at 'error' level.
Workaround: Set logging to 'informational' level, so as to not generate syslog SNMP traps.
•
CSCec48816
Symptoms: A router may reload unexpectedly when removing network commands. The crash will not always happen when network commands are removed. There is a small window where this can happen when a network command which covers an interface running OSPF is removed, and there are outstanding packets from this interface in OSPF queue.
Conditions: This symptom is observed on a Cisco router that has the router ospf global configuration command enabled.
Workaround: There is no workaround.
•
CSCec84331
Symptom: The crypto/ISAKMP subsystem may leak memory related to extended authentication (Xauth) and configuration mode attributes when some ISAKMP security associations (SAs) are not established during Xauth.
Conditions: This leak arises under stress or packet loss conditions where either the client or the server declares the SA dead in the middle of Xauth.
Workaround: There are no workarounds.
•
CSCec85977
Symptom: An error 0x4 may occur on a Cisco 7200 router with a VAM.
Conditions: The router is configured for a large number of tunnels and has memory fragmentation or low memory conditions.
Note
If there are too many 0x4 errors after many rekeys, the router will be unable to create IPSec tunnels and reloading the crypto card is the only way out.
Workaround: Reset the crypto card (VAM), however, this will tear down all the existing tunnels.
•
CSCec88024
Symptom: The router crashes when the system is running at 100% CPU.
Condition: The router crashes when running at 100% CPU with 500 GRE/IPSec tunnels with dead peer detection (DPD).
Workaround: The CPU should be running at approximately 50%. The Cisco IOS 12.2(14)SU release is qualified for up to 1000 GRE tunnels.
•
CSCed09248
Symptom: A Cisco 7200 router running IPSec may crash with tracebacks pointing to mgd_timer_set_exptime_internal().
Conditions: A large number of IPSec tunnels are rekeyed at the same time.
Workaround: There is no workaround. Increasing the IPSEC SA life time might help reduce the stress on the router and hence may avoid this race condition.
•
CSCed11518
Symptom: If the SSP channel between the active and standby router is protected by IPSec (encrypted), the security associations (SAs) will be counted when you perform a show crypto ipsec ha command. These should not be included in the list of SAs protected by IPSec Stateful Failover.
Conditions: This will happen when there is an SA specifically covering the SSP connection between the redundant head-end pair.
Workaround: There is no workaround. This is a cosmetic issue.
•
CSCed13751
Symptom: A duplicate IKE SA will be created when the link is flapped. This may cause early termination of the IPSEC SAs and potentially stop traffic over the secure link.
Conditions: When a PIX501 is connected to a VPNSM as an EzVPN client and a link flap occurs, a duplicate IKE SA may appear on the VPNSM. This is due to an incorrect handling of an Initial Contact message.
Workaround: The problem can be rectified by clearing the duplicate IKE SAs and letting the EzVPN client re-establish its IPSEC tunnel.
•
CSCed16994
Symptom: The processor memory usage increases with every console command.
Condition: With every console command, the processor memory usage increases.
Workaround: This is fixed in the Cisco IOS Release 12.2(14)SU.
•
CSCed18933
Symptoms: During VAM card initialization, the VAM card may fail to come up, with a POST failure being the primary cause for the failure. If the hardware were faulty this might be considered the right behavior, but Statistical RNG POST Failures have also occurred on well-functioning hardware.
Conditions: This symptom occurs during VAM card Initialization and then only occasionally when, in accordance with the statistical nature of the RNG Test, happenstance and entropy dictate. It would be quite unusual to see the VAM fail to init from this cause more than once in any given day.
Workaround: Use the microcode reload vam command to re-attempt initialization.
•
CSCed19230
Symptom: With IPSec, the Inbound Decrypting Counter on the ingress interface is not updated.
Workaround: The problem is resolved in the Cisco 12.2(14)SU release.
•
CSCed19428
Symptom: The IPSec card incurs a `0x0006' error when running 2k tunnels.
Condition: When running 2k tunnels overnight, rekeying at every 1hr, a `0x0006' error occurs.
Workaround: When running up to 2k tunnels, the problem is resolved in the Cisco 12.2(14)SU. With more tunnels, the error is still seen.
•
CSCed19587
Symptom: A `%ISA-1-ERROR' message occurs with a VAM2 in slot 6 of a Cisco 7200 series router. A `MIPS not ready' message is seen when Online Insertion and Removal (OIR) of the crypto hardware occurs.
Workaround: The problem is resolved in the Cisco 12.2(14)SU release.
•
CSCed22494
Symptom: A Reverse Route Injection (RRI) route for the VPN clients is deleted immediately after it is installed.
Conditions:
–
presence of the VPN Services Module (VPNSM)
–
the dynamic crypto map entry is added to the already existing crypto map with static entries, without removing the crypto map from the interface
Workaround: Remove the crypto map from the interface (this will disconnect all the tunnels) and put it back there again.
•
CSCed22795
Symptom: The following message is seen when issuing a microcode reload all command on the router which has thousands of Security Associations (SAs) established:
%SCHED-3-THRASHING: Process thrashing at process= Crypto IKMP
Workaround: The problem is resolved in the Cisco 12.2(14)SU release.
•
CSCed27956
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered by an external researcher. Successful exploitation enables an adversary to reset any established TCP connection in a much shorter time than was previously discussed publicly. Depending on the application, the connection may get automatically re-established. In other cases, a user will have to repeat the action (for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful attack may have additional consequences beyond the terminated connection which must be considered. This attack vector is only applicable to sessions that terminate on a device (such as a router, switch, or computer) and not to sessions that are only passing through the device (for example, transit traffic that is being routed by a router). In addition, this attack vector does not directly compromise data integrity or confidentiality.
All Cisco products that contain a TCP stack are susceptible to this vulnerability.
This advisory is available at: http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml, and it describes this vulnerability as it applies to Cisco products that run Cisco IOS® software.
A companion advisory that describes this vulnerability for products that do not run Cisco IOS software is available at http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml.
•
CSCed28138
Symptom: Running high availability (HA) with repeated failover, the system goes into an infinite loop and the following message flows on the console:
Dropping remainder of this HA IKE SSP message bcoz of infinit
Condition: Running IPSec/HA rekeying every hour with repeated failover, the system goes into an infinite loop.
Workaround: The problem is resolved in the Cisco 12.2(14)SU release.
•
CSCed31890
Symptom: When building one tunnel between the initiator and responder (b5), no rekey occurs. However, sending fixed data traffic (5000pps/64B) causes the CPU to fluctuate between 1-100%.
Workaround: There is no workaround.
•
CSCed32403
Symptom: When an active router CPU is very busy and hello packets are not received by the standby router, there may momentarily be two active routers. An anti-replay error message is seen on the initiator side.
Conditions: This symptom occurs when the active router CPU utilization is very high, or when short-interval failovers occur.
Workaround: Do not allow the active router CPU utilization to be near 100%, and do not perform short-interval failovers.
•
CSCed33591
Symptom: When you apply a crypto map before configuring the IP address on an interface, an IPSec Security Association (SA) is not triggered.
Workaround: The problem is resolved in the Cisco 12.2(14)SU release.
•
CSCed33762
Symptom: The no shut command applied to the crypto interface with thousands of subinterfaces and crypto maps attached (initiator) causes a CPUHOG.
Workaround: There is no workaround.
•
CSCed33770
Symptom: When the Diffie-Hellman (DH) group5 is configured, the system cannot scale more than 100 tunnels.
Condition: The DH group5 is not scalable. Many `PAK_IN_Q_TIME_LIMIT_EXCEED' messages are seen when trying to build the tunnels at a rate as low as 2pps.
Workaround: Use DH-group2 instead.
•
CSCed34652
Symptom: The router crashes when the crypto hardware is plugged into a device where the software crypto had already been synchronized with the Active device.
Condition: Inserting the crypto hardware into the router when the software crypto is already synchronized with the active device crashes the box.
Workaround: The problem is resolved in the Cisco 12.2(14)SU release.
•
CSCed34670
Symptom: The online insertion and removal (OIR) of the crypto hardware causes multiple instances of controller integrated services adapter (ISA) in the running configuration.
Workaround: The problem is resolved in the Cisco 12.2(14)SU release.
•
CSCed35253
Symptoms: A router may reload unexpectedly after it attempts to access a low memory address.
Conditions: This symptom is observed after ACLs have been updated dynamically or after the router has responded dynamically to an IDS signature.
Workaround: Disable IP Inspect and IDS.
•
CSCed35796
Symptom: The clear crypto isa/sa command on the standby device triggers a state change when the CPU is pegged at 100%.
Condition: With a large number of tunnels, and the CPU running at 90-100%, doing a clear crypto isa/sa command on the standby device triggers a state change as hello packets are not exchanged between the active and standby devices.
Workaround: The problem is resolved in the Cisco 12.2(14)SU release. Still, it is not recommended that a clear crypto command be executed while the CPU utilization is high. Maintain the CPU utilization at around 50% and also issue a clear crypto isa/sa ha standby resync command if needed.
•
CSCed36090
Symptom: Online Insertion and Removal (OIR) of the crypto hardware on the standby device causes the router to crash.
Conditions: The symptom is seen when the following conditions occur:
–
bring up 6000 IPSec security associations (SAs)
–
unplugging the VPN Acceleration Module (VAM) in the standby device causes the router to crash
–
this is not easily reproducible
Workaround: This problem is resolved in Cisco IOS Release 12.2(14)SU.
•
CSCed36105
Symptom: Adding an access control list (ACL) to the dynamic crypto map on the fly causes a CPUHOG, which in turn forces a Hot Standby Router Protocol (HSRP) state change.
Condition: When you initially build tunnels with a dynamic crypto map on the hub and no ACL configured, and then, after the tunnels are up, you configure the ACL on the dynamic crypto map, a CPUHOG is seen and the HSRP state changes.
Workaround: There is no