Cisco IOS Software Releases 12.4 T

Cross-Platform Release Notes for Cisco IOS Release 12.4, Part 6: Caveats for 12.4(2)T through 12.4(9)T

Resolved Caveats—Cisco IOS Release 12.4(9)T7

Cisco IOS Release 12.4(9)T7 is a rebuild release for Cisco IOS Release 12.4(9)T. The caveats in this section are resolved in Cisco IOS Release 12.4(9)T7 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCek50783

Symptoms: "Enqueue to process level" message is seen in logs.

Conditions: This symptom has been observed in Cisco IOS Release 12.4T and 12.4(4)XD2. No debugs are enabled.

Workaround: There is no workaround.

CSCsk70446

Cisco IOS emits the %DATACORRUPTION-1-DATAINCONSISTENCY error message whenever it detects an inconsistency in its internal data structures.

A traceback appears after the error message. This traceback is encountered with long URLs.

It is important to note that this error message does not imply that packet data is corrupted. However, it does provide an early indicator of other conditions that can eventually lead to poor system performance or a Cisco IOS restart.

IP Routing Protocols

CSCek76776

Symptoms: The configuration of a deleted subinterface may show up on a new subinterface and may cause a traffic outage.

Conditions: This symptom is observed on a Cisco router that has IP interface commands enabled when a script adds and deletes ATM subinterfaces on a regular basis.

Workaround: Verify the subinterface configuration. When the configuration of a subinterface cannot be deleted, delete the subinterface, and then create a dummy subinterface that will pull the configuration that could not be deleted. Then recreate the first subinterface with a new configuration.

CSCse92050

Symptoms: A router may reload unexpectedly when a routing event causes multicast boundary to be configured on a Reverse Path Forwarding (RPF) interface.

Conditions: This symptom is observed on a Cisco platform that is configured for PIM.

Workaround: Remove multicast boundary from the configuration.

CSCsi03359

Symptoms: A PIM hello message may not reach the neighbor.

Conditions: This symptom is observed on a Cisco router when an interface comes up and a PIM hello message is triggered.

Workaround: Decrease the hello timer for PIM hello messages.

Further Problem Description: The symptom occurs because the PIM hello message is sent before the port can actually forward IP packets. IGP manages to get its neighborship up but PIM does not, causing RPF to change to the new neighbor and causing blackholing to occur for up to 30 seconds.

CSCsi98730

Symptoms: The MPLS labels for packets that are forwarded via CEF and MPLS over a BGP route may not match the labels in the BGP table, which may lead to traffic loss.

Conditions: This problem occurs under certain circumstances and timing conditions.

Workaround: When the symptom occurs, enter the clear ip route command for the prefix in the VRF.

CSCsj09838

Symptoms: When the BGP session between a Route Reflector (RR) and PE router flaps, the RR may no longer send some routes to the PE router.

Conditions: This symptom is observed on a Cisco router that runs a Cisco IOS software image that integrates the fix for caveat CSCsi85222. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsi85222. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, enter the clear ip bgp * all in command on the PE router to retrieve all routes from the RR.

CSCsk45076

Symptoms: A traceback is seen at ipnat_dns_fix_resou.

Conditions: This symptom is observed when DNS traffic traverses the router and NAT is configured.

Workaround: There is no workaround.

Miscellaneous

CSCek75633

Symptoms: A router may crash when you attach a VC class to an ATM bundle.

Conditions: This symptom is observed on a Cisco 7200 series but is platform-independent.

Workaround: There is no workaround.

CSCse71281

Symptoms: A router crashes with crypto tunnels with large transfers such that they cause IP fragmentation.

Conditions: Large pings.

Workaround: There is no workaround.

Further Problem Description: The underlying code has been modified to address this and other issues. It is unlikely that the same conditions that can cause the crash still exist.

CSCsg21804

Symptoms: Fast Ethernet interface 4 may not come up if Cisco Discovery Protocol (CDP) is disabled on that interface. The interface may get stuck in the "Initializing" phase.

Conditions: This symptom is observed when a Cisco 871 router is upgraded to a Cisco IOS Release 12.4(11.1)T image.

Workaround: The interface can be brought up by executing the shutdown command, followed by the no shutdown command, on Fast Ethernet interface 4 or by enabling CDP on the interface. Enabling CDP will work across reboots, whereas the shutdown/no shutdown method must be done after every reboot.

CSCsg91306

Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the Cisco IOS device.

Cisco has released free software updates that address these vulnerabilities. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities addressed in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself, if administrators do not require the Cisco IOS device to provide voice over IP services.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml.

CSCsi80057

Symptoms: "Conditional default origination" into RIPv2 does not work correctly in some situations (http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a008046702d.html#wp998773).

1. When the watching network is not present, the default route is not deleted from the local RIP database. This leads the router to still send the default route.

2. When the watching network is present, the default route is not added to the local RIP database. This leads the router to not send the default route.

Conditions: This symptom is observed if the default-information originate route-map map-name router RIP configuration command is used in order to generate a default route only when the watched network is present.

Workaround: There is no workaround.

CSCsh12480

Cisco IOS software configured for Cisco IOS firewall Application Inspection Control (AIC) with an HTTP-configured application-specific policy is vulnerable to a denial of service when processing a specific malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device.

Cisco has released free software updates that address this vulnerability.

A mitigation for this vulnerability is available. See the "Workarounds" section of the advisory for details.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml.

CSCsj25395

Symptoms: Having a configuration similar to the following:

interface Dialer1
ip address <ip add> <mask>
encapsulation frame-relay
dialer pool 1
dialer remote-name <other_end>
dialer string 0
dialer string oe_tn
dialer caller oe_tn
dialer max-call 1
dialer-group 1
frame-relay map ip <addr> <oe_dlci> broadcast
frame-relay interface-dlci <loc_dlci>
frame-relay ip tcp header-compression
no shutdown

And entering in the following will crash the device:

interface Dialer1
shutdown
no interface Dialer1

Conditions: Removing the Dialer interface configuration while having IPHC configured on that interface will crash the platform. This is observed on a Cisco 7200 series router that is running Cisco IOS interim Release 12.4(16.5).

Workaround: Remove any IPHC CLI from the Dialer interface prior to deleting the Dialer interface from the configuration.

CSCsj30582

Symptoms: A Cisco IOS router that is running ZPF (Zone-based Policy Firewall) intermittently drops ESP packets even when it is configured to pass them. This causes traffic over an IPsec VPN tunnel through this router to fail intermittently, although the tunnel is up and phase 1 (isakmp) and phase 2 (ipsec) SAs have been established. If the router is configured to log dropped packets, it will log a %FW-6-DROP_PKT syslog message for these packets.

Conditions: This symptom is observed on a Cisco IOS router that is enabled with ZPF (Zone-based Policy Firewall) and that is configured to pass the ESP traffic based on a "match access-group" policy, where the access list has entries to permit the ESP traffic specifically from one host to another.

For example:

class-map type inspect match-any cm-esp
 match access-group 100

policy-map type inspect in2out
 class type inspect cm-esp
  pass

access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
access-list 100 permit esp host 10.1.1.2 host 10.0.0.2

Workaround: Configure the access list so that the source is "any," for example:

access-list 100 permit esp any host 10.1.1.2
access-list 100 permit esp any host 10.0.0.2

First Alternate Workaround: Use the classic Cisco IOS firewall instead of ZPF; that is, use "ip inspect."

Further Problem Description: If an explicit deny rule is added to the above example, for example:

access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
access-list 100 deny esp any any

Then the show access-list command will indicate that the dropped packets are hitting the deny rule, although they should match one of the permit rules:

Router# show access-lists 100

Extended IP access list 100
   10 permit esp host 10.0.0.2 host 10.1.1.2 (999 matches)
   20 permit esp host 10.1.1.2 host 10.0.0.2 (999 matches)
   30 deny ip any any (1 match)
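
The affected configuration pattern for CSCsj30582 can be looked for in saved configurations. The script below is an added example, not Cisco code: it finds ZPF classes that pass traffic matched by a numbered access list containing host-to-host ESP permits, and prints the replacement line in the form the workaround above gives. The sample configuration (including the class cm-esp-any and access list 101) is constructed, and only numbered access lists are handled.

```python
import re

# Patterns for the configuration lines shown in the caveat (numbered ACLs only).
CLASS_MAP = re.compile(r"^class-map type inspect (?:match-(?:any|all) )?(\S+)$")
POLICY_MAP = re.compile(r"^policy-map type inspect (\S+)$")
MATCH_ACL = re.compile(r"^\s+match access-group (\S+)$")
POLICY_CLASS = re.compile(r"^\s+class type inspect (\S+)$")
ESP_HOST = re.compile(r"^access-list (\S+) permit esp host (\S+) host (\S+)$")

# Constructed sample: the caveat's example plus one class that already uses
# the "any" source form and therefore must not be reported.
ZPF_SAMPLE = """\
class-map type inspect match-any cm-esp
 match access-group 100
class-map type inspect match-any cm-esp-any
 match access-group 101

policy-map type inspect in2out
 class type inspect cm-esp
  pass
 class type inspect cm-esp-any
  pass

access-list 100 permit esp host 10.0.0.2 host 10.1.1.2
access-list 100 permit esp host 10.1.1.2 host 10.0.0.2
access-list 101 permit esp any host 10.1.1.2
"""


def find_affected_esp_classes(config):
    """Return one finding per host-to-host ESP permit reachable from a
    ZPF class whose policy action is 'pass'."""
    class_acls = {}   # class-map name -> ACL ids it matches
    passed = []       # (policy-map, class) pairs with action 'pass'
    esp_host = {}     # ACL id -> [(src, dst)] for 'permit esp host A host B'
    cmap = pmap = pclass = None

    for line in config.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # A top-level command ends any class-map / policy-map context.
            cmap = pmap = pclass = None
            if m := CLASS_MAP.match(line):
                cmap = m.group(1)
                class_acls.setdefault(cmap, [])
            elif m := POLICY_MAP.match(line):
                pmap = m.group(1)
            elif m := ESP_HOST.match(line):
                esp_host.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif cmap and (m := MATCH_ACL.match(line)):
            class_acls[cmap].append(m.group(1))
        elif pmap and (m := POLICY_CLASS.match(line)):
            pclass = m.group(1)
        elif pmap and pclass and line.strip() == "pass":
            passed.append((pmap, pclass))

    findings = []
    for policy, cls in passed:
        for acl in class_acls.get(cls, []):
            for src, dst in esp_host.get(acl, []):
                findings.append({
                    "policy_map": policy,
                    "class_map": cls,
                    "acl": acl,
                    "src": src,
                    "dst": dst,
                    # Form taken from the Workaround text of the caveat.
                    "workaround": f"access-list {acl} permit esp any host {dst}",
                })
    return findings


if __name__ == "__main__":
    for f in find_affected_esp_classes(ZPF_SAMPLE):
        print(f"{f['policy_map']}/{f['class_map']}: ACL {f['acl']} "
              f"{f['src']} -> {f['dst']}; workaround: {f['workaround']}")
```

The workaround lines widen the permitted ESP source to any, so review them against the intended policy before applying them.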

CSCsj38829

Symptoms: When running double authentication crypto configurations (ah encap and esp encap auth together) and passing large packet data that requires fragmentation, errored packets can be observed.

Conditions: This symptom has been observed only on routers with AIM-VPN-PLUS AIM cards installed. Routers that support this AIM are the Cisco 1800, Cisco 2600, Cisco 2800, Cisco 3700, and Cisco 3800 routers.

Workaround: Do not use ESP and AH double authentication. You can use the no crypto engine accel command in the configuration to run encryption in the SW engine.

CSCsj46178

Symptoms: A Cisco AS5850 responds with a 500 Endpoint Unknown to a CRCX for an endpoint on a channelized T3 card. The endpoint otherwise responds normally to AUEP command.

Conditions: This symptom is observed on a Cisco AS5850 that is controlled via MGCP, and the endpoint naming t3 command is configured on the router in either global MGCP configuration or MGCP profile.

Workaround: Do not configure the endpoint naming t3 command. Use t1 endpoint naming instead.

CSCsj50773

Symptoms: Performing the snmpwalk on the ipRouteTable MIB may cause high CPU and reloads.

Conditions: This symptom is observed on a router that is running Cisco IOS Release 12.4(13b) or later releases.

Workaround: Create a view that excludes the ipRouteTable:

snmp-server view cutdown 1.3.6.1.2.1.4.21 exclude
snmp-server view cutdown internet included
snmp-server community <comm> view cutdown RO

This view restricts the objects that the NMS can poll. It excludes access to the ipRouteTable, but allows access to the other MIBs.
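
To confirm that the workaround is in place on every community, a saved configuration can be checked offline. The script below is an added example, not Cisco code: it resolves each community's view and reports whether ipRouteTable (1.3.6.1.2.1.4.21) is still readable, using longest-matching-subtree evaluation. The sample configuration and community names are constructed; it assumes that a community with no view sees the whole tree and resolves only the subtree names iso and internet.

```python
import re

IP_ROUTE_TABLE = (1, 3, 6, 1, 2, 1, 4, 21)      # OID excluded by the workaround
NAMED_SUBTREES = {"iso": (1,), "internet": (1, 3, 6, 1)}

# Constructed sample: one community follows the workaround, the others do not.
SNMP_SAMPLE = """\
snmp-server view cutdown 1.3.6.1.2.1.4.21 exclude
snmp-server view cutdown internet included
snmp-server view allmib iso included
snmp-server community nms-ro view cutdown RO
snmp-server community legacy RO
snmp-server community ops view allmib RO
snmp-server community typo view cutdwn RO
"""


def parse_oid(token):
    """Return an OID tuple for a numeric OID or a known name, else None."""
    if token in NAMED_SUBTREES:
        return NAMED_SUBTREES[token]
    if re.fullmatch(r"\d+(\.\d+)*", token):
        return tuple(int(part) for part in token.split("."))
    return None


def parse_snmp(config):
    """Collect view entries and community-to-view bindings."""
    views, communities = {}, []
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["snmp-server", "view"] and len(w) >= 5:
            # Accept abbreviated keywords such as "exclude" from the caveat.
            included = w[4].lower().startswith("incl")
            views.setdefault(w[2], []).append((parse_oid(w[3]), included))
        elif w[:2] == ["snmp-server", "community"] and len(w) >= 3:
            rest = w[3:]
            view = rest[rest.index("view") + 1] if "view" in rest[:-1] else None
            communities.append((w[2], view))
    return views, communities


def route_table_readable(entries):
    """True if the view still exposes any part of ipRouteTable."""
    best = None
    for subtree, included in entries:
        if IP_ROUTE_TABLE[:len(subtree)] == subtree:
            # Entry covers the table; the longest such entry decides.
            if best is None or len(subtree) > len(best[0]):
                best = (subtree, included)
        elif included and subtree[:len(IP_ROUTE_TABLE)] == IP_ROUTE_TABLE:
            return True   # a branch below the table was re-included
    return best is not None and best[1]


def audit(config):
    """Map each community to exposed / restricted / missing-view / unresolved."""
    views, communities = parse_snmp(config)
    report = {}
    for name, view in communities:
        if view is None:
            report[name] = "exposed"        # assumption: no view means full tree
        elif view not in views:
            report[name] = "missing-view"   # bound to a view that is not defined
        elif any(oid is None for oid, _ in views[view]):
            report[name] = "unresolved"     # view uses a name this script cannot map
        elif route_table_readable(views[view]):
            report[name] = "exposed"
        else:
            report[name] = "restricted"
    return report


if __name__ == "__main__":
    for community, status in audit(SNMP_SAMPLE).items():
        print(f"{community}: {status}")
```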

CSCsj74812

Symptoms: A router that is running Cisco IOS software may reload unexpectedly.

Conditions: This symptom is observed when running show commands on an exec session that has been established through one of the integrated modems on a WIC-AM or WIC-2AM.

Workaround: There is no workaround.

CSCsj95947

Symptoms: The following message is seen on the router:

*Aug 6 16:34:47.188: %DATACORRUPTION-1-DATAINCONSISTENCY: copy error, -PC= 0x8005EC50, -Traceback= 0x809971F4 0x809B9C2C 0x809DD8A4 0x8005EC50 0x800651E4 0x800652A8 0x809E42D4 0x809C4A38 0x800652EC 0x809C4BA0 0x809E42D4 0x80A0854C 0x800DB8C0 0x800DEE48

Conditions: The conditions under which this symptom occurs are not known at this time.

Workaround: There is no workaround.

CSCsj96577

Symptoms: A Cisco AS5400HPX crashes due to a bus error as indicated by show version "System returned to ROM by bus error at PC 0x61728370, address 0xB0D0B45."

Just before the crash the following error message is seen:

%SYS-2-NOTQ: unqueue didn't find 674D6D40 in queue 3C -Process= "MGCP Application", ipl= 0, pid= 170

Conditions: This symptom is observed on a Cisco AS5400HPX.

Workaround: There is no workaround.

CSCsk09651

Symptoms: A router crashes while a service policy is being attached, detached, or modified across a virtual template under traffic.

Conditions: This symptom is observed on a Cisco 7200 or Cisco 7301 router that is configured with MLPPP over FR on channelized interfaces.

Workaround: There is no workaround.

CSCsk54153

Symptoms: A Cisco router may reload unexpectedly with a software forced crash.

Conditions: This symptom is observed when the FXS port is configured with a DN and the gateway is being reset by CallManager 4.2.

Workaround: There is no workaround.

CSCsk73104

Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.

Cisco has released free software updates that address these vulnerabilities. Workarounds are available to mitigate the effects of these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml

CSCsk75098

Symptoms: A Cisco 7200 NPE-G2 router with a VSA encryption card, terminating IPSec EasyVPN Dynamic Virtual Tunnel Interfaces, exhibits high CPU utilization during IKE and IPSec rekeys, potentially causing some tunnels to go down.

Conditions: This symptom is observed on a Cisco 7200-G2 router with a VSA card, acting as an IPSec HUB, terminating EasyVPN DVTI remote-access IPSec tunnels into VRFs. At high tunnel scale (more than 1000 tunnels), the CPU can spike close to 100 percent during IKE and/or IPSec rekey, potentially causing traffic and tunnels to drop.

Workaround: Do not use more than 1000 RA EasyVPN DVTI tunnels on a Cisco 7200. Or switch to Legacy EasyVPN tunnels (with dynamic crypto maps).

CSCsk99530

Symptoms: The MPLS forwarding table has an untagged outgoing entry for a VPNv4 prefix in a CSC case.

Conditions: This is an LDP/IGP (OSPF etc.) based CSC-PE. The VPNv4 prefix shall have a local/redistributed (PE-CE OSPF etc.) path as well as an iBGP path. If the CE path is toggled and then there is a LABEL ONLY change from the iBGP neighbor, the issue will be seen. BGP will end up programming "Untagged" for the local/redistributed prefix, overwriting what is given by LDP.

Workaround: There is no real workaround. To clear the problem, issue a clear ip route command for the vrf-prefix in question. If there are redundant paired PEs, make sure to clear the problem on both routers with the clear ip route command.

CSCsl14635

Symptoms: T38 negotiation is failing for an incoming UPDATE request that has a T38 offer.

Conditions: This symptom occurs when the voice gateway is running Cisco IOS Release 12.4(15)T and is processing incoming Session Initiation Protocol (SIP) calls. When the SIP call is active and an UPDATE request is received that contains a T38 offer, the UPDATE request is rejected. The switchover from voice to fax fails.

Workaround: Fax over T38 works fine when midcall INVITE is used for T38 negotiation.

CSCsl32308

Symptoms: A voice gateway may modify the Presentation Indicator (PI) field when processing a voice call.

Conditions: The voice gateway is running Cisco IOS Release 12.4(9)T5 and processing incoming Session Initiation Protocol (SIP) calls. An incoming SIP call that has its PI field Oct 3a set to 0xA0 or to any other value is changed to 0x00 for no apparent reason when it is forwarded to the Telephony call leg.

Workaround: There is no workaround.

CSCuk60363

Symptoms: When Enhanced Compressed Real-Time Transport Protocol (ECRTP) is configured and when multiple packet drops occur, cRTP packets may stop being sent, and only cUDP packets are sent instead. Because cUDP packets are nearly as large as uncompressed packets, compression becomes completely inefficient.

Conditions: This symptom is observed on a Cisco router when ECRTP is configured on an interface and when a few packet drops occur, as in the following configuration example:

interface Serial2/0
ip address x.x.x.x x.x.x.x
ip rtp header-compression ietf
ip header-compression recoverable-loss 1

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(9)T6

Cisco IOS Release 12.4(9)T6 is a rebuild release for Cisco IOS Release 12.4(9)T. The caveats in this section are resolved in Cisco IOS Release 12.4(9)T6 but may be open in previous Cisco IOS releases.

Basic System Services

CSCir01027

Symptoms: SNMP over IPv6 does not function.

Conditions: This symptom is observed on a Cisco router that integrates the fix for caveat CSCsg02387. A list of the affected releases can be found at http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg02387. Cisco IOS software releases that are not listed in the "First Fixed-in Version" field at this location are not affected.

Workaround: Use SNMP over IPv4.

CSCsd90876

Symptoms: Memory corruption occurs when a "| include" is used with a CLI command. An already in-use block gets freed and causes this corruption.

Conditions: This symptom can happen with any usage when a "| include" is used with a CLI command. It was found using a script for IPSec that resulted in "Crash on OIR of IPSec SLC module."

Workaround: There is no workaround. It is a programming defect.

Further Problem Description: It is a rare corner case memory corruption when a block gets freed even when it is in use. It is caught by a script under stress testing conditions which results in such a rare condition.

While using CLI and "| include" it is rare to get such a corruption. If it happens, it will lead to box reload.

IP Routing Protocols

CSCsg55591

Symptoms: When there are link flaps in the network, various PE routers receive the following error message:

%BGP-3-INVALID_MPLS: Invalid MPLS label (1) received in update for prefix 155:14344:10.150.3.22/32 from 10.2.2.1

Or, a local label is not programmed into the forwarding table for a sourced BGP VPNv4 network.

Conditions: These symptoms are observed when an iBGP path for a VPNv4 BGP network is present, and then a sourced path for the same route distinguisher (RD) and prefix is brought up.

Workaround: Remove the iBGP path. Note that when the sourced path comes up first, the symptoms do not occur.

Alternate Workaround: Use different RDs with the different PE routers. When the RD and prefix do not match exactly between the iBGP path and the sourced path, the symptoms do not occur.

CSCsj10772

Symptoms: The TTL of a CNAME will be zeroed on a DNS reply after passing through a Cisco router that is configured for Network Address Translation (NAT).

Conditions: This symptom is observed on a Cisco router that is configured for NAT that is running Cisco IOS Release 12.4 or 12.4T. Only CNAME records are affected.

Workaround: Use static NAT translations with the keyword "no-payload".

CSCsj39538

Symptoms: Router tracebacks and then crashes during deconfiguration (removal) of VRF. The following message was seen prior to crash:

-Process= "IP RIB Update", ipl= 3, pid= 68
-Traceback= 609538D8 60D1B8B4 612B2838 612588C8 61258CD4 6125E61C 6125ED04 6125EF30 61261CDC 6125A14C 61265A08 6126BE10 6097CF00 609547D8 609548B8

Address Error (load or instruction fetch) exception, CPU signal 10, PC = 0x609538FC

Conditions: No specific conditions are known to cause this fault.

Workaround: There is no workaround.

CSCsk35985

Symptoms: The system crashes when the show ipv6 ospf lsdb-radix hidden command is entered.

Workaround: Do not enter the show ipv6 ospf lsdb-radix command.

Miscellaneous

CSCej59405

Symptoms: The output of show running-config command does not show a correct parent-child relationship between the control plane and its underlying service policy.

Conditions: This symptom is observed on a Cisco router that has control-plane features such as policing and port-filtering enabled.

Workaround: There is no workaround.

CSCsg76519

Symptoms: An RSP may crash when you enter the clear counters command.

Conditions: This symptom is observed on a Cisco 7500 series that runs Cisco IOS Release 12.4 when you enter the clear counters command after the termination of voice calls that were made with PA-VXC-2TE1 port adapters.

Workaround: There is no workaround.

CSCsh74975

Symptoms: A router may reload or a memory leak may occur when malformed UDP packets are sent to port 2517.

Conditions: This symptom is observed on a Cisco router that functions as a VoIP dial peer and that is configured for H.323.

Workaround: There is no workaround.

CSCsi81891

Symptoms: RTP packets get transmitted when the mode is recvOnly and inactive.

Conditions: The problem occurs on a Cisco 3800 platform that is running Cisco IOS interim Release 12.4(13.9).

Workaround: There is no workaround.

CSCsi92079

Symptoms: If an access control list (ACL) is used for a destination only prefix, a fatal error is declared and shuts down optimized edge routing (OER). For destination only traffic classes, prefix-list should be used, not ACL or access control entry (ACE).

Conditions: This behavior is observed on Cisco IOS Release 12.4(11)T and later releases at this time.

Workaround: Use a prefix list instead of an ACL/ACE for destination only traffic classes. For example:

- Use a prefix list for a traffic class 100.1.1.0/24
- Use an ACE for traffic class 100.1.1.0/24 DSCP af11

CSCsj64230

Symptoms: When a bidir PIM router with no directly connected receivers has to change its RPF interface to the RP, multicast traffic could be lost for up to 60 seconds.

Conditions: This symptom occurs if the connection to the first RP is lost and the middle router changes its RPF for its bidir upstream interface. The middle router then restarts the election process on all DF interfaces, and purges the interface pointing to the leaf router from its OIL. That interface will only get repopulated upon a periodic state refresh from the leaf router because the leaf router does not have an RPF change and therefore has no reason to send a triggered Join.

Workaround: There is no workaround.

CSCsj82196

Symptoms: There is a memory corruption crash due to the following:

%SYS-3-BADFREEMAGIC: Corrupt free block ...

Conditions: This symptom is observed on Cisco IOS Release 12.4T with QoS enabled.

Workaround: There is no workaround.

CSCsk05059

Symptoms: A spurious access error occurs in the tfib_post_table_change_sanity_check() function.

Conditions: This symptom occurs if a route is deleted. A ROUTE_DOWN event is triggered in the tfib_post_table_change() function, which in turn calls tfib_post_table_sanity_check(). In that function, a spurious access is reported because the only path of the route is down.

Workaround: There is no workaround.

CSCsk10985

Symptoms: IMA group interface does not come up after the reload.

Conditions: This symptom is observed on a Cisco 2811 router with ATM interface that is using VWIC2-2MFT-T1/E1 connected to MGX AUSUM card.

Workaround: Enter the shutdown interface configuration command followed by the no shutdown interface configuration command on the IMA interface.

CSCsk19108

Symptoms: Before sending the initial Invite, a Cisco gateway performs a DNS SRV query, which returns the actual server name where the SIP service is running. A DNS A query for this server then returns the IP address of the proxy server, so the initial call is established through this SIP proxy server. After receiving a SIP Refer message to initiate a call transfer with the Transfer-to location given as a domain name, the SIP gateway performs only a DNS A record query for the Refer-to host, which returns an IP address where SIP is not running. This causes a transfer failure.

Conditions: This symptom is observed on a Cisco 2800 series router but is not platform dependent. The Transfer-target address received in Refer is a FQDN (with default port -5060 OR no port).

Workaround: There is no workaround.

CSCsk26973

Symptoms: A router that is running NHRP leaks memory when many incomplete cache entries are created. The incomplete cache entries can be verified by typing the show ip nhrp command and looking for "type incomplete". The memory leaked can be seen by examining the output of the show chunk command and looking for "NHRP Cache".

Conditions: This symptom could occur when traffic to nonexistent or nonresponding addresses is forwarded by the router over the DMVPN/NHRP cloud.

Workaround: There is no workaround.

CSCsk29216

Symptoms: On an ATM interface, if tx-ring-limit is set to 1 under heavy traffic, the interface might get wedged. Throughput is degraded because many packets are dropped.

Conditions: This symptom is observed when tx-ring-limit is set to 1 under an ATM interface with heavy burst traffic.

Workaround: Use a minimum tx-ring-limit of 2 under these circumstances.

CSCsk33780

Symptoms: Compressed Real-Time Protocol (cRTP) shows errors and Low Latency Queuing (LLQ) shows drops from default queue although there is no traffic to match it.

Conditions: This problem can be seen under load of MPPP bundle of several serial interfaces with LLQ and cRTP enabled.

Workaround: There is no workaround.

CSCsk60020

The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.

The IOS SSH server is an optional service that is disabled by default, but its use is highly recommended as a security best practice for management of Cisco IOS devices. SSH can be configured as part of the AutoSecure feature in the initial configuration of IOS devices, AutoSecure run after initial configuration, or manually. Devices that are not configured to accept SSH connections are not affected by these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159 has been assigned to this bug.

The Security Advisory for this issue is posted at

http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml.

Resolved Caveats—Cisco IOS Release 12.4(9)T5

Cisco IOS Release 12.4(9)T5 is a rebuild release for Cisco IOS Release 12.4(9)T. The caveats in this section are resolved in Cisco IOS Release 12.4(9)T5 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsf32390

Symptoms: When tuning particle clone, F/S, and header pools after these were made configurable via CSCuk47328, the commands may be lost on a reload.

Conditions: If the device is reloaded, the commands are not parsed and the defaults become active. This may result in traffic loss if the increased buffers were needed to enable greater forwarding performance for the specific network design.

Workaround: Configure an applet to enter the buffer values again after a reload. A sample applet would be:

event manager applet add-buffer 
 event syslog occurs 1 pattern ".*%SYS-5-RESTART: System restarted --.*"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "buffers particle-clone 16384"
 action 4.0 cli command "buffers header 4096"
 action 5.0 cli command "buffers fastswitching 8192"
 action 6.0 syslog msg "Reinstated buffers command"

CSCsg05378

Symptoms: A router may hang or crash because of memory corruption when HTTP is being accessed.

Conditions: This symptom is observed on a Cisco router when IPS is enabled. Other conditions may trigger the symptom too.

Workaround: When IPS triggers the symptom, disable IPS.

CSCsi13312

Symptoms: Authentication with Security Device Manager (SDM) 2.3.3 fails, preventing you from logging into the router through HTTPS, HTTP, SSH, Telnet, console, or any management application.

Conditions: This symptom is observed on a Cisco router that is "fresh out of the box" and affects the following routers:

Cisco 800 series

Cisco 1700 series

Cisco 1800 series

Cisco 2700 series

Cisco 2800 series

Cisco 3700 series

Cisco 3800 series

Workaround: For extensive information and a workaround, see the following Field Notice: http://www.cisco.com/en/US/products/ps5855/products_field_notice09186a0080809c8e.shtml.

IP Routing Protocols

CSCsi17020

Symptoms: A router running Cisco IOS may unexpectedly reload. The crashes can be very different in nature, but the crashinfo should show the IP Input process as the currently running process:

---- Partial decode of process block ----
Pid 84: Process "IP Input" stack 0x46C3C080 savedsp 0x46758540

Conditions: This is seen when the router is configured for NAT and receives a fragmented skinny packet that it needs to reassemble and translate.

Workaround: Prevent the router from receiving a fragmented skinny packet by ensuring the path MTU between the call manager server and the router is large enough. Usually skinny packets aren't larger than 800 bytes.

CSCsi32425

Symptoms: A router that is configured for static NAT translations may lose its external/global ARP entry for a NAT address.

Conditions: This symptom is observed when traffic flows run across the router, for example, when the client is outside and server is inside, and when static NAT translation is used for periods of about two minutes.

Workaround: Configure a route map that matches the static NAT translation, and apply the static NAT entry by entering either one of the following commands:

- ip nat inside source static tcp local-ip local-port global-ip global-port route-map name reversible
- ip nat inside source static local-ip global-ip route-map name reversible

CSCsi84089

Symptoms: A few seconds after OSPF adjacencies come up, a router crashes because of a bus error.

Conditions: This symptom is observed on a Cisco router that functions as an ISR that is configured for OSPF.

Workaround: Add area 0 in the OSPF VRF processes.

Alternate Workaround: Enter the no capability transit command in the OSPF VRF processes.

Miscellaneous

CSCek42751

Symptoms: The running configuration may not be accessible after you have copied a small file to the running configuration.

Conditions: This symptom is observed on a Cisco router that has an ATA file system after you have rebooted the router.

Workaround: Reboot the router once more.

CSCek44782

Symptoms: A router using IPSec reloads immediately after exhausting the memory.

Conditions: This symptom occurs when a memory allocation request fails while processing an IPSec update, usually while creating an IPSec tunnel.

Workaround: There is no workaround.

Further Problem Description: This symptom occurs when updating the IPSec classification data structures.

CSCek55486

Symptoms: The native Gigabit Ethernet (GE) interface on an NPE-G1 card may reset unexpectedly.

Conditions: This symptom is observed on a Cisco 7200 series when the underrun counter for the native GE interface increments continuously. You can verify the underrun counter in the output of the show interfaces gigabitethernet slot/port command.

Workaround: There is no workaround.

CSCsd27617

Symptoms: IKE negotiation fails with a wrong group preshared key.

Conditions: This symptom is observed on a Cisco router that has an eight-character key such as "cisco123" that is defined under the EzVPN group configuration and occurs after you have entered the password encryption aes command.

Workaround: To prevent the symptom from occurring, do not use an eight-character key under the EzVPN group. After the symptom has occurred, re-enter the group and key.

CSCse64750

Symptoms: "%VPA-3-TSBUSY:VPA" and other error messages may be generated intermittently, and calls may fail.

Conditions: This symptom is observed on a Cisco 7206VRX that is configured with multiple VXC voice port adaptors.

Workaround: There is no workaround.

CSCse67995

Symptoms: A memory leak may occur in the "Crypto IKMP" process.

Conditions: This symptom is observed when you use certificates for IKE authentication.

Workaround: Use preshared keys for IKE authentication.

CSCsg51811

Symptoms: When the OER BGP Inbound Optimization feature is configured and when route control is enforced, route control does not prepend autonomous systems or communities. Rather, route control prepends the same autonomous systems or communities to all external OER interfaces.

Conditions: This symptom is observed on a Cisco router when OER manages inside prefixes that are either learned or configured.

Workaround: There is no workaround.

CSCsh46234

Symptoms: A Cisco 5400XM router reloads unexpectedly during stress.

Conditions: This symptom has been seen during the stress of TDM-IP H.323 calls and SIP-SIP transcoding calls being run simultaneously.

Workaround: There is no workaround.

CSCsi10157

Symptoms: When you associate and then disassociate a VRF from a tunnel source interface, a DMVPN spoke may crash.

Conditions: This symptom is observed only when a VRF is configured on a tunnel interface.

Workaround: There is no workaround.

CSCsi17020

A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.

Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml.

CSCsi59685

Symptoms: One-way audio may occur and DTMF digits may not function.

Conditions: This symptom is observed on a Cisco gateway such as a Cisco AS5400 after a SIP transfer has occurred.

Workaround: Enter the no voice-fastpath disable command to resolve the one-way audio issue. There is no workaround for the DTMF issue.

CSCsi60004

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml.

CSCsi67127

Symptoms: There are several symptoms:

1. After "INPUT/OUTPUT Queue Full Error" error messages have been generated on a router that has an IPSec interface, traffic is no longer processed. The output of the show crypto engine accelerator statistic command shows the following:

...
Input Queue Full Error = 50
Output Queue Full Error = 2811
...

2. The ISAKMP process is stuck. Look for "Crypto IKMP" in the output of the show processes command. Identify the process ID (PID). When you execute the show processes pid command for the Crypto IKMP PID several times in a row, you can see that the ISAKMP process is stuck when the value "Invoked" does not increase even though IKE has negotiated SAs.

Conditions: This symptom is observed on a Cisco 850 series, Cisco 870 series, Cisco 1800 series, and Cisco 1810 series.

Workaround: There is no workaround to prevent the symptom from occurring. When the symptom has occurred, you must reboot the router to clear the faulty condition.

CSCsi67763

The U.S. Computer Emergency Response Team (US-CERT) has reported a network evasion technique using full-width and half-width unicode characters that affects several Cisco products. The US-CERT advisory is available at the following link:

http://www.kb.cert.org/vuls/id/739224

By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall.

Cisco response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml
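The following Python sketch is an added example, not code from Cisco or from the advisories above. It shows why a signature match on the request as received misses full-width forms, and how canonicalizing first (percent-decoding, then Unicode NFKC folding) restores the match. The signature list, sample request targets and function names are constructed for illustration.

```python
import unicodedata
from urllib.parse import unquote

# Constructed signature list for illustration; not taken from any product.
SIGNATURES = ("/etc/passwd", "cmd.exe")

# Constructed request targets. Two of them spell the same ASCII strings with
# full-width code points (U+FF01..U+FF5E), once as literal characters and
# once as percent-encoded UTF-8 (%EF%BD%83 is U+FF43, full-width "c").
SAMPLES = {
    "plain": "/scripts/cmd.exe",
    "fullwidth_literal": "/\uff45\uff54\uff43/\uff50\uff41\uff53\uff53\uff57\uff44",
    "fullwidth_percent": "/scripts/%EF%BD%83md.exe",
    "benign": "/index.html",
}


def naive_match(raw):
    """Match signatures against the request exactly as received."""
    lowered = raw.lower()
    return [sig for sig in SIGNATURES if sig in lowered]


def canonicalize(raw):
    """Percent-decode as UTF-8, then fold width variants to ASCII with NFKC."""
    decoded = unquote(raw, encoding="utf-8", errors="replace")
    return unicodedata.normalize("NFKC", decoded).lower()


def has_width_variants(raw):
    """True if the decoded request uses the Halfwidth and Fullwidth Forms block."""
    decoded = unquote(raw, encoding="utf-8", errors="replace")
    return any(0xFF00 <= ord(ch) <= 0xFFEF for ch in decoded)


def inspect_request(raw):
    """Compare matching before and after canonicalization for one request."""
    before = naive_match(raw)
    after = [sig for sig in SIGNATURES if sig in canonicalize(raw)]
    return {
        "matched": after,
        # Signatures that only fire once the input has been canonicalized.
        "missed_without_normalization": [s for s in after if s not in before],
        "width_variants": has_width_variants(raw),
    }


if __name__ == "__main__":
    for name, target in SAMPLES.items():
        print(name, inspect_request(target))
```

A non-empty missed_without_normalization list, or width_variants set on a request that is otherwise ASCII, is worth logging as a possible evasion attempt.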

CSCsi70217

Symptoms: The display of a Cisco 7961 router with a Cisco 7914 sidecar gets stuck if a second call arrives while the first call is in the process of being transferred. The phone display is stuck on connected "Active call" even though the first call had been transferred.

This same symptom is found with the following scenario:

1. Call 1 connects on button 1 overlay line 1.

2. Call 2 arrives on button 1 line 2 on the same phone.

3. Caller places call 1 on hold. Takes call 2.

4. Caller places call 2 on hold. Resumes call 1.

5. Caller on call 1 disconnects. Phone display is now stuck.

Conditions: This symptom has been observed with a Cisco 7961 router with a Cisco 7914 sidecar configured with shared or overlay lines when a second call arrives on the same shared lines.

Workaround: Reset the IP phone to clear the phone.

CSCsi70787

Symptoms: A router may reset and generate a crashinfo file when memory that was allocated by a dead process is freed by another process.

Conditions: This symptom is observed on an RPM-XF-512 that runs Cisco IOS Release 12.4T but is not platform-specific.

Workaround: There is no workaround.

CSCsi70791

Symptoms: A Cisco router can experience a memory corruption crash related to encryption.

Conditions: This symptom has been observed when the memory lite global configuration command is disabled.

Workaround: Enable the memory allocation lite (malloc_lite) feature by using the memory lite command.

CSCsi84017

Symptoms: When you reload a Cisco 2600 series, the router may hang.

Conditions: This symptom is observed on a Cisco 2600 series when you attempt to run the c2600-entservices-mz image of Cisco IOS Release 12.4(9)T4. The symptom may also occur in other releases.

Workaround: There is no workaround.

CSCsj04563

Symptoms: SSG memory is leaking in Cisco IOS Release 12.4(13b).

Conditions: This symptom occurs when the RADIUS proxy feature is used. Leaking could be triggered on the following call flow scenario:

1. HostObject(HO) with MSID1, ip-address IP1 and username user1@cisco.com is logged on.

2. PDSN sends an acct-stop with MSID1 with session-continue attribute set to TRUE. When this is received, SSG will start a hand-off timer. Note that SSG will not delete the HO at this time.

3. Hand-off timer expires. HO is deleted.

4. SSG now receives an acct-start with MSID1 and username user1@cisco.com.

5. SSG will treat this as an auto-domain user, even though auto-domain is not configured on SSG.

6. SSG will try to get the profile by extracting the domain name from the structured username and sending an access-req to AAA with username as the domain name.

7. Since AAA server does not have the cisco.com profile, it sends an access-reject to SSG.

8. No HostObject is created.

Workaround: There is no workaround.

CSCsj05287

Symptoms: Incoming traffic from LAN is not correctly marked. The same traffic is not correctly enqueued when sent to the DSL interface.

Conditions: Enable QoS by means of class-map and policy-map commands.

Workaround: A software update is needed.

CSCsj06762

Symptoms: A router may crash when both a WIC-1AM or WIC-2AM and PVDMs are installed in the chassis.

Conditions: This symptom is observed when the modem interfaces are in the up/up state, that is, calls do not have to be in process for the symptom to occur.

Workaround: Remove the WIC-1AM or WIC-2AM from router and use only PVDMs.

CSCsj32707

Symptoms: A "SIP UPDATE" message from a Cisco CallManager or SIP Proxy Server with a "Cseq" value of 0 may be rejected or considered invalid by a Cisco gateway.

Conditions: This symptom is observed on a Cisco gateway that runs Cisco IOS Release 12.4(9)T4 or a later release and that is connected to a SIP endpoint.

Workaround: There is no workaround. Note that the symptom does not occur in Release 12.4(9)T3.

CSCsj34083

Symptoms: Packets in traffic queues that are below their configured threshold may be dropped.

Conditions: This symptom is observed on a Cisco 877 and Cisco 1801 that run Cisco IOS Release 12.4(9)T3 when one of the queues exceeds its threshold. Note the following scenarios:

When congestion is present, traffic that exceeds its threshold on a CBWFQ service class causes drops on the LLQ classes although the traffic that is associated with the LLQ classes is below the associated threshold.

When best-effort bandwidth exceeds its threshold, LLQ traffic is discarded although it is below its own threshold.

When there is no congestion, the router operates as expected.

Workaround: There is no workaround.

Further Problem Description: Note that the symptom does not occur on a Cisco 878 and Cisco 1803.

CSCsj43861

Symptom: The Ezvpn hardware client does not attempt to connect to the same peer or the next peer after a QUICK MODE failure during IKE.

Conditions: The Ezvpn hardware client remains in the SS_OPEN state after the failure of QUICK MODE.

Workaround: Clear the Ezvpn session.

CSCsj47356

Symptoms: Phone A believes that its offer (in first INVITE) is not answered yet, but that is wrong because UPDATE is for the second leg where the SDP answer is already sent in a 183 Session Progress.

Conditions: Call forwarding scenario. A call comes in from the PSTN to a SIP phone and is forwarded to another SIP phone.

Workaround: There is no workaround.

TCP/IP Host-Mode Services

CSCsi40766

Symptoms: H.323 calls on a Cisco IOS VoIP gateway may fail after the gateway has processed about 54,500 calls.

Conditions: This symptom is observed when H.323 uses TCP to transport signaling messages. When the Cisco IOS gateway must generate a unique port for the local TCP session, this port is selected from a range of open ports. When the number of times that a unique TCP session is created for the same IP address on the gateway exceeds 54,500, further attempts to create a local TCP port fail and calls are not completed.

The symptom occurs for H.323 calls only when a separate TCP session is established for the H.245 session. When H.245 tunneling is enabled or no H.245 session is established, the symptom does not occur for H.323 calls.

When the debug ip tcp transaction command is enabled on the gateway, the "TCP: Ran out of ports for network 0" debug output is generated when the symptom occurs.

Enabling debugs on a Cisco IOS gateway should always be done with caution to minimize impact to the performance of the router. As a minimum, ensure that logging to the console is changed from the default behavior of the debug level to, for example, an informational level.

Workaround: After the symptom has occurred, reload the Cisco IOS VoIP gateway. To prevent the symptom from occurring, ensure that for H.323 call processing all H.323 devices have H.245 tunneling enabled. This may not always be possible: for example, H.245 tunneling on Cisco CallManager is not supported.

Wide-Area Networking

CSCsh06841

Symptoms: A router may crash while establishing a PPP session.

Conditions: This symptom is observed when the ppp reliable-link interface configuration command is enabled on an interface that is bound to a dialer profile.

Workaround: Disable the ppp reliable-link interface configuration command, save the configuration, and reload the router. Disabling the command without reloading the router is not sufficient.

CSCsi27449

Symptoms: A Non-Facility Associated Signaling (NFAS) configuration with a back-to-back PRI connection may fail and an "L3_GetUser_NLCB EVENT 0X2 No NLCB 2" error message may be generated, that is, a ping from the client to the router may fail.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(13.11) when an interface is configured as a dialer interface. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

CSCsi74960

Symptoms: A router crashes while sending large control packets between client and L2TP Network Server (LNS) in L2TP callback scenario.

Conditions: This symptom happens with a Cisco 7200 router that is running Cisco IOS interim Release 12.4(13.13)T1.

Workaround: There is no workaround.

CSCsj10593

Symptoms: A terminating gateway (TGW) that is configured for Cisco ISDN Interconnect for Voice Gateways Solution may crash.

Conditions: This symptom is observed on a Cisco router that runs Cisco IOS interim Release 12.4(15.6) and that functions as a TGW with all PRI switch types from the user to the network side. The symptom occurs when the isdn test call interface interface-number dialing-string command is entered at the platform on which the call is initiated, when the originating gateway (OGW) is configured for the National ISDN (primary-ni) switch type, and when the TGW is configured for the NT DMS-100 (primary-dms100) switch type. The symptom may also affect Release 12.4T.

Workaround: There is no workaround.

Resolved Caveats—Cisco IOS Release 12.4(9)T4

Cisco IOS Release 12.4(9)T4 is a rebuild release for Cisco IOS Release 12.4(9)T. The caveats in this section are resolved in Cisco IOS Release 12.4(9)T4 but may be open in previous Cisco IOS releases.

The following information is provided for each caveat:

Symptoms—A description of what is observed when the caveat occurs.

Conditions—The conditions under which the caveat has been known to occur.

Workaround—Solutions, if available, to counteract the caveat.

Basic System Services

CSCsd58772

Symptoms: The MIB object rttMonLatestRttOperTime returns a value of 0.

Conditions: This symptom occurs for the IPSLA RTP operation only, irrespective of whether the operation succeeds or fails.

Workaround: There is no workaround.

CSCsh85879

Symptoms: A router crashes while executing the type slm frame-relay interface command.

Conditions: This symptom has been observed with a Cisco 7200 router loaded with Cisco IOS interim Release 12.4(13.2)T.

Workaround: There is no workaround.

IP Routing Protocols

CSCsh02161

Symptoms: A Route Reflector (RR) does not withdraw a prefix that redistributes itself even if this prefix is removed from the BGP table.

Condition: This symptom is observed on a Cisco router that functions as an RR that advertises two of the same prefixes with different Route Distinguishers (RDs) when one of these prefixes redistributes itself and when the other prefix is a route that is learned from an RR client via iBGP.

Workaround: There is no workaround.

CSCsh84102

Symptoms: These symptoms have been observed:

Some DMVPN spokes may become unreachable and a loop will appear in a traceroute.

The adjacency rewrite information, when looking from the hub in the show adjacency details command, for a problematic spoke will be the same as for another spoke.

There is an inconsistency between the NHRP cache and the Adjacency for the problematic spoke.

Conditions: These symptoms have been observed with DMVPN set up.

Workaround: Disable CEF on the hub.

CSCsi09698

Symptoms: In Cisco IOS software that is running the Border Gateway Protocol (BGP), BGP may advertise a connected prefix that has been removed from the routing table, and cause traffic using that prefix to get dropped. The advertisement may happen during a reload if IP Event Dampening is configured on the interface and suppresses the interface because of flapping during the reload. The problem may continue until the interface is unsuppressed, which depends on the nature of the flapping that occurs and on the parameters used to configure the dampening. In some releases, the problem may be corrected by a BGP scan. An outage of about one minute is not unreasonable.

Conditions: The symptom may happen if the BGP configuration includes a network command for the connected prefix. It requires an unlikely timing of events which is more likely to be observed with large configurations, and when the interface is configured to use small carrier delay timer. The symptom was observed in a configuration with about 1100 lines and with the carrier-delay msec 0 command configured on the interface in question.

Workaround: If the interface can be configured to filter out link outages during the restart then the IP Event Dampening suppression can be avoided. Configuring the carrier-delay msec 100 command on the interface may achieve this in some cases.

CSCsi62559

Symptoms: OSPF packets with IP Precedence 0 are classified by SPD as priority. This is an error because only IP Precedence 6 packets should be classified as priority packets by SPD.

Conditions: This symptom has been observed on a Cisco router running Cisco IOS Release 12.2(18) and later.

Workaround: Use ACLs to block invalid IP Control packets from reaching the control plane.

Miscellaneous

CSCej42879

Symptoms: A traceback may be generated when packets are transmitted over a basic IPSec connection between two peers in transmission mode and tunnel mode using multilink interfaces.

Conditions: This symptom is observed on a Cisco 3845 router that runs Cisco IOS Release 12.4(5).

Workaround: There is no workaround.

CSCsd43903

Symptoms: A Cisco router may experience memory leaks in the Crypto IKMP process when using certificates for Internet Security Association and Key Management Protocol (ISAKMP) for peer authentication.

Conditions: This symptom has been observed on Cisco IOS Release 12.2(18)SXE5 and Release 12.4(9)T2. This symptom is platform independent.

Workaround: There is no workaround to prevent the leak and the only way to recover is to reboot the device.

CSCse43088

Symptoms: A Cisco gatekeeper may experience a traceback and DSMP time out while testing H.323 Testcall, Silent call detection, and long call duration detection features.

Conditions: This symptom has been observed on a Cisco gatekeeper with Cisco IOS Release 12.4 while testing H.323 Testcall, Silent call detection, and long call duration detection features.

Workaround: There is no workaround.

CSCsg30880

Symptoms: After a router is booted or reloaded, a PVC bundle configuration that is established under an IMA interface is lost.

Conditions: This symptom is observed on a Cisco 2800 series that runs Cisco IOS Release 12.3(11)T7 or Release 12.3(14)T7 and that has the service-policy output command enabled on the PVC bundle. The symptom may also affect Release 12.4 and Release 12.4T.

Workaround: Disable the service-policy output command on the PVC bundle.

CSCsg70474

Multiple voice-related vulnerabilities are identified in Cisco IOS software, one of which is also shared with Cisco Unified Communications Manager. These vulnerabilities pertain to the following protocols or features:

Session Initiation Protocol (SIP)

Media Gateway Control Protocol (MGCP)

Signaling protocols H.323, H.254

Real-time Transport Protocol (RTP)

Facsimile reception

Cisco has made free software available to address these vulnerabilities for affected customers. Fixed Cisco IOS software listed in the Software Versions and Fixes section contains fixes for all vulnerabilities mentioned in this advisory.

There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from disabling the protocol or feature itself.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

CSCsg83326

Symptoms: With IPv6, IPSec is non-functional. All crypto-related functions would be completely affected.

Conditions: This symptom has been observed when using IPv6.

Workaround: There is no workaround.

CSCsg99814

Symptoms: On a Cisco IOS router configured with GRE over IPSec or a Virtual Tunnel Interface (VTI) configuration, an Access Control List (ACL) that is applied to the tunnel interface is bypassed.

Conditions: This symptom occurs when there is another ACL configured on the outbound physical interface where the IPSec tunnel is terminated.

Workaround: Apply the ACL outbound on the protected LAN interface instead of the tunnel interface.

CSCsh35269

Symptoms: When using MTP on a Cisco IOS router, there could be RTP ports and rtpspi callegs hanging. Over time, the hanging RTP ports can accumulate and cause the router to run out of RTP ports, so MTP calls will fail.

Conditions: This symptom has been observed when using software MTP for supplementary services or when there is a high number of calls per second (CPS).

Workaround: Reload the router to release hanging ports.

CSCsh42337

Symptoms: A Cisco IOS router with DSPRM crashes with an out of buffer error under load.

Conditions: This symptom has been observed on a Cisco 2811 chassis with NM-HDV2 having four T1 connections, PVDM2-64 (4 DSP), and 768 MB RAM. With this setup, create 96 SIP G.729 dial-peers, make calls and start sending voice traffic. Also, create 96 multicast G.711 dialpeers and start traffic.

Workaround: There is no workaround.

CSCsh75827

Symptoms: When a router that has the ssg intercept dhcp command enabled receives a DHCP packet from a host that has already logged out from a Subscriber Edge Services Manager (SESM), the router may unexpectedly reload because of a bus error.