Release Notes for Cisco PDSN Release 5.0 in IOS Release 12.4(22)XR
Published: August 21, 2009
Revised: September 24, 2009, OL-19028-01
Cisco IOS Release 12.4(22)XR is based on Cisco IOS Release 12.4, with enhancements to the Cisco Packet Data Serving Node (Cisco PDSN) feature. This Cisco PDSN Release 5.0 based on IOS Release 12.4 is optimized for the Cisco PDSN feature on the Cisco Service and Application Module for IP (SAMI) card on the Cisco 7600 Series Router.
Contents
These release notes include important information and caveats for the Cisco PDSN software feature provided by the Cisco IOS 12.4(22)XR for the Cisco 7600 Series Router platform.
This release note describes:
•Upgrading to New Software Release
•Cisco PDSN Software Features in Release 12.4(22)XR
•Obtaining Documentation and Submitting a Service Request
Introduction
Cisco PDSN is an IOS software feature that enables a Cisco SAMI Card on a Cisco 7600 Series Router to function as a gateway between the wireless Radio Access Network (RAN) and the Internet. With Cisco PDSN enabled on a router, a stationary or roaming mobile user can access the Internet, a corporate intranet, or Wireless Application Protocol (WAP) services. Cisco PDSN supports both simple IP and mobile IP operations.
System Requirements
This section describes the system requirements for running Cisco IOS Release 12.4(22)XR:
•Cisco PDSN Software Features in Release 12.4(22)XR
Memory Requirements
To install Cisco PDSN software that supports the SAMI card on the Cisco 7600 Series Router:
•Platform: Cisco 7600 Series Router
•Software/Feature Set: PDSN Software Feature Set
•Image Name: 12.4(22)XR - c7svcsami-c6ik9s-mz.124.22.XR (This file is a bundled image file)
•Required Flash Memory: 256 MB
•Required DRAM Memory: 2048 MB
•Runs From: RAM
Hardware Supported
Cisco IOS Release 12.4(22)XR is optimized for the SAMI card on the Cisco 7600 Series Router.
You can use the Hardware-Software Compatibility Matrix tool to search for hardware components that are supported on a Cisco platform and an IOS Release.
Note You must have a valid Cisco.com account to log in to this tool: http://www.cisco.com/cgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi.
Software Compatibility
Cisco IOS Release 12.4(22)XR is developed on Cisco IOS Release 12.4 and supports the features included in Cisco IOS Release 12.4, with the addition of the Cisco PDSN feature.
For information on the new and existing features, see Cisco PDSN Software Features in Release 12.4(22)XR.
MIBs
Old Cisco MIBs will be replaced in a future release. Currently, OLD-CISCO-* MIBs have been converted to more scalable MIBs without affecting existing Cisco IOS products or NMS applications. You can update deprecated MIBs to the replacement MIBs as shown in Table 1.
Migration to Cisco PDSN
This section describes the migration paths and scenarios for Cisco PDSN 5.0:
•Migration Path for Cisco PDSN
•Migration Scenarios for Cisco PDSN 5.0
Migration Path for Cisco PDSN
Table 2 lists currently available Cisco PDSN releases and the migration path to the SAMI card.
Migration Scenarios for Cisco PDSN 5.0
Based on Table 2, there are many possible migration scenarios. This section focuses on those scenarios closest to existing customer deployments. You must determine the migration path based on your end-to-end deployment.
Note
•We recommend that you perform the migration during a maintenance window in your deployment.
•You can also use this window for the following network redesign activities:
–Redesigning IP address scheme.
–Configuring the routing protocols.
–Configuring network connectivity between Cisco PDSN and the HA.
–Configuring application connectivity between Cisco PDSN and AAA servers.
–Configuring routing on the new SAMI Cisco PDSN or the HA.
Note For all these migration plans, both hardware and software configurations have significant changes. This requires prudent operation planning and network redesign. The Migration Steps section describes the possible migration steps to minimize both network reconfiguration and service disruption.
Table 3 lists the most common migration scenarios.
Migration Steps
Migration to the Cisco PDSN Release 5.0 image is more than replacing Multi-processor WAN Application Module (MWAM) cards with SAMI modules. Ensure that you plan your migration such that migration activities have a minimal impact on an existing mobile subscriber's service connections.
Table 4 lists the migration tasks that are based on the scenarios established in Table 3.
Upgrading to New Software Release
The following sections describe how to determine the existing software version and how to upgrade your Cisco PDSN:
•Determining the Software Version
•Upgrading the Supervisor Image
•Changing Configuration on Cisco PDSN in a Live Network
For information on upgrading to a new software release, see the product bulletin Cisco IOS Software Upgrade Ordering Instructions, located at:
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/957_pp.htm
Determining the Software Version
To determine the version of Cisco IOS software running on your router, log in to the router and enter the show version command in the EXEC mode:
Router# show version
Cisco IOS Software, SAMI Software (SAMI-C6IK9S-M), Experimental Version 12.4(20090828:113927) [sgontla-dtho_xr7 102]
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 28-Aug-09 17:09 by sgontla
ROM: System Bootstrap, Version 12.4(15r)XQ1, RELEASE SOFTWARE (fc1)
mwtcp_ftb9-pdsn-93 uptime is 9 minutes
System returned to ROM by SUP request at 17:40:14 UTC Tue Aug 18 2009
System restarted at 14:04:25 UTC Mon Aug 31 2009
System image file is "c7svcsami-c6ik9s-mz.xr7-dtho"
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
If you require further assistance please contact us by sending email to
Cisco Systems, Inc. SAMI (MPC8500) processor (revision 2.2) with 786432K/262144K bytes of memory.
Processor board ID SAD114203KX
FS8548H CPU at 1250MHz, Rev 2.0, 512KB L2 Cache
1 Gigabit Ethernet interface
65536K bytes of processor board system flash (AMD S29GL256N)
Configuration register is 0x2102
Router#
Upgrading the Supervisor Image
To upgrade the Supervisor image:
Step 1 Copy the SUP image to the disks (for example, disk0: / slavedisk0:).
Step 2 Add the following command to the running configuration: boot system disk0:SUP-image-name. For example:
boot system disk0:s72033-advipservicesk9_wan-mz.122-18.SXE3.bin
Note To enable the image to reload, remove previously configured instances of this command.
Step 3 Run the write memory command to save the running-configuration on the active and standby SUP.
Step 4 Run the reload command on the active SUP.
Both active and standby SUP reload simultaneously and come up with the SXE3-based image.
Running the reload command on the active SUP causes both the active and standby Supervisors to reload simultaneously, causing some downtime during the upgrade process.
Upgrading the SAMI Software
To upgrade a Cisco PDSN image on the SAMI card, follow the directions at:
Changing Configuration on Cisco PDSN in a Live Network
To change the working configuration on a Cisco PDSN in a live environment:
Step 1 Bring the standby PDSN out of service.
For example, to isolate the standby Cisco PDSN from the session redundancy setup, you must run the no cdma pdsn redundancy command.
7600a-Stdy(config)# no cdma pdsn redundancy
Step 2 Run the write memory command to save the configuration.
Step 3 Make the necessary configuration changes on the standby PDSN, and save the configuration.
Step 4 Run the cdma pdsn redundancy command again and save the configuration.
Step 5 Issue the reload command to bring the standby PDSN back into the session redundancy setup with the changed configuration. Verify if the processor comes back in the SR setup using the following show commands:
7600a-Stdy# show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Gi0/0.101   300 110    Standby  20.20.101.10    local           20.20.101.101
7600a-Stdy# show cdma pdsn redundancy
CDMA PDSN Redundancy is enabled
CDMA PDSN Session Redundancy system status
PDSN state = STANDBY HOT
PDSN-peer state = ACTIVE
CDMA PDSN Session Redundancy Statistics
Last clearing of cumulative counters never
                Total               Current
                Synced from active  Connected
Sessions        15                  15
SIP Flows       15                  15
MIP Flows       0                   0
PMIP Flows      0                   0
7600a-Stdy# show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
Scheme: Standby
Groupname: pdsn-rp-sr1 Group State: Standby
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured
7600a-Stdy# show redundancy states
my state = 8 -STANDBY HOT
peer state = 13 -ACTIVE
Mode = Duplex
Unit ID = 0
Split Mode = Disabled
Manual Swact = Enabled
Communications = Up
client count = 9
client_notification_TMR = 30000 milliseconds
RF debug mask = 0x0
7600a-Stdy#
Step 6 Configure the standby PDSN to take over as active by reloading the current active PDSN.
Caution Before proceeding with the configuration changes, we recommend that you disable the HSRP preemption configuration on the active and standby PDSN.
Because of a change of configuration following this step, an outage may occur on existing calls on the active PDSN (which is now being taken out of service) when synched with new active units.
Step 7 Configure the current standby PDSN using the procedures described from Step 1 to Step 5.
Note For Cisco PDSN SR to work properly, ensure that configurations on the active and standby Cisco PDSNs are identical.
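The Step 5 verification can be scripted as a gate before the Step 6 reload. The following is an added example, not part of the Cisco release notes: it parses captured output of show cdma pdsn redundancy and show redundancy states and lists every reason the standby is not ready to take over. The function names, the readiness criteria, and the active_sessions argument (the session count the operator reads from the active unit) are assumptions of this example.

```python
import re

# Constructed sample: the Step 5 capture from this page, one field per line.
SAMPLE_PDSN = """\
CDMA PDSN Redundancy is enabled
CDMA PDSN Session Redundancy system status
PDSN state = STANDBY HOT
PDSN-peer state = ACTIVE
CDMA PDSN Session Redundancy Statistics
Last clearing of cumulative counters never
                Total               Current
                Synced from active  Connected
Sessions        15                  15
SIP Flows       15                  15
MIP Flows       0                   0
PMIP Flows      0                   0
"""

SAMPLE_RF = """\
my state = 8 -STANDBY HOT
peer state = 13 -ACTIVE
Mode = Duplex
Unit ID = 0
Split Mode = Disabled
Manual Swact = Enabled
Communications = Up
client count = 9
client_notification_TMR = 30000 milliseconds
RF debug mask = 0x0
"""

COUNTER_RE = re.compile(
    r"^\s*(Sessions|SIP Flows|MIP Flows|PMIP Flows)\s+(\d+)\s+(\d+)\s*$")


def parse_kv(text):
    """Return {key: value} for every 'key = value' line of show output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_counters(text):
    """Return {row: (total_synced_from_active, current_connected)}."""
    rows = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows


def state_name(value):
    """Drop the numeric prefix RF prints before a state ('8 -STANDBY HOT')."""
    return re.sub(r"^\d+\s*-\s*", "", value)


def standby_problems(pdsn_out, rf_out, active_sessions):
    """List reasons the standby is not ready to take over; empty means ready."""
    problems = []
    if "CDMA PDSN Redundancy is enabled" not in pdsn_out:
        problems.append("cdma pdsn redundancy is not enabled")
    pdsn, rf = parse_kv(pdsn_out), parse_kv(rf_out)
    expected = [
        ("PDSN state", pdsn.get("PDSN state", ""), "STANDBY HOT"),
        ("PDSN-peer state", pdsn.get("PDSN-peer state", ""), "ACTIVE"),
        ("my state", rf.get("my state", ""), "STANDBY HOT"),
        ("peer state", rf.get("peer state", ""), "ACTIVE"),
        ("Communications", rf.get("Communications", ""), "Up"),
    ]
    for name, got, want in expected:
        if state_name(got) != want:
            problems.append(f"{name} is {got or 'missing'!r}, expected {want}")
    # The Total column is cumulative, so only the Current column is compared
    # with the session count taken from the active unit.
    counters = parse_counters(pdsn_out)
    if "Sessions" not in counters:
        problems.append("Sessions counter missing from output")
    elif counters["Sessions"][1] != active_sessions:
        problems.append(
            f"standby holds {counters['Sessions'][1]} sessions, "
            f"active reports {active_sessions}")
    return problems


if __name__ == "__main__":
    issues = standby_problems(SAMPLE_PDSN, SAMPLE_RF, active_sessions=15)
    print("ready for Step 6" if not issues else "\n".join(issues))
```
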
Cisco PDSN Software Features in Release 12.4(22)XR
Cisco IOS software is packaged in feature sets consisting of software images—depending on the platform. Each feature set contains a specific set of Cisco IOS features.
Caution Cisco IOS images with strong encryption (including, but not limited to 168-bit (3DES) data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay because of United States government regulations. When applicable, purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.
Cisco IOS Release 12.4(22)XR supports the same feature sets as Cisco Release 12.4; additionally, it supports the PDSN feature. Cisco PDSN Release 5.0 includes the following new and existing features:
•Single IP per Blade
•Osler Support
•Improved Throughput and Transaction Handling
•Cluster Controller Support in Single IP Blade
•IMSI and PCF Redirection
•Mobile IP and AAA Attributes for China Telecom
•Trap Generation for AAA Server Unresponsiveness
•Supervisor Support
•Data Over Signaling
•Differentiated Services Code Point Marking Support
•Nortel Aux A10 Support
•Masking Off IMSI Prefix
•Persistent TFT Support
•Conserve Unique IP-ID for FA-HA IP-in-IP Tunnel
•GRE CVSE Support in FA-HA Tunnel
•Remote Address Accounting
•Default Service Option Implementation
•Configurable Per-Flow Accounting Options
•IP Flow Discriminator Support for PCF Backward Compatibility
•Support for Remark DSCP to Max-class Value
•Command Support for Fragmentation Size
•New Statistics Counters for China Telecom
•Attribute Support
–Served MDN
–Framed Pool
–3GPP2 DNS Server IP
•Virtual Route Forwarding with Sub-interfaces
•Conditional Debugging Enhancements (for Cisco PDSN Release 4.1)
•Multiple Service Connections
•Data Plane
•Subscriber QoS Policy (both downloading per-user profile from the AAA server and configuring a local profile)
•QoS Signaling
•Traffic Flow Templates
•Per-flow Accounting
•Call Admission Control
•PDSN MIB Enhancements (for Cisco PDSN Release 4.0)
•PDSN on SAMI
•Inter-User Priority
•Roamer Identification
•Bandwidth Policing
•Packet Data Service Access—Simple IPv6 Access
•Session Redundancy Infrastructure
•RADIUS Server Load Balancing
•Subscriber Authorization Based on Domain
•PDSN MIB Enhancements
–PPP Counters in Cisco PDSN Release 3.0
–RP Counters in Cisco PDSN Release 3.0
•Conditional Debugging Enhancements—Trace Functionality in Cisco PDSN Release 3.0
•Randomized IMSI Handling
•Protocol Layering and RP Connections
•PPPoGRE RP Interface
•A11 Session Update
•SDB Indicator Marking
•Resource Revocation for Mobile IP
•Packet of Disconnect
•IS-835 Prepaid Support
•Prepaid Billing
•Mobile IP Call Processing Per Second Improvements
•Always-On Feature
•PDSN MIB Enhancements
•Conditional Debugging Enhancements
•Cisco Proprietary Prepaid Billing
•3DES Encryption
•Mobile IP IPSec
•Hardware IPSec Acceleration Using IPSec Acceleration Module—Static IPSec
•1xEV-DO Support
•Integrated Foreign Agent
•AAA Server Support
•Packet Transport for VPDN
•Proxy Mobile IP
•Multiple Mobile IP Flows
•PDSN Cluster Controller / Member Architecture
Refer to Cisco Packet Data Serving Node Release 5.0 for Cisco IOS Release 12.4(22)XR for more information on the features.
Caveats
Caveats describe unexpected behavior in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.
Caveats for Cisco IOS Releases 12.3 are available on Cisco.com at http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_release_notes_list.html
The "Open Caveats" section lists open caveats that apply to the current release; they may also apply to previous releases.
The "Resolved Caveats" section lists caveats resolved in a particular release that may have been open in previous releases.
The "Product Documentation" section lists caveats resolved in a particular release that may have been open in previous releases.
Note If you have an account with Cisco.com, you can use Bug Navigator II to find caveats of any severity for any release. You can access Bug Navigator II on Cisco.com at Software Center: Cisco IOS Software: Cisco Bug Toolkit: Cisco Bugtool Navigator II, or at http://www.cisco.com/support/bugtools.
Open Caveats
The following are the unresolved caveats in Cisco IOS Release 12.4(22)XR and earlier releases.
Unresolved Caveats in Cisco IOS Release 12.4(22)XR
•CSCtb30757—RAA Flow Count Does Not Get Cleared in Standby Mode.
The RAA flow count does not get cleared in the standby mode. When a high number of sessions are opened, the flow counts are displayed correctly. When the sessions are closed or cleared, the flow counts are cleared in the active mode; but they still appear in the standby mode.
This issue is seen:
–when flapping simple IP (SIP) and mobile IP (MIP) sessions.
Workaround: None.
•CSCtb49920—Prepaid Per PCF Statistics Counter Displays The Wrong Output When Doing Handoff With PPP Renegotiation.
When an inter-PCF handoff with PPP renegotiation is performed for a prepaid session, the client service termination and total online access requests sent counters are shown incorrectly under the new PCF instead of the old PCF in show cdma pdsn statistics prepaid pcf ip addr.
This issue is seen:
–when a prepaid session is opened.
–when an inter-PCF handoff is performed with PPP renegotiation.
Workaround: None.
•CSCtb43404—Mobile IP Tunnel Information Does Not Get Cleared in Standby Mode.
In a standby Cisco PDSN, the tunnel user counters in show ip mobile tunnel appear differently from those in an active PDSN.
This issue is seen:
•With MIP sessions:
–Open 100 MIP sessions. The tunnel users counters match in both active and standby Cisco PDSNs, reflecting the number of users connected.
–Perform a handoff for all the sessions. The active Cisco PDSN keeps the tunnel users counter as before; in the standby Cisco PDSN, the number of counters increases.
–Close all the sessions. The show ip mobile tunnel command displays empty output for both active and standby Cisco PDSNs.
•With PMIP sessions:
–Open 100 PMIP sessions. The tunnel users counters match in both active and standby Cisco PDSNs, reflecting the number of users connected.
–Perform a handoff for all the sessions. The active Cisco PDSN keeps the tunnel users counter as before; in the standby Cisco PDSN, the number of counters increases.
–Close all the sessions. The show ip mobile tunnel command displays empty output for an active Cisco PDSN; for the standby Cisco PDSN, the output is not cleared. (Additional tunnel users are created during handoff.)
Workaround: None.
•CSCtb36803—Downstream AHDLC Fragmentation Not Working with ACCM As Zero in Cisco PDSN Release 5.0.
Downstream AHDLC fragmentation does not work with Asynchronous Control Character Map (ACCM) set to zero in Cisco PDSN Release 5.0. All asynchronous high-level data link control (AHDLC) packets are fragmented only in the outer IP, and not in the AHDLC. This fragmentation in the outer IP affects the IP packets sent to the mobile, where IP packets are greater than 1,460.
This issue is seen:
–for flows involving ACCM set to zero.
Workaround: None.
Refer to the Packet Fragmentation section for more information.
Packet Fragmentation
The packet fragmentation is done using IP layer fragmentation and PPP layer fragmentation.
IP Layer Fragmentation
Cisco PDSN fragments IP packets at the IP layer, ensuring that the packet size is less than or equal to the interface MTU (default is 1,500 bytes). There is no GRE, PPP, or user IP header on the second fragment. So in IP layer fragmentation, if you capture packets using GRE.KEY as your filter, you will not capture the second fragment, because it does not have the GRE header in this packet fragment.
The below example snippet shows configuration of the IP layer fragmentation:
interface GigabitEthernet0/0
 mtu 1600
 no ip address
 no keepalive
!
interface GigabitEthernet0/0.11
 encapsulation dot1Q 11
 ip address 10.10.10.10 255.255.255.0
 ip mtu 1500
!
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 20.20.20.20 255.255.255.224
!
interface GigabitEthernet0/0.200
 encapsulation dot1Q 200
 ip address 30.30.30.30 255.255.255.224
 ip mtu 1500
PPP Layer Fragmentation
In PPP fragmentation, the GRE header is included in both the packets. These are not IP fragments, as each packet has a different IP header. The GRE.KEY filter for a packet capture captures all PPP fragments related to the subscriber session based on GRE Key.
The below example snippet shows configuration of the PPP layer fragmentation:
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0.200
 peer default ip address pool sip-pool
 no keepalive
 ppp accm 0
 ppp authentication chap pap ms-chap optional
 ppp accounting none
 ppp ipcp dns 1.1.1.1 2.2.2.2
 ppp ipcp address unique
 ppp timeout idle 86400
Fragmentation in Cisco PDSN Release 4.0
In Cisco PDSN Release 4.0, the default packet fragmentation method is PPP fragmentation. You can use the CLI command no cdma pdsn a10 ahdlc prefragment to disable PPP fragmentation. If you use this command, Cisco PDSN fragments the packets at the IP layer.
Timesaver Radio Access Network (RAN) PCFs can use PPP fragmentation for A10/GRE in the reverse direction, and the PCFs also accept IP layer fragmentation for A10/GRE forward direction. We recommend that you use the IP layer fragmentation because it increases PCF performance.
Fragmentation in Cisco PDSN Release 5.0
Cisco PDSN Release 5.0 uses IP layer fragmentation as the default setting. The PPP fragmentation support for Cisco PDSN will be provided in a later release.
If the PPP MTU on the virtual template is less than 1,500 bytes (default), no changes are required. You must set the MTU to less than 1,450 bytes to ensure that fragmentation is not required.
IP Layer Fragmentation with Default (1,500 Bytes) MTU:
To support IP layer fragmentation in Cisco PDSN Release 5.0, you must make the following changes when the default virtual interface does not specify an MTU. (In this case, the virtual interface will default to 1,500 bytes.)
•Cisco PDSN Release 5.0 offloads PPP byte-stuffing and cyclic redundancy check (CRC) generation to the IXP processor on the SAMI blade to increase performance.
•The MTU must be changed so that the power PC chip on the SAMI platform can send larger than 1,500 bytes to the IXP.
•The SAMI platform then allows the PPC to send the user's IP packet (1,500 bytes) along with the additional IP/GRE/PPP header (1,540 bytes), to the IXP.
•Set the MTU for GigabitEthernet 0/0 interface to 1,600 bytes. If you set the MTU to 1,600 bytes, the MTU of all sub-interfaces will also be set to 1,600 bytes. So if you have a sub-interface, such as a management interface that you do not want to set to 1,600 bytes, you must set the IP MTU for that sub-interface to 1,500.
•Ensure that the routes back to the PCFs use the sub-interface, which gets the MTU of 1,600 (that is, no "ip mtu xxxx" setting exists). In this case, the interface is GigabitEthernet 0/0.100.
•If the session redundancy between two SAMIs is enabled, ensure that the session redundancy is notified to the sub-interface, which has the MTU set for 1,500 bytes.
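The MTU rules in this list can be checked against a saved configuration before a change window. The following is an added example, not part of the Cisco release notes: it parses interface blocks, derives each sub-interface's effective IP MTU (its own ip mtu if set, otherwise the parent's mtu), and reports violations. The function names and the arguments naming the PCF-facing and 1,500-byte sub-interfaces are assumptions; the sample is the IP layer fragmentation configuration shown earlier on this page.

```python
import re

# Per the release notes: a 1,500-byte user IP packet plus the additional
# IP/GRE/PPP header is 1,540 bytes, which the PCF-facing path must carry.
ENCAP_PACKET_BYTES = 1540
DEFAULT_MTU = 1500

# Constructed sample: the page's IP layer fragmentation snippet, one command per line.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 mtu 1600
 no ip address
 no keepalive
!
interface GigabitEthernet0/0.11
 encapsulation dot1Q 11
 ip address 10.10.10.10 255.255.255.0
 ip mtu 1500
!
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip address 20.20.20.20 255.255.255.224
!
interface GigabitEthernet0/0.200
 encapsulation dot1Q 200
 ip address 30.30.30.30 255.255.255.224
 ip mtu 1500
"""


def parse_interfaces(config):
    """Map interface name -> {'mtu': int or None, 'ip_mtu': int or None}."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = ifaces.setdefault(m.group(1), {"mtu": None, "ip_mtu": None})
            continue
        if line == "!":
            current = None  # '!' closes the interface block
            continue
        if current is None:
            continue
        m = re.match(r"^(ip )?mtu\s+(\d+)$", line)
        if m:
            current["ip_mtu" if m.group(1) else "mtu"] = int(m.group(2))
    return ifaces


def effective_ip_mtu(ifaces, name):
    """IP MTU in force on a sub-interface: 'ip mtu' caps the inherited 'mtu'."""
    parent = ifaces.get(name.split(".")[0], {})
    link_mtu = ifaces[name]["mtu"] or parent.get("mtu") or DEFAULT_MTU
    ip_mtu = ifaces[name]["ip_mtu"]
    return link_mtu if ip_mtu is None else min(ip_mtu, link_mtu)


def audit_mtu(config, pcf_subif, capped_subifs):
    """Return findings; pcf_subif carries A10/GRE, capped_subifs must stay at 1,500."""
    ifaces, findings = parse_interfaces(config), []
    for name in [pcf_subif, *capped_subifs]:
        if name not in ifaces:
            findings.append(f"{name}: not present in configuration")
    if pcf_subif in ifaces:
        if ifaces[pcf_subif]["ip_mtu"] is not None:
            findings.append(f"{pcf_subif}: 'ip mtu' is set; the PCF-facing "
                            "sub-interface must inherit the 1,600-byte MTU")
        mtu = effective_ip_mtu(ifaces, pcf_subif)
        if mtu < ENCAP_PACKET_BYTES:
            findings.append(f"{pcf_subif}: effective MTU {mtu} is below "
                            f"{ENCAP_PACKET_BYTES} bytes")
    for name in capped_subifs:
        if name in ifaces and effective_ip_mtu(ifaces, name) != 1500:
            findings.append(f"{name}: effective MTU "
                            f"{effective_ip_mtu(ifaces, name)}, expected 1500")
    return findings


if __name__ == "__main__":
    result = audit_mtu(SAMPLE_CONFIG, "GigabitEthernet0/0.100",
                       ["GigabitEthernet0/0.11", "GigabitEthernet0/0.200"])
    print("MTU layout matches the release notes" if not result else "\n".join(result))
```
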
Resolved Caveats
The following caveats are resolved in Cisco IOS 12.4(22)XR:
•CSCsu70214
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•CSCsw47076
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•CSCsv48603
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•CSCsx07114
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•CSCsu50252
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•CSCsy54122
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has released free software updates that address this vulnerability. There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-acl.shtml.
•CSCsy15227
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-auth-proxy.shtml
•CSCsz38104
The H.323 implementation in Cisco IOS Software contains a vulnerability that can be exploited remotely to cause a device that is running Cisco IOS Software to reload. Cisco has released free software updates that address this vulnerability. There are no workarounds to mitigate the vulnerability apart from disabling H.323 if the device that is running Cisco IOS Software does not need to run H.323 for VoIP services. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-h323.shtml.
•CSCsr18691
Cisco IOS devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available within the workarounds section of the posted advisory.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ios-fw.shtml
•CSCsu24505
Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml
•CSCsv75948
Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability processing specific NTP packets that will result in a reload of the device. This results in a remote denial of service (DoS) condition on the affected device.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available and are documented in the workarounds section of the posted advisory.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml
•CSCsx25880
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected device when the Cisco Unified Border Element feature is enabled. Cisco has released free software updates that address this vulnerability. For devices that must run SIP there are no workarounds; however, mitigations are available to limit exposure of the vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml.
•CSCsq24002
Cisco IOS Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to reload by remotely sending a crafted encryption packet. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tls.shtml.
•CSCsx70889
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090923-tunnels.shtml.
•CSCsv04836
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml.
Product Documentation
Table 5 describes the product documentation that is available.
Table 5 Product Documentation
Document Title | Available Formats
Release Notes for Cisco PDSN Release 5.0 in IOS Release 12.4(22)XR | On Cisco.com at http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_22_xr/release/notes/124_22xrrn.html
Command Reference for Cisco PDSN Release 5.0 in IOS Release 12.4(22)XR | On Cisco.com at http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_22_xr/command/reference_xr/pdsn_5_0cr.html
Cisco Packet Data Serving Node Release 5.0 for Cisco IOS Release 12.4(22)XR | On Cisco.com at http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_22_xr/feature/guide/pdsn5_0_fcs.html
Related Documentation
Table 6 describes the related documentation that is available:
Table 6 Related Documentation
Document Title | Available Formats
Cisco IOS Mobile Wireless Packet Data Serving Node Configuration Guide, Release 12.4T | On Cisco.com at http://www.cisco.com/en/US/docs/ios/mwpdsn/configuration/guide/12_4t/mwp_12_4t_book.html
Documentation on Cisco 7600 Series Router | On Cisco.com at http://www.cisco.com/en/US/products/hw/routers/ps368/tsd_products_support_series_home.html
Documentation on Cisco Catalyst 6500 Series Switch | On Cisco.com at http://www.cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html
Documentation on Caveats for Cisco IOS Release 12.4 | On Cisco.com at http://www.cisco.com/en/US/products/ps6350/prod_release_notes_list.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
© 2009 Cisco Systems, Inc.
All rights reserved.