Table of Contents
Release Notes for the Catalyst 4500-X Series Switches, Cisco IOS XE Release 3.5.xE
Supported Hardware on the Catalyst 4500-X Series Switches
Features Not Supported on the Cisco Catalyst 4500-X Series Switches
New Hardware Features in Release IOS XE 3.5.0E
New Software Features in Release IOS XE 3.5.0E
New and Modified IOS Software Features Supported in Cisco IOS XE 3.5.0E
Cisco IOS XE to Cisco IOS Version Number Mapping
Open Caveats for Cisco IOS XE Release 3.5.3E
Resolved Caveats for Cisco IOS XE Release 3.5.3E
Open Caveats for Cisco IOS XE Release 3.5.2E
Resolved Caveats for Cisco IOS XE Release 3.5.2E
Open Caveats for Cisco IOS XE Release 3.5.1E
Resolved Caveats for Cisco IOS XE Release 3.5.1E
Open Caveats for Cisco IOS XE Release 3.5.0E
Resolved Caveats for Cisco IOS XE Release 3.5.0E
Obtaining Documentation and Submitting a Service Request
Release Notes for the Catalyst 4500-X Series Switches, Cisco IOS XE Release 3.5.xE
Current release
IOS XE 3.5.3E—July 7, 2014
Prior release
IOS XE 3.5.2E, IOS XE 3.5.1E, IOS XE 3.5.0E—August 26, 2013
This release note describes the features, modifications, and caveats for the Cisco IOS XE 3.5.0E software on the Catalyst 4500-X Series switch. This release delivers new software and hardware innovations in campus access and aggregation deployments that span across many technologies, including enhanced support for IPv6, security, high availability, and IP multicast.
Cisco IOS Software Release XE 3.5.0E is part of the new software releases on Cisco Catalyst 2960S, 2960C, 3560C, 3750-X, 3560-X, 4500E and 4500-X, 4900M, and 4948E/E-F Series Switches. These releases deliver new software and hardware innovations in campus access and aggregation deployments that span across many technologies, including enhanced support for IPv6, security, high availability, and IP multicast.
Support for Cisco IOS XE Release 3.5.0E follows the standard Cisco Systems® support policy, available at
http://www.cisco.com/en/US/products/products_end-of-life_policy.html
For more information on the Catalyst 4500-X switch, visit the following URL:
http://www.cisco.com//en/US/products/ps12332/index.html
Note Although their Release Notes are unique, the platforms Catalyst 4500E and Catalyst 4500-X use the same Software Configuration Guide, Command Reference Guide, and System Message Guide.
Cisco IOS Software Packaging
The Enterprise Services image supports all Cisco Catalyst 4500-X Series software features based on Cisco IOS Software, including enhanced routing.
The IP Base image supports Open Shortest Path First (OSPF) for Routed Access, Enhanced Interior Gateway Routing Protocol (EIGRP) "limited" Stub Routing, Nonstop Forwarding/Stateful Switchover (NSF/SSO), and RIPv1/v2. The IP Base image does not support enhanced routing features such as BGP, Intermediate System-to-Intermediate System (IS-IS), Full OSPF, Full Enhanced Interior Gateway Routing Protocol (EIGRP) & Virtual Routing Forwarding (VRF-lite).
Starting with Cisco IOS Release XE 3.5.0E, OSPF Routed Access in IP Base supports up to 1000 routes.
Cisco IOS XE Release Strategy
Customers with Catalyst 4500-X Series Switches who need the latest hardware and software features should migrate to Cisco IOS Release XE 3.5.0E.
IOS XE 3.4.xSG is a maintenance train supporting Sup7E, Sup7L-E and 4500-X.
Figure 1 displays the one active train, 3.4.0SG.
Figure 1 Software Release Strategy for the Catalyst 4500-X Series Switch
Support
Support for Cisco IOS Software Release XE 3.5.0E follows the standard Cisco Systems® support policy, available at
http://www.cisco.com/en/US/products/products_end-of-life_policy.html
System Requirements
This section describes the system requirements:
- Supported Hardware on the Catalyst 4500-X Series Switches
- Feature Support by Image Type
- MIB Support
- Features Not Supported on the Cisco Catalyst 4500-X Series Switches
- Orderable Product Numbers
Supported Hardware on the Catalyst 4500-X Series Switches
Table 1 lists the hardware supported on the Catalyst 4500-X Series switches.
Table 1 Supported Hardware on the Cisco Catalyst 4500-X Series Switch
1000BASE-BX10-D small form-factor pluggable module
For DOM support, see Table 4.
1000BASE-BX10-U small form-factor pluggable module
For DOM support, see Table 4.
1000BASE-LX/LH small form-factor pluggable module with DOM support
1000BASE-ZX small form-factor pluggable module with DOM support
1000BASE-ZX small form-factor pluggable module with DOM support
CWDM small form-factor pluggable module (See Table 2 for a list of supported wavelengths.)
For DOM support, see Table 4.
Dense Wavelength-Division Multiplexing (DWDM) Small Form Factor Pluggable (SFP) module
Cisco 10GBASE-ZR SFP+ Module for SMF
Note This module is only supported on the uplink module in the back-to-front airflow configuration.
Table 2 briefly describes the supported CWDM wavelengths in the Catalyst 4500-X Series switch.
Table 3 briefly describes the supported DWDM wavelengths on the Catalyst 4500-X Series Switches.
For a complete list of Cisco Gigabit Ethernet Transceiver Modules, please refer to the URL:
http://www.cisco.com//c/en/us/td/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html#38544
Table 4 briefly describes the DOM support on the Catalyst 4500-X Series switches.
For details on transceiver module compatibility information, please refer to the URL:
http://www.cisco.com/en/US/products/hw/modules/ps5455/products_device_support_tables_list.html
Feature Support by Image Type
Table 5 is a detailed list of features supported on Catalyst 4500-X Series switches running Cisco IOS Software Release 3.5.0E categorized by image type. Please visit Feature Navigator for package details:
http://tools.cisco.com/ITDIT/CFN/
Table 5 IP Base and Enterprise Services Image Support on Cisco Catalyst 4500-X Series
BGP Increased Support of Numbered as-path Access Lists to 500
CFM/IEEE 802.1ag - D8.1 standard Compliant CFM, Y.1731 multicast LBM / AIS / RDI / LCK, IP SLA for Ethernet
Class Based Ethernet CoS Matching & Marking (802.1p & ISL CoS)
IEEE 802.1s Multiple Spanning Tree (MST) Standard Compliance
IEEE 802.1t
IEEE 802.3ad Link Aggregation (LACP) Port-Channel Standalone Disable
IGMP Version 3 - Explicit Tracking of Hosts, Groups, and Channels
IP Multicast Load Splitting - Equal Cost Multipath (ECMP) using S, G and Next-hop
IPv6 First Hop Security (FHS):
IPv6 Snooping (Data Gleaning, per-limit Address Limit)
IPv6 First Hop Security (FHS) Phase 2:
Lightweight DHCPv6 Relay Agent (LDRA)
Neighbor Discovery (ND) Multicast Suppress
Source and Prefix Guard
IPv6 Multicast: Multicast Listener Discovery (MLD) Protocol, Versions 1 and 2
IPv6 Multicast: RPF Flooding of Bootstrap Router (BSR) Packets
IPv6 Services: Cisco Discovery Protocol (CDP) - IPv6 Address Family Support for Neighbor Information
IPv6 Switching: CEFv6 Switched Automatic IPv4-compatible Tunnels (in software)
IPv6 Switching: CEFv6 Switched Configured IPv6 over IPv4 Tunnels (in software)
IPv6 Tunneling: Automatic IPv4-compatible Tunnels (in software)
IPv6 Tunneling: Manually Configured IPv6 over IPv4 Tunnels (in software)
Medianet 2.0: Integrated Video Traffic Simulator (hardware-assisted IP SLA); IPSLA generator and responder
Medianet 2.0: Media Monitoring (Performance Monitoring and Mediatrace)
NEAT Enhancement: Re-Enabling BPDU Guard Based on User Configuration
OSPF for Routed Access
RADIUS Attribute 44 (Accounting Session ID) in Access Requests
Smart Install Director—Configuration-only Deployment and Smooth Upgrade
Source Specific Multicast (SSM) - IGMPv3,IGMP v3lite, and URD
TrustSec: IEEE 802.1ae MACSec encryption on user facing ports
TrustSec: IEEE 802.1ae MACSec encryption between switch-to-switch links using Cisco SAP (Security Association Protocol)
Virtual Switching System (VSS) Phase 2
MIB Support
For information on MIB support, please refer to this URL:
ftp://ftp.cisco.com/pub/mibs/supportlists/cat4000/cat4000-supportlist.html
Features Not Supported on the Cisco Catalyst 4500-X Series Switches
The following features are not supported on Catalyst 4500-X Series switches:
With some exceptions, the VSS maintains “feature parity” with the standalone Catalyst 4500 or 4500-X series switches. Major exceptions include:
- CFM D8.1
- Dot1q Tunnel (“legacy/classic” dot1q tunnel)
- Dot1q tunneling and L2PT (Layer 2 Protocol Tunneling)
- Fast UDLD
- Flexlink
- Mediatrace (Medianet active video monitoring feature)
- Metadata (Medianet feature)
- Per VLAN Learning
- REP and associated featurettes
- UDE
- UDLR
- VLAN Translation (1:1 and 1:2-Selective QinQ)
- VMPS Client
- WCCP
Orderable Product Numbers
New and Changed Information
These sections describe the new and changed information for the Catalyst 4500-X Series switch running Cisco IOS XE software:
New Software Features in Release IOS XE 3.5.0E
- BFD Infra (vrf aware, v4 + v6)
- BGP Client for BFD
- OSPFv2 Client for BFD
- EIGRP Client for BFD
- Static Route Client for BFD
- Static Route support for BFD over IPv6
- malformed attribute error handling
- Cisco-BGP-MIBv2
- Graceful Shutdown
- Add-Path
- VRF dynamic route leaking (for VRF lite)
Configurable TCP Keep Alive Timer.
DHCPv6 Relay Chaining and Route Insertion
Diffserv MIB (RFC 3289) support
Enhancement to create global IPv6 entries for unsolicited NA
Enabling v4 PBR for 4k in IP Base Package
Enabling v4 PIM in IPBase Package
Encrypt “PMK” password inside the switch (e.g., show command)
Energywise Agentless SNMP support
Energywise Wake-On-Lan Support
Flexible Netflow: Application ID
Flexible Netflow: Export to an IPv6 address
Flexible Netflow: Power reading
Generate SNMP trap when EIGRP neighbor down
Improved performance for Wireshark
IPv6 Compliance Features (JITC, USGv6)
- Updated ICMP RFCs 4291, 4443, 3484, 2526, 4861, 4862, 5095, 4007, 3513
- UDP MIB (RFC 4113) and TCP MIB (RFC 4022) support
- VRRP over IPv6 (Existing)
IPv6 First Hop Security Phase II
- Binding table recovery
- Bulk Lease Query support from Lightweight DHCPv6 Relay Agent (LDRA)
- Neighbor Discovery (ND) Multicast Suppress
- Prefix Guard
- Source Guard
Note When either Source or Prefix Guard for IPv6 is enabled, ICMPv6 packets are unrestricted on all Catalyst 4500 series switch platforms running Cisco IOS Release 15.2(1)E. All other traffic types are restricted.
IPv6 Neighbor Discovery Multicast Suppress
Manually Configured Tunnel over IPv4
Multicast VLAN Registration (MVR)
Layer 3 Multichassis Ethernet Channel
Legacy Line Cards Support in VSS system
MACSec Encryption on Cisco Catalyst 4500-X
- IEEE 802.1ae MACSec Layer 2 encryption
- IEEE 802.1ae MACSec encryption on user-facing ports
- IEEE 802.1ae MACSec encryption between switch-to-switch links using Cisco Security Association Protocol (SAP)
Manually Configured Tunnel over IPv4
Need option to configure exponential backoff for NS timer used in NUD
- OSPFv2 NSR
- OSPFv3 NSR
- OSPFv3 BFD
- OSPFv3 Graceful Shutdown
- OSPFv2 NSSA
- OSPFv3 NSSA Option
- OSPFv3 External Path Preference
- OSPFv3 Router Max metric Router LSA
- OSPFv3 Retransmission Limit
Performance Monitor Synchronization
Script based zero touch provisioning
SGA (SGT) Deployability Enhancements
- Layer 2 SGACL for IPv4 Unicast Traffic
- TrustSec SGACL L2 Bridged Forwarding
- Layer 2 SGT Tagging
- VLAN SGT Mapping
Smart Install Configuration-Only Deployment
Smart Install Upgrade Fallback
SMI Director Support with VSS
New and Modified IOS Software Features Supported in Cisco IOS XE 3.5.0E
The following new and modified software features are supported in Cisco IOS XE Release 3.5.0E.
http://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/15-e/san-macsec.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-e/dhcp-gleaning.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3e/dhcp-xe-3e-book.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dns/configuration/15-e/dns-15-e-book.html
802.1X support for trunk ports
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/config-ieee-802x-pba.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3e/sec-usr-8021x-xe-3e-book.html
Commented IP Access List Entries
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-comm-ipacl.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-acl-comm-ipacl.html
IPv6 ACL Extensions for Hop by Hop Filtering
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/ip6-acl-ext-hbh.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-seq-num.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-acl-seq-num.html
ACL Support for Filtering IP Options
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-support-filter-ip-option.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-acl-support-filter-ip-option.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-create-filter-tcp.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-create-filter-tcp.html
ACL - Named ACL Support for Noncontiguous Ports on an Access Control Entry
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-named-acl-support-for-noncontiguous-ports.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-named-acl-support-for-noncontiguous-ports.html
IP Access List Entry Sequence Numbering
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-seq-num.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-acl-seq-num.html
IOS ACL Support for filtering IP Options
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-support-filter-ip-option.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-syslog.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/sec-acl-named.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/xe-3e/sec-acl-named.html
http://cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-e/ip6-pacl-supp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/bsdcm/configuration/15-e/bsdcm-15-e-book.html
http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/configuration/15-e/snmp-15-e-book.html
http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/configuration/xe-3e/snmp-xe-3e-book.html
http://www.cisco.com/en/US/docs/ios-xml/ios/cns/configuration/15-e/cns-15-e-book.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-e/ip6-mcast-pim-pass.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipmulti_pim/configuration/15-e/imc_hsrp_aware.html
OSPFv3 ABR Type 3 LSA Filtering
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-abr-type-3.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-ospfv3-dc-ignore.html
Graceful Shutdown Support for OSPFv3
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-ospfv3-gshutdown.html
OSPF Support for BFD over IPv4
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/irbfd-bfd-ospf-ipv4-supp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/irbfd-vrf-supp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/irbfd-bfd-static-route-supp.html
Static Route Support for BFD over IPv6
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/ip6-bfd-static.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/irbfd-bfd-eigrp-supp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/15-e/ip6-route-bfd-ospfv3.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_tacacs/configuration/15-e/sec-usr-tacacs-15-e-book.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_ssh/configuration/15-e/sec-secure-shell-v2.html
Client Information Signalling Protocol (CISP)
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-ieee-neat.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-ospfv3-mib.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/ip6-route-ospfv3-max-lsa.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-vrf-lite-pe-ce.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp_fhrp/configuration/15-e/fhp-15-e-book_chapter_0100.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6f-15-e-book_chapter_0110.html
IPv6 Router Advertisement Throttler
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6f-15-e-book_chapter_0111.html
IPv6 Neighbor Discovery Multicast Suppress
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ip6-nd-mcast-supp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6_fhsec/configuration/15-e/ipv6-dest-guard.html
DHCPv6 Relay - Lightweight DHCPv6 Relay Agent
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-e/dhcp-ldra.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dns/configuration/15-e/dns-15-e-book_chapter_01.html
DHCPv6 - Relay chaining for Prefix Delegation
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/15-e/dhcp-15e-book_chapter_010.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/command/ospf-i1.html
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-ospfv3-nssa-cfg.html
OSPF support for NSSA RFC 3101
http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_ospf/configuration/15-e/iro-ospfv2-nssa-cfg.html
http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6_nman/configuration/15-e/ip6-tftp-supp.html
http://www.cisco.com/en/US/docs/ios-xml/ios/saf/configuration/15-e/saf-capman.html
Extensible Messaging Client Protocol (XMCP) 2.0
http://www.cisco.com/en/US/docs/ios-xml/ios/saf/configuration/15-e/saf-xmcp.html
Cisco IOS XE to Cisco IOS Version Number Mapping
As Table 7 shows, each version of Cisco IOS XE has an associated Cisco IOS version:
Upgrading the System Software
If you are upgrading to IOS XE Version 3.5.0E and are planning on using VSS, you must upgrade your ROMMON to IOS Version 15.0(1r)SG10. Otherwise, leave the ROMMON at its default level.
Limitations and Restrictions
- Starting with Release IOS XE 3.3.0SG, the seven RP restriction was removed.
- More than 16K QoS policies can be configured in software. Only the first 16K are installed in hardware.
- Adjacency learning (through ARP response frames) is restricted to roughly 1000 new adjacencies per second, depending on CPU utilization. This should only impact large networks on the first bootup. After adjacencies are learned they are installed in hardware.
- Multicast fastdrop entries are not created when RPF failure occurs with IPv6 multicast traffic. In a topology where reverse path check failure occurs with IPv6 multicast, this may cause high CPU utilization on the switch.
- The SNMP ceImageFeature object returns a similar feature list for all the three license levels (IP Base and EntServices). Although the activated feature set for a universal image varies based on the installed feature license, the value displayed by this object is fixed and is not based on the feature license level.
- Standard TFTP implementation limits the maximum size of a file that can be transferred to 32 MB. If ROMMON is used to boot an IOS image that is larger than 32 MB, the TFTP transfer fails at the 65,xxx datagram.
TFTP numbers its datagrams with a 16 bit field, resulting in a maximum of 65,536 datagrams. Because each TFTP datagram is 512 bytes long, the maximum transferable file is 65536 x 512 = 32 MB. If both the TFTP client (ROMMON) and the TFTP server support block number wraparound, no size limitation exists.
Cisco has modified the TFTP client to support block number wraparound. So, if you encounter a transfer failure, use a TFTP server that supports TFTP block number wraparound. Because most implementations of TFTP support block number wraparound, updating the TFTP daemon should fix the issue.
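The limit and the wraparound behaviour described above, as an added example (not Cisco code): a pre-flight check that tells whether an image needs block number wraparound and walks the 16-bit block numbers to show where a transfer stops. The function names are hypothetical; the 512-byte block and 16-bit field come from the text, while the check that both ends agree on the value following 65535 (0 or 1, which differs between implementations) goes slightly beyond it.

```python
"""TFTP block-number pre-flight check (added example, not vendor code)."""

BLOCK_SIZE = 512      # bytes per DATA block, as stated in the text
MAX_BLOCK = 0xFFFF    # largest value a 16-bit block number can hold


def data_blocks_needed(file_size, block_size=BLOCK_SIZE):
    """DATA packets required for a file of file_size bytes.

    RFC 1350 ends a transfer with a block shorter than block_size, so a
    file that is an exact multiple still needs one extra, empty block.
    """
    if file_size < 0:
        raise ValueError("file_size must be non-negative")
    return file_size // block_size + 1


def needs_wraparound(file_size, block_size=BLOCK_SIZE):
    """True when the transfer cannot finish within block numbers 1..65535."""
    return data_blocks_needed(file_size, block_size) > MAX_BLOCK


def wire_block_number(seq, wrap_to=0):
    """16-bit number carried on the wire for the seq-th DATA block (seq >= 1).

    wrap_to is the value used after 65535: 0 or 1.
    """
    if seq < 1:
        raise ValueError("DATA blocks are numbered from 1")
    if wrap_to == 0:
        return seq % (MAX_BLOCK + 1)
    if wrap_to == 1:
        return (seq - 1) % MAX_BLOCK + 1
    raise ValueError("wrap_to must be 0 or 1")


def simulate_transfer(file_size, client_wraps, server_wrap_to=0, client_wrap_to=0):
    """Walk the block numbers of a transfer without moving any data.

    Returns (completed, blocks_accepted). A client that does not wrap stops
    after block 65535; a client that wraps to a different value than the
    server stops at the first mismatching block number.
    """
    total = data_blocks_needed(file_size)
    for seq in range(1, total + 1):
        if seq > MAX_BLOCK and not client_wraps:
            return (False, seq - 1)
        sent = wire_block_number(seq, server_wrap_to)
        expected = wire_block_number(seq, client_wrap_to)
        if sent != expected:
            return (False, seq - 1)
    return (True, total)


if __name__ == "__main__":
    image_size = 40 * 1024 * 1024  # constructed example: a 40 MiB image
    print("blocks needed:", data_blocks_needed(image_size))
    print("needs wraparound:", needs_wraparound(image_size))
    print("client without wraparound:", simulate_transfer(image_size, False))
    print("both ends wrap to 0:", simulate_transfer(image_size, True))
    print("server wraps to 0, client expects 1:",
          simulate_transfer(image_size, True, server_wrap_to=0, client_wrap_to=1))
```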
The outputs of certain commands, such as show ip route and show access-lists, contain non-deterministic text. While the output is easily understood, the output text does not contain strings that are consistently output. A general purpose specification file entry is unable to parse all possible output.
While a general purpose specification file entry may not be possible, a specification file entry might be created that returns the desired text by searching for text that is guaranteed to be in the output. If a string is guaranteed to be in the output, it can be used for parsing.
For example, the output of the show ip access-lists SecWiz_Gi3_17_out_ip command is this:
The first line is easily parsed because access list is guaranteed to be in the output:
The remaining lines all contain the term host. As a result, the specification file may report the desired values by specifying that string. For example, this line
will produce the following for the first and second rules
and the following for the third statement
Request the output of the show running-config command using NETCONF and parse that output for the desired strings. This is useful when the desired lines contain nothing in common. For example, the rules in this access list do not contain a common string, and the order (three permits, then a deny, then another permit) prevents the spec file entry from using permit as a search string, as in the following example:
The XML output of show running-config command includes the following, which can then be parsed programmatically, as desired:
<X-Interface> permit 0000.0000.ffef ffff.ffff.0000 0000.00af.bcef ffff.ff00.0000 appletalk</X-Interface>
- When attaching an existing policy-map (that is already applied to a control-port) to another front-panel port, the following message displays:
The policymap <policy-map name> is already attached to control-plane and cannot be shared with other targets.
Workaround: Define a policy-map with a different name and then reattach. CSCti26172
- If the number of unique FNF monitors attached to target exceeds 2048 (one per target), a switch responds slowly:
– Decrease the number of monitors.
– Attach the same monitor to multiple targets. CSCti43798
- ciscoFlashPartitionFileCount object returns an incorrect file count for bootflash:, usb0:, slot0:, slaveslot0:, slavebootflash:, and slaveusb0:.
Workaround: Use the dir device command (for example, dir bootflash:) to obtain the correct file count. CSCti74130
- If multicast is configured and you make changes to the configuration, Traceback and CPUHOG messages are displayed if the following conditions exist:
– At least 10K groups and roughly 20K mroutes exist.
– IGMP joins with source traffic transit to all the multicast groups.
This is caused by the large number of updates generating SPI messages that must be processed by the CPU to ensure that the platform is updated with the changes in all the entries.
- With traffic running, entering clear ip mroute * with larger number of mroutes and over 6 OIFs will cause Malloc Fail messages to display.
You cannot clear a large number of mroutes at one time when traffic is still running.
Workaround: Do not clear all mroutes at once.
- Although you can configure subsecond PIM query intervals on Catalyst 4500 platforms, such an action represents a compromise between convergence (reaction time) and a number of other factors (number of mroutes, base line of CPU utilization, CPU speed, processing overhead per 1 m-route, etc.). You must account for those factors when configuring subsecond PIM timers. We recommend that you set the PIM query interval to a minimum of 2 seconds. By adjusting the available parameters, you can achieve flawless operation; that is, a top number of multicast routes per given convergence time on a specific setup.
- Energywise WOL is not “waking up” a PC in hibernate or standby mode.
Workaround: Use the show version command. CSCtr30294
Workaround: Select an alternate destination or source port. CSCty05405
- When either the RADIUS-server test feature is enabled or RADIUS-server dead-criteria is configured, and either RADIUS-server deadtime is set to 0 or not configured, the RADIUS-server status is not properly relayed to AAA.
Workaround: Configure both dead-criteria and deadtime.
– Links flap for various Layer 3 protocols.
– A traffic loss of several seconds is observed during the upgrade process.
Workaround: Do not use the quick option with the issu changeversion command. CSCto51562
- While configuring an IPv6 access-list, if you specify hardware statistics as the first statement in v6 access-list mode (i.e. before issuing any other v6 ACE statement), it will not take effect. Similarly, your hardware statistics configuration will be missing from the output of the show running command.
You will not experience this behavior with IPv4 access lists.
Workaround: During IPv6 access-list configuration, configure at least one IPv6 ACE before the "hardware statistics" statement. CSCuc53234
- Routed packets that are fragmented are not policed if the egress interface is on the VSS Standby switch. However, if the egress interface is on the VSS active switch, these packets are policed.
This applies to QoS policing only. QoS marking, shaping and sharing behave as expected.
- When an IPv6 FHS policy is applied on a VLAN and an EtherChannel port is part of that VLAN, packets received by EtherChannel (from neighbors) are not bridged across the local switch.
Workaround: Apply FHS policies on a non EtherChannel port rather than a VLAN. CSCua53148
- During VSS conversion, the switch intended as the Standby device may require up to 9 minutes to reach an SSO state. The boot up time depends on the configuration and on the number of line cards in the system.
Because the Catalyst 4500-X is a “fixed” configuration device, in a VSS, you would expect the two systems to be labeled 'Module 1' and 'Module 2.’ However, because of software implementation similarities with the modular Catalyst 4500E series switches, the Standby switch is labeled 'Module 11.’
- Beginning with IOS Release XE 3.5.0E, error messages that occur when a QoS policy is applied will no longer appear directly on the console when no logging console is configured. They will appear only when a logging method is active (e.g., logging buffered, logging console, …).
Workaround: None. QoS groups are not supported in VSS. CSCuc84739
- Auto negotiation cannot be disabled on the Fa1 port. It must be set to auto/auto, or fixed speed with duplex auto.
- The following messages are seen during boot up after POST check.
Aug 8 20:30:29 %IOSXE-3-PLATFORM: process kernel: mmc0: Got command interrupt 0x00030000 even though no command operation was in progress.
These messages are cosmetic only, and no ssh services are available unless configured within IOS.
Caveats
Caveats describe unexpected behavior in Cisco IOS releases. Caveats listed as open in a prior release are carried forward to the next release as either open or resolved.
Note For the latest information on PSIRTS, refer to the Security Advisories on CCO at the following URL:
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Open Caveats for Cisco IOS XE Release 3.5.3E
- When an SNMP query includes the cpmCPUProcessHistoryTable, the query time is very slow, and CPU utilization of the os_info_p process (OS Information provider) increases substantially. The query time of an almost fully populated table is 68 minutes.
- The show ipv6 access-list command displays incorrect match counts when multicast traffic is matched to an IPv6 access list that is attached to an SVI.
- When you configure open authentication and perform SSO, the spanning tree state and MAC address are not synchronized to the new standby supervisor engine. This behavior interrupts traffic only after the second switchover because the new standby supervisor engine possesses the wrong state after the initial switchover and the second switchover starts the port in the blocking state.
Workaround: Enter shut and no shut on the port to synchronize the STP state. CSCtf52437
Workaround: Increase the queue limit to at least 256. CSCto57602
- A device in a guest VLAN that is connected behind a phone capable of 2nd-port-notification experiences packet loss following a SSO failover. The device experiences an authentication restart after the first CDP frame arrives from the phone.
- If you perform an OIR on a line card, several %C4K_RKNOVA-4-INVALIDTOKENEXPIRED messages appear in the logs.
- When you enable both Cisco TrustSec and RADIUS accounting, a disparity occurs between the RADIUS client (Cisco switch) and the RADIUS/CTS server in how the authenticator field in the header is computed for DOT1X/RADIUS accounting messages.
A Cisco IOS AAA client uses the PAC secret to compute the authenticator; Cisco Secure ACS 5.2 uses the shared secret. This behavior causes a mismatch that results in a rejection of the accounting message, and the client marks the server as unresponsive.
Workaround: None. You must disable 802.1X accounting. CSCts26844
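The mismatch in this caveat, as an added example (not Cisco or ACS code): the Accounting-Request authenticator defined in RFC 2866 is an MD5 over the packet with the secret appended, so a client that signs with one secret and a server that verifies with another can never agree, and the server drops the request without replying. Both secrets and all attribute values are constructed placeholders; how the PAC secret is derived is not modelled.

```python
"""RADIUS Accounting-Request authenticator check (added example)."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4      # RADIUS code, RFC 2866
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
HEADER_LEN = 20             # code + id + length + 16-byte authenticator


def encode_attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def accounting_authenticator(code, ident, attrs, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(ident, attrs, secret):
    """Client side: assemble the packet and sign it with `secret`."""
    auth = accounting_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + auth + attrs


def server_accepts(packet, secret):
    """Server side: recompute the authenticator with the server's own secret.

    RFC 2866 has the server silently discard a request whose authenticator
    does not match, which the client can only observe as a timeout.
    """
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    received = packet[4:HEADER_LEN]
    expected = accounting_authenticator(code, ident, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(received, expected)


# Constructed sample values, not taken from any real deployment.
SHARED_SECRET = b"example-shared-secret"
PAC_SECRET = b"example-pac-secret"
SAMPLE_ATTRS = (
    encode_attr(ATTR_USER_NAME, b"host/example-pc")
    + encode_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))  # 1 = Start
    + encode_attr(ATTR_ACCT_SESSION_ID, b"0000002A")
)


def demo():
    """Return (accepted when both use the shared secret, accepted when the client uses the PAC secret)."""
    same = build_accounting_request(7, SAMPLE_ATTRS, SHARED_SECRET)
    mixed = build_accounting_request(7, SAMPLE_ATTRS, PAC_SECRET)
    return (server_accepts(same, SHARED_SECRET), server_accepts(mixed, SHARED_SECRET))


if __name__ == "__main__":
    print(demo())
```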
- When more than one Equal Cost Multipath (ECMP) is available on the downstream switch, and Mediatrace is invoked to provide flow statistics, the dynamic policy does not display flow statistics.
Mediatrace cannot find the correct inbound interface and applies the dynamic policy on a different interface from the one used for media flow.
- When you add a "bfd" suffix to the snmp server host x.x.x.x configuration command, the BFD traps, ciscoBfdSessUp and ciscoBfdSessDown, are not generated.
Workaround: Do not specify a "bfd" suffix with the snmp-server host x.x.x.x configuration command. CSCtx51561
- When MLD Snooping is disabled, a Catalyst 4500-X switch cannot maintain 6,000 MLD joins, causing traffic loss due to missing outgoing interfaces.
Workaround: Enable MLD snooping. CSCtx82176
- When a Catalyst 4500-X uplink module is removed incorrectly, hardware forwarding tables are frozen, and baseboard ports remain connected for 20 to 25 seconds.
Workaround: Remove the Catalyst 4500-X module by first pressing the Ejector button for 10 seconds until the light turns green. CSCty67871
Caution: If you remove the module without following this procedure, the system always shuts down (or fails). Always use the Ejector button.
- For the 10-Gigabit interface on a Catalyst 4500-X switch, link flaps are observed if the debounce interval is defined with the link debounce time command to within 1 second of the pulse interval.
For example, if the pulse interval is 250 ms and the debounce interval is 500 ms, then the delta is 250 ms and the debounce will be ineffective.
Workaround: Define a debounce interval that is at least 1 second greater than the incoming pulse interval. CSCtx75188
- In a multichassis port channel on a VSS system with a very high number of link up and down events that occur within a second and typically causes an error-disable event, only the ports on the active switch are error-disabled due to flaps.
Workaround: Use the show spi-fc all command to dump all SPI channel information. CSCuc81286
'Failed to configure service policy on register tunnel' and 'STANDBY:Failed to configure service policy on register tunnel'.
Workaround: None. The ip pim register-rate-limit command does not function. CSCub32679
- Packets that are routed on the same Layer 3 interface (or SVI) that they entered on are dropped if received on the VSS standby switch.
- You can attach an input QoS policy to VSL member ports, but you cannot detach it. You only can configure VSL ports.
Workaround: Default the VSL member ports and detach the input QoS policy. CSCuc49150
- For packets with the same ingress and egress Layer 3 interface, ingress QoS marking policy does not work.
Workaround: Turn off ICMP redirect with the ip redirect command. CSCua71929
- On systems performing multicast routing, a brief increase in CPU consumption occurs every few minutes. In large-scale environments, this CPU increase is more noticeable.
- The POST results on the VSS standby switch displayed by the show diagnostic result module all detail command indicate module number 1 rather than 11. The module number is not interpreted by Cisco IOS.
- The following (information-only) error message and traceback may occur during MFIB-to-platform state updates for Bidirectional PIM (*,G/m) entries associated with Bidirectional PIM rendezvous points:
-Traceback= 1#f95b67f80cdf0886bbf15560d7553abc :152CC000+2699F4C :152CC000+269A310 :152CC000+1F1B55C :152CC000+38D5F4C :152CC000+2C25698 :152CC000+2C2EDF4 :152CC000+5F6F0B0 :152CC000+5F6F1A0 :152CC000+2C2F274 :152CC000+2C24AA4 :152CC000+119935C :152CC000+1D94244 :152CC000+119B070 :152CC000+119699C :152CC000+2C50D00 :152CC000+2B5901C
These messages are typically observed during SSO, bootup, or when a PIM-enabled interface undergoes a state transition on a switch containing Bidir PIM state entries.
Workaround: Convert the VSS member switch to standalone and bring up VSS again. CSCug86547...Predator and K10
Workaround: Set the BFD timer and multiplier as 100 * 5. CSCuh35017
- Policer and Classification statistics do not increment during ISSU runversion when you downgrade from IOS Release XE 3.5.0E.
Workaround: This issue is transient. Policer and Classification statistics are available after ISSU completes. CSCuh90975
- In a VSS (virtual switching system) setup, the show switch virtual link EXEC command displays VSL control link port numbers on different VSLs (virtual switching links) rather than displaying port numbers on the same link.
Workaround: Convert the VSS to a standalone setup. CSCug86547
- A switch crashes when you enter the show power inline module 1 and show power inline module 1 detail commands in two different telnet sessions and reset the linecard using a third telnet session.
Workaround: Reset the term length to 0 on the vty session. CSCuf08112
- On configuring power inline consumption, the show power inline command might not display the values of the power consumed by the PD.
Workaround: Shut then no shut the interface. CSCue72897
- The match application name and collect application name commands appear as available for flow record configuration (e.g., when using the ? help listings). However, this configuration is otherwise unsupported: the show flow monitor monitor-name cache command shows the application name as 'unknown,' and the application table is not exported, so this field cannot be decoded when exported.
Workaround: Do not configure the application name field as a key or non-key field of a flow record. CSCue47944
- Occasionally, when the VSL goes down on a VSS with fast-hello based dual-active detection, the Layer 2 convergence time exceeds the Layer 2 convergence time observed with e-pagp based dual-active detection by 20ms.
However, the Layer 2 convergence time of the former still meets the sub-second convergence criteria.
Workaround: Use the show memory detailed process iosd debug leaks command. CSCui69486
Workaround: Wait two min before removing the proxy. CSCug69823
- CPU utilization rises and the console may hang when the following commands are executed simultaneously from either two VTY sessions or from a console and a VTY session.
Workaround: Execute these commands in a single session.
If you plan to execute those commands sequentially, close the console session before executing the show tech-support command. CSCuh15561
- If no vlan.dat exists on both source and destination, the sync command fails (i.e., the synchronization between flash to sdflash or sdflash to flash doesn't happen).
– Rename any config.text files as vlan.dat file. CSCue61001
- While either performing an ISSU upgrade from XE 3.4.0 (or earlier) to XE 3.5.0 or performing a downgrade from XE 3.5.0 to an earlier release, the following “authmgr mtu mismatch” error messages might display:
Feb 1 09:19:05.003: %ISSU-4-FSM_INCOMP: STANDBY:Version of local ISSU client ISSU auth mgr client(2072) in session 45 is incompatible with remote side.
Feb 1 01:22:42.159 PST: %ISSU-4-FSM_INCOMP: Version of local ISSU client ISSU auth mgr client(2072) in session 65582 is incompatible with remote side.
Feb 1 09:22:42.139: %ISSU-3-FSM_MISMATCH_MTU: STANDBY:ISSU nego failed for client ISSU auth mgr client(2072) entity_id 1 session 48 due to mismatch of mtu size 32 & 28.
-Traceback= 112D0D64z 1037ACE8z 126EF748z 126EF7B4z 1037BB60z 1037BBD4z 1037CB10z 10167378z 1016ACBCz 110C87FCz 110D26D4z 110D29A0z 110CE92Cz 10D4BAFCz 10D45E50z
Feb 1 09:22:42.163: %ISSU-4-FSM_INCOMP: STANDBY:Version of local ISSU client ISSU auth mgr client(2072) in session 48 is incompatible with remote side.
These messages do not impact ISSU processing.
These messages may be seen on both VSS and standalone topologies.
- While performing an ISSU upgrade from a prior release (like upgrading IOS Release XE 3.3.0SG (or 3.4.0SG) to 3.5.0E) the following message is displayed several times on the switch console:
%CTS-3-MSG_NOT_COMPATIBLE_WITH_PEER: STANDBY:Message 2 in component 3 is not compatible with the peer.
This behavior does not impact functionality.
- When a command's paginated output is sent into a pipe on a switch using VSS, console control is not returned.
1. Use terminal length 0 to turn off pagination.
2. Use any key other than Enter or Space. CSCui44781
- If BFD sessions are hardware offloaded in a VSS, BFD sessions undergo re-negotiation after a VSS switchover.
Workaround: Issue the bfd interval 999 min_rx 999 multiplier 6 command on the interface participating in the BFD session. CSCuh16490
- After kron performs a write of the startup-config (e.g. 'write mem'), it is locked indefinitely (i.e., the startup-config and running-config are unavailable):
Workaround: Reload the switch.
To avoid this condition, use EEM with the timer event to schedule the required task.
Open Caveats for Cisco IOS XE Release 3.5.2E
- When an SNMP query includes the cpmCPUProcessHistoryTable, the query time is very slow, and CPU utilization of the os_info_p process (OS Information provider) increases substantially. The query time of an almost fully populated table is 68 minutes.
- The show ipv6 access-list command displays incorrect match counts when multicast traffic is matched to an IPv6 access list that is attached to an SVI.
- When you configure open authentication and perform SSO, the spanning tree state and MAC address are not synchronized to the new standby supervisor engine. This behavior interrupts traffic only after the second switchover because the new standby supervisor engine possesses the wrong state after the initial switchover and the second switchover starts the port in the blocking state.
Workaround: Enter shut and no shut on the port to synchronize the STP state. CSCtf52437
Workaround: Increase the queue limit to at least 256. CSCto57602
- A device in a guest VLAN that is connected behind a phone capable of 2nd-port-notification experiences packet loss following a SSO failover. The device experiences an authentication restart after the first CDP frame arrives from the phone.
- If you perform an OIR on a line card, several %C4K_RKNOVA-4-INVALIDTOKENEXPIRED messages appear in the logs.
- When you enable both Cisco TrustSec and RADIUS accounting, a disparity occurs between the RADIUS client (Cisco switch) and the RADIUS/CTS server in how the authenticator field in the header is computed for DOT1X/RADIUS accounting messages.
A Cisco IOS AAA client uses the PAC secret to compute the authenticator; Cisco Secure ACS 5.2 uses the shared secret. This behavior causes a mismatch that results in a rejection of the accounting message, and the client marks the server as unresponsive.
Workaround: None. You must disable 802.1X accounting. CSCts26844
- When more than one Equal Cost Multipath (ECMP) is available on the downstream switch, and Mediatrace is invoked to provide flow statistics, the dynamic policy does not display flow statistics.
Mediatrace cannot find the correct inbound interface and applies the dynamic policy on a different interface from the one used for media flow.
- When you add a "bfd" suffix to the snmp server host x.x.x.x configuration command, the BFD traps, ciscoBfdSessUp and ciscoBfdSessDown, are not generated.
Workaround: Do not specify a "bfd" suffix with the snmp-server host x.x.x.x configuration command. CSCtx51561
- When MLD Snooping is disabled, a Catalyst 4500-X switch cannot maintain 6,000 MLD joins, causing traffic loss due to missing outgoing interfaces.
Workaround: Enable MLD snooping. CSCtx82176
- When a Catalyst 4500-X uplink module is removed incorrectly, hardware forwarding tables are frozen, and baseboard ports remain connected for 20 to 25 seconds.
Workaround: Remove the Catalyst 4500-X module by first pressing the Ejector button for 10 seconds until the light turns green. CSCty67871
Caution: If you remove the module without following this procedure, the system always shuts down (or fails). Always use the Ejector button.
- For the 10-Gigabit interface on a Catalyst 4500-X switch, link flaps are observed if the debounce interval is defined with the link debounce time command to within 1 second of the pulse interval.
For example, if the pulse interval is 250 ms and the debounce interval is 500 ms, then the delta is 250 ms and the debounce will be ineffective.
Workaround: Define a debounce interval that is at least 1 second greater than the incoming pulse interval. CSCtx75188
- In a multichassis port channel on a VSS system with a very high number of link up and down events that occur within a second and typically cause an error-disable event, only the ports on the active switch are error-disabled due to flaps.
Workaround: Use the show spi-fc all command to dump all SPI channel information. CSCuc81286
'Failed to configure service policy on register tunnel' and 'STANDBY:Failed to configure service policy on register tunnel'.
Workaround: None. The ip pim register-rate-limit command does not function. CSCub32679
- Packets that are routed on the same Layer 3 interface (or SVI) that they entered on are dropped if received on the VSS standby switch.
- You can attach an input QoS policy to VSL member ports, but you cannot detach it. You only can configure VSL ports.
Workaround: Default the VSL member ports and detach the input QoS policy. CSCuc49150
- For packets with the same ingress and egress Layer 3 interface, ingress QoS marking policy does not work.
Workaround: Turn off ICMP redirect with the ip redirect command. CSCua71929
- On systems performing multicast routing, a brief increase in CPU consumption occurs every few minutes. In large-scale environments, this CPU increase is more noticeable.
- The POST results on the VSS standby switch displayed by the show diagnostic result module all detail command indicate module number 1 rather than 11. The module number is not interpreted by Cisco IOS.
- The following (information-only) error message and traceback may occur during MFIB-to-platform state updates for Bidirectional PIM (*,G/m) entries associated with Bidirectional PIM rendezvous points:
-Traceback= 1#f95b67f80cdf0886bbf15560d7553abc :152CC000+2699F4C :152CC000+269A310 :152CC000+1F1B55C :152CC000+38D5F4C :152CC000+2C25698 :152CC000+2C2EDF4 :152CC000+5F6F0B0 :152CC000+5F6F1A0 :152CC000+2C2F274 :152CC000+2C24AA4 :152CC000+119935C :152CC000+1D94244 :152CC000+119B070 :152CC000+119699C :152CC000+2C50D00 :152CC000+2B5901C
These messages are typically observed during SSO, bootup, or when a PIM-enabled interface undergoes a state transition on a switch containing Bidir PIM state entries.
Workaround: Convert the VSS member switch to standalone and bring up VSS again. CSCug86547...Predator and K10
Workaround: Set the BFD timer and multiplier as 100 * 5. CSCuh35017
- Policer and Classification statistics do not increment during ISSU runversion when you downgrade from IOS Release XE 3.5.0E.
Workaround: This issue is transient. Policer and Classification statistics are available after ISSU completes. CSCuh90975
- In a VSS (virtual switching system) setup, the show switch virtual link EXEC command displays VSL control link port numbers on different VSLs (virtual switching links) rather than displaying port numbers on the same link.
Workaround: Convert the VSS to a standalone setup. CSCug86547
- A switch crashes when you enter the show power inline module 1 and show power inline module 1 detail commands in two different telnet sessions and reset the linecard using a third telnet session.
Workaround: Reset the term length to 0 on the vty session. CSCuf08112
- On configuring power inline consumption, the show power inline command might not display the values of the power consumed by the PD.
Workaround: Shut then no shut the interface. CSCue72897
- The match application name and collect application name commands appear as available for flow record configuration (e.g., when using the ? help listings). However, this configuration is otherwise unsupported: the show flow monitor monitor-name cache command shows the application name as 'unknown,' and the application table is not exported, so this field cannot be decoded when exported.
Workaround: Do not configure the application name field as a key or non-key field of a flow record. CSCue47944
- Occasionally, when the VSL goes down on a VSS with fast-hello based dual-active detection, the Layer 2 convergence time exceeds the Layer 2 convergence time observed with e-pagp based dual-active detection by 20ms.
However, the Layer 2 convergence time of the former still meets the sub-second convergence criteria.
Workaround: Use the show memory detailed process iosd debug leaks command. CSCui69486
Workaround: Wait two min before removing the proxy. CSCug69823
- CPU utilization rises and the console may hang when the following commands are executed simultaneously from either two VTY sessions or from a console and a VTY session.
Workaround: Execute these commands in a single session.
If you plan to execute those commands sequentially, close the console session before executing the show tech-support command. CSCuh15561
- If no vlan.dat exists on both source and destination, the sync command fails (i.e., the synchronization between flash to sdflash or sdflash to flash doesn't happen).
– Rename any config.text files as vlan.dat file. CSCue61001
- While either performing an ISSU upgrade from XE 3.4.0 (or earlier) to XE 3.5.0 or performing a downgrade from XE 3.5.0 to an earlier release, the following “authmgr mtu mismatch” error messages might display:
Feb 1 09:19:05.003: %ISSU-4-FSM_INCOMP: STANDBY:Version of local ISSU client ISSU auth mgr client(2072) in session 45 is incompatible with remote side.
Feb 1 01:22:42.159 PST: %ISSU-4-FSM_INCOMP: Version of local ISSU client ISSU auth mgr client(2072) in session 65582 is incompatible with remote side.
Feb 1 09:22:42.139: %ISSU-3-FSM_MISMATCH_MTU: STANDBY:ISSU nego failed for client ISSU auth mgr client(2072) entity_id 1 session 48 due to mismatch of mtu size 32 & 28.
-Traceback= 112D0D64z 1037ACE8z 126EF748z 126EF7B4z 1037BB60z 1037BBD4z 1037CB10z 10167378z 1016ACBCz 110C87FCz 110D26D4z 110D29A0z 110CE92Cz 10D4BAFCz 10D45E50z
Feb 1 09:22:42.163: %ISSU-4-FSM_INCOMP: STANDBY:Version of local ISSU client ISSU auth mgr client(2072) in session 48 is incompatible with remote side.
These messages do not impact ISSU processing.
These messages may be seen on both VSS and standalone topologies.
- While performing an ISSU upgrade from a prior release (like upgrading IOS Release XE 3.3.0SG (or 3.4.0SG) to 3.5.0E) the following message is displayed several times on the switch console:
%CTS-3-MSG_NOT_COMPATIBLE_WITH_PEER: STANDBY:Message 2 in component 3 is not compatible with the peer.
This behavior does not impact functionality.
- When a command's paginated output is sent into a pipe on a switch using VSS, console control is not returned.
1. Use terminal length 0 to turn off pagination.
2. Use any key other than Enter or Space. CSCui44781
- If BFD sessions are hardware offloaded in a VSS, BFD sessions undergo re-negotiation after a VSS switchover.
Workaround: Issue the bfd interval 999 min_rx 999 multiplier 6 command on the interface participating in the BFD session. CSCuh16490
- After kron performs a write of the startup-config (e.g. 'write mem'), it is locked indefinitely (i.e., the startup-config and running-config are unavailable):
Workaround: Reload the switch.
To avoid this condition, use EEM with the timer event to schedule the required task.
Resolved Caveats for Cisco IOS XE Release 3.5.2E
- On a switch running Cisco IOS XE 3.5.1E, issuing a show command causes a vty / console session to hang; the prompt does not return.
– If an unused VTY session exists, issue the clear vty option or clear line vty-name command.
Open Caveats for Cisco IOS XE Release 3.5.1E
- When an SNMP query includes the cpmCPUProcessHistoryTable, the query time is very slow, and CPU utilization of the os_info_p process (OS Information provider) increases substantially. The query time of an almost fully populated table is 68 minutes.
- The show ipv6 access-list command displays incorrect match counts when multicast traffic is matched to an IPv6 access list that is attached to an SVI.
- When you configure open authentication and perform SSO, the spanning tree state and MAC address are not synchronized to the new standby supervisor engine. This behavior interrupts traffic only after the second switchover because the new standby supervisor engine possesses the wrong state after the initial switchover and the second switchover starts the port in the blocking state.
Workaround: Enter shut and no shut on the port to synchronize the STP state. CSCtf52437
Workaround: Increase the queue limit to at least 256. CSCto57602
- A device in a guest VLAN that is connected behind a phone capable of 2nd-port-notification experiences packet loss following a SSO failover. The device experiences an authentication restart after the first CDP frame arrives from the phone.
- If you perform an OIR on a line card, several %C4K_RKNOVA-4-INVALIDTOKENEXPIRED messages appear in the logs.
- When you enable both Cisco TrustSec and RADIUS accounting, a disparity occurs between the RADIUS client (Cisco switch) and the RADIUS/CTS server in how the authenticator field in the header is computed for DOT1X/RADIUS accounting messages.
A Cisco IOS AAA client uses the PAC secret to compute the authenticator; Cisco Secure ACS 5.2 uses the shared secret. This behavior causes a mismatch that results in a rejection of the accounting message, and the client marks the server as unresponsive.
Workaround: None. You must disable 802.1X accounting. CSCts26844
- When more than one Equal Cost Multipath (ECMP) is available on the downstream switch, and Mediatrace is invoked to provide flow statistics, the dynamic policy does not display flow statistics.
Mediatrace cannot find the correct inbound interface and applies the dynamic policy on a different interface from the one used for media flow.
- When you add a "bfd" suffix to the snmp server host x.x.x.x configuration command, the BFD traps, ciscoBfdSessUp and ciscoBfdSessDown, are not generated.
Workaround: Do not specify a "bfd" suffix with the snmp-server host x.x.x.x configuration command. CSCtx51561
- When MLD Snooping is disabled, a Catalyst 4500-X switch cannot maintain 6,000 MLD joins, causing traffic loss due to missing outgoing interfaces.
Workaround: Enable MLD snooping. CSCtx82176
- When a Catalyst 4500-X uplink module is removed incorrectly, hardware forwarding tables are frozen, and baseboard ports remain connected for 20 to 25 seconds.
Workaround: Remove the Catalyst 4500-X module by first pressing the Ejector button for 10 seconds until the light turns green. CSCty67871
Caution: If you remove the module without following this procedure, the system always shuts down (or fails). Always use the Ejector button.
- For the 10-Gigabit interface on a Catalyst 4500-X switch, link flaps are observed if the debounce interval is defined with the link debounce time command to within 1 second of the pulse interval.
For example, if the pulse interval is 250 ms and the debounce interval is 500 ms, then the delta is 250 ms and the debounce will be ineffective.
Workaround: Define a debounce interval that is at least 1 second greater than the incoming pulse interval. CSCtx75188
- In a multichassis port channel on a VSS system with a very high number of link up and down events that occur within a second and typically cause an error-disable event, only the ports on the active switch are error-disabled due to flaps.
Workaround: Use the show spi-fc all command to dump all SPI channel information. CSCuc81286
'Failed to configure service policy on register tunnel' and 'STANDBY:Failed to configure service policy on register tunnel'.
Workaround: None. The ip pim register-rate-limit command does not function. CSCub32679
- Packets that are routed on the same Layer 3 interface (or SVI) that they entered on are dropped if received on the VSS standby switch.
- You can attach an input QoS policy to VSL member ports, but you cannot detach it. You only can configure VSL ports.
Workaround: Default the VSL member ports and detach the input QoS policy. CSCuc49150
- For packets with the same ingress and egress Layer 3 interface, ingress QoS marking policy does not work.
Workaround: Turn off ICMP redirect with the ip redirect command. CSCua71929
- On systems performing multicast routing, a brief increase in CPU consumption occurs every few minutes. In large-scale environments, this CPU increase is more noticeable.
- The POST results on the VSS standby switch displayed by the show diagnostic result module all detail command indicate module number 1 rather than 11. The module number is not interpreted by Cisco IOS.
- The following (information-only) error message and traceback may occur during MFIB-to-platform state updates for Bidirectional PIM (*,G/m) entries associated with Bidirectional PIM rendezvous points:
-Traceback= 1#f95b67f80cdf0886bbf15560d7553abc :152CC000+2699F4C :152CC000+269A310 :152CC000+1F1B55C :152CC000+38D5F4C :152CC000+2C25698 :152CC000+2C2EDF4 :152CC000+5F6F0B0 :152CC000+5F6F1A0 :152CC000+2C2F274 :152CC000+2C24AA4 :152CC000+119935C :152CC000+1D94244 :152CC000+119B070 :152CC000+119699C :152CC000+2C50D00 :152CC000+2B5901C
These messages are typically observed during SSO, bootup, or when a PIM-enabled interface undergoes a state transition on a switch containing Bidir PIM state entries.
Workaround: Convert the VSS member switch to standalone and bring up VSS again. CSCug86547...Predator and K10
Workaround: Set the BFD timer and multiplier as 100 * 5. CSCuh35017
- Policer and Classification statistics do not increment during ISSU runversion when you downgrade from IOS Release XE 3.5.0E.
Workaround: This issue is transient. Policer and Classification statistics are available after ISSU completes. CSCuh90975
- In a VSS (virtual switching system) setup, the show switch virtual link EXEC command displays VSL control link port numbers on different VSLs (virtual switching links) rather than displaying port numbers on the same link.
Workaround: Convert the VSS to a standalone setup. CSCug86547
- A switch crashes when you enter the show power inline module 1 and show power inline module 1 detail commands in two different telnet sessions and reset the linecard using a third telnet session.
Workaround: Reset the term length to 0 on the vty session. CSCuf08112
- On configuring power inline consumption, the show power inline command might not display the values of the power consumed by the PD.
Workaround: Shut then no shut the interface. CSCue72897
- The match application name and collect application name commands appear as available for flow record configuration (e.g., when using the ? help listings). However, this configuration is otherwise unsupported: the show flow monitor monitor-name cache command shows the application name as 'unknown,' and the application table is not exported, so this field cannot be decoded when exported.
Workaround: Do not configure the application name field as a key or non-key field of a flow record. CSCue47944
- Occasionally, when the VSL goes down on a VSS with fast-hello based dual-active detection, the Layer 2 convergence time exceeds the Layer 2 convergence time observed with e-pagp based dual-active detection by 20ms.
However, the Layer 2 convergence time of the former still meets the sub-second convergence criteria.
Workaround: Use the show memory detailed process iosd debug leaks command. CSCui69486
Workaround: Wait two min before removing the proxy. CSCug69823
- CPU utilization rises and the console may hang when the following commands are executed simultaneously from either two VTY sessions or from a console and a VTY session.
Workaround: Execute these commands in a single session.
If you plan to execute those commands sequentially, close the console session before executing the show tech-support command. CSCuh15561
- If no vlan.dat exists on both source and destination, the sync command fails (i.e., the synchronization between flash to sdflash or sdflash to flash doesn't happen).
– Rename any config.text files as vlan.dat file. CSCue61001
- While either performing an ISSU upgrade from XE 3.4.0 (or earlier) to XE 3.5.0 or performing a downgrade from XE 3.5.0 to an earlier release, the following “authmgr mtu mismatch” error messages might display:
Feb 1 09:19:05.003: %ISSU-4-FSM_INCOMP: STANDBY:Version of local ISSU client ISSU auth mgr client(2072) in session 45 is incompatible with remote side.
Feb 1 01:22:42.159 PST: %ISSU-4-FSM_INCOMP: Version of local ISSU client ISSU auth mgr client(2072) in session 65582 is incompatible with remote side.
Feb 1 09:22:42.139: %ISSU-3-FSM_MISMATCH_MTU: STANDBY:ISSU nego failed for client ISSU auth mgr client(2072) entity_id 1 session 48 due to mismatch of mtu size 32 & 28.
-Traceback= 112D0D64z 1037ACE8z 126EF748z 126EF7B4z 1037BB60z 1037BBD4z 1037CB10z 10167378z 1016ACBCz 110C87FCz 110D26D4z 110D29A0z 110CE92Cz 10D4BAFCz 10D45E50z
Feb 1 09:22:42.163: %ISSU-4-FSM_INCOMP: STANDBY:Version of local ISSU client ISSU auth mgr client(2072) in session 48 is incompatible with remote side.
These messages do not impact ISSU processing.
These messages may be seen on both VSS and standalone topologies.
- While performing an ISSU upgrade from a prior release (like upgrading IOS Release XE 3.3.0SG (or 3.4.0SG) to 3.5.0E) the following message is displayed several times on the switch console:
%CTS-3-MSG_NOT_COMPATIBLE_WITH_PEER: STANDBY:Message 2 in component 3 is not compatible with the peer.
This behavior does not impact functionality.
- When a command's paginated output is sent into a pipe on a switch using VSS, console control is not returned.
1. Use terminal length 0 to turn off pagination.
2. Use any key other than Enter or Space. CSCui44781
- If BFD sessions are hardware offloaded in a VSS, BFD sessions undergo re-negotiation after a VSS switchover.
Workaround: Issue the bfd interval 999 min_rx 999 multiplier 6 command on the interface participating in the BFD session. CSCuh16490
- After kron performs a write of the startup-config (e.g. 'write mem'), it is locked indefinitely (i.e., the startup-config and running-config are unavailable):
Workaround: Reload the switch.
To avoid this condition, use EEM with the timer event to schedule the required task.
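The authenticator mismatch described in CSCts26844 (listed among the open caveats above) can be reproduced offline. This is an added example, not Cisco code: it builds a RADIUS Accounting-Request whose Request Authenticator is computed as RFC 2866 specifies and shows a server keyed with the shared secret rejecting a packet that the client signed with a different key. Both secrets and the attribute values are constructed, and the byte string standing in for the PAC secret is an assumption, since the page does not say how that key is derived.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request (RFC 2866)
HEADER_LEN = 20                 # code(1) + id(1) + length(2) + authenticator(16)

# Constructed values for the demonstration only.
SHARED_SECRET = b"constructed-shared-secret"   # what the server is configured with
PAC_SECRET = b"constructed-pac-secret"         # stand-in for the key the client used


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(identifier: int, attrs, secret: bytes) -> bytes:
    """Build an Accounting-Request signed with `secret`.

    Request Authenticator = MD5(Code + Identifier + Length +
                                16 zero octets + attributes + secret)
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier,
                         HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the authenticator with the server's secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < HEADER_LEN or length > len(packet):
        return False
    body = packet[HEADER_LEN:length]      # octets past `length` are padding
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def demo():
    """Return (accepted when client uses shared secret, accepted when it uses PAC key)."""
    attrs = [
        (1, b"constructed-user"),            # User-Name
        (40, struct.pack("!I", 1)),          # Acct-Status-Type = Start
        (44, b"0000002A"),                   # Acct-Session-Id
    ]
    good = build_accounting_request(7, attrs, SHARED_SECRET)
    mismatched = build_accounting_request(8, attrs, PAC_SECRET)
    return (verify_accounting_request(good, SHARED_SECRET),
            verify_accounting_request(mismatched, SHARED_SECRET))


if __name__ == "__main__":
    ok, bad = demo()
    print("client keyed with shared secret accepted:", ok)
    print("client keyed with PAC secret accepted:  ", bad)
```

A server that fails this check silently discards the Accounting-Request, so the client sees no response and eventually marks the server unresponsive, which matches the symptom in the caveat.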
Resolved Caveats for Cisco IOS XE Release 3.5.1E
- A Catalyst 4500-X switch might crash while running the Wireshark feature provided you do the following:
Step 1 Start “capture” with an IPv4, IPv6, or MAC filter (using the match keyword).
Step 2 Stop “capture” and configure for a different filter.
Workaround: Use an acl/class-map (in config mode) rather than the "monitor capture name match [ipv4 | ipv6 | mac]" command. CSCuj23896
- If you issue the show platform cpu packet driver command multiple times, ARP, IGMP and other control protocols cease processing and the following output displays:
– Toggle ipv6 snooping ON and OFF again under "vlan configuration 1" soon after bootup.
- When the HTTP server is enabled on a switch, a vulnerability in Cisco IOS switches allows a remote, unauthenticated attacker to cause a denial of service (DoS) by reloading an affected device.
An attacker can exploit this vulnerability by sending a special combination of crafted packets.
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.2:
http://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVE ID CVE-2013-1100 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1100
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
- When the same ACL is installed on two ports of a switch and a user is unauthenticated or logged out, the ACS-configured dynamic ACLs are not applied or deleted from the port.
- A Dynamic ACL with a remark statement is not pushed from ISE to client and authorization either fails or is unauthorized.
Workaround: Remove the remark statement from the DACL. CSCuj35704
- When you enable either the device-sensor accounting or the access-session accounting attributes command, the accounting request itself is not sent from the switch to the RADIUS (ISE) server.
Workaround: Do not enable device-sensor accounting.
The user accounting message will not carry the device-sensor attributes to the ISE.
- On a Catalyst 4500 VSS using IOS Release XE 3.4.0SG to 3.4.2SG, or 3.5.0E, the show platform command may be truncated with a "Timed out" message and may rarely produce an unexpected reload. The likelihood of a reload increases if the command is issued over an SSH session or if the output is redirected to a file. The same behavior is observed using IOS Release XE 3.5.0 and the show tech command.
Open Caveats for Cisco IOS XE Release 3.5.0E
- When an SNMP query includes the cpmCPUProcessHistoryTable, the query time is very slow, and CPU utilization of the os_info_p process (OS Information provider) increases substantially. The query time of an almost fully populated table is 68 minutes.
- The show ipv6 access-list command displays incorrect match counts when multicast traffic is matched to an IPv6 access list that is attached to an SVI.
- When you configure open authentication and perform SSO, the spanning tree state and MAC address are not synchronized to the new standby supervisor engine. This behavior interrupts traffic only after the second switchover because the new standby supervisor engine possesses the wrong state after the initial switchover and the second switchover starts the port in the blocking state.
Workaround: Enter shut and no shut on the port to synchronize the STP state. CSCtf52437
Workaround: Increase the queue limit to at least 256. CSCto57602
- A device in a guest VLAN that is connected behind a phone capable of 2nd-port-notification experiences packet loss following a SSO failover. The device experiences an authentication restart after the first CDP frame arrives from the phone.
- If you perform an OIR on a line card, several %C4K_RKNOVA-4-INVALIDTOKENEXPIRED messages appear in the logs.
- When you enable both Cisco TrustSec and RADIUS accounting, a disparity occurs between the RADIUS client (Cisco switch) and the RADIUS/CTS server in how the authenticator field in the header is computed for DOT1X/RADIUS accounting messages.
A Cisco IOS AAA client uses the PAC secret to compute the authenticator; Cisco Secure ACS 5.2 uses the shared secret. This behavior causes a mismatch that results in a rejection of the accounting message, and the client marks the server as unresponsive.
Workaround: None. You must disable 802.1X accounting. CSCts26844
- When more than one Equal Cost Multipath (ECMP) is available on the downstream switch, and Mediatrace is invoked to provide flow statistics, the dynamic policy does not display flow statistics.
Mediatrace cannot find the correct inbound interface and applies the dynamic policy on a different interface from the one used for media flow.
- When you add a "bfd" suffix to the snmp-server host x.x.x.x configuration command, the BFD traps, ciscoBfdSessUp and ciscoBfdSessDown, are not generated.
Workaround: Do not specify a "bfd" suffix with the snmp-server host x.x.x.x configuration command. CSCtx51561
- When MLD Snooping is disabled, a Catalyst 4500-X switch cannot maintain 6,000 MLD joins, causing traffic loss due to missing outgoing interfaces.
Workaround: Enable MLD snooping. CSCtx82176
- When a Catalyst 4500-X uplink module is removed incorrectly, hardware forwarding tables are frozen, and baseboard ports remain connected for 20 to 25 seconds.
Workaround: Remove the Catalyst 4500-X module by first pressing the Ejector button for 10 seconds until the light turns green. CSCty67871
Caution: If you remove the module without following this procedure, the system always shuts down (or fails). Always use the Ejector button.
- For the 10-Gigabit interface on a Catalyst 4500-X switch, link flaps are observed if the debounce interval is defined with the link debounce time command to within 1 second of the pulse interval.
For example, if the pulse interval is 250 ms and the debounce interval is 500 ms, then the delta is 250 ms and the debounce will be ineffective.
Workaround: Define a debounce interval that is at least 1 second greater than the incoming pulse interval. CSCtx75188
- In a multichassis port channel on a VSS system, when a very high number of link up and down events occur within a second (which typically causes an error-disable event), only the ports on the active switch are error-disabled due to flaps.
Workaround: Use the show spi-fc all command to dump all SPI channel information. CSCuc81286
'Failed to configure service policy on register tunnel' and 'STANDBY:Failed to configure service policy on register tunnel'.
Workaround: None. The ip pim register-rate-limit command does not function. CSCub32679
- Packets that are routed on the same Layer 3 interface (or SVI) that they entered on are dropped if received on the VSS standby switch.
- You can attach an input QoS policy to VSL member ports, but you cannot detach it. You only can configure VSL ports.
Workaround: Default the VSL member ports and detach the input QoS policy. CSCuc49150
- For packets with the same ingress and egress Layer 3 interface, ingress QoS marking policy does not work.
Workaround: Turn off ICMP redirect with the ip redirect command. CSCua71929
- On systems performing multicast routing, a brief increase in CPU consumption occurs every few minutes. In large-scale environments, this CPU increase is more noticeable.
- The POST results on the VSS standby switch displayed by the show diagnostic result module all detail command indicate module number 1 rather than 11. The module number is not interpreted by Cisco IOS.
- The following (information-only) error message and traceback may occur during MFIB-to-platform state updates for Bidirectional PIM (*,G/m) entries associated with Bidirectional PIM rendezvous points:
-Traceback= 1#f95b67f80cdf0886bbf15560d7553abc :152CC000+2699F4C :152CC000+269A310 :152CC000+1F1B55C :152CC000+38D5F4C :152CC000+2C25698 :152CC000+2C2EDF4 :152CC000+5F6F0B0 :152CC000+5F6F1A0 :152CC000+2C2F274 :152CC000+2C24AA4 :152CC000+119935C :152CC000+1D94244 :152CC000+119B070 :152CC000+119699C :152CC000+2C50D00 :152CC000+2B5901C
These messages are typically observed during SSO, bootup, or when a PIM-enabled interface undergoes a state transition on a switch containing Bidir PIM state entries.
Workaround: Convert the VSS member switch to standalone and bring up VSS again. CSCug86547...Predator and K10
Workaround: Set the BFD timer and multiplier as 100 * 5. CSCuh35017
- Policer and Classification statistics do not increment during ISSU runversion when you downgrade from IOS Release XE 3.5.0E.
Workaround: This issue is transient. Policer and Classification statistics are available after ISSU completes. CSCuh90975
- In a VSS (virtual switching system) setup, the show switch virtual link EXEC command displays VSL control link port numbers on different VSLs (virtual switching links) rather than displaying port numbers on the same link.
Workaround: Convert the VSS to a standalone setup. CSCug86547
- A switch crashes when you enter the show power inline module 1 and show power inline module 1 detail commands in two different telnet sessions and reset the linecard using a third telnet session.
Workaround: Reset the term length to 0 on the vty session. CSCuf08112
- On configuring power inline consumption, the show power inline command might not display the values of the power consumed by the PD.
Workaround: Shut then no shut the interface. CSCue72897
- The match application name and collect application name commands appear as available for flow record configuration (e.g., when using the ? help listings). However, this configuration is otherwise unsupported: the show flow monitor monitor-name cache command shows the application name as 'unknown', and the application table is not exported, so this field cannot be decoded when exported.
Workaround: Do not configure the application name field as a key or non-key field of a flow record. CSCue47944
- Occasionally, when the VSL goes down on a VSS with fast-hello based dual-active detection, the Layer 2 convergence time exceeds the Layer 2 convergence time observed with e-pagp based dual-active detection by 20ms.
However, the Layer 2 convergence time of the former still meets the sub-second convergence criteria.
Workaround: Use the show memory detailed process iosd debug leaks command. CSCui69486
Workaround: Wait two minutes before removing the proxy. CSCug69823
- CPU utilization rises and the console may hang when the following commands are executed simultaneously from either two VTY sessions or from a console and a VTY session.
Workaround: Execute these commands in a single session.
If you plan to execute those commands sequentially, close the console session before executing the show tech-support command. CSCuh15561
- If no vlan.dat exists on both source and destination, the sync command fails (i.e., the synchronization between flash to sdflash or sdflash to flash doesn't happen).
– Rename any config.text files as vlan.dat file. CSCue61001
- While either performing an ISSU upgrade from XE 3.4.0 (or earlier) to XE 3.5.0 or performing a downgrade from XE 3.5.0 to an earlier release, the following “authmgr mtu mismatch” error messages might display:
Feb 1 09:19:05.003: %ISSU-4-FSM_INCOMP: STANDBY:Version of local ISSU client ISSU auth mgr client(2072) in session 45 is incompatible with remote side.
Feb 1 01:22:42.159 PST: %ISSU-4-FSM_INCOMP: Version of local ISSU client ISSU auth mgr client(2072) in session 65582 is incompatible with remote side.
Feb 1 09:22:42.139: %ISSU-3-FSM_MISMATCH_MTU: STANDBY:ISSU nego failed for client ISSU auth mgr client(2072) entity_id 1 session 48 due to mismatch of mtu size 32 & 28.
-Traceback= 112D0D64z 1037ACE8z 126EF748z 126EF7B4z 1037BB60z 1037BBD4z 1037CB10z 10167378z 1016ACBCz 110C87FCz 110D26D4z 110D29A0z 110CE92Cz 10D4BAFCz 10D45E50z
Feb 1 09:22:42.163: %ISSU-4-FSM_INCOMP: STANDBY:Version of local ISSU client ISSU auth mgr client(2072) in session 48 is incompatible with remote side.
These messages do not impact ISSU processing.
These messages may be seen on both VSS and standalone topologies.
- While performing an ISSU upgrade from a prior release (like upgrading IOS Release XE 3.3.0SG (or 3.4.0SG) to 3.5.0E), the following message is displayed several times on the switch console:
%CTS-3-MSG_NOT_COMPATIBLE_WITH_PEER: STANDBY:Message 2 in component 3 is not compatible with the peer.
This behavior does not impact functionality.
- When a command's paginated output is sent into a pipe on a switch using VSS, console control is not returned.
1. Use terminal length 0 to turn off pagination.
2. Use any key other than Enter or Space. CSCui44781
- On a Catalyst 4500 VSS using IOS Release XE 3.4.0SG to 3.4.2SG, or 3.5.0E, the show platform command may be truncated with a "Timed out" message and may rarely produce an unexpected reload. The likelihood of a reload increases if the command is issued over an SSH session or if the output is redirected to a file. The same behavior is observed using IOS Release XE 3.5.0 and the show tech command.
- If BFD sessions are hardware offloaded in a VSS, BFD sessions undergo re-negotiation after a VSS switchover.
Workaround: Issue the bfd interval 999 min_rx 999 multiplier 6 command on the interface participating in the BFD session. CSCuh16490
- After kron performs a write of the startup-config (e.g. 'write mem'), it is locked indefinitely (i.e., the startup-config and running-config are unavailable):
Workaround: Reload the switch.
To avoid this condition, use EEM with the timer event to schedule the required task.
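The authenticator mismatch in the Cisco TrustSec and RADIUS accounting caveat above (CSCts26844) can be reproduced offline. This added example, which is not Cisco's code, computes the RFC 2866 Accounting-Request authenticator (MD5 over the header, 16 zero octets, the attributes, and a secret) with two different keys. The key and attribute values are constructed, and the PAC-derived key is a stand-in because the release note does not say how it is derived.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code for Accounting-Request (RFC 2866)

# Constructed sample keys; neither comes from the release note.
SHARED_SECRET = b"example-shared-secret"    # what the RADIUS server is configured with
PAC_SECRET = b"example-pac-derived-key"     # stand-in for the key the AAA client uses


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a packet whose authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator with the verifier's own secret and compare."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def demo() -> dict:
    # Constructed attributes for a session-start accounting record.
    attrs = (
        encode_attr(40, struct.pack("!I", 1))   # Acct-Status-Type = Start
        + encode_attr(1, b"host-user")          # User-Name
        + encode_attr(44, b"0000002A")          # Acct-Session-Id
    )
    from_pac = build_accounting_request(7, attrs, PAC_SECRET)
    from_shared = build_accounting_request(7, attrs, SHARED_SECRET)
    return {
        # Server holding the shared secret rejects the PAC-keyed request.
        "pac_signed_accepted": verify_accounting_request(from_pac, SHARED_SECRET),
        "shared_signed_accepted": verify_accounting_request(from_shared, SHARED_SECRET),
        # The two packets are identical except for the 16-byte authenticator.
        "only_authenticator_differs": (
            from_pac[:4] == from_shared[:4]
            and from_pac[20:] == from_shared[20:]
            and from_pac[4:20] != from_shared[4:20]
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the attributes are byte-for-byte identical in both packets, a capture of the rejected accounting traffic shows nothing wrong in the payload; only the authenticator field differs.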
Resolved Caveats for Cisco IOS XE Release 3.5.0E
- If you configure flowcontrol receive on/off on a port-channel interface of Supervisor Engine 7-E, only one member interface flaps.
Typically, all the member interfaces change their flowcontrol config so that they flap once.
Workaround: Configure the onminterface command through the range command
- The SNMP engine process shows high CPU, when you execute snmpbulkget or snmpwalk on the following OID:
- If you have a switch running MST and a second switch running RSTP, a Layer 2 loop results; MST and RSTP are not interoperable.
The access port on the MST boundary goes into "Type inconsistent" state for MST instance 0, but not for the other instances (VLAN 100 is a member of instance 1).
*Jan 21 07:55:08.851: %C4K_IOSMODPORTMAN-6-FANTRAYINSERTEDDETAILED: Fan tray ( S/N: Hw: 0.0) has been inserted
- When using PEAPv1/MSChap from an IOS Supplicant to ACS 5 (and possibly other RADIUS servers), authentication fails.
Related Documentation
Refer to the following documents for additional Catalyst 4500-X series information:
http://www.cisco.com//en/US/products/ps12332/index.html
Hardware Documents
Installation guides and notes including specifications and relevant safety information are available at the following URLs:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/hardware/regulatory/compliance/78_13233.html
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_installation_guides_list.html
http://www.cisco.com/en/US/products/ps12332/prod_installation_guides_list.html
Software Documentation
Software release notes, configuration guides, command references, and system message guides are available at the following URLs:
http://www.cisco.com/en/US/products/ps12332/prod_release_notes_list.html
Software documents for the Catalyst 4500 Classic, Catalyst 4500 E-Series, Catalyst 4900 Series, and Catalyst 4500-X Series switches are available at the following URLs:
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_installation_and_configuration_guides_list.html
http://www.cisco.com/en/US/products/hw/switches/ps4324/prod_command_reference_list.html
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_system_message_guides_list.html
Cisco IOS Documentation
Platform-independent Cisco IOS documentation may also apply to the Catalyst 4500 and 4900 switches. These documents are available at the following URLs:
http://www.cisco.com/en/US/products/ps6350/products_installation_and_configuration_guides_list.html
http://www.cisco.com/en/US/products/ps6350/prod_command_reference_list.html
You can also use the Command Lookup Tool at:
http://tools.cisco.com/Support/CLILookup/cltSearchAction.do
http://www.cisco.com/en/US/products/ps6350/products_system_message_guides_list.html
You can also use the Error Message Decoder tool at:
http://www.cisco.com/pcgi-bin/Support/Errordecoder/index.cgi
Notices
The following notices pertain to this software license.
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/ ).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
Copyright © 1998-2007 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/ )”.
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( http://www.openssl.org/ )”.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Copyright © 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”.
The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the “Notices” section.