Open Caveats in Release 12.2(33)SXH and Rebuilds
CSCtb69049 | Cisco IOS | Modular IOS "exception kernel filepath..." options are ambigous.
Caveats Resolved in Release 12.2(33)SXH8a
Resolved LegacyProtocols Caveats
Cisco IOS Software contains a memory leak vulnerability in the Data-Link Switching (DLSw) feature that could result in a device reload when processing crafted IP Protocol 91 packets.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-dlsw.
CSCsw77313 | AAA | failed authentication with login command changes the logged user
CSCtj95352 | Cisco IOS | SUP32 resets with System NMI:**** SP System NMI: reason 0x00000009
CSCtk81701 | Cisco IOS | Memory leak at "pak_pool_cache_item_get"
Caveats Resolved in Release 12.2(33)SXH8
CSCsy61321 | AAA | tac+ acct is not failing over to next server group
CSCtc19317 | AAA | NAS-Port-Type set to incorrect value
CSCtc72862 | AAA | C2W2C: Standby router crashes at pagp_switch_mp_create_idb after SSO
CSCtc86306 | AAA | Authorization requests not using VRF interface
CSCtd16343 | AAA | Radius server declared as dead for MAB if server-private in server group
CSCsg49757 | Cisco IOS | Combining Gig-Sub-intf & crypto connect & vlan with crypto engine
CSCsg78501 | Cisco IOS | IKE should not delete established tunnel upon RSA key regeneration
CSCsl49350 | Cisco IOS | Console keep showing %SYS-3-CPUHOG, process =Per-minute Jobs
CSCsm30920 | Cisco IOS | "shutdown vlan" fails with SSO
CSCso59974 | Cisco IOS | BGP session goes idle after SSO switchover
CSCsq07729 | Cisco IOS | VSS: flowcontrol incompatible msg when standby switch port add in bundle
CSCsq33458 | Cisco IOS | IOS new IKE sa uses DOI of zero when ipsec sa already exists
CSCsr41377 | Cisco IOS | W1.3: after changing native vlan, CDP still send old native VLAN TLV
CSCsu52504 | Cisco IOS | %LINEPROTO-SP-5-UPDOWN msg is output when changing cdp configuration
CSCsu67919 | Cisco IOS | SIP crashes - hqf_cwpa_pak_enqueue_local
CSCsv82285 | Cisco IOS | Cat6k: UDP port 10000 is opened by default
CSCsw36363 | Cisco IOS | SUP32 temperature sensor AUX-1 temperature: N/O
CSCsw69621 | Cisco IOS | BR DOWN if inside bgp is only type of learning configured
CSCsw96176 | Cisco IOS | BFD sessions with version 0 do not come up properly following a reload
CSCsx24934 | Cisco IOS | CPU Monitor not heard and ipc TBs on Active VSS switch on issuing Reload
CSCsx56011 | Cisco IOS | Switch may crash when issuing "show mac-address-table"
CSCsz23099 | Cisco IOS | Memory leak due to CEF: loadinfos in Collection proc
CSCta56305 | Cisco IOS | Detector data port operation status not OK after boot
CSCta61568 | Cisco IOS | Forwarding loop after adding vlan to MST instance
CSCtb52180 | Cisco IOS | set vrf nvgened while vrf deletion in progress causes standby to reload
CSCtb65406 | Cisco IOS | QoS ACL May Not Program L4 ports Correctly In TCAM
CSCtb83776 | Cisco IOS | X6148A-GE-TX-Outdiscard incrementing if queue-limit of priority Q is 0
CSCtc22760 | Cisco IOS | VSS ENH: Immediate reset LC after crash occurrs on stdby chassis LC
CSCtc28953 | Cisco IOS | Crash on cat6k running MPLS: see resolution note and CSCtc82349
CSCtc30868 | Cisco IOS | Irregular CPU (peaks) on Cat6500 rtr responder
CSCtc39052 | Cisco IOS | svclc module command adds firewall module command to configuration
CSCtd18807 | Cisco IOS | "set ip next-hop <>" should lookup next hop in VRF when used on VRF int
CSCtd39596 | Cisco IOS | OIR of the LC causes bootup diagnostic to fail on TestL3VlanMet
CSCtd49505 | Cisco IOS | VSS gets to be multicast traffic blackhole after DAD or switchover
CSCtd64261 | Cisco IOS | LBL config sync failure for extended vlan name changes
CSCtd82666 | Cisco IOS | [VSS] Incorrect pMASK fpoe on standby causes traffic black-holed
CSCtd91871 | Cisco IOS | EZVPN - memory leak after ungraceful disconnect of client behind PATl
CSCte01410 | Cisco IOS | lost packests between FWSM and engine when switchover by SSO
CSCte15193 | Cisco IOS | c2w2c:"no spanning-tree vlan 16" command is not removed from standby
CSCte21190 | Cisco IOS | WS-X6148A-GE-TX ports 25-32 stop forwarding traffic
CSCte40472 | Cisco IOS | FWSM: Private vlan association not syncing on VSS systems from switch
CSCte43407 | Cisco IOS | No %LINK-3-UPDOWN log for SPAN destination port
CSCte48967 | Cisco IOS | VSS : isolated pvlan not associated with VRF on DFCs
CSCte56437 | Cisco IOS | TCP connection loss due to NAT incorrect translation on cat6500
CSCte72214 | Cisco IOS | ME6500 - Traffic may be dropped on applying cos-map.
CSCte79217 | Cisco IOS | ICCQ never decreases, flow stats affected, (S,G) expires
CSCte81230 | Cisco IOS | IP Source Guard feature goes into an incorrect state
CSCte83052 | Cisco IOS | Xauth is getting disabled when putting keyring into isakmp profile12.2
CSCte89428 | Cisco IOS | SNMP tty traps not sent
CSCte90261 | Cisco IOS | 6500 PoE issues with 1120 and 1230 line of APs when using dot1x
CSCte99373 | Cisco IOS | extranet: mrib S,G entry never removed after pim disabled on IIF
CSCtf02760 | Cisco IOS | Kernel crash (cache error) without any crashinfo generated
CSCtf12634 | Cisco IOS | SXH:idb->vlan_id on RP not getting updated on trunk native vlan change
CSCtf18863 | Cisco IOS | REDZONEERROR and crash seen on SXH6 after install operation
CSCtf37626 | Cisco IOS | Ospf flaps with oversubscription on enhanced flexwan Multilink T1
CSCtf39183 | Cisco IOS | OBFL Master may not be initialized after IOS upgrade from SXF to SXH
CSCtf51541 | Cisco IOS | Mistral reset due to TM_DATA_PARITY_ERROR error
CSCtf52407 | Cisco IOS | Sup720 may reload when passing GRE traffic
CSCtf54617 | Cisco IOS | Supervisor fails to come up due to bad compact flash.
CSCtf62507 | Cisco IOS | Netflow s/w switched flow not entried if disable/enable ip flow ingress
CSCtf91692 | Cisco IOS | Insertion of 6708/6716 linecard into the chassis resets another linecard
CSCtf97963 | Cisco IOS | VSS DFC card miss MN setting, 4Sup: ICS MN ORPOE error
CSCtg37826 | Cisco IOS | Inter range command doesn't work
CSCtg55075 | Cisco IOS | IOS SLB may not purge netflow shortcut properly
CSCtg58235 | Cisco IOS | Minor Error @ bootup on multiple 8xCHT1/E1 SPA cards.
CSCtg68012 | Cisco IOS | %SCHED-3-THRASHING: Process thrashing on watched mssg event
CSCtg73213 | Cisco IOS | c2w2c - Crash seen on Configuring ATMoMoGRE
CSCtg78883 | Cisco IOS | Patch triggers EARL Recovery.
CSCth04998 | Cisco IOS | [VSS] DFC installs drop index for MAC-address
CSCth13572 | Cisco IOS | C2W2C: WS-X6716-10GE Failed TestMacNotification and reset after VSS SSO
CSCth23794 | Cisco IOS | interfaces errdisable with "vlan intern alloc policy descending" config
CSCth42223 | Cisco IOS | DOT1X security violation message not report the interface mode
CSCth46650 | Cisco IOS | Traffic not get through between promiscuous and isolated in Mux mode
CSCth55383 | Cisco IOS | %EARL-DFC2-2-SWITCH_BUS_IDLE message after "show tech"
CSCth60232 | Cisco IOS | SXH: Port-channel interface flap when changing vlan mask
CSCth76204 | Cisco IOS | TestSPRPInbandPing - No swover/crash after failure threshold reached
CSCti23872 | Cisco IOS | traceroute double hop with set vrf due to double ttl decrement
CSCti36394 | Cisco IOS | SXH Firmware - Heathland Board Layer Test Error Counter Monitor
CSCti84718 | Cisco IOS | CPUHOG @ ipnat_ipalias_check_waitlist+E8 after sh/nosh PBR po int
CSCti85352 | Cisco IOS | W1.8: Removing vlan-group from fw mod,vlan-gp already assign get removed
CSCsh47251 | Infrastructure | 3700 crashes as soon as loading image
CSCsl05310 | Infrastructure | %SCHED-3-STUCKMTMR tb's seen with 1022 ION
CSCsy24505 | Infrastructure | Process "sbin/dfs_disk0.proc" crashed while inserting CF @ dfs_id_delete
CSCtc87480 | Infrastructure | dir slavenvram and wr mem triggers slavenvram:/(Device or resource busy)
CSCtd62220 | Infrastructure | %DATACORRUPTION-1-DATAINCONSISTENCY: copy error,
CSCte52416 | Infrastructure | VSS member switch crash when power down active switch
CSCtg19572 | Infrastructure | Memory leak in two dfs processes
CSCtg64468 | Infrastructure | indefinit loops in get_bufferpool_info() & get_buffercachepool_info()
CSCth01674 | Infrastructure | *Dead* memory increasing in (coalesced)
CSCsa94774 | IPServices | NAT default breaks Traceroute response
CSCsy74796 | IPServices | Memory leak at ip_multicast_ctl (when creating/deleting interfaces?)
CSCsz05783 | IPServices | NAT translation fails with certain ALG traffic
CSCta56667 | IPServices | tcp.proc displays excessive cpu usage
CSCtd21890 | IPServices | Router crash at dhcp autoinstall
CSCtf34691 | IPServices | HSRP group name tied to static NAT for redundancy is not saved to config
CSCsk98507 | LegacyProtocols | Device crash@novell_send_gen_rip_query.
CSCte78230 | LegacyProtocols | DLSw Ethernet Redundancy and IPV6 will not work together
CSCta48816 | Management | CDP Protocol: %SYS-2-GETBUF: Bad getbuffer, bytes= 32717
CSCtc90579 | MPLS | Block allocated by 'rsvp_hc_db_nbr_alloc' gets corrupted
CSCth36724 | MPLS | Router reload while unconfiguring vrf interfaces in HA scale tests
CSCth38699 | Multicast | Auto-RP for multicast triggers RP-Discovery with 0 RPs
CSCso26773 | QoS | qos: PI-code: police percent above 43% is not correct for 10G interface
CSCsu99767 | Routing | EIGRP:peer does not send UPDATE to NSF/SSO restarting peer router
CSCtc72772 | Routing | Bulk sync failure and Standby reloads continuously @ "clns route"
CSCtd49246 | Routing | round-trip average of ping MIB may show less value
CSCtd81664 | Routing | Not possible to "set ip next-hop" in vrf with import-map
CSCtf06436 | Routing | high CPU due to HW backwalk continually walking the looped OCE chain
CSCtf28793 | Routing | bgp aggregate-address suppress-map does not suppress specific prefixes
CSCtf64231 | Routing | Inbound route-map change shouldn't be effective immediately
CSCtg27206 | Routing | Static route not redistributed by RIP after link flap
CSCsb10291 | Security | $$TS: Router forced crash on PKI Bind service failure (C_UnbindService)
CSCsf17411 | Security | trustpoint authentication fails if key usage is non standard
CSCsk22496 | Security | Router crashes @ssh_command when remoove crypto key
CSCsv86113 | Security | SSH on VRF int is allowed irrespective of vrf-also key
CSCsv92274 | Security | SSH process might not handle some IPC messages
CSCsz05583 | Security | crypto pki config nvgened before ip config on which it depends - slow
CSCta77073 | Security | Router Crash while unconfiguring crypto trustpoint
CSCtf47512 | Security | SXH5: Memory leak in ACE HAPI and IPSec Key Engine
CSCtg11808 | Security | VSS: Standby supervisor reloads when crypto pki trustpoint removed
CSCti26768 | Security | Bus error while re-configuring a trustpoint
CSCtd22993 | WAN | SNMP ifIndex for certain serial interfaces becomes inactive
CSCtf03928 | WAN | NTP packets received but ignored by the NTP process
Caveats Resolved in Release 12.2(33)SXH7
Resolved AAA Caveats
Symptoms: The Cisco IOS software image may unexpectedly restart when a crafted “msg-auth-response-get-user” TACACS+ packet is received.
Conditions: This symptom is observed after the Cisco platform has sent an initial “recv-auth-start” TACACS+ packet.
Workaround: There is no workaround.
Resolved Multicast Caveats
Symptoms: A router may reload after reporting SYS-3-OVERRUN or SYS-3-BADBLOCK error messages. SYS-2-GETBUF with ‘Bad getbuffer’ error may also be reported.
Condition: Occurs when PIM auto-RP is configured and IP multicast boundary is enabled with the filter-autorp option.
Workaround: Configure IP multicast boundary without the filter-autorp option.
Symptom: A Cisco IOS device may experience an unexpected reload as a result of mtrace packet processing.
Conditions:
Workaround: None other than avoiding the use of mtrace functionality.
Resolved Security Caveats
Symptoms: A Cisco router that is running Cisco IOS Release 12.4(25) may crash due to SSH.
Conditions: This symptom occurs when SSH is enabled on the router. An attempt to access the router via SSH is made.
Workaround: Do not use SSH. Disable SSH on the router by removing the RSA keys:
crypto key zeroize rsa
Further Problem Description: This issue has not been seen in Cisco IOS Release 12.4(23) and earlier releases. It also has not been seen in Cisco IOS Release 12.4T images.
Symptoms: Malformed SSH version 2 packets may cause a memory leak.
Conditions: This symptom is observed on a Cisco platform configured for SSH version 2 after it has received malformed SSHv2 packets. The impact of this flaw is that the affected platform may operate in a degraded condition. Under rare circumstances it may reload to recover itself.
Workarounds: Options consist of using SSH version 1 in the interim until the affected platform can be upgraded to a fixed release or permitting only known trusted hosts/networks that can connect to the router by using a VTY access list.
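Following are examples of the workarounds:
Configure SSH version 1
!-- configure from global config mode
ip ssh version 1
Permit only known trusted hosts/networks by using a VTY access list
!-- configure from global config mode
!-- 10.1.1.0/24 is a trusted network that
!-- is permitted access to the router, all
!-- other access is denied
access-list 99 permit 10.1.1.0 0.0.0.255
!-- apply the access list to the vty lines
line vty 0 4
 access-class 99 in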
More information about configuring VTY access lists is available in Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T Controlling Access to a Virtual Terminal Line:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-cntrl-acc-vtl.html
More information about SSH on IOS is available in the Configuring Secure Shell on Routers and Switches Running Cisco IOS guide:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Resolved Unknown Caveats
Symptom: A 6500 may experience a redzone crash in the UDLD process. The following message may appear:
%SYS-SP-3-OVERRUN: Block overrun at 44456570 (red zone 6D000700) -Traceback= 40291448 402938DC 40D74570 40D763A0
The traceback will vary from code to code.
Conditions: UDLD configured
Workaround: Disable UDLD.
Symptoms: An upgrade from 12.2(18)SXF6 to 12.2(33)SXH5 introduces additional vty lines into the running configuration (vty lines 5 - 15). These new lines do not inherit the security ACL or transports configured by the customer on the old lines (0-4). The switch upgrade causes the device to become non-compliant with the network security policy defined by the customer.
Condition: Software upgrade from 12.2(18)SXF6 to 12.2(33)SXH5.
Workaround: Manually configure the ACL for the newly introduced vty lines.
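The check below is an added example, not Cisco code: it audits a saved running configuration for vty ranges that lack the inbound access-class or transport settings of the first vty block, which is the condition this caveat describes. The sample configuration is constructed, and treating the first vty block as the baseline is an assumption.

```python
import re

# Constructed sample: running-config fragment after the upgrade described
# above. Lines 0-4 carry the site's ACL and transport; lines 5-15 are bare.
SAMPLE_AFTER_UPGRADE = """\
access-list 99 permit 10.1.1.0 0.0.0.255
!
line con 0
line vty 0 4
 access-class 99 in
 transport input ssh
line vty 5 15
 login
!
end
"""

VTY_HEADER = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")


def parse_vty_blocks(config_text):
    """Return one dict per 'line vty' block with its inbound ACL and transports."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        header = VTY_HEADER.match(raw)
        if header:
            first = int(header.group(1))
            last = int(header.group(2)) if header.group(2) else first
            current = {"first": first, "last": last,
                       "access_class_in": None, "transport_input": None}
            blocks.append(current)
        elif not raw.startswith(" "):
            current = None  # any unindented line closes the vty block
        elif current is not None:
            words = raw.split()
            if len(words) >= 3 and words[0] == "access-class" and words[2] == "in":
                current["access_class_in"] = words[1]
            elif words[:2] == ["transport", "input"]:
                current["transport_input"] = sorted(words[2:])
    return blocks


def audit_vty(config_text):
    """List (vty range, problem) pairs for ranges that have no inbound ACL or
    transport setting, or whose settings differ from the first vty block
    (assumed here to be the pre-upgrade lines the site already hardened)."""
    blocks = parse_vty_blocks(config_text)
    findings = []
    if not blocks:
        return findings
    baseline = blocks[0]
    for block in blocks:
        name = "vty %d %d" % (block["first"], block["last"])
        for key, label in (("access_class_in", "inbound access-class"),
                           ("transport_input", "transport input")):
            if block[key] is None:
                findings.append((name, "no " + label + " configured"))
            elif block[key] != baseline[key]:
                findings.append((name, label + " differs from first vty block"))
    return findings


if __name__ == "__main__":
    for vty_range, problem in audit_vty(SAMPLE_AFTER_UPGRADE):
        print(vty_range + ": " + problem)
```

Run it against the configuration saved before and after an upgrade; an empty result after the upgrade means every vty range carries the same ACL and transports as the original lines.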
Symptom: In the current EARL7 system, for an IPv6 packet the 96 bytes cover the DBUS header (22), Ethernet header (14), IPv6 header (40), IPv6 extension headers, and L4 header. That means only 20 bytes (96 - 22 - 14 - 40) are left for the extension header(s) and the L4 header. So even a packet with small extension header(s) can use up the 20 bytes, which would cause l4_hdr_vld = 0. When that happens, no L4 features can be applied and the packet is hardware forwarded based on the L3 forwarding result.
Conditions: This issue has been present from day one, but it poses a threat only when an IPv6 access list that contains L4 options is configured on an interface.
Workaround: No workaround.
Conditions: When an IPv6 RACL is configured on an interface, all packets containing IPv6 optional headers are punted to the RP. However, packets that are sent with no L4 header also hit this punt entry, which is present at the top of the TCAM.
Workaround: No workaround.
Symptoms: A Cat4k switch may reload after receiving a malformed packet on one specific port.
Conditions: This symptom may be observed on a Cat4k switch that enables DNSIX audit trail and receives crafted IP packets on a specific port.
Workaround: Do not enable the DNSIX audit trail.
Resolved WAN Caveats
Symptom: Cisco IOS Software is affected by an NTP mode 7 denial-of-service vulnerability. Note: The fix for this vulnerability changes the behavior of Cisco IOS operations for mode 7 packets. See the Further Description section of this release note enclosure.
Conditions: Cisco IOS Software with support for Network Time Protocol (NTP) contains a vulnerability processing specific NTP Control Mode 7 packets. This results in increased CPU on the device and increased traffic on the network segments.
This is the same as the vulnerability which is described in http://www.kb.cert.org/vuls/id/568372
Cisco has released a public-facing vulnerability alert at the following link:
http://tools.cisco.com/security/center/viewAlert.x?alertId=19540
Cisco IOS Software that has support for NTPv4 is NOT affected. NTPv4 was introduced into Cisco IOS Software: 12.4(15)XZ, 12.4(20)MR, 12.4(20)T, 12.4(20)YA, 12.4(22)GC1, 12.4(22)MD, 12.4(22)YB, 12.4(22)YD, 12.4(22)YE and 15.0(1)M.
All other versions of Cisco IOS and Cisco IOS XE Software are affected.
To see if a device is configured with NTP, log in to the device and issue the CLI command show running-config | include ntp. If the output returns any of the following commands, the device is vulnerable:
ntp master <any following commands>
ntp peer <any following commands>
ntp server <any following commands>
The following example identifies a Cisco device that is configured with NTP:
router# show running-config | include ntp
The following example identifies a Cisco device that is not configured with NTP:
router# show running-config | include ntp
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to “Cisco Internetwork Operating System Software” or “Cisco IOS Software.” The image name displays in parentheses, followed by “Version” and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26) with an installed image name of C2500-IS-L:
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
The following example shows a product that is running Cisco IOS Software release 12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
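The two checks described above (NTP commands in the running configuration, and the image name and release in the show version banner) can be run over saved command output. The script below is an added example, not Cisco code; the running configuration is constructed, and the script only reports what is configured, it does not decide whether a given release contains the fix.

```python
import re

# Both banner layouts quoted on this page put the image name in parentheses
# directly before ", Version <release>,".
BANNER = re.compile(r"\(([A-Za-z0-9_.-]+)\), Version ([^,\s]+),")

# Constructed inputs. The banner is the 12.3(26) example from this page; the
# running-config is made up and includes a hostname that a plain
# "include ntp" filter would also match.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
"""
SAMPLE_RUNNING_CONFIG = """\
hostname ntp-lab-rtr1
interface FastEthernet0/0
 ntp broadcast client
ntp server 192.0.2.10
ntp peer 192.0.2.11
ntp access-group peer 1
access-list 1 permit 171.70.173.55
"""

# Commands the page lists as making the device vulnerable.
ROLE_KEYWORDS = ("master", "peer", "server")


def parse_banner(show_version_text):
    """Extract image name and release from 'show version' output, or None."""
    match = BANNER.search(show_version_text)
    if match is None:
        return None
    return {"image": match.group(1), "release": match.group(2)}


def ntp_exposure(running_config):
    """Classify the NTP-related lines of a running configuration."""
    result = {"role_lines": [], "listener_lines": [],
              "access_groups": [], "mode7_allowed": False}
    for raw in running_config.splitlines():
        words = raw.split()
        # Only real "ntp ..." commands count; this skips "no ntp ...",
        # hostnames and descriptions that merely contain the string.
        if len(words) < 2 or words[0] != "ntp":
            continue
        line = " ".join(words)
        if words[1] in ROLE_KEYWORDS:
            result["role_lines"].append(line)
        elif words[1] in ("broadcast", "multicast") and words[2:3] == ["client"]:
            # Interface-level clients: the iACL must also cover broadcast or
            # multicast destinations, as the mitigation section notes.
            result["listener_lines"].append(line)
        elif words[1] == "access-group" and len(words) >= 4:
            result["access_groups"].append((words[2], words[3]))
        elif words[1:] == ["allow", "mode", "private"]:
            # On fixed releases this command turns mode 7 processing back on.
            result["mode7_allowed"] = True
    result["ntp_configured"] = bool(result["role_lines"])
    return result


def summarize(show_version_text, running_config):
    """Combine both checks into one record per device."""
    return {"banner": parse_banner(show_version_text),
            "ntp": ntp_exposure(running_config)}


if __name__ == "__main__":
    report = summarize(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG)
    print(report["banner"])
    for key, value in sorted(report["ntp"].items()):
        print(key, "=", value)
```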
Additional information about Cisco IOS Software release naming conventions is available in “White Paper: Cisco IOS Reference Guide” at the following link:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Workaround: There are no workarounds other than disabling NTP on the device. The following mitigations have been identified for this vulnerability; only packets destined for any configured IP address on the device can exploit this vulnerability. Transit traffic will not exploit this vulnerability.
Note: NTP peer authentication is not a workaround and is still a vulnerable configuration.
– NTP Access Group
Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender’s IP address, which may defeat access control lists (ACLs) that permit communication to these ports from trusted IP addresses. Unicast Reverse Path Forwarding (Unicast RPF) should be considered to be used in conjunction to offer a better mitigation solution.
!--- Configure trusted peers for allowed access
access-list 1 permit 171.70.173.55
!--- Apply ACE to the NTP configuration
ntp access-group peer 1
For additional information on NTP access control groups, consult the document titled “Performing Basic System Management” at the following link:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage.html#wp1034942
– Infrastructure Access Control Lists
Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender’s IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Unicast RPF should be considered to be used in conjunction to offer a better mitigation solution.
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks.
Infrastructure ACLs (iACLs) are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The iACL example below should be included as part of the deployed infrastructure access-list, which will help protect all devices with IP addresses in the infrastructure IP address range:
!--- Feature: Network Time Protocol (NTP)
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
!--- Note: If the router is acting as a NTP broadcast client
!--- via the interface command "ntp broadcast client"
!--- then broadcast and directed broadcasts must be
!--- filtered as well. The following example covers
!--- an infrastructure address space of 192.168.0.X
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 192.168.0.255 eq ntp
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 255.255.255.255 eq ntp
!--- Note: If the router is acting as a NTP multicast client
!--- via the interface command "ntp multicast client"
!--- then multicast IP packets to the multicast group must
!--- be filtered as well. The following example covers
!--- a NTP multicast group of 239.0.0.1 (Default is
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 239.0.0.1 eq ntp
!--- Deny NTP traffic from all other sources destined
!--- to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
access-list 150 permit ip any any
!--- Apply access-list to all interfaces (only one example
interface fastEthernet 2/0
 ip access-group 150 in
The white paper entitled “Protecting Your Core: Infrastructure Protection Access Control Lists” presents guidelines and recommended deployment techniques for infrastructure protection access lists and is available at the following link
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
– Control Plane Policing
Two examples are provided under Control Plane Policing. The first aims at preventing the injection of malicious traffic from untrusted sources, while the second rate limits NTP traffic to the box.
—Filtering untrusted sources to the device.
Warning: Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the sender’s IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. Unicast RPF should be considered to be used in conjunction to offer a better mitigation solution.
Control Plane Policing (CoPP) can be used to block untrusted UDP traffic to the device. Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be configured on a device to help protect the management and control planes and minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations. The CoPP example below should be included as part of the deployed CoPP, which will help protect all devices with IP addresses in the infrastructure IP address range.
!--- Feature: Network Time Protocol (NTP)
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 123
!--- Deny NTP traffic from all other sources destined
!--- to the device control plane.
access-list 150 permit udp any any eq 123
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- and configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
class-map match-all drop-udp-class
 match access-group 150
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
policy-map drop-udp-traffic
 class drop-udp-class
  drop
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
control-plane
 service-policy input drop-udp-traffic
In the above CoPP example, the access control list entries (ACEs) that match the potential exploit packets with the “permit” action result in these packets being discarded by the policy-map “drop” function, while packets that match the “deny” action (not shown) are not affected by the policy-map drop function.
—Rate limiting the traffic to the device.
The CoPP example below could be included as part of the deployed CoPP, which will help protect targeted devices from processing large amounts of NTP traffic.
Warning: If the rate-limits are exceeded valid NTP traffic may also be dropped.
!--- Feature: Network Time Protocol (NTP)
access-list 150 permit udp any any eq 123
!--- Create a Class-Map for traffic to be policed by
class-map match-all rate-udp-class
 match access-group 150
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
!--- NOTE: See section "4. Tuning the CoPP Policy" of
!--- http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html#5
!--- for more information on choosing the most
!--- appropriate traffic rates
policy-map rate-udp-traffic
 class rate-udp-class
  police 10000 1500 1500 conform-action transmit exceed-action drop violate-action drop
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
control-plane
 service-policy input rate-udp-traffic
Additional information on the configuration and use of the CoPP feature can be found in the documents, “Control Plane Policing Implementation Best Practices” and “Cisco IOS Software Releases 12.2 S - Control Plane Policing” at the following links:
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
Further Description: Cisco IOS Software releases that have the fix for this Cisco bug ID have a behavior change for mode 7 private mode packets.
A Cisco IOS Software release with the fix for this Cisco bug ID will not process NTP mode 7 packets and, if debugs for NTP are enabled, will display the message “NTP: Receive: dropping message: Received NTP private mode packet. 7”.
To have Cisco IOS Software process mode 7 packets, configure the CLI command ntp allow mode private. This command is disabled by default.
Other Resolved Caveats in Release 12.2(33)SXH7
CSCsi54201 | AAA | IDMGR-3-INVALID_ID error message
CSCsq71492 | AAA | IOS device crash or tracebacks at tplus_handle_req_timeout
CSCsx15897 | AAA | Cisco 3800 shows symptoms of memory leak in AAA component
CSCsy55362 | AAA | Unresponsive Console/VTYs
CSCtc27153 | ATM | Shaping configuration does not work in SXH
CSCsb95192 | Cisco IOS | RRI with HA doesnt populate the routes correctly - static keyword
CSCsk18794 | Cisco IOS | speed and negotiation configuration issue on FE-TX-V2 SPA
CSCsk49041 | Cisco IOS | crypto_ikmp_utils.c: possible Invalid Pointer Read
CSCsk66851 | Cisco IOS | *,G/m entry does not have OIF programmed in HW sometimes
CSCsk86410 | Cisco IOS | Abnormal ISAKMP traffic caused an alignment error and traceback.
CSCsl30308 | Cisco IOS | PIM snooping corrupts PIM RPF Proxy packet
CSCsl70542 | Cisco IOS | OBFL:high cpu during interrupt coalesce
CSCsl87677 | Cisco IOS | changing the access vlan doesn't reflect the vlan of the secure configur
CSCsm40013 | Cisco IOS | Multiple LC crash after shuting down TE tunnel interface
CSCsm63524 | Cisco IOS | SUP32 crashes due to SP hang when it recovers from errdisable
CSCsm96309 | Cisco IOS | OIR-SP-4-WARN message displayed when PS1 or FAN removed
CSCsq01879 | Cisco IOS | 7600 EoMPLS mls cef entry for imposition is programmed mtu 0
CSCsq63621 | Cisco IOS | SPD classifies OSPF IP Precedence 0 as priority
CSCsr09586 | Cisco IOS | Remarks not appearing correctly in Policy Based ACL
CSCsr50134 | Cisco IOS | Router or Linecard may reload at cv6_6pe_frr_stats
CSCsr74002 | Cisco IOS | 7600 - VPLS - QinQ- UDLD packet received on qinq flooded to vpls
CSCsu31088 | Cisco IOS | Not able to execute any commands under intf after running SPA FPGA bert
CSCsu72935 | Cisco IOS | C2W2B: memory corruption on 122-32.8.11.XIW20 (w2_x_pi) image
CSCsu84213 | Cisco IOS | RPF-MFD hardware entry is missed after doing SSO.
CSCsu99813 | Cisco IOS | C2HD1-SI:Span Distributed Stops Traffic - Centralized Duplicates
CSCsv13243 | Cisco IOS | BFD config causing BGP session to go down
CSCsv40523 | Cisco IOS | WISM: Gig interfaces show as unknown(4)
CSCsv43187 | Cisco IOS | 120seconds after SSO, Some multicast traffic drops
CSCsw40790 | Cisco IOS | SNMP Loop on PA-MC-T3+ interfaces (Installed)
CSCsx65705 | Cisco IOS | router crash on no route-map with match ipv6 address access-list
CSCsx74064 | Cisco IOS | On modular IOS, SSH on VRF int is allowed irrespective of vrf-also key
CSCsx79379 | Cisco IOS | IOS Auth Proxy HTTP may lead to bus error adress 0x0
CSCsy04594 | Cisco IOS | Vlan interfaces flap when a root guard port receive superior bpdu
CSCsy37236 | Cisco IOS | High CPU at Filesys process on DFC LC and crash at btree_map_search
CSCsy54583 | Cisco IOS | TTY data process on DFC leaks memory at prot_tty_malloc_named
CSCsy56433 | Cisco IOS | Sh rom intermittently fails to display correct region info for standby
CSCsy58553 | Cisco IOS | Linecard reset causes traffic onto frr protected tunnel to be dropped
CSCsy66446 | Cisco IOS | %BIT-SP-4-OUTOFRANGE ltl_fpoe_defer_notify_with_pri on port-channel flap
CSCsy66678 | Cisco IOS | stp_helper_manipulate_queue: standby SP CPUHOG
CSCsy81934 | Cisco IOS | Non-standard static multicast MAC addresses lose ports after reload
CSCsy86252 | Cisco IOS | SP Crash printing "supervisor jamming EOBC. It will be disabled."
CSCsz04297 | Cisco IOS | Cat6k: False Dynamic MAC entry is installed with format 0000.<LTL>.0000
CSCsz19246 | Cisco IOS | Crash after 'no dot1x port-control auto'
CSCsz36826 | Cisco IOS | 6509E fan-tray failed to restore back to HP mode after OIR
CSCsz38798 | Cisco IOS | On SSO, Sup engine/DFC module get reset when MET set deleted
CSCsz53124 | Cisco IOS | IPSEC VPN interoperability issue when IPCOMP compression enabled
CSCsz53809 | Cisco IOS | Configuring vlan name containing space doesnt work across reload.
CSCsz69993 | Cisco IOS | Pause frames on WS-X6708-10GE sent to cpu with flow-control disabled
CSCsz96469 | Cisco IOS | Tracebacks seen @chunk_free_with_pc while unconfiguring
CSCta06428 | Cisco IOS | VSS: Active Crash at iccp_test_get_first_mcast_resp_data
CSCta06451 | Cisco IOS | PfR:BR Memory leak in export path on 7600
CSCta15851 | Cisco IOS | Changing allowed vlan mask causes WiSM LAG member ports to reset
CSCta29818 | Cisco IOS | Enhanced-Flexwan Module Power Down after Code Upgrade from SXF to SXH
CSCta42669 | Cisco IOS | C2W1: segv exception after portchannel configuration
CSCta45976 | Cisco IOS | BFD adj not formed if NBR IPaddr is on the same RTR but w diff VRFintf
CSCta56676 | Cisco IOS | IPsec SA liftime can go to negative values
CSCta56890 | Cisco IOS | WiSM LAG and Data Ports flaps on SSO Switchover
CSCta71873 | Cisco IOS | Mcast traffic stops flowing across fabric to required fpoes
CSCta95295 | Cisco IOS | IOMEM depleted when PKI servers unavailable for CRL checking
CSCta98108 | Cisco IOS | With NAT, on Netflow database cleanup timer expiry, CPU spikes on 7600
CSCtb04231 | Cisco IOS | Imprecise parity error crash due to mistral timeout
CSCtb31400 | Cisco IOS | BGP sends Route-Refresh request on entering route-map configuration
CSCtb45475 | Cisco IOS | sh plat hard capacity cpu report system memory usage incorrectly
CSCtb62031 | Cisco IOS | cat6k: High cpu and high inband when reflexive ACL is used with WCCP
CSCtb70578 | Cisco IOS | L2PT incorrectly decapsulates STP PDU for RSPAN causing PVID mismatch
CSCtb72638 | Cisco IOS | Ezvpn server not sending split tunneling access-list to client
CSCtb78973 | Cisco IOS | PM-SP-3-INTERNALERROR: Port Manager Internal Software Error with dot1x
CSCtb84298 | Cisco IOS | Shadow state of wism PO line protocol down on stdby After OIR of WiSM
CSCtb87149 | Cisco IOS | NF is disabled on L3 sub-intf with per interface NF enabled
CSCtc11691 | Cisco IOS | VSS: Switch crashes after loading the sierra 090920 image
CSCtc15386 | Cisco IOS | IOS tags VLAN name configuration command as level 1
CSCtc16740 | Cisco IOS | Global BPDUGuard does not work on MVAP ports
CSCtc17058 | Cisco IOS | VC stops sending traffic due to duplicate vpn id in port based EoMPLS
CSCtc22217 | Cisco IOS | SPA-8X1FE-TX-V2 negotiation auto and duplex mode issue
CSCtc24864 | Cisco IOS | Enable cdp - removed on shut/ no shut dot1q-tunnel interface
CSCtc27745 | Cisco IOS | LLDP packets go out tagged if native vlan (not Vlan1) is configured
CSCtc30691 | Cisco IOS | Crash/Spurious memory access on privilege ipaddr-object-group/port-objec
CSCtc38716 | Cisco IOS | ME6524 may reset due to single power supply failure
CSCtc38771 | Cisco IOS | 12.2SXH: Intermittent BPDU drop over Dot1Q tunnel.
CSCtc40724 | Cisco IOS | Multicast packets may get dropped on 6500 when member join mcast group
CSCtc40851 |
Cisco IOS |
traceback on applying port acl to interface. |
CSCtc49542 |
Cisco IOS |
VSS: output drops on VS-720 port due to CoS mapping mismatch |
CSCtc52807 |
Cisco IOS |
C2HD1-SI: L3 Portchannel's FPOE mask incorrect after SSO |
CSCtc53958 |
Cisco IOS |
"sh run" on Cat6k results in tunnel flapping on non-modular IOS |
CSCtc79335 |
Cisco IOS |
Sup Crash on several locations with IP SEC config |
CSCtc81772 |
Cisco IOS |
High cpu utilization with IPv6 ACL |
CSCtc90469 |
Cisco IOS |
Sup32 crash just after boot up with ACL Deny Test Failure |
CSCtd01483 |
Cisco IOS |
With fm platform debug on when private-host is config'd the switch crash |
CSCtd13853 |
Cisco IOS |
Linecard interfaces going into UDLD errdisable state on reload |
CSCtd16863 |
Cisco IOS |
6500 PoE issues with 1120 line of APs when using dot1x |
CSCtd18947 |
Cisco IOS |
Port-based EoMPLS stops passing tagged traffic |
CSCtd21153 |
Cisco IOS |
Packets are not netflow switched for wccp-L2-redirect(inbound)with hash |
CSCtd31143 |
Cisco IOS |
SPA in CC mode with SSO breaks connectivity when other sup comes online |
CSCtd35521 |
Cisco IOS |
MVPN PIM neighborship is not formed within vrfs |
CSCtd45736 |
Cisco IOS |
EOAM:LB functionality is broken from 11/17 due to CSCtb70578 |
CSCtd58314 |
Cisco IOS |
memory corruption crash with sh ip arp inspect log |
CSCtd59572 |
Cisco IOS |
Spurious memory access errors seen after fpd upgrade of T3/E3 on SIP200 |
CSCtd59664 |
Cisco IOS |
%ERROR: Standby doesn't support this on configuring speed on SIP-400 int |
CSCtd72437 |
Cisco IOS |
Packets punted to software forwarding when route-map is used for NAT |
CSCtd78587 |
Cisco IOS |
Crash when recovering a port which was err-disabled twice |
CSCtd92043 |
Cisco IOS |
Ph2 rekey use wrong proxy-id's on cat6k ezvpn ipsec-spa-2g |
CSCte08785 |
Cisco IOS |
mac notification change history log not seen for deleted mac entries. |
CSCte20914 |
Cisco IOS |
SPAN Reflector not enabled for WS-SVC-ADM-1-K9 : 2nd Commit |
CSCte56366 |
Cisco IOS |
DSCP values are not mapped to RX priority queue |
CSCte87347 |
Cisco IOS |
FPGA upgrade of CHT1E1 to 2.8 is not successful |
CSCtf03547 |
Cisco IOS |
VSS: Switch went down coz %EARL-SW1_SP-4-EBUS_SEQ_ERROR: with SXH7 image |
CSCtf06477 |
Cisco IOS |
VSS: changing switching mode powers down service modules in SXH |
CSCtf16330 |
Cisco IOS |
DHCP Rogue Server Detection : Multiple DHCPDISCOVER's issue |
CSCtf53433 |
Cisco IOS |
Knob 'platform ipv6 acl punt extension-header' default should be false |
CSCei86912 |
Infrastructure |
Router reloads unexpectedly while issuing GD commands |
CSCin66315 |
Infrastructure |
Inconsistency with sysuptime and rttMonLatestRttOperTime |
CSCsj27963 |
Infrastructure |
Need graceful handling of full nvram |
CSCsk85192 |
Infrastructure |
copy command with : after attribute is not checked against ACS.. |
CSCsl52962 |
Infrastructure |
interface range Port-channel command causes RP crash |
CSCsm80522 |
Infrastructure |
Zero size crash file generated with "test crash" on Sip 600 module |
CSCso40612 |
Infrastructure |
7600 HA router crashed @ parser_syntax_cleanup on |
CSCso48834 |
Infrastructure |
ip sla config with udp-jitter probe failed due to no connection |
CSCso56916 |
Infrastructure |
persistent variable "snmpboot" don't get incremented after reload |
CSCse59109 |
IPServices |
high CPU usage when IP SLA is enabled |
CSCsi99841 |
IPServices |
vrf-aware trustpoint authentication/enrollment doesn't work |
CSCsm52759 |
IPServices |
% Internal software error: 22 seen on telnetting to ipv6 hosts |
CSCsz72591 |
IPServices |
Router configured as a DHCP client crashes with crafted DHCP packet. |
CSCsz97239 |
IPServices |
PmtuAger Expiration and MSS value |
CSCtc55616 |
IPServices |
RSA key generation from SSH session disables SSH service in ION |
CSCtd13820 |
IPServices |
Show Standby causes unexpected exception to CPU: crash at standby_show |
CSCtd32285 |
IPServices |
No nat translation with PAT applied on VRF interfaces |
CSCsc62963 |
LAN |
Have configurable MTU Range 1500 -1530 on PA-1FE and PA-2FE |
CSCsz05918 |
Management |
CDP neighbors do not come up on vlan interface |
CSCsz75221 |
Management |
A local variable in cdp takes up 2k process stack space-prompting crash |
CSCtc40711 |
Management |
next-hop verify-availability still forwards traffic with no CDP neighbor |
CSCtd43540 |
Management |
Memory leak at cdp_handle_version_info |
CSCtb76828 |
Multicast |
%SYS-2-BADSHARE: Bad refcount in datagram_done for MSDP process |
CSCsm42477 |
QoS |
Sierra:Standby reloaded on QOS configuration. |
CSCso29025 |
QoS |
Sip-400: Traceback msgs at process_ok_to_reschedule |
CSCsq11897 |
Routing |
Spurious memory seen at idb_get_ip_addrs and idb_get_ip_unnum |
CSCsq13111 |
Routing |
7609s vlan traffic reporting |
CSCsq99447 |
Routing |
When BFD/ EIGRP configured in more than 32 vrf BFD does not come up |
CSCsr05431 |
Routing |
After SSO, cef removed vrf routes before bgp graceful timers time-out |
CSCsr67177 |
Routing |
Router with IPv6 OSPF crashes on reloading |
CSCsr84530 |
Routing |
Static route not properly redistributed into BGP -- backout CSCsl92283 |
CSCsr88705 |
Routing |
BGP route getting lost after "shut/no shut" of BGP peering interface |
CSCsw30941 |
Routing |
ospfNbrStateChange trap sent by non-DR |
CSCsw99768 |
Routing |
BGP malformed update sent |
CSCsy58115 |
Routing |
Continuous BGP mem increase with non established neighbors |
CSCsz61156 |
Routing |
NH is not stored in BGP table when IPv6 VRF is redistributed |
CSCta07104 |
Routing |
Config-Sync & Traffic failure in VPN SSO scripts |
CSCta08632 |
Routing |
ISIS topology broken after Sup force-switchover with ispf |
CSCtb82674 |
Routing |
IS-IS adjacency stays down after switchover |
CSCtc45716 |
Routing |
SNMPWALK of ipRouteEntry.7 with a view configured triggers high CPU |
CSCtd73256 |
Routing |
a catalyst switch may reload unexpectedly during 'show ip ospf int' |
CSCte10790 |
Routing |
c6500: device crashing on "no 250" on access-list |
CSCse31829 |
Security |
Memory leak in Crypto IKMP process |
CSCsz83570 |
Security |
SSH Sessions disconnect when viewing logs w/ pagers |
CSCtc12312 |
Security |
PKI may get stuck after 32678 CRL fetches |
CSCsi05069 |
WAN |
DCE Sub-interface is not coming up after provisioning |
CSCsw31019 |
WAN |
Router crashes while configuring the command "frame-relay be 1" |
Caveats Resolved in Release 12.2(33)SXH6
Resolved MPLS Caveats
A device running Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software is vulnerable to a remote denial of service condition if it is configured for Multiprotocol Label Switching (MPLS) and has support for Label Distribution Protocol (LDP).
A crafted LDP UDP packet can cause an affected device running Cisco IOS Software or Cisco IOS XE Software to reload. On devices running affected versions of Cisco IOS XR Software, such packets can cause the device to restart the mpls_ldp process.
A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP).
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available.
This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml
Resolved Routing Caveats
Symptoms: Cisco IOS device may crash.
Conditions: A Cisco IOS device may crash upon receiving a malformed OSPF message.
Before the issue can be triggered, the Cisco IOS device must be able to establish adjacency with an OSPF peer. The issue then occurs when the device processes an OSPF message sent by the peer.
Workaround: There is no workaround. Using OSPF authentication can reduce/minimize the chance of hitting this issue.
Resolved Security Caveats
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service (DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-tunnels
Resolved Unknown Caveats
Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent the establishment of new IPsec sessions.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-ipsec
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the authentication proxy server or bypass the consent webpage.
There are no workarounds that mitigate this vulnerability.
This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090923-auth-proxy
Other Resolved Caveats in Release 12.2(33)SXH6
CSCin67182 |
AAA |
Crash in aaa_sg_v2_get_next_server on trying unconfigured radius ser |
CSCsc97727 |
AAA |
Access Point Crashes When Removing TACACS Server |
CSCse12395 |
AAA |
Check keys error for accounting does not cause failover |
CSCsh34529 |
ATM |
autobahn76: ATM interface config lost on standby RP |
CSCsx43905 |
ATM |
Router Crash at dlcncia.c on 12.2(33.4.14)SXH |
CSCee25454 |
Cisco IOS |
SADB peering process leaks memory after overnight test |
CSCek53099 |
Cisco IOS |
SIP200+4xT3/E3:Fail to load cRTP CFG from startup file |
CSCsd39568 |
Cisco IOS |
stats support for PBR set ip nexthop/set interface |
CSCsg35285 |
Cisco IOS |
Slower Cache refresh for int stats when more interfaces up |
CSCsi46897 |
Cisco IOS |
PRE crash after snmpwalk on mib cbQosSetStatsTable |
CSCsj26698 |
Cisco IOS |
Acct-Session-Id in Accounting-Request is different from in Access-Reques |
CSCsk25046 |
Cisco IOS |
Not all ifIndex'es are in cbQosServicePolicyTable |
CSCsk29975 |
Cisco IOS |
Tunnel not up, invalid local address after modify the local address. |
CSCsk62407 |
Cisco IOS |
CPU HOG@fm_format_addr_to_compare on applying large IPv6 ACL |
CSCsl61273 |
Cisco IOS |
Standby crash after autoqos config |
CSCsl72962 |
Cisco IOS |
Mask the debug message error in multicast throttle logic |
CSCsm39160 |
Cisco IOS |
TestCFRW shows incorrectly as failed in show diagnostic sanity |
CSCsm45254 |
Cisco IOS |
OBFL ENV app in infinite-loop causing high CPU |
CSCsm84073 |
Cisco IOS |
c2w2:vrf ping fails after toggle mls mpls recir, sso,remove/add ip vrf |
CSCsm84163 |
Cisco IOS |
Memory leak for IKE/IPSEC after hsrp failover, router crashed w/ no mem |
CSCso35876 |
Cisco IOS |
SRB3:New active SP crash at label_entry_get_inlabel |
CSCso36150 |
Cisco IOS |
duplicate vlan names causing config-sync failures |
CSCso59242 |
Cisco IOS |
sierra: show mem detailed all stat is truncated. |
CSCso79925 |
Cisco IOS |
EC with enhanced hash method (PFC3C) has no knob to use old method (3B) |
CSCso89644 |
Cisco IOS |
c2w2::Missing idb for fibidb NDE_vlan1019 messages and tracebacks after |
CSCsq31935 |
Cisco IOS |
6500 - L3 port channel - CDP packet sent tagged in internal vlan |
CSCsq55506 |
Cisco IOS |
Inter community PVLAN traffic is software switched |
CSCsq69567 |
Cisco IOS |
SSO Switchover + unicast-routing chg cause MC traffic loss for 2 minutes |
CSCsq78343 |
Cisco IOS |
Tidy up the netflow sub flow code |
CSCsq96144 |
Cisco IOS |
Netflow v9 Exported Data issue in case of ECMP |
CSCsr04916 |
Cisco IOS |
PBR dropped the packets after add set vrf vpn1 back to the route-map |
CSCsr63098 |
Cisco IOS |
VRF-Aware Smart-Call Home requirement |
CSCsr99518 |
Cisco IOS |
Granikos should not init rekey after receiving new outbound SA at QM3 |
CSCsu11487 |
Cisco IOS |
pm_fec_is_mec() returns FALSE when 1 of 5 local MEC members is shutdown |
CSCsu27660 |
Cisco IOS |
CDP packet sent tagged in internal vlan |
CSCsu29301 |
Cisco IOS |
C2W21: Ingress SPAN on Sup - ACE module duplicates packets |
CSCsu36715 |
Cisco IOS |
W2.0 : C2 : ION : Memory Leak in MSDP process |
CSCsu67413 |
Cisco IOS |
RRI - Route disappears after ipsec rekey with multi int scenario |
CSCsu92395 |
Cisco IOS |
Crash caused by event manager configuration: "action mail" |
CSCsv12378 |
Cisco IOS |
c2w2:Memory leak in Crypto IKMP process on IOS EzVPN server |
CSCsv24908 |
Cisco IOS |
L2 Fwd Broken on other modules when SIP-400 int flaps |
CSCsv27372 |
Cisco IOS |
telnet to a real(directed mode) via GRE tunnel creates SUP crash on SRC2 |
CSCsv27548 |
Cisco IOS |
Cat6k/sip200: PPP packets punted sip200 multilink interface |
CSCsv27617 |
Cisco IOS |
Flow creation disabled in netflow table after reload for WAN main ints |
CSCsv52025 |
Cisco IOS |
call-home: Port numbers cannot be added to URLs with IP addresses |
CSCsv59334 |
Cisco IOS |
Connected nets redistr from eigrpTObgp when no net 0 is set under eigrp |
CSCsv63799 |
Cisco IOS |
PfR MC/BR bus error crash in ip fast flow |
CSCsw14147 |
Cisco IOS |
VACL unable to capture traffic from RP |
CSCsw32280 |
Cisco IOS |
Diag error on WS-X6148A-45AF card asic with Traffic |
CSCsw41706 |
Cisco IOS |
router reload when registering EEM service diag script |
CSCsw48181 |
Cisco IOS |
Unknown Unicast is dropped on Shut/no Shut of a VLAN |
CSCsw52819 |
Cisco IOS |
Kernel dumper needs a few enhancements. |
CSCsw68514 |
Cisco IOS |
SLB probes in TESTing state while using client cmd in Vserver config |
CSCsw76117 |
Cisco IOS |
TBs seen after redundancy mode change from sso to rpr |
CSCsw78413 |
Cisco IOS |
BFD over ATM subinterfaces is broken in recent SR images |
CSCsw83488 |
Cisco IOS |
Negative value seen for counters in vpn session |
CSCsx09110 |
Cisco IOS |
Failed to establish ipsec tunnel with CCM |
CSCsx20862 |
Cisco IOS |
Peer RP index unknown messages seen on VSS setup |
CSCsx21886 |
Cisco IOS |
ISSU switchover command sync issue |
CSCsx29377 |
Cisco IOS |
1 sec multicast loss on standby sup720-10g |
CSCsx49889 |
Cisco IOS |
SPA-IPSEC-2G-3-ACEI0TCAMFAILE:SpdSpInstall:cannot install Sp TmInsertSp |
CSCsx55152 |
Cisco IOS |
Switch does not send TC trap if it is not a root bridge |
CSCsx58786 |
Cisco IOS |
Router crash @ routemap_track_nexthop |
CSCsx82825 |
Cisco IOS |
Shutdown Loopback interfaces in VSS recovery mode |
CSCsy01275 |
Cisco IOS |
W15:: SYS-2-MALLOCFAIL: Memory allocation message seen after bootup |
CSCsy01763 |
Cisco IOS |
15 - 20 packets leak to DST with PACL after SSO |
CSCsy03587 |
Cisco IOS |
c2w2b: SYS-2-MALLOCFAIL: Memory allocation failed seen with tracebacks |
CSCsy08838 |
Cisco IOS |
Zamboni allows clear packet inbound on protected interface |
CSCsy16220 |
Cisco IOS |
a switch may crash due to deadlock between snmp and eem |
CSCsy21797 |
Cisco IOS |
Cat6k-Unexpected SNMP messages occurred |
CSCsy24895 |
Cisco IOS |
Memory leak in ACE HAPI process |
CSCsy26526 |
Cisco IOS |
Router is getting crashed at netconf_sessionQs_set_max_message |
CSCsy26979 |
Cisco IOS |
33SXH5: Traceback seen @satvs_assert_class3 |
CSCsy34566 |
Cisco IOS |
Disable VLAN mapping on ME6524, 6148A-GE-TX |
CSCsy37175 |
Cisco IOS |
2FE-PA Subintf lost connection after chassis/Flexwan2 reload |
CSCsy41526 |
Cisco IOS |
PIM msgs duplicated when MPLS configured and IGMP Snooping Off on xface |
CSCsy54365 |
Cisco IOS |
frequent datapath recovery and traffic loss on WS-X6704 with DFC |
CSCsy58886 |
Cisco IOS |
NGN:Active crashes when standby booting up on SRC2->SRC3 ISSU |
CSCsy61956 |
Cisco IOS |
Crash in ios-base when running 'show ip route' or 'show bgp' commands |
CSCsy62753 |
Cisco IOS |
MST configured router crashed after receiving PVST BPDU. |
CSCsy69228 |
Cisco IOS |
Add CLI mls cef tunnel fragment support for non supertycho2 |
CSCsy69740 |
Cisco IOS |
SXH: Traffic drop on L2 PO after cleared psecurity on rcving L2 ports |
CSCsy78994 |
Cisco IOS |
Memory leak in Service Task |
CSCsy82121 |
Cisco IOS |
IGMP Source only not working due to MC_CAP not set |
CSCsy85171 |
Cisco IOS |
CDL2 Read Error: Time out |
CSCsy86050 |
Cisco IOS |
MAC Move Notifications on VSS between active and down ports |
CSCsy87619 |
Cisco IOS |
VSS port channel going down when powering down active switch |
CSCsy95520 |
Cisco IOS |
~500msec Pkt loss after transition to HSRP Active on L3 int |
CSCsz01976 |
Cisco IOS |
Need a cli to dump the rommon environment and unset rommon variable |
CSCsz06187 |
Cisco IOS |
VACL capture for ingress software switched packets |
CSCsz07068 |
Cisco IOS |
VSS: Output Drops on a VSL port due to small Tx Queue limit |
CSCsz12369 |
Cisco IOS |
FPD support for SPA-8X1FE-TX-V2 is not enabled |
CSCsz14072 |
Cisco IOS |
Memory leak at "MAB Framework" process when dot1x is enabled |
CSCsz20625 |
Cisco IOS |
Error message seen if SIP Is OIR'd during Standby SUP bootup |
CSCsz22954 |
Cisco IOS |
Supported WS-X6324-100FX-MM is powered down improperly |
CSCsz23448 |
Cisco IOS |
SIP 200 not coming up and Router Crashes after applying card type E3 1 1 |
CSCsz40969 |
Cisco IOS |
Need to add Me_Kr flow-control status registers back into sierra/whitney |
CSCsz42143 |
Cisco IOS |
WS-X6148A-GE-TX module fails keepalives when excessive errors on port. |
CSCsz44678 |
Cisco IOS |
Tunnel won't forward traffic across global to vrf |
CSCsz47077 |
Cisco IOS |
SWITCH_NUMBER rommon variable set on its own and by "wr erase" command |
CSCsz55834 |
Cisco IOS |
GLBP may provide BIA MAC instead of Virtual MAC for mobile users |
CSCsz62046 |
Cisco IOS |
Crash at memcpy after CPUHOG in SNMP ENGINE |
CSCsz63359 |
Cisco IOS |
c2w2b:"show mls qos ip" displays vslot interface instead switchid and sl |
CSCsz67334 |
Cisco IOS |
ciscoEnvMonTemperatureStatus trap sent sporadically as NotFunctioning |
CSCsz71970 |
Cisco IOS |
c2w2b: Freed Memory being Accessed by lldp_med_free_local_annex |
CSCsz75820 |
Cisco IOS |
JQL: VSS hang on SP after RP crashed by software-forced reload |
CSCsz76015 |
Cisco IOS |
C2W2: Need cli to set PF_BIAS to ensure lower slot# Sup boots as active |
CSCsz84544 |
Cisco IOS |
output drops increment on not-connected interface of 6548GE-TX module |
CSCsz87648 |
Cisco IOS |
SP/RP and redundant system handshake broken when the kernel crashes. |
CSCsz92508 |
Cisco IOS |
SPA module reloads when no response to keep-alive polling |
CSCta01121 |
Cisco IOS |
c2w1:MDEBUG traceback is seen while unconfiguring qos feature in FM. |
CSCta05502 |
Cisco IOS |
Spurious memory access made at psecure_port_del_addr_by_mac_imp |
CSCta06175 |
Cisco IOS |
Cat6500/SXH: Deleted configs re-appear on IDSM reset |
CSCta10870 |
Cisco IOS |
FPOE takes long time to be programmed on active vss switch |
CSCta21771 |
Cisco IOS |
%CONST_DIAG-SP-3-HM_FCI_0_STUCK: Flow control stuck at 0 error on modul |
CSCta27279 |
Cisco IOS |
WCCP s/w switching with Ingress redirection & interface ACL |
CSCta48968 |
Cisco IOS |
Modular IOS kernel crashinfo has missing information |
CSCta52689 |
Cisco IOS |
cat6k crash in RP due to address error with wccp configuration |
CSCta53157 |
Cisco IOS |
SPA-4XT3/E3 int in SIP-200 admin-down on standby after fpd upgrade |
CSCta55498 |
Cisco IOS |
[Modular IOS] MIPS CP0 registers save algorithm needs a few improvements |
CSCta74315 |
Cisco IOS |
WS-X6324-100FX-MM May Be Inoperable and Have Status "Other" |
CSCta76808 |
Cisco IOS |
add CLI command for medium buffer pool |
CSCta94179 |
Cisco IOS |
Recirculated MPLS packets because of egress service policy are dropped |
CSCtb23289 |
Cisco IOS |
Major temperature alarm has to force system shutdown |
CSCtb28032 |
Cisco IOS |
Changing module corrupts Flex Link |
CSCtb28712 |
Cisco IOS |
SPAN Reflector not enabled for WS-SVC-ADM-1-K9 |
CSCtb38547 |
Cisco IOS |
Incorrect CP0 values and empty kernel variable section in kernel crashin |
CSCtb60330 |
Cisco IOS |
VTI: Missed DPD ACK on phase 1 expiry causing phase 2 deletion. |
CSCtb63352 |
Cisco IOS |
VSS: With 6KW DC PS, no power to bringup VSL supervisor or linecard |
CSCtb66983 |
Cisco IOS |
Nas-port-type is missing in Access-request |
CSCtb68478 |
Cisco IOS |
"Illegal nextSsIndex value" message should be removed |
CSCtb87454 |
Cisco IOS |
DHCP Rogue Server Detection |
CSCee83031 |
Infrastructure |
test crash, dumping log before command is displayed |
CSCsc77704 |
Infrastructure |
region_find_by_addr goes into infinite loop when spurious memory occurs. |
CSCsc88003 |
Infrastructure |
Issuing banner exec command under interface range crash switch |
CSCsd99763 |
Infrastructure |
Cisco 7200 series reload unexpectedly while configuring BGP access list |
CSCse40379 |
Infrastructure |
IP SLA: Increasing the request-data-size via CLI crashes the device. |
CSCsk41686 |
Infrastructure |
PARSER-3-CFGLOG_NOMEM: constantly in log |
CSCsm66896 |
Infrastructure |
IP SLA Monitor strDupOctet memory leak |
CSCsq74185 |
Infrastructure |
Image verification not possible on 12.2(33)SRC for the c7200 |
CSCsr08750 |
Infrastructure |
router is crashing after giving the command memory reserve critical 1 |
CSCsr94474 |
Infrastructure |
Running-config stuck: nv_csb_semaphore locked during copy run ftp |
CSCsu65967 |
Infrastructure |
Modular IOS crash at free_lite_internal |
CSCsv90106 |
Infrastructure |
nested crash leads to incomplete crashinfo |
CSCsx10028 |
Infrastructure |
Core dump may fail to write |
CSCsy86078 |
Infrastructure |
Memory corruption Failure |
CSCsz19466 |
Infrastructure |
C2W1: int range command with port-channel load-defer cause router crash |
CSCsz52815 |
Infrastructure |
Crash when 'history hours-of-statistics-kept' has value greater than 9 |
CSCta02715 |
Infrastructure |
SXH5: RP crash on each booting time if <logging count> enabled |
CSCed01880 |
IPServices |
Not able to configure NAT tcp timeouts beyond 4194 sec |
CSCsa41736 |
IPServices |
Router crash after enable NAT rate-limit feature |
CSCsa47672 |
IPServices |
NAT refcount counter maximum value of 65536 (64K) |
CSCse01431 |
IPServices |
NAT-CCE : NAT SBC : outside sip call not go through |
CSCse66643 |
IPServices |
SYS-2-NOBLOCK error when redistributing NAT routes |
CSCsj19805 |
IPServices |
ip igmp static-group broken after reload on int vlan on a 7600 |
CSCsk23972 |
IPServices |
Telnet failed with "No wild listener" error |
CSCsw52416 |
IPServices |
NAT: dynamic nat entries do not timeout in certain case |
CSCsw65614 |
IPServices |
NAT with route maps doesn't work for TCP application |
CSCsx33622 |
IPServices |
Fix MSS calculation issue in TCP |
CSCsx34372 |
IPServices |
c2w21/C2W2b:OSPF is not working with udlr/ude |
CSCsy39623 |
IPServices |
cannot ping local vlan interface ip address with NAT configured |
CSCsy39667 |
IPServices |
dhcp-proxy-client incorrectly sends DHCPRELEASE in PPP-agg use-case |
CSCsy97506 |
IPServices |
All nat'ed multicast packets punted to software |
CSCsz12488 |
IPServices |
LDAP add with malformed BER attributes causes CPUHOG and MALLOCFAIL |
CSCsz56393 |
IPServices |
Modular IOS - SUP720 - Sends malformed syslog packet |
CSCsz89107 |
IPServices |
high cpu due to ip_input process during SNMP trap |
CSCsz91851 |
IPServices |
NAT : ESP packets not translated with static NAT outside translation |
CSCta24043 |
IPServices |
"%IPNAT-4-ADDR_ALLOC_FAIL" message seen when all ports are not allocated |
CSCta83548 |
IPServices |
NAT Platform: unable to clear an specific nat entry |
CSCta89283 |
IPServices |
Add support for NAT redundancy feature in SX releases |
CSCtb58282 |
IPServices |
show tcp brief can cause crash |
CSCsz71787 |
LegacyProtocols |
Router crash by crafted IP packet. |
CSCej82248 |
MPLS |
%LFD-3-NOOCE: Traceback in lfd_fib_update_mpls_oces |
CSCsy60668 |
MPLS |
W1.5:: Toggle "mpls tra router-id" cause router crash |
CSCsz11877 |
MPLS |
MPLS-TE Tunnel label re-allocation on mid-point router while RSVP-GR |
CSCsz75180 |
MPLS |
Crash due to mpls subintf being removed |
CSCsz92368 |
MPLS |
MDEBUG-2-ACCESSFREED: @tc_handle_dead_peers Enabling/disabling "mpls ip" |
CSCsx34506 |
Multicast |
RPF failure with no PIM neighbor triggers PIM Hello |
CSCta26106 |
QoS |
RSVP-3-CONSISTENCY error followed by an unexpected reboot. |
CSCse15634 |
Routing |
neighbor default-originate doesn't work in address-family ipv4 multicast |
CSCse45978 |
Routing |
BGP to RIP redistribution breaks as RIP nexthop moves to alternate path |
CSCsg92473 |
Routing |
Switch crashes - IPV6 reflexive acl scalability test |
CSCsl90028 |
Routing |
CEF low mem crash after pumping more than 1Lac OSPF routes |
CSCsm05082 |
Routing |
BGP Dampening penalty not decaying on frqnt 'sh ip bgp v all' [dampening |
CSCsm79085 |
Routing |
EIGRP routes flapping due to nexthop changed |
CSCso07371 |
Routing |
SCHED-7-WATCH: Attempt to set uninitialized watched boolean in pfxlist |
CSCsq20928 |
Routing |
CEFv6 dropping IPv6 unicast packets |
CSCsq45082 |
Routing |
ip route with associated track/sla gets removed when track is still up |
CSCsq83006 |
Routing |
Port-channel down makes EIGRP SIA |
CSCsr27794 |
Routing |
BGP updates stuck during peer flap |
CSCsu96698 |
Routing |
BGP: /32 route being advertised while 'summary-only' is configured |
CSCsv17933 |
Routing |
Static route in VRF is not redistributed by RIP after link flap |
CSCsv73754 |
Routing |
crash during vrf unconfig - bgp_vpn_impq_add_vrfs_cfg_changes |
CSCsx08294 |
Routing |
OSPF encounters a bus error crash when running SPF |
CSCsx51299 |
Routing |
Crash when remove and configure ipv6 ACL via telnet and console |
CSCsx98673 |
Routing |
PE not send extended-community to a peer newly added to peer-group |
CSCsy29534 |
Routing |
Bus error crash on removing address-family in router rip config mode |
CSCsy73123 |
Routing |
Connected route on port-channel subintf not removed when Po is down |
CSCsy76404 |
Routing |
Modular IOS: memory leak in CEF background process |
CSCsy77842 |
Routing |
TB isis_process_no_router after isis router process deleted |
CSCsy84134 |
Routing |
ARP table is flushed when deleting secondary IP address |
CSCsz16724 |
Routing |
BGPv6: default-metric is not being NVGEN'ed and not functioning |
CSCta60119 |
Routing |
non recursive accounting can cause prefixes linked to drop |
CSCsc49862 |
Security |
IPaddress in Subject Alternative Name is not parsed correctly. |
CSCso27236 |
Security |
IOS CA client shows renew date 1 Jan 1970 |
CSCsv23797 |
Security |
SSH:Crash seen on 7200 on mcp_dev |
CSCsv54863 |
Security |
IOS PKI: Not expired Certificate is deleted if autoenrollment fails |
CSCsz84055 |
Security |
System crashed unexpected while open ssh2 session |
CSCtb36521 |
Security |
PKI get stuck in pager when requesting to fetch SCEP capabilities |
CSCtc41114 |
Security |
New SSH sessions with RSA key fails after changing hostname |
CSCsi56413 |
WAN |
PA-POS-OC3SMI interface output stuck. |
Caveats Resolved in Release 12.2(33)SXH5
Resolved AAA Caveats
Symptoms: When “no aaa new-model” is configured, authentication is performed locally even when TACACS is configured. This happens for exec users under the vty configuration.
Conditions: Configure “no aaa new-model”, configure login local under line vty 0 4 and configure login tacacs under line vty 0 4.
Workaround: There is no workaround.
Resolved Infrastructure Caveats
Symptom: Three separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site scripting (XSS) vulnerabilities and a cross-site request forgery (CSRF) vulnerability have been reported to Cisco by three independent researchers.
The Cisco Security Response is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20090114-http
Conditions: See “Additional Information” section in the posted response for further details.
Workarounds: See “Workaround” section in the posted response for further details.
Resolved IPServices Caveats
Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of the affected features are enabled, a successful attack will result in a blocked input queue on the inbound interface. Only crafted UDP packets destined for the device could result in the interface being blocked; transit traffic will not block the interface.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the workarounds section of the advisory.
This advisory is posted at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-udp
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted TCP/IP packets could cause any of the following results:
– The configured feature may stop accepting new connections or sessions.
– The memory of the device may be consumed.
– The device may experience prolonged high CPU utilization.
– The device may reload.
Cisco has released free software updates that address this vulnerability.
Workarounds that mitigate this vulnerability are available in the “workarounds” section of the advisory.
The advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-ip
Symptom: An IOS software crash may occur when receiving a specific malformed DHCP packet.
Conditions: An IOS device is configured as a DHCP server and receives a DHCP-request from a DHCP relay device. A specific malformed option in the packet may induce a software traceback or crash. The specific packet will not occur without manual modification.
Workaround: None.
Multiple Cisco products are affected by denial of service (DoS) vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system.
In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash. This additional vulnerability was found as a result of testing the TCP state manipulation vulnerabilities.
Cisco has released free software updates for download from the Cisco website that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090908-tcp24.
Symptom: High CPU utilization occurs after the device receives an ARP packet with protocol type 0x1000.
Conditions: This problem occurs on SUP32 running 12.2(33)SXI. This problem does not occur on SUP720. The problem is seen only when the bridge-group CLI is in use, which leads to ARP packets with protocol type 0x1000 being bridged. The problem does not apply to IP ARP packets.
Workaround: Filter the ARP packet. The device configuration should have bridge-group creation first, followed by interface-specific bridge-group options.
Additional Information: This problem is now isolated to command ordering in the startup-config file. The bridge <> command is saved before the bridge-group <> command (which is run in the interface-config mode) is saved. The linking of the IDB to the bridge structure does not happen correctly, and a check in the bridge code fails, which lets the packet be processed again and again instead of being dropped.
If the bridge-group <> command is removed in the startup-config and only applied after the bridge <> command is run, the problem will go away. Please use this workaround until a fix is put in.
Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets can cause the vulnerable device to reload.
Cisco has released free software updates that address this vulnerability.
Several mitigation strategies are outlined in the workarounds section of this advisory.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090325-tcp
Resolved LAN Caveats
Summary: Cisco’s VTP protocol implementation in some versions of Cisco IOS and CatOS may be vulnerable to a DoS attack via a specially crafted VTP packet sent from the local network segment when operating in either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash (and reload/hang). The crafted packet must be received on a switch interface configured to operate as a trunk port.
Workarounds: There are no workarounds available for this vulnerability.
This response is posted at http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20081105-vtp
Resolved Multicast Caveats
Symptom: MSFC crashes with RedZone memory corruption.
Conditions: This problem is seen when processing an Auto-RP packet and NAT is enabled.
Workaround: None known at this time.
Symptoms: PIM packets may be processed on interfaces on which PIM is not explicitly configured.
Conditions: Unknown at this time.
Workarounds: Create an ACL to drop PIM packets to such interfaces.
Resolved Routing Caveats
Symptom: A Cisco IOS device that receives a BGP update message and, as a result of AS prepending, needs to send an update downstream that would have over 255 AS hops will send an invalidly formatted update. When a downstream BGP speaker receives this update, it sends a NOTIFICATION back to the sender, which results in the BGP session being reset.
Conditions: This problem is seen when a Cisco IOS device receives a BGP update and, due to inbound AS prepending, outbound AS prepending, or both, needs to send an update downstream that has more than 255 AS hops.
Workaround: The workaround is to implement bgp maxas-limit X on the device that, after prepending, would need to send an update with over 255 AS hops. Because IOS limits the route-map prepending value to 10, the most that could be added is 21 AS hops (10 on ingress, 10 on egress, and 1 for normal eBGP AS hop addition). Therefore, a conservative value to configure would be 200 to prevent this condition.
Other Resolved Caveats in Release 12.2(33)SXH5
CSCec82106 | AAA | Router crashes with a bus error when removing AAA comands
CSCei62358 | AAA | Downloading callback-dialstring as part of Tacacs+ author leads to crash
CSCin40015 | AAA | telnet to NAS fails when user profile has access-profile
CSCsc78999 | AAA | Address Error exception at TPLUS
CSCse02550 | AAA | ip radius source-interface not used in combination with vrf
CSCsl63494 | AAA | Issue with session accounting in AAA
CSCsq37815 | AAA | Case sensitive Username authentication is passed with wrong user name
CSCsq94524 | AAA | "aaa accounting update newinfo" causes extra "jitter maximum 0" option
CSCsv06973 | AAA | Router Crashes at tplus_shutdown_single_connection
CSCsw19816 | AAA | cat6000: IOS login enhancments not creating logs for telnet with AAA
CSCsy00716 | AAA | Accounting record has sensitive information in clear text structure
CSCso64050 | ATM | HA functionality is not working when policy attached to atm pvc
CSCeg35237 | Cisco IOS | Watchdog crash after sh crypto session
CSCeg80842 | Cisco IOS | PA-MC-8TE1 controller stuck ( similar to CSCdz72292)
CSCek70131 | Cisco IOS | SIP1 crash at vip_mlp_fastsend with HEARTBEAT error for mlppp qos
CSCek77996 | Cisco IOS | High CPU caused by data traffic with crypto map in crypto connect mode
CSCsd04608 | Cisco IOS | MQC-IPHC: Router crashed while testing mqc-iphc test
CSCsd45698 | Cisco IOS | Cat6K: SLB punted to CPU if src_index is port-channel index
CSCse63833 | Cisco IOS | SNMP bus error while polling cipsStaticCryptomapTable.
CSCsg14926 | Cisco IOS | Standby can not boot because of insufficient memory with 32K interfaces
CSCsg83756 | Cisco IOS | SPA-8XCHT1/E1 after Reload C/A LED green even if no cable plugged
CSCsg87290 | Cisco IOS | SIP1-ChOC3: Extra path flap is observed on ChOC3 SPA interfaces
CSCsh22225 | Cisco IOS | CWAN_HA-STDBY-4-IFCFG_PLAYBACK_ERROR:
CSCsi55428 | Cisco IOS | FRU Trap sequence incorrect when " hw-module subslot shutdown unpowered"
CSCsi78584 | Cisco IOS | T3/E3 SPA:Line protocol is not comin up with E3 and framing bypass
CSCsj19308 | Cisco IOS | PE and CE ping fails over multilink ppp bundle..
CSCsk30196 | Cisco IOS | BADBUFFER error at pak_copy_contiguous_to_contiguous
CSCsk33045 | Cisco IOS | MST BPDU *must* be sent untagged, even when the switch is configured wit
CSCsk49151 | Cisco IOS | Vlan policy-map rejected upon reloading.
CSCsk67417 | Cisco IOS | Crash while two or more users displays: show ip arp inspection log
CSCsk84498 | Cisco IOS | EVERGLADES:archive,write-mem feature broken
CSCsk89091 | Cisco IOS | HWIF-QOS-ERR: Failure installing Port QoS TX/Rx setting
CSCsl44170 | Cisco IOS | LI tapped PPPoE LCP/PPP control packets originated from router are bogus
CSCsl53279 | Cisco IOS | Physical interfaces on Cat6k set to 10 usec regardless of line speed
CSCsl72332 | Cisco IOS | cat6k crash with 'no mobility network-id 4'
CSCsm44147 | Cisco IOS | SSO failure due to mismatched command on SRB1
CSCsm66678 | Cisco IOS | Policing not working in MPLS cloud
CSCsm72121 | Cisco IOS | W2: bad cookie magic was detected after SSO switchover with sh vtp count
CSCsm74948 | Cisco IOS | mVPN RP does not send join to directed connected neigbor PE
CSCsm76792 | Cisco IOS | PM HA bulk sync posting RF_DONE before bulk sync has finished
CSCsm79995 | Cisco IOS | Tracebacks are seen while attaching service-policy in a atm pvc
CSCsm83256 | Cisco IOS | IDSM2 Data port operation status not OK after boot OR SSO
CSCsm98671 | Cisco IOS | TestTrafficStress fails with certain configuration
CSCso03419 | Cisco IOS | VRF_Lite aware PBR: Set ip vrf clause changes on Reload/SSO with SIERRA.
CSCso05889 | Cisco IOS | Pak Subblock creation fails from CEF in ION
CSCso11489 | Cisco IOS | %SYS-SP-3-INVMEMINT while collecting ION crashinfo
CSCso11822 | Cisco IOS | LACP PC switchport, on OIR, "channel group 112 active" config gets lost
CSCso35659 | Cisco IOS | L3 traffic rate limited after adding and removing Xcon to a SVI
CSCso38671 | Cisco IOS | VS specific message seen on Sup32 image when "erase startup-config"
CSCso40891 | Cisco IOS | Stb rp reloaded during every bootup, process = FM, fm_free_platform_data
CSCso72250 | Cisco IOS | Incorrect color for SYSTEM led of Active and Standby sup in VS mode
CSCso88183 | Cisco IOS | DOME:dumper.proc crashes on dome when another process crashes
CSCso93350 | Cisco IOS | Boot string fails to set in rommon but no error message
CSCsq22383 | Cisco IOS | SP crash due to CPU hog by online diags
CSCsq56941 | Cisco IOS | 6500 - Static MAC cleared from port-channel member ints after reload
CSCsq73122 | Cisco IOS | Proxy-ARP returns BIA instead of VMAC with LAM
CSCsq82865 | Cisco IOS | Parsing error reading route-map match statements if longer than 254 chrs
CSCsq87496 | Cisco IOS | "%OIR-6-INSCARD" syslog not being send from the device
CSCsr06037 | Cisco IOS | the monitor session source is removed by deleting sub-interface
CSCsr08482 | Cisco IOS | PM support to program ethertype to all ports when port-group in mux mode
CSCsr09062 | Cisco IOS | MLP+QoS - Memory corruption due to Change BW and flap int
CSCsr24647 | Cisco IOS | MSFC autostate don't up svclc Vlan int after two SSO switchover
CSCsr29559 | Cisco IOS | WCCP flap corrupts mcast CEF adjacency
CSCsr39272 | Cisco IOS | %DATACORRUPTION-1 due to spa sensor temp overruning buffer
CSCsr88845 | Cisco IOS | unicast BootP replies dropped by DHCP snooping
CSCsu01372 | Cisco IOS | 33SB: Result of boot config command not sync to standby RP after reload
CSCsu10022 | Cisco IOS | L2 traffic is policed when CoPP is enabled
CSCsu33707 | Cisco IOS | Multicast traffic will not stop after PIM prune
CSCsu40077 | Cisco IOS | MAB + Dot1x + aggressive timers leave port unauthorized but forwarding
CSCsu40166 | Cisco IOS | PBR packets send out to wrong next hop MAC after ACL is changed
CSCsu48241 | Cisco IOS | memory leak when removing igmp snooping with acl filtering
CSCsu49257 | Cisco IOS | Cstn-id timer should be restarted when access-request is seen
CSCsu50413 | Cisco IOS | RE: acl merge causes high rp cpu for ~50 min after reload
CSCsu67559 | Cisco IOS | Copy Run Start does not provide the same functionality as 'wr mem'
CSCsu75546 | Cisco IOS | C2W21: traffic not span to NAM using span conf mode local-tx source intf
CSCsu81158 | Cisco IOS | Pkt drops on SIP-400 LC due to QoS lock fail for subintfs.
CSCsu83563 | Cisco IOS | MMLS:If rate-lt on when STDBY reloads, doesnt work on swovr:x40/dual RSP
CSCsu86524 | Cisco IOS | IKMP process leak: check_ipsec_proposal
CSCsu88557 | Cisco IOS | [no] mdix auto" CLI command not present for WS-X6196-RJ21"
CSCsu91725 | Cisco IOS | Bus crash problem due to cipSecGlobalStats MIB query
CSCsu95237 | Cisco IOS | SSO switchover,clear packet seen on the wire exposing the inner IP pkt
CSCsu97020 | Cisco IOS | policer on flexwan/multilink is dropping even CIR is not reached
CSCsu99270 | Cisco IOS | CPUHOG observed when configuring more vlan interfaces
CSCsv05263 | Cisco IOS | Sup32 crashes when dumping r2d2 registers
CSCsv07858 | Cisco IOS | IfIndex for unconfigured VLAN on 7613
CSCsv09249 | Cisco IOS | VSS after dual-active recovery MEC on standby chassis UDLD error disable
CSCsv14886 | Cisco IOS | Failure to send RADIUS state attribute
CSCsv17989 | Cisco IOS | interface in SIP200 show "admin down" when it is physical down
CSCsv20339 | Cisco IOS | MN history table is flooded with multiple (~500) add/delete entries
CSCsv20768 | Cisco IOS | After SSO s/wover, atm clock config changes to line and PTB to UNSTABLE
CSCsv20920 | Cisco IOS | telnet from a GRE tunnel to real address for DNS vserver fails
CSCsv22779 | Cisco IOS | VRF-PBR: Packets dropped with reflexive acl
CSCsv24742 | Cisco IOS | PfR exit link is OOP when interface counter wraps
CSCsv30679 | Cisco IOS | Sup detetes Vlans from Sup IDSM Config on startup / failover
CSCsv32101 | Cisco IOS | QoS: memory corruption traceback when using access-list with time range
CSCsv37543 | Cisco IOS | GRE/IPsec misconfig is only resovled through module or chassis reload
CSCsv38928 | Cisco IOS | IGMP Snooping does not send out Global query on 2nd TCN < 35 seconds
CSCsv43991 | Cisco IOS | FWSM's internal portchannel on the cat6k side goes down after upgrading
CSCsv44923 | Cisco IOS | MAC move behind phone leads to lost connectivity with MAB
CSCsv52426 | Cisco IOS | GRE Recirc index is 0x0 in adjacency hence encap operation fails on DFC
CSCsv57235 | Cisco IOS | duplex is changing automatically on WS-X6148-RJ-45
CSCsv57305 | Cisco IOS | VSS: software forced reload with 100Mbps SFPs in supervisor uplink ports
CSCsv58279 | Cisco IOS | Reload due to Address Error with multicast configuration
CSCsv60643 | Cisco IOS | sup4 when toggled 10g mode the config is not synced to standby sup
CSCsv64079 | Cisco IOS | SXF7: Patching fails with WiSM Card on Cat6500
CSCsv66706 | Cisco IOS | IDSM port-channel Allowed-Vlan statements lost on reload
CSCsv66827 | Cisco IOS | Clearing the SSH session from a different vty session crashes the box.
CSCsv73299 | Cisco IOS | L2 multicast forwarding broken with DHCP snooping & TTL rate-limiter
CSCsv74607 | Cisco IOS | Pid 21: Process "IPC Seat Manager" stack 0x4732A474 savedsp 0x5002AE98
CSCsv75511 | Cisco IOS | VSS:NAM on standby switch can't reach netwk after unconfig re-config...
CSCsv76509 | Cisco IOS | Cat6k/MSTP in compat mode BPDUs sent in VLAN1 regardless of config
CSCsv85551 | Cisco IOS | SP crash due to consume all scp triggered by OIR loop when PS go off
CSCsv86288 | Cisco IOS | Sending a hello response with a session-id element causes a crash
CSCsv92872 | Cisco IOS | 10GE link on Sup720-10GE takes more than 30sec to go down during crash
CSCsw17478 | Cisco IOS | PVT HOSTS- ports programmed with incorrect rdt index upon bootup
CSCsw18793 | Cisco IOS | VRF-PBR: TCAM adjacency not programmed with multiset policy order after
CSCsw25255 | Cisco IOS | Rapid PVST : Slow convergence unless debug spanning event is turned on
CSCsw31607 | Cisco IOS | LTL index incorrect in PI MET table
CSCsw39798 | Cisco IOS | Sup32 failover causes line protocol down to IP phone with dot1x config
CSCsw41168 | Cisco IOS | %ALIGN-3-SPURIOUS at sm_get_portEntPhyIndex
CSCsw41439 | Cisco IOS | W21,VSL,SNMP,cvsCoreSwitchPreempt,cvsCoreSwitchPriority not SSO aware.
CSCsw43953 | Cisco IOS | Card not identified SIP Is OIR'd during Standby SUP bootup
CSCsw45396 | Cisco IOS | when STP recovered in uplinkfast,no sent dummy multicast packets
CSCsw48824 | Cisco IOS | Switchport Block Unicast - prevents RTP on same VLAN
CSCsw51395 | Cisco IOS | Proper handling is required for Mac-Filter with Port-security
CSCsw53362 | Cisco IOS | c2w2b: Device crashes with NAT stress test
CSCsw59517 | Cisco IOS | IGMPv3 snooping drops 'Block Old Sources' report
CSCsw73302 | Cisco IOS | memory leak in qm_increment_ag_policer_usage on standby-rp
CSCsw82732 | Cisco IOS | VPN-SPA internal vlan interface wedged in SXH4
CSCsw87352 | Cisco IOS | 6748's port can not forwarding traffic - port src index wrong
CSCsw87563 | Cisco IOS | packets with multicast mac and unicast ip are software routed by cat6500
CSCsw90798 | Cisco IOS | Bus error crash after configuring vlan name change
CSCsw98231 | Cisco IOS | SDBY stuck @ CEF RRP RF Client(5025) after ISSU RV
CSCsx16206 | Cisco IOS | Traffic loss issue from SFM capable modules to other device through DEC
CSCsx37615 | Cisco IOS | VSS: rem comm standby-rp sh plat hardware capacity may reset switch
CSCsx39263 | Cisco IOS | TCAM entries are not installed for TCP intercept after SSO
CSCsx70229 | Cisco IOS | Add the symbols back in SXH throttle which were removed by CSCsw82732
CSCsx76308 | Cisco IOS | HA client crashing attempting to free unassigned memory
CSCsx83443 | Cisco IOS | crypto debug condition leaks messages which lead to high cpu.
CSCsy22802 | Cisco IOS | MPLS VPN broken, vrf connection (permit missing for internal vlan acl)
CSCsy24691 | Cisco IOS | entPhysicalTable has power-input 3 Sensor for 6kW DC PS1 and not PS2
CSCsy79691 | Cisco IOS | RP crash with dot1x critical authentication configured
CSCsy83830 | Cisco IOS | IOS-RLB crashes while deleting the username sticky
CSCsy96102 | Cisco IOS | FM-4-MPLS_RSVD_VLAN_ERROR-failed to remove feature when vrf delete
CSCsr27727 | Content | Cat6K experiences a reload after %SYS-2-ASSERTION_FAILED: message
CSCsx40747 | Content | Router hangs while doing ip casa configurations
CSCed33145 | Infrastructure | line vty exec-timeout not working properly, def causes spur mem acc
CSCef82896 | Infrastructure | When removing the user name from auth dialog, http crashes
CSCek62770 | Infrastructure | bundles need to include CW_ strings
CSCin79116 | Infrastructure | show memory summary could push the CPU util to 100%
CSCsb98906 | Infrastructure | Memory Leak with bgp regexp deterministic configuration
CSCsc86307 | Infrastructure | c3845 crashed @ show_systat
CSCsd55059 | Infrastructure | polling CISCO-FLASH-MIB slows down GSR
CSCse41523 | Infrastructure | bootldr config caused stbyPRE reset if file does not exist on stby-bootf
CSCse49151 | Infrastructure | 3800 clock slip over times verified in lab
CSCsh66245 | Infrastructure | Lowest memory is too low after reload on Cisco 10000
CSCsj24186 | Infrastructure | %SYS-2-NOBLOCK messages from Pool Manager process
CSCsj67434 | Infrastructure | The CLI: 'parser config cache interface' does not work
CSCsm27493 | Infrastructure | procmib_server port has to send rpc reply only for RPC requests.
CSCso29361 | Infrastructure | cfg added under interface range vlan not being added in redundant sup
CSCsq19159 | Infrastructure | RP crashes in chassismib_add_sub_card_entry after linecard reload
CSCsv80900 | Infrastructure | W21:: EARL-SPSTBY-2-SWITCH_BUS_IDLE & PF_ASIC-SPSTBY-3-ASIC_DUMP @boot
CSCsv86766 | Infrastructure | Signature fail while copy, causing system:/running-config to be deleted
CSCsw35917 | Infrastructure | SP syslog messages not sent as SNMP traps by RP's SNMP agent
CSCsw61555 | Infrastructure | Router Crashes after doing SSO
CSCsx32841 | Infrastructure | ceImageDescription may exceed 255 characters
CSCsx95675 | Infrastructure | interface config disappear after "wr mem"
CSCsy55455 | Infrastructure | Crash at saaComponentGet
CSCec72958 | IPServices | Software forced crash when translating LDAP packet
CSCef58137 | IPServices | Router Crash after high CPU, when IPNAT configured with route-map
CSCek10384 | IPServices | 7200 NAT dropping Out to In ESP Packets
CSCsh49973 | IPServices | NAT-ALG corrupts offset value of DNS PTR response
CSCsj41479 | IPServices | DHCP Services should not be enabled by default in IOS
CSCsj76907 | IPServices | IPv6 UDP sockets may incorrectly show "--any--" for local address
CSCsk16821 | IPServices | DHCP does not NAK after DHCPREQUEST from unknown client.
CSCsm89795 | IPServices | Orbitty repeatedly Crashes - Succeptible to Denial of service attacks
CSCso02053 | IPServices | NAT does not add dynamic aliases after reload.
CSCso04657 | IPServices | SSLVPN service stops accepting any new SSLVPN connections
CSCso39062 | IPServices | C2W2: %SYS-3-INVMEMINT: Invalid memory action message & TB's with PAT.
CSCso54027 | IPServices | Spurious memory access in ttcp_rcv_stats
CSCsq14311 | IPServices | 7200 crash - ipnat_unlock_parent_entry (PPTP)
CSCsq81365 | IPServices | MFI: UDP forwarded-protocols from VRF are leaked into global table
CSCsq92440 | IPServices | Router Crash with igmp static grp classmap for 10k grps on 10 subints
CSCsu10108 | IPServices | TFTP Server function is not working in 7600 router
CSCsu64215 | IPServices | ip tcp adjust-mss command results in packet loss for non-TCP traffic
CSCsu72176 | IPServices | Crash:Process Deadlock in Standby while reloading UUT with DHCP configs
CSCsu95319 | IPServices | IGMP report was not sent to helper address.
CSCsv16987 | IPServices | nat pool size more than 16 bit long should not be configured
CSCsv86201 | IPServices | Modular IOS : max sockets overflow
CSCsw16698 | IPServices | DHCP database could not be locked DHCPD process could not lock semaphore
CSCsw51864 | IPServices | CHUNKFREE error and crash when changing NAT config
CSCsw68135 | IPServices | Removing static nat with route-map cause Address Error
CSCsw73391 | IPServices | ip igmp limit gets stuck
CSCsx09343 | IPServices | Name resolution triggers pager in non-interactive mode.
CSCsx23602 | IPServices | crash after 'clear ip nat trans *'
CSCsx32283 | IPServices | Malformed L field in LDAP crashes 6k with NAT
CSCsx74657 | IPServices | Many issues with NAT/Multicast feature
CSCsy26750 | IPServices | 6k Crash with ipnat_ldap_fixup (Redundancy Checks needed)
CSCsy45371 | IPServices | NAT: two static nat entry related issues
CSCsw81485 | LegacyProtocols | Unconfiguring IPX crashes the switch
CSCsu10229 | Management | The cdpCacheAddress mib not providing GLOBAL_UNICAST Address
CSCsw66153 | Management | Native vlan not displayed in show cdp neighbor detail
CSCsr50099 | MPLS | show ip explicit-paths command incorrectly displays source route type
CSCsv00773 | MPLS | Loose Path Reopt not applied when link costs changed
CSCsv41456 | MPLS | Tracebacks seen at IFMGR-3-DUP_IFINDEXifDescr"Virtual-Access2-mpls layer
CSCsw35638 | MPLS | FRR Interoperability issue between Juniper PLR and IOS MP
CSCsb77148 | Multicast | sh ip mpacket x.x.x.x quality output is wrong after counter wraps around
CSCsr82895 | Multicast | watchdog timeout : RP Crash @ igmp_rejoin_groups during RP Switchover
CSCsu86494 | Multicast | Assert flag is not cleared after PIM neighbor loss
CSCsu95080 | Multicast | mld_processs block forever in the init_process when parsing config
CSCsv29659 | Multicast | RP configured inside the nat not shown on uut outside the nat
CSCsx15396 | Multicast | Mcast IIF stays up while physical interface is down
CSCsx28948 | Multicast | I/O Memory leak on 7200
CSCsx58861 | Multicast | Crash due to Stack for iGMP process running low
CSCsf07760 | PPP | MLP: Crashes/buffer leaks when large number of sessions come up at once
CSCsr81271 | PPP | Invalid VCD error messages upon PVC flap
CSCsu70011 | PPP | ipv6 static route pointing to multilink (flexwan) dissapears after sso
CSCee63182 | QoS | Router crashes while implementing rate-limit
CSCek75808 | QoS | MF: Crash observed at qos_show_policymap_interface_all
CSCsl94263 | QoS | Router crash at stile_update_fast_flag due to random-detect dscp-base
CSCsm97014 | QoS | Connectivity breaks for QOS + header compression on virtual templates
CSCsr05501 | QoS | % NBAR Error: hwidb could not found shows up when reload
CSCsv85791 | QoS | Flexwan+/PA-MC-2T3+ introduce 5+ seconds delay on egress
CSCed71294 | Routing | Multicast multipath does not work in the vrf context
CSCee30355 | Routing | Memory leak at ip_multicast_ctl
CSCef65457 | Routing | EIGRP and RIP advertise null0 static routes after they are removed
CSCej49366 | Routing | Removing default-metric under EIGRP deletes routes erroneously
CSCsb15164 | Routing | Security holes while configuring a standard ACE with host address
CSCsd25753 | Routing | BGP Aggregated supernet routes not Advertised properly
CSCse68877 | Routing | CEF/BGP table MPLS label mismatch YW3 Non Multi-path
CSCsg68717 | Routing | A weird behavior in maxpath configuration in ebgp+ibgp case
CSCsh34417 | Routing | BGP Distance not updated following failover to a path with a greater dis
CSCsh54161 | Routing | dune, Nov image goes unstable - creates eigrp routing loops
CSCsi70484 | Routing | OSPF SPF running constantly if LSID conflicts & prefix filter used.
CSCsj13911 | Routing | Cat3750:EIGRP does not receive reply for query between some Vlan
CSCsj42399 | Routing | Redistributed static covered by network statement sets metric to 0
CSCsk11930 | Routing | Not able to reconfigure the numbered ip extcommunity-list
CSCsk35688 | Routing | Aggregate routes not processed if child routes are deleted pre-maturely
CSCsk80250 | Routing | BGP has to handle the return value REXP_DONTKNOW of regexec_hybrid
CSCsk87526 | Routing | T/B ipv6_rib_process_changeQ after shut cmd applied Int. running RIPng
CSCsl32318 | Routing | OSPF: new fix for CSCsk36324 SPF loop
CSCsl48075 | Routing | Floating static route behaves incorrectly in 6vPE
CSCsl49628 | Routing | VRF is not getting deleted in 'sh vrf' output
CSCsl51616 | Routing | v6-vrf-lite config doesn't sync properly with standby
CSCsm57494 | Routing | BGP update is not sent after reloading opposite router
CSCsm91959 | Routing | Code review: aggregation child routes can miss aggregation logic
CSCsm95129 | Routing | "no ip next-hop-self eigrp" not working when redistribute from BGP
CSCsm96901 | Routing | Unable to ping between vrfs through transparent bridge
CSCso39597 | Routing | StbyRP crashed @ bgp_vpnv4_bulk_sync_mpls_lbl_binding during bulk sync
CSCso51519 | Routing | Paths with same Nexthop selected as multipaths in some sequence
CSCso55151 | Routing | ADJ not freeing memory under IPv6 ND stress test
CSCso90107 | Routing | SNMP: bgpPeertable and cbgpPeertable shows only results for ipv4 peers
CSCsq24935 | Routing | Switch crash due to unsupported bgp/ipv6 command
CSCsq43831 | Routing | Stack overflow due to recursion in FIB
CSCsq97517 | Routing | C2W2: Mago: CEF on RP is not in sync with SP after reboot.
CSCsr01403 | Routing | cefswitching2.1:More time taken(12 mts) to converge after Adjacency flap
CSCsr11662 | Routing | EIGRP active routes never go to SIA, queries not sent
CSCsr50704 | Routing | dmzlink-bw programs wrong traffic share count in routing table
CSCsr51801 | Routing | upon router reload some of the route-maps not permitting the prefixes.
CSCsr67361 | Routing | I/O memory leaks when BGP neighbor points to a local address
CSCsr86174 | Routing | aggregate-address under address-family does not appear in conf
CSCsr90248 | Routing | "aggregate-address advertise-map" not updated dynamically
CSCsu06447 | Routing | EIGRP:static route redistribution not working with distribution-list
CSCsu11161 | Routing | Neighbor x.x.x.x default-originate issues seen in 12.2 code
CSCsu12040 | Routing | PE with CsC configuration sends wrong labels to SPE
CSCsu63996 | Routing | OSPF flaps after SSO switchover causes traffic loss after SSO switchover
CSCsu76993 | Routing | EIGRP:Routes not tagged with match source redistribution-source
CSCsv01474 | Routing | 'ip rip advertise' command lost after interface flap/clear ip route
CSCsv05009 | Routing | %OSPF-4-FLOOD_WAR: error during heavy flaps for type-5 and type-7 LSAs
CSCsv27607 | Routing | BGP: Outbound route-map updating withdraw only one member
CSCsv85052 | Routing | Crash observed when "ispf" is issued in vty with ip routing disabled
CSCsv89643 | Routing | OSPF: MAC address of next hop unresolved on ptp eth by adjacency bringup
CSCsv97472 | Routing | CSCso62166_dcq_issue_rn_walktree_timed_locking is changed
CSCsw24286 | Routing | TE tunnel bandwidth command breaks isis topology
CSCsw24826 | Routing | OSPF crash during type-9 maxage
CSCsw28893 | Routing | Cost no longer showing with each eigrp route after IOS upgrade
CSCsw65441 | Routing | ARP packets drops due to excessive ARP requests sourced from SVI
CSCsw65933 | Routing | Prefix not learned from PE to CE
CSCsw79397 | Routing | Device crashing at bgp_command_af_specific
CSCsx06457 | Routing | BGP may modify routes it does not own
CSCsx15841 | Routing | aggregate-address does not NVGEN upon switchover on cat6k
CSCsx17446 | Routing | Tunnel route and a non-tunnel (IGP) route with same metric (TE metric)
CSCsx51596 | Routing | TCAM ACL entry not correct after removing IP accounting
CSCsx99015 | Routing | crash if OSPF redistributes another OSPF and interface bw changes
CSCsy15150 | Routing | 33SXH5: Traceback @ isis_router when default interface configured
CSCsy45838 | Routing | show ip ospf border-router crashing router
CSCea11368 | Security | CRL fetch using ldap fails if vrf configured in trustpoint
CSCeh75136 | Security | TACACS+ rem_addr field empty after first SSH authen attempt fails
CSCsc91824 | Security | SSH from router disconnects vty session if there is no matching cipher
CSCsv20285 | Security | Whitney:Authentication to the CA server failed using ION.
CSCsx15430 | Security | Verbose name lookup calls in IP context causes PKI to block due to pager
CSCsx17447 | Security | IOS not including HOST header in HTTP CRL request
CSCsy16177 | Security | scp:copy to router over sshv2 fails with invalid checksum error
CSCsy22311 | Security | SCP b/w IOS routers fails while the client is receiving file from server
CSCsc67488 | WAN | ARP Req from Frame Relay causes %IP-4-ZERO_ADDR: Zero MAC address Error
CSCso62193 | WAN | Standby resets due to parser return error "no frame-relay vc-bundle"
Caveats Resolved in Release 12.2(33)SXH4
Resolved Infrastructure Caveats
Symptom: The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.
One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both “show” and “configure” commands to be executed on the device through requests sent over the HTTP protocol.
Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.
If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.
Conditions: For a Cisco IOS device to be affected by this issue all of the following conditions must be met:
– An enable password is not present in the device configuration
– Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled
– No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System)
The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.
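The three conditions above can be checked against a saved running configuration. The following Python check is an added example, not Cisco code: the sample configurations are constructed, the `ip http authentication` and `ip http access-class` commands it looks for are not named on this page, and the `http_default_enabled` parameter (plus treating the HTTPS server as off unless configured) is an assumption of the example, since the caveat only states that the HTTP server is enabled by default on some releases.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample configurations (not taken from any real device).
EXPOSED = """\
hostname lab-sw1
!
ip http server
ip http secure-server
"""
WITH_ENABLE_SECRET = """\
hostname lab-sw2
enable secret 5 $1$EXAMPLE$constructedhashvalue000000
ip http server
"""
WITH_LOCAL_AUTH = """\
hostname lab-sw3
username admin privilege 15 secret 5 $1$EXAMPLE$constructedhashvalue000000
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
"""
DISABLED = """\
hostname lab-sw4
no ip http server
no ip http secure-server
"""
NO_HTTP_LINES = "hostname lab-sw5\n"


@dataclass
class HttpAuthAudit:
    http_enabled: bool
    https_enabled: bool
    enable_password_set: bool
    other_auth_method: Optional[str]  # e.g. aaa / local / tacacs, or None
    access_class: Optional[str]       # ACL limiting HTTP clients, or None

    @property
    def exposed(self) -> bool:
        """True when all three conditions listed in the caveat hold."""
        return ((self.http_enabled or self.https_enabled)
                and not self.enable_password_set
                and self.other_auth_method is None)


def audit_http_auth(config_text: str,
                    http_default_enabled: bool = False) -> HttpAuthAudit:
    """Evaluate a running-config against the caveat's conditions.

    http_default_enabled models releases where the HTTP server is on
    unless 'no ip http server' appears (assumption of this example).
    Per-privilege-level 'enable secret level N' forms are not distinguished.
    """
    http, https = http_default_enabled, False
    enable_set = False
    auth_method: Optional[str] = None
    access_class: Optional[str] = None

    for raw in config_text.splitlines():
        line = " ".join(raw.split())           # normalise whitespace
        if not line or line.startswith("!"):   # blank line or comment
            continue
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        if cmd == "ip http server":
            http = not negated
        elif cmd == "ip http secure-server":
            https = not negated
        elif cmd.startswith("ip http authentication "):
            auth_method = None if negated else cmd.split()[3]
        elif cmd.startswith("ip http access-class "):
            access_class = None if negated else cmd.split(" ", 3)[3]
        elif not negated and cmd.startswith(("enable secret ",
                                             "enable password ")):
            enable_set = True

    # 'enable' is the default method, so it does not count as "other".
    other = auth_method if auth_method not in (None, "enable") else None
    return HttpAuthAudit(http, https, enable_set, other, access_class)


def findings(audit: HttpAuthAudit) -> List[str]:
    """Human-readable findings for one device."""
    out = []
    if audit.exposed:
        out.append("HTTP/HTTPS server may execute commands without authentication")
    if (audit.http_enabled or audit.https_enabled) and audit.access_class is None:
        out.append("HTTP/HTTPS server not restricted to trusted management hosts")
    return out


if __name__ == "__main__":
    for name, cfg in [("EXPOSED", EXPOSED), ("WITH_ENABLE_SECRET", WITH_ENABLE_SECRET),
                      ("WITH_LOCAL_AUTH", WITH_LOCAL_AUTH), ("DISABLED", DISABLED)]:
        print(name, findings(audit_http_auth(cfg)) or "no findings")
```

Run it with `http_default_enabled=True` for devices whose release enables the HTTP server by default, because such a configuration can meet the conditions without containing any `ip http` line.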
Workaround: Any of the following workarounds can be implemented:
– Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password
Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured.
In order to configure an enable password by using the enable secret command, add the following line to the device configuration:
enable secret mypassword
Replace mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy. The document entitled “Cisco IOS Password Encryption Facts” explains the differences between using the enable secret and the enable password commands to configure an enable password. This document is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml
– Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default
Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such an authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. Because the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and depends on other additional factors, no example is provided. Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled “AAA Control of the IOS HTTP Server”, which is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
– Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality
Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the following commands to the device configuration:
no ip http server
no ip http secure-server
The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored.
Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.
Further Problem Description: In addition to the explicit workarounds detailed above, it is highly recommended that customers limit access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server to only trusted management hosts. Information on how to restrict access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server based on IP addresses is available at the following link: http://www.cisco.com/en/US/docs/ios-xml/ios/https/configuration/12-4/nm-http-web.html#GUID-BB57C0D5-71DB-47C5-9C11-8146773D1127
Customers are also advised to review the “Management Plane” section of the document entitled “Cisco Guide to Harden Cisco IOS Devices” for additional recommendations to secure management connections to Cisco IOS devices. This document is available at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Other Resolved Caveats in Release 12.2(33)SXH4
|
|
|
CSCef97900 |
AAA |
AAAA-3-DROPACCTLOWMEM warning message somewhat misleading |
CSCin45879 |
AAA |
Router reloaded with radius reorder & dead server & server-private |
CSCsl29214 |
AAA |
AAA server change leads to bus error crash after "show run" is issued |
CSCsl47365 |
AAA |
TACACS+ authorization should ignore unknown attribute |
CSCsu21040 |
AAA |
Enable authentication prompts for username/password instead of just pass |
CSCsu42152 |
AAA |
authorization fails if fallback method is "if-authenticated" |
CSCek37984 |
Cisco IOS |
Inconsistent BERT behaviour observed on TE1 SPA |
CSCek40773 |
Cisco IOS |
CE-CE connectivity broken on MPLS VPN with GRE tunnel in VPN core |
CSCek71010 |
Cisco IOS |
TB seen at bgp_oer_notify_pep bgp_oer_remove_path bgp_bestpath_old |
CSCse12518 |
Cisco IOS |
MET optimized update can cause blackholing and duplicates |
CSCsh57238 |
Cisco IOS |
SXF6:sh int cmd on 6148 cards display zero o/p drops even with qos drops |
CSCsj04201 |
Cisco IOS |
%MRIB_PROXY-2-MRIB_RP_FAILED_GET_IPC: RP failed allocating IPC buffer |
CSCsj06641 |
Cisco IOS |
LI: Traceback found in creating entry in cTap2StreamTable |
CSCsj32493 |
Cisco IOS |
IPSEC: Incorrect IPSec connection info in InvalidSPI testing |
CSCsj51113 |
Cisco IOS |
crash in ether_cfm_tm_send |
CSCsj90758 |
Cisco IOS |
UUT with BGP/DMVPN crashes after restarting iprouting.iosproc |
CSCsk19866 |
Cisco IOS |
Unable to boot boomerang image on sup720 |
CSCsk32209 |
Cisco IOS |
Crash seen on a stand-alone router while generating RSA keys |
CSCsk34832 |
Cisco IOS |
Memory leak in HTTP CORE PID 174 |
CSCsk73838 |
Cisco IOS |
After fabric tiemout is seen, line card did not recover using earl patch |
CSCsk78390 |
Cisco IOS |
Naxos crashes while trying to fpd upgrade granikos |
CSCsk89852 |
Cisco IOS |
VS2: MEC (LACP) members flap when native subinterface is configured |
CSCsk94870 |
Cisco IOS |
VS2: TB @ ether_extract_addr |
CSCsl02190 |
Cisco IOS |
ICMPv6 to all node multicast address fail. |
CSCsl18525 |
Cisco IOS |
Standby-SP doesn't have mfib table |
CSCsl27957 |
Cisco IOS |
%EC-SP-5-CANNOT_BUNDLE2 is seen after inserting WS-SVC-FWM-1 |
CSCsl32940 |
Cisco IOS |
Router crashes while reloading Naxos |
CSCsl37513 |
Cisco IOS |
SYS-2-MOD_TEMPSENSORFAIL:Module w/ X6148A-GE-45AF and CatOS |
CSCsl39691 |
Cisco IOS |
Config Sync:Bulk-sync failure due to Servicing Incompatibility after SSO |
CSCsl71704 |
Cisco IOS |
VS2:RACL not applied on MEC after disabling netflow & chng flowmask |
CSCsm08087 |
Cisco IOS |
Arp unresolved after sh/nosh of egress int ;route-map applied at ingress |
CSCsm08971 |
Cisco IOS |
SEA:Soft reload occurs everytime after issue show cmd's and T/B with mz |
CSCsm11898 |
Cisco IOS |
IOS:SLB: Incorrect NAT Translation when Nat client is enabled |
CSCsm19550 |
Cisco IOS |
sup720 rx intr should check tx descriptor exhaustion |
CSCsm22385 |
Cisco IOS |
V4 VPN traffic stops after toggling agg. label between vpn-cam and tcam |
CSCsm26063 |
Cisco IOS |
C2W2:Active RP Crash on sh/no sh of intf with ipv6 address configured |
CSCsm28287 |
Cisco IOS |
Active RP crash on shutdown of GRE tunnel followed by switchover |
CSCsm40606 |
Cisco IOS |
WS-X6724 SFP get's reboots again and again with TestSynchedFab Failed |
CSCsm43962 |
Cisco IOS |
Cat6k L2TP packet looped through blocked port |
CSCsm48287 |
Cisco IOS |
Drop counters for VPLS VC not incrementing |
CSCsm64424 |
Cisco IOS |
C2W1: Copy command generates spurious authorization requests |
CSCsm65386 |
Cisco IOS |
WS-X6516A-GBIC card resets on SSO. |
CSCsm66602 |
Cisco IOS |
SIP 400 loses VPLS VC entry on shutting down the MPLS TE tunnel |
CSCsm75286 |
Cisco IOS |
bgp route-map doesn't work correctly when deleted part of sequences |
CSCsm79344 |
Cisco IOS |
Bogus "TCAM MASK entry capacity exceeded" message |
CSCsm82472 |
Cisco IOS |
DAI: L2-Portchannel formed for member's DAI trust mismatch |
CSCsm84267 |
Cisco IOS |
Tracebacks & %CPU_MONITOR-SP-6-NOT_HEARD: messages with NAT. |
CSCsm85936 |
Cisco IOS |
UUT cpu at 40% with bi-dir traffic across a single tunnel |
CSCso00864 |
Cisco IOS |
Standby sup crashed on configuing local-address command for cry map |
CSCso05920 |
Cisco IOS |
cpmCPUMemoryFree incorrect for Posix memory |
CSCso18683 |
Cisco IOS |
IP DSCP Re-circulation not working as expected after issu runversion. |
CSCso27956 |
Cisco IOS |
TCAM ASSERT FAILURE on LI stress with add/removal of lots of streams |
CSCso28275 |
Cisco IOS |
Traffic polarization within a MEC on VSS. |
CSCso28791 |
Cisco IOS |
MAC_MOVE-SP-4-NOTIF seen for L2TP packets over dot1q tunnel |
CSCso29141 |
Cisco IOS |
DFC installs drop index for MAC-address |
CSCso29226 |
Cisco IOS |
IP source guard is not supported on ether channel member |
CSCso30038 |
Cisco IOS |
A OIL is not registerd properly in mroute table with static igmp group |
CSCso32193 |
Cisco IOS |
IPv6 software switched in Egress replication mode |
CSCso35250 |
Cisco IOS |
unexpected reload while communicating with CNS server |
CSCso39818 |
Cisco IOS |
Ingress Marking not working on SIP-600 on linecard reset/ toggle mlsqos |
CSCso48665 |
Cisco IOS |
vlan filter can't be removed totally |
CSCso49344 |
Cisco IOS |
Egress policing policy not programmed in SIP-600 after system reload. |
CSCso57020 |
Cisco IOS |
VSS: After sso, the RBH values on orphan PO flips w/o link/po flapping |
CSCso57886 |
Cisco IOS |
unrestricted while loop when looking for EOS flag in the packet |
CSCso60528 |
Cisco IOS |
C2W2: FWSM - Standby FWSM PO shows down and links go down eventually |
CSCso66357 |
Cisco IOS |
Classification on nbar fails on removing pmap from other pvc on ATM M2P |
CSCso71955 |
Cisco IOS |
Alignment errors with netflow on Interface, crash on 7600/6500 |
CSCso72178 |
Cisco IOS |
W2:TestCapture,TestTrap & TestIPv6FibShortcut diag failed ondemand&boot |
CSCso72541 |
Cisco IOS |
%MFIB_STATS-DFC2-2-MFIB_STATS_LC_FAILED_GET_COUNTERS for Sip 600 |
CSCso74559 |
Cisco IOS |
C2W2: Mago IOS "test Crash" create crashinfo file on bootflash only |
CSCso85133 |
Cisco IOS |
DOM tranceiver "voltage" values are always Zero in SUP4 |
CSCso86544 |
Cisco IOS |
Afer SSO, new active SP crashes @ pm_vlan_get_portlist |
CSCso88042 |
Cisco IOS |
Wism module Allowed-Vlan statements lost on reload |
CSCso88772 |
Cisco IOS |
sp-inband tx capture causes primary SUP to hang |
CSCso93708 |
Cisco IOS |
IPsec-HA:RFclient timingout on7200 running 12.4(15)Tx, AdvSecurity fse |
CSCso98143 |
Cisco IOS |
Router crash at pm_platform_private_alloc_and_reserve_vlan |
CSCsq04075 |
Cisco IOS |
C2W2:DHCP Snooping entries not cleared after removing IP Source Guard |
CSCsq04274 |
Cisco IOS |
Memory leak observed on l2_vlan_stat_mem_allocate during vlans creation |
CSCsq14259 |
Cisco IOS |
TX Flowcontrol goes on when link negotiation is disabled |
CSCsq15308 |
Cisco IOS |
timer not stopped properly for eem policy scripts |
CSCsq21051 |
Cisco IOS |
W2: Heathland mode change doesn't work after the second SSO switchover |
CSCsq26223 |
Cisco IOS |
WS-X6348-RJ-45 Blackholing traffic/reset continously |
CSCsq36972 |
Cisco IOS |
Portchannel does not form. Log messages indicate misconfig. |
CSCsq37376 |
Cisco IOS |
Packet Buffer Capture May Crash a 6500 in IOS |
CSCsq44850 |
Cisco IOS |
c2w2 : TB seen at %PM-3-INTERNALERROR: Port Manager Internal Software Er |
CSCsq46590 |
Cisco IOS |
Packet loss during SSO failover on ECMP supervisor uplinks |
CSCsq51231 |
Cisco IOS |
ALIGN-3-SPURIOUS: Spurious memory access made @ idbman_get_port_swidb |
CSCsq51249 |
Cisco IOS |
Monitor session removal may affect traffic through WS-X6148A-RJ-45 |
CSCsq51378 |
Cisco IOS |
ATM PA Interface shows up/up after force redundancy, no cables connected |
CSCsq53085 |
Cisco IOS |
VS: 15 seconds down time upon module reset |
CSCsq56747 |
Cisco IOS |
Active SP CPU 100% after SSO switchover with 080527 ION image |
CSCsq59297 |
Cisco IOS |
port-channel IDB gets mixed up |
CSCsq61089 |
Cisco IOS |
VS2: physical OIR of 6708 causes 16 seconds interruption |
CSCsq63727 |
Cisco IOS |
WS-X6748-GE-TX - input and output errors seen during auto negotiation |
CSCsq67001 |
Cisco IOS |
Standy switch reloaded by auto qos on MEC standby member port |
CSCsq73317 |
Cisco IOS |
MAB authorization failed with port-security |
CSCsq77043 |
Cisco IOS |
EEM long hostname prevents tcl cli_open from functioning |
CSCsq77381 |
Cisco IOS |
W2: Diag - TestL3Capture2 failed after LV-SSO |
CSCsq78513 |
Cisco IOS |
VSS: Etherchannel counters incorrect |
CSCsq78956 |
Cisco IOS |
strcpy of binary can cause mem corruption |
CSCsq79253 |
Cisco IOS |
Pinnacle interrupts not re-enabled after memory inconsistency detected |
CSCsq80270 |
Cisco IOS |
Cat 6k crashes randomly after IPSec SPA module is inserted. |
CSCsq80891 |
Cisco IOS |
VSS switches reload at the same time after VSL link failure |
CSCsq81116 |
Cisco IOS |
c2w2:Device crash @ oer_cc_free_message while unconfiguring |
CSCsq81235 |
Cisco IOS |
Cannot configure a vrf again when deleted using 'no ip vrf' command |
CSCsq82663 |
Cisco IOS |
SLB router CPU usage is high with GE interface |
CSCsq82991 |
Cisco IOS |
IPSG Pacl entry appears after the ISSU RV or SSO |
CSCsq83219 |
Cisco IOS |
Standby SP crashed at sp_reset_slcp after "redundancy reload peer" |
CSCsq83789 |
Cisco IOS |
LTL for unknow unicast is wrongly programmed for some L3 interfaces |
CSCsq84116 |
Cisco IOS |
Cisco 7604 with OC3, Flexwan crashes into ROMMON |
CSCsq85139 |
Cisco IOS |
VS2: Can not establish session to standby NAM |
CSCsq85850 |
Cisco IOS |
Opnext GLC-LH-SM :remote port stays up when local RX cable is removed |
CSCsq89415 |
Cisco IOS |
"no bert" indicates "abort request" instead of "stopped" |
CSCsq91258 |
Cisco IOS |
L2 entry purged from hardware when in use by L3 shortcut |
CSCsq94136 |
Cisco IOS |
Burst of traffic cause anti-replay check to fail |
CSCsq94366 |
Cisco IOS |
Mem leak in rrp_update_peer_info_on_rp |
CSCsq97640 |
Cisco IOS |
Resetting Standby Sup4 multiple times causes lincecard switchbus timeout |
CSCsq98887 |
Cisco IOS |
Packet drop on applying and removing ACL on tunnel interface with pim |
CSCsr02723 |
Cisco IOS |
MDEBUG:Spurious memory access detected at env_sensor_get_update |
CSCsr02816 |
Cisco IOS |
ISSU tracebacks seen on SP during runversion at MsgReceive.S:14 |
CSCsr06914 |
Cisco IOS |
fm_slb_inbad_send():Invalid Flowmask errors upgrading to 12.2(33)SXH2a |
CSCsr07565 |
Cisco IOS |
TCAM didn't reprogram after removing dynamic ACE |
CSCsr08985 |
Cisco IOS |
CMM ports going to shutdown state on reload in Whitney 1 |
CSCsr09554 |
Cisco IOS |
Move SIBYTE SB_RMON_OVRFL messages under debug |
CSCsr13633 |
Cisco IOS |
%PM-3-INTERNALERROR: Port Manager Internal Software E |
CSCsr18656 |
Cisco IOS |
BPDU bit is over written when 2nd PCL lookup is enabled. |
CSCsr18924 |
Cisco IOS |
kernel idle hook thread in IOS-Base taking 50% CPU |
CSCsr20679 |
Cisco IOS |
VSL PO as SPAN source and Orphan PO as SPAN destination not allowed |
CSCsr26663 |
Cisco IOS |
C2W2: GLBP 800 peers with default timers flap after SSO |
CSCsr37131 |
Cisco IOS |
buginf calls in l2trace when 'debug l2trace' is disabled |
CSCsr45495 |
Cisco IOS |
PBR with deny statements : TCAM running out of masks |
CSCsr45851 |
Cisco IOS |
ifOperStatus for Control Plane Interface is always down |
CSCsr48938 |
Cisco IOS |
UNBL:bootldr image can't boot on SupW |
CSCsr49669 |
Cisco IOS |
Match protcol arp doesnt work in whitney1 earlier it was working for Roc |
CSCsr51799 |
Cisco IOS |
pa-mc-8t1 interface down after stopping BERT prematurely |
CSCsr55523 |
Cisco IOS |
WCCP service group ID is zero in ACL TCAM Adjacency |
CSCsr58773 |
Cisco IOS |
VS2: After SSO, VSL member stuck in "w" state, and MEC errors |
CSCsr63831 |
Cisco IOS |
show platform hardware capacity fabric - incorrect % and time-SXH3 |
CSCsr66588 |
Cisco IOS |
Netflow SLB aging parameter values are not synced to SP after reload |
CSCsr72427 |
Cisco IOS |
WS-X6148-45AF/WS-F6K-FE48-AF %ILPOWER-5-ILPOWER_MISCONFIG after reload |
CSCsr75094 |
Cisco IOS |
MDEBUG: Spurious Memory Access on SSO |
CSCsr78910 |
Cisco IOS |
time not updated in 'System returned to ROM by reload' in show version |
CSCsr81962 |
Cisco IOS |
C2W1: Monitor session servicemodule causes internal loop on SUP720-10GE |
CSCsr82501 |
Cisco IOS |
Change global function to static breaks install patch feature in SXH |
CSCsr93467 |
Cisco IOS |
c2w2:Traceback seen while doing "switch accept mode virtual " |
CSCsr96283 |
Cisco IOS |
High CPU due to add/del SPAN configs |
CSCsr99933 |
Cisco IOS |
FWLB: High purge rate causes CPU to increase by 15% |
CSCsu03297 |
Cisco IOS |
RE: Fabric force bus-mode does not work anymore |
CSCsu03772 |
Cisco IOS |
Dot1q native vlan tagging is not working with "switchpot nonegotiate" |
CSCsu05800 |
Cisco IOS |
C2W2: need to extend the wait time for bus sync after sso |
CSCsu22349 |
Cisco IOS |
Removing ACL or service policy from vrf interface drops traffic |
CSCsu24825 |
Cisco IOS |
SUP32 unstable to communicate with all neighbors after reload |
CSCsu29117 |
Cisco IOS |
PE send traffic back to EoMPLS tunnel after lsp path changed |
CSCsu31651 |
Cisco IOS |
VSS: Traffic dropped on non-bundled port if RBH=0 |
CSCsu33221 |
Cisco IOS |
"Flood in diag inband driver" messages followed by silent reload. |
CSCsu37481 |
Cisco IOS |
Netflow Incorrect Octet value with packet-based sampling |
CSCsu44534 |
Cisco IOS |
Sup NSF/SSO causes 4 sec traffic loss over EC with uplink ports. |
CSCsu45210 |
Cisco IOS |
Upgrade 12.2SXF-> 12.2SXH with Port-Security causes standby boot loop |
CSCsu46124 |
Cisco IOS |
SVI ifInMulticastPkts ifOutMulticastPkts are always zero |
CSCsu48150 |
Cisco IOS |
Enhancement to Me_Kr register dumps from CSCsg21809 |
CSCsu49002 |
Cisco IOS |
ciscoIpMRouteBps sometimes indicates wrongful value |
CSCsu55635 |
Cisco IOS |
Load values of PO members with Fixed algo get 0 during bootup on Standby |
CSCsu57958 |
Cisco IOS |
DHCP-Snooping not intercepting DHCP messages from the Server |
CSCsu59556 |
Cisco IOS |
Traceback seen @ fibidb_init |
CSCsu63335 |
Cisco IOS |
"Failed to find process pid" error message on 12.2(33)SXH3 |
CSCsu64581 |
Cisco IOS |
Last port of T3/E3 SPA connected back to back does not ping |
CSCsu68698 |
Cisco IOS |
No syslogs and stack on console when SP crashes due RP boot timeout |
CSCsu69177 |
Cisco IOS |
C2W2: Traffic drop after SSO on SUP4 P router w/ IP and MPLS traffic |
CSCsu72496 |
Cisco IOS |
%PM-3-INTERNALERROR: Port Manager Internal Software Error |
CSCsu72884 |
Cisco IOS |
Modifying match criteria frm v6 to v4 doesnt change tcam label state |
CSCsu73128 |
Cisco IOS |
C2W2-ION-080922: Crash on Plain IPSec tunnel setup |
CSCsu76070 |
Cisco IOS |
duplicate packets when lawful intercept is enabled |
CSCsu81785 |
Cisco IOS |
6500 can no longer receive the ACL as filter ID from |
CSCsu82768 |
Cisco IOS |
Crash at pclc_g2_fw_offline_notification after SSO |
CSCsu91714 |
Cisco IOS |
IGMP-JOIN is lost from SUP to MSFC |
CSCsu94880 |
Cisco IOS |
Bus error crash at fm_format_inband_adj_data |
CSCsu95605 |
Cisco IOS |
Route-map with "match route-type local" not functioning properly |
CSCsv30359 |
Cisco IOS |
HSRP: CPU hog when no failover bound to crypto |
CSCsv34415 |
Cisco IOS |
Diag failure on power-cycle puts VSS switches in rommon |
CSCsv43802 |
Cisco IOS |
High CPU utilization triggers crash in diags. |
CSCsq31981 |
Content |
WCCP: redirection does not work with CEF and ip accounting |
CSCsh45091 |
Infrastructure |
Port fix for CSCed94684 for ws-c3750-24p |
CSCsh63508 |
Infrastructure |
disk0:/sys/cpmbit/base is busy, try again later msg on stby SP on SSO. |
CSCsi88974 |
Infrastructure |
LI: Malloc failure on setting MD src interface as Loopback interface |
CSCsj06593 |
Infrastructure |
CPU hog msgs for RFSS worker process and Async write process |
CSCsj52992 |
Infrastructure |
CPU hogs when configuring snmp-server host |
CSCsj54606 |
Infrastructure |
end of summer-time can be set earliar than start of summer time |
CSCsk91176 |
Infrastructure |
PXF crash causes IPC timeout to all linecards in the chassis |
CSCsm01126 |
Infrastructure |
PRE-B crashes while in progress to standby cold-config |
CSCsm14366 |
Infrastructure |
Empty crash file generated on wan module crash at boot-up |
CSCsm32392 |
Infrastructure |
memory corruption crash at nv_ifs_open and nv_ifs_close |
CSCsm47417 |
Infrastructure |
W2:seting ceExtSysBootImageList cause "wr mem" not working correctly |
CSCsm78184 |
Infrastructure |
Switchover failed with %C10KISSU-3-GET_MSG_MTU messages |
CSCso21611 |
Infrastructure |
Crash at internal idb counter increment function |
CSCsq03621 |
Infrastructure |
Timestamps in "show rmon events" wrap at 2^32-1 milliseconds (7+ weeks) |
CSCsq16325 |
Infrastructure |
Incomplete serial interface command creates interface |
CSCsq34676 |
Infrastructure |
Modular IOS: show process cpu sorted triggers unexpected reload |
CSCsq35093 |
Infrastructure |
XDR-6-XDRIPCNOTIFY: Message not sent to slot 1/0 (1) because of IPC |
CSCsq60922 |
Infrastructure |
Modular IOS:Router crashed with SNMP copy and with format in console |
CSCsr50834 |
Infrastructure |
CPU HOG after changing logging buffered up to 50MB |
CSCsr60789 |
Infrastructure |
W1.3: VSL crash after preemptive switchover in ifs_open_file_decrement |
CSCsr64361 |
Infrastructure |
Standby continously resetting due to SNMP RF client notification timeout |
CSCsu37266 |
Infrastructure |
Modular IOS: tcp.proc terminated due to signal SIGSEGV |
CSCsi66366 |
IPServices |
All transport protocols are displayed in running config for VTY |
CSCsj83854 |
IPServices |
Incorrect static nat entries programmed in nat table |
CSCsm35794 |
IPServices |
Ignoring Coup after changing HSRP active router's priority |
CSCsm79082 |
IPServices |
RP crash at dispatch_thread_pool when restarting tcp.proc |
CSCsq60504 |
IPServices |
Modular IOS Sup720: crashed with tcp timeout logs |
CSCsq90529 |
IPServices |
Issue with active ftp on the SXH1 |
CSCsq97870 |
IPServices |
Router crash with 'show standby' if group deleted from 2nd terminal |
CSCsr08771 |
IPServices |
Crash seen @ dhcpd_pool_nvgen and dhcpd_copy_bootfile |
CSCsr55990 |
IPServices |
HSRP mac dynamic on routed pseudowire after reload on active router |
CSCsu21716 |
IPServices |
No unsolicited igmp report sent for mroute-proxy |
CSCsg87930 |
LAN |
i82543 driver should not increase input queue drop counter |
CSCsr76818 |
LAN |
input queue wedge on SP due to VTP packets |
CSCsh33167 |
LegacyProtocols |
Dlsw transparent cache holds MAC address for disconnected circuit |
CSCsq79032 |
Management |
Excessive remote registry invocation on 'waiting_on_switchover' registry |
CSCsq84595 |
Management |
high # of remote reg. invocation (35 rpc/sec) 'get_unidirectional_mode' |
CSCsr93672 |
Management |
Native vlan is not getting displayed in "show cdp neighbors" output |
CSCuk57502 |
Management |
CDP does not report IPv6 addresses for Modular IOS. |
CSCsm70668 |
MPLS |
OIR over E3:POS impacting complete Traffic with biscuit tunnel |
CSCso21506 |
MPLS |
Import Map under vrf blocks bgp aggregate prefix |
CSCsq46044 |
MPLS |
Error MFI_LABEL_BROKER-3-DELETE_MOI_FAIL and LSD_CLIENT-3-PCHUNK2 |
CSCsq78822 |
MPLS |
Cannot clear specific LDP neighbor, when router-id not in bound address |
CSCsq91960 |
MPLS |
failed to delete vrf when it is 32 characters long |
CSCsq93004 |
MPLS |
Possible memory corruption with TE auto-tunnel primary and subinterface |
CSCsr40433 |
MPLS |
mpls te - explicit path with loose nhops - re-optimization failure |
CSCsu62667 |
MPLS |
LSP ID change after SSO due to failure in signalling recovered LSP |
CSCsm77608 |
Multicast |
IP Multicast packets are Process switched. |
CSCsr09312 |
Multicast |
crash when doing mrm stop |
CSCsr36971 |
Multicast |
Memory Leak @ PIM process |
CSCsr49316 |
Multicast |
Crash ipv6_static_route_find after configured & executed show ipv6 rpf x |
CSCsu02051 |
Multicast |
S,G expiry timer change is not allowed in Whitney1 |
CSCsu71983 |
Multicast |
Memory Leak @ PIM process |
CSCsq37078 |
PPP |
Input errors incrementing on Multilink 5 in admin down state |
CSCsg18894 |
QoS |
Queue-limit command should be allowed in conjunction with priority |
CSCsl62963 |
QoS |
Router Crashes, Reconfigure a Policy -af_police_remove_coloraware |
CSCsm00570 |
QoS |
cwpa2 crashes at hqf_cwpa_pak_enqueue_local |
CSCsm28515 |
QoS |
Marking not happening on FlexWAN interface with SXH after oir/reload |
CSCsu03813 |
QoS |
Upgrading from rockies to w2 deletes the police action from pmap |
CSCsg90755 |
Routing |
Standby keeps reloading due to PRC mismatch in IPv4 MDT AF config sync |
CSCsi68795 |
Routing |
PE wrongly assigns local label to a vpnv4 confederation prefix |
CSCsj39016 |
Routing |
warn_assert failed:../fib/fib_table.c:2947 tal_tree_get_item_count_nonf |
CSCsj78403 |
Routing |
clear ip bgp causes crash to RR client with conditional route injection |
CSCsk86150 |
Routing |
w/ BGP auto-summary enabled, networks are lost from BGP after EIGRP flap |
CSCsk86476 |
Routing |
OSPF fails in MTU-mismatch setup when mtu-ignore is configured |
CSCsm26130 |
Routing |
BGP with auto-summary not injecting locally orig. route into BGP table |
CSCsm30569 |
Routing |
CEF path fragmentation broken for static IPSec VTI |
CSCsm50741 |
Routing |
Removal of DCbitless LSA causes problems |
CSCsm72604 |
Routing |
OSPF remaining summary route when dual OSPF process redistributing |
CSCso08786 |
Routing |
Standby reloads due to config sync failure on inherit peer-policy cmd. |
CSCso54167 |
Routing |
BGP peer stuck with table version 0 |
CSCso80951 |
Routing |
BGP peers with same policy fall into different update-group with SOO |
CSCso93535 |
Routing |
Upon removing a VRF, BGP route timers in other VRF's get reset |
CSCsq05602 |
Routing |
TE tunnels are down but still show in the forwarding table |
CSCsq13938 |
Routing |
reload on 'show ip bgp vpnv4' when import src delinked by BGP deconfig |
CSCsq36206 |
Routing |
MDT tunnels not getting created on 7206 Device |
CSCsq38431 |
Routing |
OSPF "summary address" is executed, even if subnet is becoming small |
CSCsq49201 |
Routing |
Password in BGP peer-session template not inherited |
CSCsr67562 |
Routing |
Support for running ispf with nodes having overload bit configured |
CSCsr83639 |
Routing |
Bus error crash when removing BGP configuration |
CSCsr96042 |
Routing |
ASR: IOSD crashes at bgp_vpn_import_walker while unconfiguring vrf |
CSCsu03167 |
Routing |
SXF15: IPv4/v6 BGP routes not cleared when source routes is gone |
CSCsu24087 |
Routing |
Cisco7609 crashes after "clear ip bgp neighbor x.x.x.x soft in" |
CSCsu36709 |
Routing |
Unable to boot IOS image on PE (vrf-enabled) router - software fault |
CSCsu40881 |
Routing |
Secondary EIGRP address on VRF not added/deleted properly to EIGRP topo |
CSCeg49153 |
Security |
PKI: crl checking takes too long to timeout if the server is down |
CSCsd81870 |
Security |
Teraterm + TTSSH2 does not work in SSH Ver.2 |
CSCsf17406 |
Security |
Large CRLs can cause memory leaks |
CSCsg48392 |
Security |
Resuming SSH Session Fails After Disconnecting Another One (Not Console) |
CSCso48959 |
Security |
user not reported by "login on-success log" feature for SSH logins |
CSCsq58748 |
Security |
IPSEC: IKMP process can get blocked by some PKI OCSP requests |
CSCsq60016 |
Security |
Router crashes when entering a long RSA key string |
CSCsr85093 |
Security |
SXF15: SSH session fails withRSA signature verification failed after SSO |
CSCsr86489 |
Security |
C6k: SCP file copy causes RP crash during authorization of user |
CSCsg32308 |
WAN |
copy/paste of ntp-authentication-key statement is not possible |
CSCsq18856 |
WAN |
FR SVCs cannot be setup |
CSCsq47900 |
WAN |
OIR operation on POS interfaces with APS result in ALIGN error |
Caveats Resolved in Release 12.2(33)SXH3a
Resolved Infrastructure Caveats
Symptom: The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.
One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both “show” and “configure” commands to be executed on the device through requests sent over the HTTP protocol.
Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.
If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.
Conditions: For a Cisco IOS device to be affected by this issue all of the following conditions must be met:
– An enable password is not present in the device configuration
– Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled
– No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System)
The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.
Workaround: Any of the following workarounds can be implemented:
– Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password
Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured.
In order to configure an enable password by using the enable secret command, add the following line to the device configuration:
enable secret mypassword
Replace mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy. The document entitled “Cisco IOS Password Encryption Facts” explains the differences between using the enable secret and the enable password commands to configure an enable password. This document is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml
– Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default
Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such an authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. As the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and considering other additional factors, no example will be provided. Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled “AAA Control of the IOS HTTP Server”, which is available at the following link: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
– Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality
Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the following commands to the device configuration:
no ip http server
no ip http secure-server
The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored.
Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.
Further Problem Description: In addition to the explicit workarounds detailed above it is highly recommended that customers limit access to Cisco IOS HTTP server and the Cisco IOS HTTPS server to only trusted management hosts. Information on how to restrict access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server based on IP addresses is available at the following link:
http://www.cisco.com/en/US/docs/ios-xml/ios/https/configuration/12-4/nm-http-web.html#GUID-BB57C0D5-71DB-47C5-9C11-8146773D1127
Customers are also advised to review the “Management Plane” section of the document entitled “Cisco Guide to Harden Cisco IOS Devices” for additional recommendations to secure management connections to Cisco IOS devices. This document is available at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
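The three conditions listed for this caveat can be checked against a saved running configuration. The following Python audit is an added example, not Cisco code: the `ip http authentication` keywords (`local`, `aaa`, `tacacs`, `enable`) are assumed from IOS command documentation and do not appear in this caveat, `http_default_on` is a hypothetical parameter for releases where the HTTP server is enabled by default, and the sample configurations are constructed.

```python
import re

# Constructed running-config excerpts (not taken from any real device).
SAMPLES = {
    "exposed": "hostname lab1\n!\nip http server\nip http secure-server\n",
    "enable_secret": "hostname lab2\nenable secret 5 $1$CONSTRUCTED$hash\n"
                     "ip http server\n",
    "local_auth": "hostname lab3\n"
                  "username admin privilege 15 secret 5 $1$CONSTRUCTED$hash\n"
                  "ip http server\nip http authentication local\n",
    "default_auth": "hostname lab4\nip http server\n"
                    "ip http authentication enable\n",
    "disabled": "hostname lab5\nno ip http server\nno ip http secure-server\n",
    "silent": "hostname lab6\n",
}


def _global_lines(config):
    """Yield top-level (non-indented) commands, skipping '!' separator lines."""
    for raw in config.splitlines():
        if raw and not raw[0].isspace() and not raw.startswith("!"):
            yield raw.rstrip()


def _server_state(lines, command, default_on):
    """True for 'command', False for 'no command', else the release default."""
    state = default_on
    for line in lines:
        if line == command:
            state = True
        elif line == "no " + command:
            state = False
    return state


def audit_http_exposure(config, http_default_on=False):
    """Evaluate the caveat's three conditions against one running-config.

    http_default_on (hypothetical parameter): set True when auditing a
    release on which the HTTP server is enabled unless explicitly disabled.
    """
    lines = list(_global_lines(config))

    # Condition 1: no enable password (enable secret or enable password).
    has_enable = any(re.match(r"enable (secret|password)\b", l) for l in lines)

    # Condition 2: HTTP or HTTPS server enabled.
    http_on = _server_state(lines, "ip http server", http_default_on)
    https_on = _server_state(lines, "ip http secure-server", False)

    # Condition 3: no authentication mechanism other than the default.
    # 'enable' is the default method, so it does not count as "other".
    http_auth = None
    for line in lines:
        m = re.match(r"ip http authentication (\S+)", line)
        if m:
            http_auth = m.group(1)
    other_auth = http_auth in ("local", "aaa", "tacacs")

    affected = (not has_enable) and (http_on or https_on) and (not other_auth)
    return {
        "enable_password": has_enable,
        "http_server": http_on,
        "https_server": https_on,
        "http_auth": http_auth,
        "affected": affected,
    }


if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, audit_http_exposure(cfg))
```

A configuration that carries neither `ip http server` nor `no ip http server` is ambiguous from the file alone; pass `http_default_on=True` for releases where the server is on by default.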
Other Resolved Caveats in Release 12.2(33)SXH3a
|
|
|
CSCsu03167 |
Routing |
SXF15: IPv4/v6 BGP routes not cleared when source routes is gone |
Caveats Resolved in Release 12.2(33)SXH3
Resolved IPServices Caveats
A router that has DHCP server enabled could reload after receiving a malformed UDP packet.
Workaround: None
Resolved Security Caveats
Symptoms: Devices running Cisco IOS may reload with the error message “System returned to ROM by abort at PC 0x0” when processing SSHv2 sessions. A switch crashes. We have a script running that will continuously ssh-v2 into the 3560 then close the session normally. If the vty line that is being used by SSHv2 sessions to the device is cleared while the SSH session is being processed, the next time an ssh into the device is done, the device will crash.
Conditions: This problem is platform independent, but it has been seen on Cisco Catalyst 3560, Cisco Catalyst 3750 and Cisco Catalyst 4948 series switches. The issue is specific to SSH version 2, and it is seen only when the box is under brute force attack. This crash is not seen under normal conditions.
Workaround: There are mitigations to this vulnerability: For Cisco IOS, the SSH server can be disabled by applying the command crypto key zeroize rsa while in configuration mode. The SSH server is enabled automatically upon generating an RSA key pair. Zeroing the RSA keys is the only way to completely disable the SSH server.
Access to the SSH server on Cisco IOS may also be disabled by removing SSH as a valid transport protocol. This can be done by reapplying the transport input command with ‘ssh’ removed from the list of permitted transports on VTY lines while in configuration mode. For example:
line vty 0 4
 transport input telnet
end
If SSH server functionality is desired, access to the server can be restricted to specific source IP addresses or blocked entirely using Access Control Lists (ACLs) on the VTY lines as shown in the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/swacl.html
More information on configuring ACLs can be found on the Cisco public website: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
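To see which VTY lines still accept SSH and whether an ACL restricts them, the `line vty` stanzas of a saved configuration can be audited. The following Python check is an added example, not Cisco code: `default_transports` is a hypothetical parameter standing in for the release's default when a stanza has no transport input line, the `access-class ... in` syntax is assumed from IOS documentation, and the sample configuration is constructed.

```python
import re

# Constructed running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
!
line con 0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet
line vty 16 20
 login
!
end
"""


def parse_vty_stanzas(config):
    """Return {vty range: [sub-commands]} for every 'line vty' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = raw[len("line vty "):].strip()
            stanzas[current] = []
        elif raw[:1].isspace() and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level line closes the stanza
    return stanzas


def audit_vty_ssh(config, default_transports=("all",)):
    """Classify each VTY range by SSH reachability.

    default_transports (hypothetical parameter): transports assumed when a
    stanza has no 'transport input' line; the real default depends on release.
    """
    findings = []
    for vty_range, commands in parse_vty_stanzas(config).items():
        transports, acl = tuple(default_transports), None
        for cmd in commands:
            m = re.fullmatch(r"transport input (.+)", cmd)
            if m:
                transports = tuple(m.group(1).split())
            m = re.match(r"access-class (\S+) in\b", cmd)
            if m:
                acl = m.group(1)

        ssh_permitted = "ssh" in transports or "all" in transports
        if not ssh_permitted:
            status = "ssh-not-permitted"       # transport workaround applied
        elif acl:
            status = "ssh-restricted-by-acl"   # VTY ACL workaround applied
        else:
            status = "ssh-unrestricted"        # neither workaround in place
        findings.append({
            "vty": vty_range,
            "transports": transports,
            "access_class": acl,
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_vty_ssh(SAMPLE_CONFIG):
        print(finding)
```

The check reads configuration only; it cannot tell whether RSA keys exist, which the caveat names as the one way to disable the SSH server completely.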
Resolved Unknown Caveats
Cisco IOS Software Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is vulnerable to a Denial of Service (DoS) attack from specially crafted packets. Only the MFI is affected by this vulnerability. Older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected.
Cisco has released free software updates that address this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-mfi
Other Resolved Caveats in Release 12.2(33)SXH3
|
|
|
CSCdu79630 |
AAA |
Username on vty not displayed if accounting is not configured |
CSCsg18288 |
AAA |
Enable authentication ignores Tacacs+ configuration in rare situation |
CSCsl10068 |
AAA |
AAA api migration in login.c, exec.c. |
CSCsl45701 |
AAA |
TACACS+ per VRF authen failing: Address already in use |
CSCsl57645 |
AAA |
tacacs-server directed-request fails for enable authentication on 6500 |
CSCso87641 |
AAA |
Tacacs unable to connect to server |
CSCso95426 |
AAA |
Exposure of Radius-Keys in debugs. |
CSCsq98160 |
AAA |
No communication between SW and AAA with IPBase image |
CSCsr26098 |
AAA |
SSH/Telnet failed with IPBase image on Sup32 with AAA server |
CSCei33231 |
ATM |
ATM PVC bundle protected group test failed with bumping exhausted |
CSCek74474 |
ATM |
no/default proto ip inarp cmd ineffective until ATM VC bounced. |
CSCsh98378 |
ATM |
Router crashes at atm_create_vp_db |
CSCsi72854 |
ATM |
Inconsistent IMA CLI after router reload. |
CSCsk72676 |
ATM |
Pvc not coming up after removing vc-class from it |
CSCin67287 |
Cisco IOS |
NxDS0 BERT capability on PA-MC-8TE1+ |
CSCsc24015 |
Cisco IOS |
Parser loops infinitely for match route-type [ext |
CSCsc85962 |
Cisco IOS |
Replaying Main Mode packet causing IKE SA deletion |
CSCsd69625 |
Cisco IOS |
EZVPN:IOS C876 Client can't connect to ASA using digi certs and noXauth |
CSCse31572 |
Cisco IOS |
Bus error at crypto_ikmp_config_authenticated |
CSCse53517 |
Cisco IOS |
WiSM: Tracebacks seen after SSO switchover |
CSCsg22830 |
Cisco IOS |
Standby not coming up after sso switchover |
CSCsg87747 |
Cisco IOS |
RECV_PVID_ERR message received with bringing up etherchannel trunk |
CSCsh61002 |
Cisco IOS |
SPA-5X1GE: GE-port not transmitting after 'shut/no shut' and vica versa |
CSCsi49150 |
Cisco IOS |
%PM-SP-4-PORT_BOUNCED: Port Gi9/3 was bounced by Consistency Check IDBS |
CSCsi63649 |
Cisco IOS |
%SYS-3-TIMERNEG:Cannot start timer with negative offset,TTY Background |
CSCsi85453 |
Cisco IOS |
cfg-sync failed if switchport config is pasted on active & stby restart |
CSCsi94738 |
Cisco IOS |
8xCHT1/E1 SPA modules not in entAliasMappingIdentifier |
CSCsj37398 |
Cisco IOS |
Properly initialize the Tycho register AC_QOS_DEFAULT_EGRESS (0x334) |
CSCsj43677 |
Cisco IOS |
Active Sup720 crash when removing Standy supervisor |
CSCsj49293 |
Cisco IOS |
POS Interface Output Rate (200 mbps) > Line rate (155 Mbps) |
CSCsj78820 |
Cisco IOS |
MEM leak in Crypto IKMP process(crypto_ikmp_author_get_attributes) |
CSCsj85897 |
Cisco IOS |
SPA-TE1-Linkrec's out of sync between SPA and LC |
CSCsj86153 |
Cisco IOS |
Modular IOS CPU load oscillates even under constant load |
CSCsj91738 |
Cisco IOS |
Non-ip packet with mcast-mac addr cause high CPU with VPN-SPA VRF mode. |
CSCsj94539 |
Cisco IOS |
Spurious Alarms in PA-MC-8TE1+ may cause router crash |
CSCsj98198 |
Cisco IOS |
When we have only 1 flow in TT, flows are not exported to MC |
CSCsj98492 |
Cisco IOS |
Pak subblock handlers need to be part of packet library |
CSCsk19817 |
Cisco IOS |
shut/no shut causes pm failed get pm mp semaphore |
CSCsk67457 |
Cisco IOS |
BCP-MLP:Traffic stops flowing making one link shut on multilink |
CSCsk77462 |
Cisco IOS |
IETF Class attribute is missing in radius accounting record |
CSCsk88273 |
Cisco IOS |
Traceback seen @edisms on clearing counter on Active SP |
CSCsk93366 |
Cisco IOS |
lte_rp_get_lte_update_xdr_size/fib_upd_consume_rec_meets_upd_rec crash |
CSCsl04386 |
Cisco IOS |
%BIT-STDBY-4-OUTOFRANGE : Traceback on Bootup. |
CSCsl06059 |
Cisco IOS |
Router crash at route_map_vrf_af_change_nh |
CSCsl11335 |
Cisco IOS |
MVPN-MIB:Entries obtained from "ciscoMvpnBgpMdtUpdateTable" is incorrect |
CSCsl11868 |
Cisco IOS |
With IP CEF enabled ACL is not denying packets as intended.. |
CSCsl17798 |
Cisco IOS |
Etherchannel state inconsistent between active and standby |
CSCsl28371 |
Cisco IOS |
SPA-IPsec-2G VRF: L2 loop and broadcast storm may occur on default vlans |
CSCsl34481 |
Cisco IOS |
IPV6-MCAST:router crashes while unconfiguring ipv6 mcast routing |
CSCsl35325 |
Cisco IOS |
MRIB client remains after a linecard removal |
CSCsl39710 |
Cisco IOS |
cat6000 mac-address-table does not add entries for local fwsm mac.. |
CSCsl40528 |
Cisco IOS |
VS2: Port-channel fails to forward unicast packets after switchover. |
CSCsl53494 |
Cisco IOS |
C7600-SSC-400: Error message display incorrect product name |
CSCsl53727 |
Cisco IOS |
Add UDLD interface counters for debugging purpose |
CSCsl61164 |
Cisco IOS |
Router may crash @ipflow_fill_data_in_flowset when changing flow version |
CSCsl69123 |
Cisco IOS |
SIP-400:QoS:Police drops MPLSCP, CDPCP negotiation packets - SRA,SRB |
CSCsl70667 |
Cisco IOS |
12.2(33)SRB2: LC crash at fib_fib_feature_space_xdr_decode |
CSCsl72912 |
Cisco IOS |
VS2: WS-X6708 DFC crash in local_cb1(Segment violation) |
CSCsl80682 |
Cisco IOS |
SPA crashes if crypto acl changed |
CSCsl89890 |
Cisco IOS |
VS2: crash in psecure-process_timer |
CSCsl93559 |
Cisco IOS |
Unsupported ISL encap CLI option should be disabled on 6716 |
CSCsl94393 |
Cisco IOS |
OPNEXT / Sup32 uplink port stays up when far-end port down. |
CSCsl98238 |
Cisco IOS |
QoS statistics-export only exports to directly-connected destinations |
CSCsm04256 |
Cisco IOS |
CPUHOG and crash after 'show memory detailed all statistics' issued |
CSCsm24906 |
Cisco IOS |
IPV6 neighbour discovery not working on SVI intf under VRF |
CSCsm32363 |
Cisco IOS |
Netflow SLB sw-installed entries not aging out |
CSCsm37673 |
Cisco IOS |
Traffic from SSLM service module not going over multi-module etherchanne |
CSCsm54873 |
Cisco IOS |
EEM some time are not triggered properly |
CSCsm56279 |
Cisco IOS |
C2W2: Important enhancements to "test swi vir ltl index" CLI |
CSCsm59039 |
Cisco IOS |
Message "ME_AR#0 WARNING: Cannot FLUSH Dic#0" seen for WS-X6708A-10 LC |
CSCsm59384 |
Cisco IOS |
DPD not deleting IKE SA's |
CSCsm59926 |
Cisco IOS |
RP receives 2 copies of each PIM register with MVPN |
CSCsm59949 |
Cisco IOS |
vtp3:with 4k vlan HA reload/sso causes the standby to reload continuosly |
CSCsm69112 |
Cisco IOS |
Multicast output drop w/ IGMP snooping @ near line rate 1Gbps |
CSCsm69827 |
Cisco IOS |
%SYS-2-MALLOCFAIL:Process= "GraphIt" in SXH1_fc3 |
CSCsm70707 |
Cisco IOS |
WS-X6748-SFP shutdown(Could not set appropriate Switching mode) |
CSCsm70774 |
Cisco IOS |
Router crashes at cfg_kron_plcy_sbmd_cmd. |
CSCsm71537 |
Cisco IOS |
divide by 0 crash in oer_br_update_iface_counters |
CSCsm72807 |
Cisco IOS |
DHCP packets can get corrupted in an SSO environment |
CSCsm75020 |
Cisco IOS |
EARL7 Additional ECC Error Handling enhancements |
CSCsm76111 |
Cisco IOS |
10G ports generate CRC errors when using CISCO-FINISAR transceivers |
CSCsm77171 |
Cisco IOS |
Router crash when "ip flow" enabled. |
CSCsm77923 |
Cisco IOS |
C6k: Invalid vlan iface order in config after new vlan iface addition |
CSCsm82264 |
Cisco IOS |
VS2: Entire VSS system goes down after restarting call-home process |
CSCsm82958 |
Cisco IOS |
radius sticky entry deleted even if the idle timer is not 0 |
CSCsm84257 |
Cisco IOS |
crash in ipflow_periodic context due to watchdog timeout |
CSCsm86027 |
Cisco IOS |
B2B failover,ace_tunnel_compare:Invalid address_type, router crashed |
CSCsm94421 |
Cisco IOS |
Configuring STP cost in an etherchannel to the defaulthas no effect |
CSCsm99170 |
Cisco IOS |
Memory Leak seen in fw_lcp process |
CSCsm99690 |
Cisco IOS |
Netflow: Crash with aggregation caches and export to MPLS VPN |
CSCso00793 |
Cisco IOS |
ITP-76: Flexwan Memory version "VI4DP647228EBK-MD" causes reload |
CSCso05127 |
Cisco IOS |
WS-X6708-10GE crashes following upgrade to 12.2(33)SXH1 and 12.2(33)SXH2 |
CSCso08224 |
Cisco IOS |
WS-X6148-45AF port link takes 8 or more seconds to come up |
CSCso13950 |
Cisco IOS |
implementation of cmasModuleActionNotif in CSICO-MODULE-AUTO-SHUTDOWN-M |
CSCso16973 |
Cisco IOS |
VC in PE2 stays UP even after disabling ip cef globally |
CSCso17569 |
Cisco IOS |
VPN-SPA: WAN interface mtu incorrectly programmed on the SPA |
CSCso19924 |
Cisco IOS |
VPN SPA Module: Performance degradation on none-fragmented packets |
CSCso20519 |
Cisco IOS |
Cheronia: Fix SMB drive strength programming. |
CSCso20978 |
Cisco IOS |
EEM cron timer events save internal timer names to the config |
CSCso22754 |
Cisco IOS |
MAB/802.1X interop busted |
CSCso31506 |
Cisco IOS |
IPv6 AH Extension Headers Punted to Software on PFC-3B & 3C |
CSCso37640 |
Cisco IOS |
DHCP snooping ACL's are not getting programmed after switchover. |
CSCso38151 |
Cisco IOS |
Error/Traceback after power fail. %SPA-3-SW_ERROR: spa_get_card_info: |
CSCso39444 |
Cisco IOS |
The new Active supervisor will crash after SSO @ fib_path_list_lock_memo |
CSCso39518 |
Cisco IOS |
fh_policy_dir.proc process crash when activate 0E patch |
CSCso43539 |
Cisco IOS |
power converter failure reported before power was on |
CSCso44072 |
Cisco IOS |
High CPU due to multicast traffic getting punted to software |
CSCso46210 |
Cisco IOS |
VS: NAM on Standby switch not able to configure SPAN session |
CSCso50175 |
Cisco IOS |
% ENT_API-4-NOPORT: Traceback seen after switchover |
CSCso51417 |
Cisco IOS |
Enabling Gigabit ports on RSP720 cause send/receive of BFD packets fail |
CSCso52097 |
Cisco IOS |
IPV6 :Missing second Netflow shortcut after route change |
CSCso53741 |
Cisco IOS |
VPNSPA does not handle duplicate IPSec SA correctly in nested tunnel |
CSCso54131 |
Cisco IOS |
After SSO BPDU are being dropped |
CSCso55072 |
Cisco IOS |
Crash occurs during execution of TCL code in ESM handler |
CSCso56644 |
Cisco IOS |
EEM2.3::%SYS-3-CPUHOG: EEM ED Interface |
CSCso59288 |
Cisco IOS |
On enabling oob, aging is changed to 3 times is not shown in cli output |
CSCso62526 |
Cisco IOS |
c7600 RSP720: stdby RSP relods upon no flow-sampler interface commad |
CSCso65821 |
Cisco IOS |
wrr-queue map configuration propagates to all ports on a 6408 |
CSCso68840 |
Cisco IOS |
eou inactivity timer over rides reauth timer from ACS |
CSCso71355 |
Cisco IOS |
PVLAN - 6500 - Multicast flood broken from pvlan port to promiscuous |
CSCso75657 |
Cisco IOS |
Unable to configure cwan int in SSO - standby doesn't support cmd |
CSCso82039 |
Cisco IOS |
C2W2: Active console is getting locked for 2.5 mins during sso. |
CSCso84567 |
Cisco IOS |
6500 with WCCP and CoPP punts non-TCP packets into CoPP policy. |
CSCso85859 |
Cisco IOS |
RP crashs when using 'show memory detailed' |
CSCso87348 |
Cisco IOS |
Corruption in subflow code |
CSCso87838 |
Cisco IOS |
HSRP: with aggressive timers HSRP peer flaps when "wr mem" |
CSCso89823 |
Cisco IOS |
Pos interface "rxload" and "input bytes" counters incorrectly increment |
CSCsq00884 |
Cisco IOS |
"mls qos trust" cmd lost under port-channel interface when upgrading IOS |
CSCsq03475 |
Cisco IOS |
W2: Memory corruption caused by env object after being freed. |
CSCsq04355 |
Cisco IOS |
Fix in CSCso81632 is not complete |
CSCsq04673 |
Cisco IOS |
SIGSEGV in ios-base and syslog_pubinfo_enqueue |
CSCsq09228 |
Cisco IOS |
CHSTM1 SPA: Linkup/down traps not generated and snmp set not working |
CSCsq19146 |
Cisco IOS |
FPD creation for new pegasus rx (1.6) FPA image for Sip-1 CR |
CSCsq20970 |
Cisco IOS |
ATM option missing, while configuring T1 controller for mode atm |
CSCsq33790 |
Cisco IOS |
Switch crashes when authenticating a user with Filter-Id attribute |
CSCsq34245 |
Cisco IOS |
IPC Open Port Errors observed with SIP-400 |
CSCsq39079 |
Cisco IOS |
SPA-IPSEC-2G Crash under load due to IKE session establishment |
CSCsq46327 |
Cisco IOS |
Ca6k SXH : 2 crypto maps in same redundant standby grp: RRI not deleted |
CSCsq47140 |
Cisco IOS |
67xx module may not come online |
CSCsq47305 |
Cisco IOS |
High CPU on SP when both VSL PO are source interface |
CSCsq51286 |
Cisco IOS |
Memory Leak Occuring in QM Process on RP when a port is shut/no shut |
CSCsq53822 |
Cisco IOS |
Monitor session removal may affect traffic through WS-X6148A-RJ-45 |
CSCsq60553 |
Cisco IOS |
Create cwslc-rommon3.bin for cwpa2 to accomodate release Rommon (1.8) |
CSCsq62351 |
Cisco IOS |
C2W2:SUPW: GOLD EEM cannot crash switch immdediately as recovery action |
CSCsq63019 |
Cisco IOS |
Router Crash when "Clear Crypto Sessions" is issued on EzVPN server |
CSCsq63681 |
Cisco IOS |
c7600 Router crashing due to freed pointer in cfib invoked by Netflow |
CSCsq74300 |
Cisco IOS |
Set interface change for CSCsk63775 needs to be backed out |
CSCsq75704 |
Cisco IOS |
FW2 FE PA Interface stays up/down with no conn and goes up/up after sso |
CSCsq76749 |
Cisco IOS |
System Crash when inserting 10G Cards |
CSCsq77464 |
Cisco IOS |
mls rate-limit unicast cef receive value re-written upon TCAM exception |
CSCsq87431 |
Cisco IOS |
tracebacks seen on issuing sh mls qos ip command |
CSCsq87833 |
Cisco IOS |
platform ipv6 acl ahp command rejected during bootup |
CSCsq90487 |
Cisco IOS |
ME6524 running modular IOS images require 512 MB DRAM in SP in SXH3 |
CSCsq94150 |
Cisco IOS |
VSS system crash on show command during the initial conversion |
CSCsr12976 |
Cisco IOS |
High CPU in ION ios-base process |
CSCsr28305 |
Cisco IOS |
Packet drops on L2 portchannel on WS-X6708-10G |
CSCek58956 |
Infrastructure |
Need process_ok_to_reschedule check in process_may_suspend |
CSCsa97971 |
Infrastructure |
IOS SLB TCP probe state toggles |
CSCsb06920 |
Infrastructure |
SYS-3-MGDTIMER: Running timer -Process= SAA Event Processor |
CSCsd37499 |
Infrastructure |
%IFS-3-FSMAX: Failed to add ?, maximum filesystems 64 msg with Traceback |
CSCsh96179 |
Infrastructure |
IPSLA pathEcho probe doesn't complete for all hops |
CSCsj52693 |
Infrastructure |
ospf neighbor flap with fast hellos and 16 neighbors |
CSCsk70446 |
Infrastructure |
NRT: tracebacks @ data_inconsistency_error - 7200 for HTTP config. |
CSCsk99687 |
Infrastructure |
crash seen during ISSU runversion in ipc_open_port |
CSCsl60092 |
Infrastructure |
Active SP crashed @ipc_fragment_cleanup with VSL shut/no shut test |
CSCsm49218 |
Infrastructure |
Missing traceback for jump to zero exceptions |
CSCsm77199 |
Infrastructure |
DATACORRUPTION-1-DATAINCONSISTENCY HTTP_FIND_FLASH_FILE |
CSCsm89735 |
Infrastructure |
Router crashes on giving show idb after sessions are down in PPPOE-ipv6 |
CSCso02960 |
Infrastructure |
%RTT-4-DuplicateEvent causes trackbacks after upgrading to 12.2(33)SXH |
CSCec51750 |
IPServices |
Router reloads do to bus error. and illegal access to low address |
CSCeh69721 |
IPServices |
%SCHED-3-CORRUPT:Schedulerevent magic corrupted by TFTP Server |
CSCsb85982 |
IPServices |
Router reloads@ add_or_create_more_soc_buckets |
CSCsi42225 |
IPServices |
We need improvement for ip igmp limit command |
CSCsk83505 |
IPServices |
%L3_MGR-3-REQ_SEND:error packet allocation after Remote HL HW reset |
CSCsk96976 |
IPServices |
DHCP Option 66 adds more quotation marks around URL after reload. |
CSCsl51945 |
IPServices |
HSRPv6: Config Sync and stanby resets with standby 1 ipv6 <> |
CSCsm59037 |
IPServices |
no service dhcp command causes switch to reload |
CSCsm70580 |
IPServices |
c2w2:ciscoFtpClientMIB: ftp_fs.proc extra processes can deadlock & crash |
CSCsm92206 |
IPServices |
Router crashes when set the range of interfaces to default configs |
CSCso68344 |
IPServices |
Switch acting as DHCP server crashes on issuing no service dhcp command. |
CSCso91230 |
IPServices |
%LINK-2-INTVULN: errors with MLPPP and HWIC-4ESW |
CSCsq14698 |
IPServices |
crash when using nat with multicast traffic |
CSCsq48201 |
IPServices |
c7300:Bridge IRB-Router crash and traffic flow issue |
CSCsq67478 |
IPServices |
SSH session hangs |
CSCsl54243 |
LAN |
7600 SIP-400 crash after removing sub-ints; lc_deencap_dot1q_vlan |
CSCeh97382 |
Management |
Device reset when polling IKE/IPSEC MIB |
CSCsk38681 |
Management |
VS2: remote registry call messages ~ cdp2.iosproc:1 |
CSCsq79132 |
Management |
Excessive remote registry invocation on 'proto_on_swidb' registry |
CSCsj50412 |
MPLS |
Improper handling of remote binding wrt route info |
CSCsk42307 |
MPLS |
MPLS-TE CBTS: Sending out OSPF hellos over master tunnel. |
CSCso53377 |
MPLS |
All TE Lsps does not recover after SSO switchover |
CSCek75931 |
Multicast |
LNS: %SYS-3-CPUHOG When sessions have multicast |
CSCsk26429 |
Multicast |
Router configured for IGMP Proxy may not send IGMP Join |
CSCsl10316 |
Multicast |
ipv6 pim join-prune-interval 10 sets the interval to 20 seconds. |
CSCsl20158 |
Multicast |
SNMP:msdpPeer counters should be able to compare with CLI counters. |
CSCsl92316 |
Multicast |
LNS: %SYS-3-CPUHOG when clear l2tp tunnel, sessions have multicast |
CSCsm17426 |
Multicast |
RP-bit not cleared on s,g; traffic outage for 4 minutes |
CSCsm44620 |
Multicast |
Shutdown interface present in PIM interface list |
CSCsm48322 |
Multicast |
IPv6 Multicast RP ignores embedded RP register messages |
CSCsm53766 |
Multicast |
Reload due to Address Error with multicast configuration |
CSCsq09962 |
Multicast |
7600 : crash at "pim_proxy_empty_rd" |
CSCsq14151 |
Multicast |
RPF of (S,G) is set to NULL, When (S, G, R) entry is convered to (S, G) |
CSCse40966 |
PPP |
MLP links down after SSO switchover if aaa new-model cfged |
CSCek63203 |
QoS |
CEOP:VH:Ctrl+C while display show policy int cause console freeze |
CSCsm29181 |
QoS |
Crash when NBAR applied to sub-interface |
CSCsm49062 |
QoS |
cwan2: show queueing interface reports double count for wfq drops |
CSCek36995 |
Routing |
0.0.0.0 default route increasing on rip DB with object tracking |
CSCse65277 |
Routing |
MU:default isis metric maximum returns parser error |
CSCsf06946 |
Routing |
Removing loopback interface causes continuous standby RP reloading |
CSCsi87894 |
Routing |
RIP advertise default route after 'no default-information originate' |
CSCsi98730 |
Routing |
CEF/BGP table MPLS label mismatch in IOS 12.4(6)T5 |
CSCsj21785 |
Routing |
TE tunnel does not reoptimize after mtu change |
CSCsj56281 |
Routing |
BGP inherit peer-policy not working after router reload |
CSCsk37659 |
Routing |
Vrf route table does not get updated once pppox sessions are up. |
CSCsl04835 |
Routing |
BGP conditional route injection not removing routes from iBGP peers |
CSCsl06336 |
Routing |
removing 'maximum-paths import 6' causes duplicate paths in VRF table |
CSCsl20856 |
Routing |
standby HSRP flaps with ospf mib polling/aggressive timers/nostandby sso |
CSCsl30331 |
Routing |
Prefixes permitted despite the deny action on route-map continue |
CSCsl72774 |
Routing |
Memory leak in CEF consistency checker |
CSCsl84712 |
Routing |
Error- %OSPF-4-FLOOD_WAR: Process 123 re-originates LSA ID 10.55.122.148 |
CSCsl92283 |
Routing |
Unable to add into routing table if static route use interface + gateway |
CSCsm04442 |
Routing |
Router crash at rip_find_sum_idb |
CSCsm39159 |
Routing |
ARP HA cpu hog on stby while bringing up stby with large arp tables |
CSCsm43938 |
Routing |
stby resets when large config/arp table to sync over to it |
CSCsm45634 |
Routing |
BGP VPNv4 route is not actived immediately after receving update |
CSCsm47111 |
Routing |
FIB: Accessing freed memory while dequeuing |
CSCsm91801 |
Routing |
ASBR not updating metric in LSA-5 redistributing from 2-nd OSPF process |
CSCsm96785 |
Routing |
"nsf cisco" under router ospf config does not work, but "nsf ietf" works |
CSCso00383 |
Routing |
MVPN: New style PE doesn't send RD Type 2 MDT update |
CSCso27510 |
Routing |
Removing SVI with IPv6 address with 'no int vlan' crashes the router |
CSCso30199 |
Routing |
ISIS topology broken after a force-switchover when ispf is enabled |
CSCso62166 |
Routing |
Crash @ bgp_netlist_validate when ibgp established with metric |
CSCso63693 |
Routing |
ISIS: Maximum circuit limit (255) has reached with passive-interface def |
CSCso64274 |
Routing |
0.0.0.0/0 redistributed entry not removed RIP DB after deleting command |
CSCso73076 |
Routing |
can not delete ACE enties in ACL |
CSCso89675 |
Routing |
Device crash @ ip2access_add_pbacl_item with largre PBACL configuration |
CSCsq62703 |
Routing |
Router crashed with TLB (load or instruction fetch) exception |
CSCsq75944 |
Routing |
crashes in ipflow_ager, ipflow_sub functions, ipflow_periodic |
CSCeh48777 |
Security |
tunnel interface fluctuates between UP/DOWN state during ipsec rekey |
CSCir01449 |
Security |
Sync damage of CSCin74155 fix |
CSCsb58633 |
Security |
SCP server gives files with invalid checksum on some router platforms |
CSCsb80803 |
Security |
SSH Process: SCHED-3-UNEXPECTEDEVENT error message |
CSCse12154 |
Security |
Bus error crash after executing secure copy (scp) |
CSCsk75078 |
Security |
rcv client_input_channel_req: channel 0: unknown channel |
CSCsl61311 |
Security |
New SSH sessions with RSA key sometimes fails after changing hostname |
CSCsm57122 |
Security |
Scp and ssh failing with certain ssh clients |
CSCsl90285 |
WAN |
POS-APS: CWPA-3-NODISPATCH messages seen when configuring APS |
Caveats Resolved in Release 12.2(33)SXH2a
|
|
|
CSCsl45701 |
AAA |
TACACS+ per VRF authen failing: Address already in use |
CSCso87641 |
AAA |
Tacacs unable to connect to server |
CSCsh61002 |
Cisco IOS |
SPA-5X1GE: GE-port not transmitting after 'shut/no shut' and vica versa |
CSCsm69827 |
Cisco IOS |
%SYS-2-MALLOCFAIL:Process= "GraphIt" in SXH1_fc3 |
CSCso05127 |
Cisco IOS |
WS-X6708-10GE crashes following upgrade to 12.2(33)SXH1 and 12.2(33)SXH2 |
CSCso53516 |
Cisco IOS |
VSS: Incorrect fpoe programming causing unicast traffic blackhole |
Caveats Resolved in Release 12.2(33)SXH2
Resolved Security Caveats
A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange.
Cisco has released free software updates that address this vulnerability. Aside from disabling affected services, there are no available workarounds to mitigate an exploit of this vulnerability.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080924-ssl.
Resolved Unknown Caveats
Symptoms: A device that is running Cisco IOS software may crash during processing of an Internet Key Exchange (IKE) message.
Conditions: The device must have a valid and complete configuration for IPsec. IPsec VPN features in Cisco IOS software that use IKE include Site-to-Site VPN tunnels, EzVPN (server and remote), DMVPN, IPsec over GRE, and GET VPN.
Workaround: Customers that do not require IPsec functionality on their devices can use the no crypto isakmp enable command in global configuration mode to disable the processing of IKE messages and eliminate device exposure.
If IPsec is configured, this bug may be mitigated by applying access control lists that limit the hosts or IP networks that are allowed to establish IPsec sessions with affected devices. This assumes that IPsec peers are known. This workaround may not be feasible for remote access VPN gateways where the source IP addresses of VPN clients are not known in advance. ISAKMP uses port UDP/500 and can also use UDP/848 (the GDOI port) when GDOI is in use.
Further Problem Description: This bug is triggered deep into the IKE negotiation, and an exchange of messages between IKE peers is necessary.
If IPsec is not configured, it is not possible to reach the point in the IKE negotiation where the bug exists.
Other Resolved Caveats in Release 12.2(33)SXH2
|
|
|
CSCee66606 |
AAA |
per-group deadtime is nvgend as 60x user input |
CSCee89849 |
AAA |
Router reloaded at vtemplate_build_command_strings |
CSCsc98046 |
AAA |
TACACS Accounting isn't sending stop time in the stop packet. |
CSCsd48175 |
AAA |
AAA/TACACS not failing over to second server |
CSCsg14301 |
AAA |
AAA/TACACS spurious memory accesses in tplus_handle_req_timeout |
CSCsj88665 |
Access |
Bus error with PA-MC-2T3+ when deleting channel-group |
CSCsl41784 |
Access |
ION: ARP Input memory leak with "mobile ip arp" |
CSCsd84347 |
ATM |
PVC stops sending OAM loopback if AIS/RDI received |
CSCsj84931 |
ATM |
CEOP: after OIR with atm local switching and ima, router crashes |
CSCeb69473 |
Cisco IOS |
connect '/terminal-type' command memory corruption |
CSCeh08262 |
Cisco IOS |
Show tech SP output should honor redirect applied |
CSCek53174 |
Cisco IOS |
dhcp snooping cannot scale beyond 225 bindings |
CSCek66116 |
Cisco IOS |
B2B: IKEA trans 0x17; opcode 0x53; param 0x41 msg displayed forever |
CSCek71816 |
Cisco IOS |
CE-CE ping fail after restore ASBR-PE vrf |
CSCek78874 |
Cisco IOS |
KMI:Out of order deletes cause sync issues |
CSCsb87956 |
Cisco IOS |
loop in the state IKE_CONFIG_MODE |
CSCsh17328 |
Cisco IOS |
WS-SVC-WISM-1-K9 reports 0.0 in entPhysicalVendorType |
CSCsh84657 |
Cisco IOS |
STP Loopguard: Ability to disable loopguard for Po270 and higher for FWM |
CSCsh97395 |
Cisco IOS |
IDSM: Monitor config was removed after RPR switchover |
CSCsi52382 |
Cisco IOS |
radius attribute 5 nas-port not sent in access-request for RA VPN users |
CSCsi97434 |
Cisco IOS |
A router may crash when ipsec is established |
CSCsj48453 |
Cisco IOS |
AW: CAT6k does not forward multicast traffic to WISM in L3 mode |
CSCsj68951 |
Cisco IOS |
Diag Minor Error: TestVslStatus by shut down one side Sup4 uplink |
CSCsj87584 |
Cisco IOS |
call-home inventory full needs show ipdrom switch all for VSS |
CSCsj91961 |
Cisco IOS |
Ifnums of channels for E3 dont match on active and stdby |
CSCsk16240 |
Cisco IOS |
C2W1: active not responding msgs seen om reload with 41patches |
CSCsk21354 |
Cisco IOS |
PAT : Missing second Netflow shortcut after route change. |
CSCsk27081 |
Cisco IOS |
ifHCInOctets and ifHCOutOctets on GE-WAN interfaces wrap up at 2^32 |
CSCsk32872 |
Cisco IOS |
Wrong API usage, can lead to crash. |
CSCsk33740 |
Cisco IOS |
replay window size of 1024 causes IPSec Policy Check and Replay Failure |
CSCsk41134 |
Cisco IOS |
ISAKMP SA neg not successful for in tunnel mode w/ RSA-SIG |
CSCsk44233 |
Cisco IOS |
While raising the interrupt level, bgp_route_map_inform tries to suspend |
CSCsk58040 |
Cisco IOS |
WS-X6148A-GE-45AF retains previous modules MACs after OIR |
CSCsk80552 |
Cisco IOS |
Shut and no shut of interface causes the delay in forming rp mapping |
CSCsk82370 |
Cisco IOS |
RP crash and tracebacks in crypto related process |
CSCsk83089 |
Cisco IOS |
Increase maximum aggregate policer > 10Gbps |
CSCsk84925 |
Cisco IOS |
ipv4:SSM mroute not created due to ip mr-cache on IIF, traffic hits MSFC |
CSCsk97144 |
Cisco IOS |
wait for remote process DiagCard7/-1creation times out with 1018 ION |
CSCsl06577 |
Cisco IOS |
Linking bootflash to bootdisk failed after pcmcia_driver.proc restart |
CSCsl12827 |
Cisco IOS |
Handling Transit IpSec in VRF mode |
CSCsl18765 |
Cisco IOS |
6500-7600 : SPAN of EoMPLS port causes packet reflection or loop |
CSCsl19708 |
Cisco IOS |
Naxos : Disable Telesto Internal TERMINATION For Reference Clock, PB RAM |
CSCsl27236 |
Cisco IOS |
%SYS-3-CPUHOG: Task is running for (126000)msecs, causes RP crash. |
CSCsl32344 |
Cisco IOS |
Group of 4 ports on 6708 stops passing traffic |
CSCsl34515 |
Cisco IOS |
VS2:after SSO with preemption, port security is broken |
CSCsl43540 |
Cisco IOS |
VS2:snmp mac notification for port channel on DFC linecard doesn't work |
CSCsl51380 |
Cisco IOS |
Sup720 and Sup32 TCAM & SSRAM Consistency Checkers refinement |
CSCsl51395 |
Cisco IOS |
slot_earl_icc_shim_addr:device crash with hw-module reset |
CSCsl52092 |
Cisco IOS |
DHCP db agent considers port-channel interface (poX) as invalid |
CSCsl53037 |
Cisco IOS |
Mail action does not separate headers from body |
CSCsl53845 |
Cisco IOS |
sup720/SXH: dummy packet send over inband when sw netflow is used |
CSCsl58673 |
Cisco IOS |
EEM Prevents VTY telnet to MCP router |
CSCsl58924 |
Cisco IOS |
Standby SP crashed due to TestAclDeny failure on bootup/switchover |
CSCsl59553 |
Cisco IOS |
SIP-400: bursty traffic causes packet drop even in low rates |
CSCsl63311 |
Cisco IOS |
6500 May Experience High CPU due to NAT traffic |
CSCsl70016 |
Cisco IOS |
WS-X6516A-GBIC card in switch 2 goes down frequently in vsl |
CSCsl70404 |
Cisco IOS |
Memory leak on SUP - CMFI Process |
CSCsl71339 |
Cisco IOS |
Prevent ssa interrupts from corrupting sfp i2c accesses |
CSCsl72752 |
Cisco IOS |
VS2: after preempted switchover, interface states are out of sync |
CSCsl74456 |
Cisco IOS |
VPN-SPA : TCAM not programmed on POS sub-interface after a reload |
CSCsl74976 |
Cisco IOS |
Punted MPLS-tagged traffic causes control plane instabilities |
CSCsl75136 |
Cisco IOS |
Cat6k with Sup32 failed to boot up after power cycle. |
CSCsl75719 |
Cisco IOS |
sxf13 show int tunnel with blank display |
CSCsl75836 |
Cisco IOS |
VS2: MCAST LTL T/B's observed, when removing VLAN / SVI used for mcast |
CSCsl76647 |
Cisco IOS |
VPN SPA Cannot clear SA using conn-id with CLI |
CSCsl79219 |
Cisco IOS |
mvpn : bidir shadow entries not installed |
CSCsl83211 |
Cisco IOS |
Sup32 running ION image fails to bootup after a power-cycle. |
CSCsl84317 |
Cisco IOS |
Active crashes on applying acl to EoMPLS subif on SIP-600 |
CSCsl89069 |
Cisco IOS |
Zamboni crashed at illegal event/state combinationin CfgMonInd, clear sa |
CSCsl89176 |
Cisco IOS |
Cat6k may crash when vlanTrunkPortEntry is polled via snmp |
CSCsl89425 |
Cisco IOS |
BFD sessions dont scale |
CSCsl91085 |
Cisco IOS |
system/iprouting.iosproc crash after activate 39 dummy/restart patches |
CSCsl92286 |
Cisco IOS |
60 second multicast traffic loss as VSS standby chassis initializes |
CSCsl94301 |
Cisco IOS |
VS2: Mac learning in linecard gets disabled by pre-emption switchover. |
CSCsl97653 |
Cisco IOS |
bcm2_5421_isr bcm2_num: 1 messages seen in the log |
CSCsm01399 |
Cisco IOS |
Bus idle recovery may cause 10GE interface to remain down |
CSCsm04824 |
Cisco IOS |
OER Top Talker Functionality broken on s3223 |
CSCsm05486 |
Cisco IOS |
mtu mis probram in adj thru tunnel interface after b2b failover |
CSCsm08419 |
Cisco IOS |
debounce timer issue on sup32 10GE uplink and 6708 |
CSCsm11717 |
Cisco IOS |
VS2:On reloading standby chassis T/Bs on SP console for 1 minute |
CSCsm13389 |
Cisco IOS |
RRI is not called be if QM rekey timer expiry forces SA deletion |
CSCsm15350 |
Cisco IOS |
vpnspa crashed at assert failure in l2-mcpu.c on line |
CSCsm20994 |
Cisco IOS |
kron job daily reoccurences fail after new year |
CSCsm21126 |
Cisco IOS |
C7600-SSC-400: Resync fabric interface on fabric error |
CSCsm22935 |
Cisco IOS |
Problem in c6k_power_get_ilpower_daughterboard_used_pwr |
CSCsm24904 |
Cisco IOS |
Bridge-mib timing out dot1dBasePortIfIndex |
CSCsm26415 |
Cisco IOS |
Traceback seen when show platform cfm issued for fwd_vlan 0 |
CSCsm27017 |
Cisco IOS |
VS2: power configuration is not synced to standby |
CSCsm30858 |
Cisco IOS |
PIM register packets upmarked to TOS 6 by PTcam redirection |
CSCsm32493 |
Cisco IOS |
Backout of CSCsh94882 |
CSCsm33528 |
Cisco IOS |
Rekey packet loss for pure ipsec |
CSCsm34871 |
Cisco IOS |
Need to support enhanced PoE feature |
CSCsm35364 |
Cisco IOS |
SPA-IPSEC-2G get reload automatically by RP |
CSCsm44309 |
Cisco IOS |
L2 Po - new member was not included in mapped ucast flood &mcast indices |
CSCsm44413 |
Cisco IOS |
RP not added into LTL index when bridge-group is configured |
CSCsm46682 |
Cisco IOS |
HL: VACL capture functionality not working with the latest sierra |
CSCsm48564 |
Cisco IOS |
Need to exclude RxErrors from being monitored by LinkErrorMonitoring HM |
CSCsm49103 |
Cisco IOS |
I/O Memory Leak when running show mls cef command |
CSCsm49440 |
Cisco IOS |
RRI: Need to support remote-peer option when source proxy == peer |
CSCsm51299 |
Cisco IOS |
Code divergence caused a need for a second fix for CSCsl27236. |
CSCsm56293 |
Cisco IOS |
Sup4:DFC only mode, create bus stall condition-the switch still crash |
CSCsm59488 |
Cisco IOS |
Fix backwards compatibility for multicast egress netflow cli |
CSCsm70349 |
Cisco IOS |
BPDU traffic over Eompls is not switched on 3C system |
CSCsm81399 |
Cisco IOS |
No Such Instance error from many SNMP objs for 1xOC48 POS/RPR SPA |
CSCsm82169 |
Cisco IOS |
VSS: heathland interfaces are err-disabled on standby chassis |
CSCsm82382 |
Cisco IOS |
7600 standby RP memory leaking cause CEF disable |
CSCsm83893 |
Cisco IOS |
W2: "sh mls cef adj mpls detai"l after SSO freeze RP causeT/B, reboot |
CSCsm83948 |
Cisco IOS |
CISCO7609 returns sysObjectId as ciscoProducts.402 (which is cisco7606) |
CSCsm92183 |
Cisco IOS |
c2w1: Heathland card is not coming up due to diag failure |
CSCsm95456 |
Cisco IOS |
Duplicate L3 packets with 6708 and DEC |
CSCsm96243 |
Cisco IOS |
Switch crashes on executing sh tcam interface acl with include option |
CSCsm96610 |
Cisco IOS |
OOB-MAC-SYNC is on, need to change internally the cam aging to 480 Sec |
CSCsm97836 |
Cisco IOS |
Memory leak VSL Manager |
CSCsm98256 |
Cisco IOS |
Berytos got power down due to TestMacNotification and TestFabricCh0Healt |
CSCso02208 |
Cisco IOS |
VS2: crash when provisioning LI stream |
CSCso12903 |
Cisco IOS |
RE MET address check missing while running MET patch on IO bus timeout |
CSCso25489 |
Cisco IOS |
CSCsg03804 - Time Based ACL Issue not fixed |
CSCsl29993 |
Content |
WCCP Should Mark Client 'NOT Usable' with Missing L2 Adjacency |
CSCsl65335 |
Content |
WCCP: reload following ACL update |
CSCsm12247 |
Content |
WCCP: hash assignment may be lost after service group change |
CSCsm32473 |
Content |
WCCP: system reload with path splitting and output redirection |
CSCsm35350 |
Content |
WCCP GRE return breaks IPsec traffic AND/OR creates phantom packet count |
CSCsm53427 |
Content |
WCCP: multicast + appliance shutdown leads to high CPU |
CSCsa57468 |
Infrastructure |
rttmon-mib does not return getnext value when queried via snmp |
CSCse07265 |
Infrastructure |
No syslog message generated for IP SLA timeout condition |
CSCsj54596 |
Infrastructure |
logging userinfo command no longer accepted |
CSCsj83417 |
Infrastructure |
BOOM: addto_mempool_pc_array() message seen with show memory command |
CSCsk06492 |
Infrastructure |
snmp-server drop vrf-traffic implementation in 12.2 SRB train |
CSCsk13725 |
Infrastructure |
GSR: rttmon-mib does not return getnext value when queried via snmp |
CSCsk37278 |
Infrastructure |
BFD clients flaps when boot string is removed from "show running". |
CSCsk75310 |
Infrastructure |
UDP Echo: control message not sent out of correct interface. |
CSCsl33908 |
Infrastructure |
show ver truncates system's running image name to 64 chars |
CSCsl58963 |
Infrastructure |
Manual OIR of pcmcia flash card crashes dosfs proc in Sup720 |
CSCsl70722 |
Infrastructure |
Router crash polling rttmon mib with active IP SLA probes |
CSCsg60447 |
IPServices |
7200: BVI stops receiving CLNS/ISIS packets |
CSCsi78892 |
IPServices |
Configuring bridge-group makes CPUHOG message. |
CSCsj29841 |
IPServices |
Port forwarding breaks NAT-overload on a 6509 |
CSCsj93195 |
IPServices |
RP crashes at ipv4fib_les_switch_wrapper on configuring crypto map |
CSCsk06539 |
IPServices |
bus error while unconfiguring static SSM mappings via TFTP. |
CSCsk39022 |
IPServices |
Modular IOS: ip directed-broadcast not working |
CSCsk39926 |
IPServices |
Unable to route local FTP traffic over VRF with IOS image |
CSCsl10348 |
IPServices |
Crash writing to or from ftp/tftp server in modular IOS |
CSCsl23788 |
IPServices |
Dlsw+ peer waits in AB_PENDING or WAIT_WR status with modular IOS |
CSCsk94676 |
LegacyProtocols |
dlsw with tbridge, COMMON_FIB-4-FIBIDBMISMATCH |
CSCsk41552 |
Management |
T/B %SCHED-3-THRASHING of cdp2.iosproc process_wait_for_event |
CSCsj34456 |
MPLS |
LDP change by CSCsi69278 causes inconsistent mplsLdpEntityIndex value. |
CSCsk57114 |
MPLS |
CPUHOG process = SNMP ENGINE, PWMIB, GetNext of cpwVcMplsNonTeMappin |
CSCsl39233 |
MPLS |
eBGP in VRF-lite not working in images without MPLS. |
CSCsd14706 |
Multicast |
PIMV2 router send PIMV1 RP-reachable messages loading recieve router CPU |
CSCsg95192 |
Multicast |
no ip rp-address <ACL name> causes an address error |
CSCsj88725 |
Multicast |
Wrong (S,G) RPF after route change, no upstream join |
CSCsl27840 |
PPP |
Router may Crash / Hang, Module Reset @ Shut ATM member + MLPOA |
CSCsi73132 |
QoS |
Multicast DSCP value not copied to PIM-SM RP-register packet |
CSCsk63794 |
QoS |
FlexWAN WS-X6582-2PA + T3+ Serial PA may crash/reload |
CSCea90941 |
Routing |
IOS Ignores EIGRP Stub Command In Startup-Config at Initial Power On |
CSCeg25475 |
Routing |
Distribute-list configured in ipv4 acts in vpnv4 address-family |
CSCse53019 |
Routing |
redistribution not triggered when BGP as-path/community changes |
CSCsg80259 |
Routing |
BGP Routes do not re-populate follwing reload of Secodary Route Reflect |
CSCsh12493 |
Routing |
BGP overlapping VRF route not installed in RIB after add/del of VRF |
CSCsh92749 |
Routing |
ISIS: ADJ del triggers both LSP and SPF |
CSCsi51431 |
Routing |
JQL:SIERRA:SP HighCPU/LCboot up fail with largeACL cfg after sw reload |
CSCsk34344 |
Routing |
Wrong share-count 1:10 via confed-external BGP peers using dmzlink-bw |
CSCsl07297 |
Routing |
SXF11: BGP "no neighbor" command caused Address Error exception. |
CSCsl47915 |
Routing |
Redistribution of ospf in rip with prefix-list not working properly |
CSCsl57457 |
Routing |
ISIS NSF switchover failure - similar to CSCsl28278 |
CSCsl83415 |
Routing |
Rtr crash in show cmd: new updgrp add enlarges Nbr bitfield size for Tbl |
CSCsl94410 |
Routing |
Back out the CSCsj17879 for all non ERF branch |
CSCsm23764 |
Routing |
CEF RF progression error if RRP reloads mid CEF sync |
CSCsm27979 |
Routing |
router may crash for "address error exception" doing sh ip route vrf |
CSCsm64516 |
Routing |
OSPF MD5 Key Does Not Accept Whitespace Character |
CSCso22098 |
Routing |
OSPF down on RPR+ switchover on core router |
CSCin91851 |
Security |
Support keyboard-interactive authentication method |
CSCsj45031 |
Security |
Cat6k unable to SCP files from Tectia ssh server |
CSCsl98498 |
Security |
Tunnel int is going down with mode ipip decapsulate-any |
CSCsj68446 |
WAN |
NTP will not sync - NTP packets received but ignored by NTP process. |
Caveats Resolved in Release 12.2(33)SXH1
Resolved AAA Caveats
Symptoms: Router reloads after authentication attempt fails on console.
Conditions: Occurs while performing AAA accounting. The accounting structure was freed twice, which results in a crash. Occurs when the aaa accounting send stop-record authentication failure command is configured, which sends a stop record for authentication failure.
Workaround: Remove the aaa accounting send stop-record authentication failure command.
Resolved Infrastructure Caveats
This is the Cisco Product Security Incident Response Team (PSIRT) response to a vulnerability that was reported on the Cisco NSP mailing list on August 17, 2007 regarding the crash and reload of devices running Cisco IOS after executing a command that uses, either directly or indirectly, a regular expression. The original post is available at the following link:
http://puck.nether.net/pipermail/cisco-nsp/2007-August/043002.html
The Cisco PSIRT posted a preliminary response on the same day; it is available at the following link:
http://puck.nether.net/pipermail/cisco-nsp/2007-August/043010.html
Preliminary research pointed to a previously known issue that was documented as Cisco bug ID CSCsb08386 (registered customers only), and entitled “PRP crash by show ip bgp regexp”, which was already resolved. Further research indicates that the current issue is a different but related vulnerability.
There are no workarounds available for this vulnerability. Cisco will update this document in the event of any changes.
The full text of this response is available at
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20070912-regexp
Symptoms: Syslog displays password when copying the configuration via FTP.
Conditions: This symptom occurs when copying via FTP. The syslog message displays the password that the user supplied as part of the FTP copy syntax.
Workaround: There is no workaround.
Resolved Routing Caveats
Symptoms: A few seconds after OSPF adjacencies come up, a router crashes because of a bus error.
Conditions: This symptom is observed on a Cisco router that functions as an ISR that is configured for OSPF.
Workaround: Add area 0 in the OSPF VRF processes.
Alternate Workaround: Enter the no capability transit command in the OSPF VRF processes.
Resolved Unknown Caveats
Symptom: Bus error crash (signal 10) seen after the following error message:
%MCAST-SP-6-GC_LIMIT_EXCEEDED: MLD snooping was trying to allocate more Layer 2 entries than what allowed (7744)
Conditions: This has been observed on a Catalyst 6500 running IOS version 12.2(18)SXF1.
Workaround: Disable IPv6 MLD snooping with the no ipv6 mld snooping command.
There is no negative impact of implementing the workaround as long as there is no IPv6 multicast traffic in the network.
Other Resolved Caveats in Release 12.2(33)SXH1
|
|
|
CSCek58496 |
AAA |
Mem alloc at aaa_test_setup_auth_req/aaa_test_setup_acct_req leaked |
CSCsh59019 |
AAA |
Avoiding AAA client hangs, if a protocol subsystem is not present. |
CSCsi99473 |
AAA |
TACACS authorization fails with 'request for nonexistent server' msg. |
CSCsj34688 |
AAA |
AAA: adding static route cfg does not trigger acct msg to tacacs server |
CSCsj89305 |
AAA |
RADIUS/NAS-IP address is sent out as 0.0.0.0 |
CSCsj97165 |
AAA |
%AAA-3-BADMETHODERROR: Router crash @ aaa_get_new_acct_reg_type. |
CSCsl33966 |
AAA |
C6509 : attribute 32 nas-Id not sent for Auth (missed by CSCsf30451). |
CSCsm06740 |
AAA |
Memory Leak in AAA accounting and Virtual Exec |
CSCef67942 |
Access |
AS leaking memory under IP input - regcomp |
CSCsi00099 |
Access |
Spurious Memory Access Error @ ct3sw_check_freedm_fifo |
CSCsj37071 |
Access |
PA-MC-E3 will not recover after workload stress |
CSCek61180 |
ATM |
crash @ write_to_url, doprintc_core, atm_remove_vc |
CSCin90065 |
ATM |
ATM pvc trap may not always be generated or generated continously |
CSCsb67229 |
ATM |
Ip add config on p2p interface tries to reflect it on all p2p int. |
CSCse13374 |
ATM |
IMA ports on 7600 always initialized to default clocking on bootup. |
CSCse98383 |
ATM |
Bandwidth not changed on IMA group when one member link is made down. |
CSCsj57084 |
ATM |
Voice packets in LLQ experience latency |
CSCdu70318 |
Cisco IOS |
Feature Request: VRF-lite PBR |
CSCdz55178 |
Cisco IOS |
QoS profile name of more then 32 chars will crash the router. |
CSCek34097 |
Cisco IOS |
with about 100 subints configd rtr crashes at ipv6 multicast-rout |
CSCek36017 |
Cisco IOS |
Need show mac abbreviated equivalent command in IOS |
CSCek52381 |
Cisco IOS |
Killing tcp.proc leads to no thread information in LC |
CSCek75082 |
Cisco IOS |
Router crashes while unconfiguring channel-group |
CSCek76062 |
Cisco IOS |
Router crashed @ validmem_complete_interrupt. |
CSCek78066 |
Cisco IOS |
Whitney:CLI & MIB mismatch for aux-1 temperature Sensor SUP32 |
CSCek78633 |
Cisco IOS |
SSO:ESM20:TB at %MFI-3-REDISTMGR: Redistribution Manager |
CSCek79138 |
Cisco IOS |
VLAN policy not applied to bridged pkts if SVI shutdown. |
CSCin99430 |
Cisco IOS |
snmp-server sparse is not working correctly for IF-MIB |
CSCsa79984 |
Cisco IOS |
CTRLC_ENBL should be cleared when line is reset |
CSCsb29131 |
Cisco IOS |
show crypto ipsec sa identity detail causes system to reload |
CSCsc24830 |
Cisco IOS |
Far end router reload causing traceback at dmlp_update_hw_stats |
CSCsc98471 |
Cisco IOS |
show diagnostic sanity fails to check software modularity boot string. |
CSCsd88768 |
Cisco IOS |
%SYS-2-BADSHARE: Bad refcount in datagram_done fix for PA-MCX-8TE1 |
CSCse45684 |
Cisco IOS |
multicast (hsrp/ospf) coming from service modules is blackholed by vacl. |
CSCse67736 |
Cisco IOS |
Add support for XFP-ZR optics |
CSCsf01190 |
Cisco IOS |
Netflow export destination command dissapears from running config. |
CSCsf97859 |
Cisco IOS |
invalid shows in show hw-module subslot with SPA-OC192POS-LR |
CSCsg09423 |
Cisco IOS |
IPSEC SAs dont recover after rekey with 3000 IKE SAs and PKI (RSA-Sig). |
CSCsg15159 |
Cisco IOS |
Traffic to Null0 accounted with Null as dest IF |
CSCsg16417 |
Cisco IOS |
show ip slb connections firewall cmd accepts not configured FW farm name |
CSCsg19793 |
Cisco IOS |
Psecure absolute aging on DFC causes MAC inconsistency w/ Central EARL |
CSCsg21809 |
Cisco IOS |
Add bridge asic status collection support. |
CSCsg23226 |
Cisco IOS |
service counters max age does not function correctly for value 6-9 sec |
CSCsg29305 |
Cisco IOS |
hw-module subslot reload crashes the router. |
CSCsg36532 |
Cisco IOS |
DMVPN Phase 2: Black hole traffic when spoke-spoke tunnel fails |
CSCsg99914 |
Cisco IOS |
sip-200 power-cycles after BGP flap (not responding to keepalive) |
CSCsh17579 |
Cisco IOS |
Transceiver TX Power displays erroneous TX level |
CSCsh24450 |
Cisco IOS |
Memory leak from IF-MGR DB elem chunk @ im_if_db_init |
CSCsh24460 |
Cisco IOS |
ipv6 ISIS ping through doesnt return 100% success rate |
CSCsh31782 |
Cisco IOS |
Bus error crash - show crypto isakmp sa |
CSCsh34467 |
Cisco IOS |
Standby constanly reset due to RF request with large configuration. |
CSCsh49239 |
Cisco IOS |
After redundancy failover Mcast packets drop for 60-90sec on SUP uplink |
CSCsh64639 |
Cisco IOS |
VS2: [dead threads] process takes a large chunk of CPU util |
CSCsh69341 |
Cisco IOS |
SLB: Incorrect feature execution in ssv |
CSCsh80130 |
Cisco IOS |
Add warning/comments to interfaces when Auto Lag is used for interface |
CSCsh82046 |
Cisco IOS |
SIERRA: sup4 standby crashes at sstrncpy during bootup. |
CSCsh85531 |
Cisco IOS |
E1 channels down after PE reload |
CSCsh88532 |
Cisco IOS |
Auto-LAG EtherChannel not configurable; doesn't trust QoS.. |
CSCsh91974 |
Cisco IOS |
PIM CLI causes RP crash when issued under control-plane subconfig prompt |
CSCsh97848 |
Cisco IOS |
Sierra: LACP pdus should be untagged. |
CSCsh99583 |
Cisco IOS |
VTP's Local updater ID uses EOBC though up state SVIs exist |
CSCsi00136 |
Cisco IOS |
IKE does not process more than 2 NAT-D payload |
CSCsi05265 |
Cisco IOS |
SYS-2-GETBUF: Bad getbuffer -Process= LSDp Input Proc |
CSCsi06759 |
Cisco IOS |
SIP 200: SNMP-3-DVR_DUP_REGN_ERR |
CSCsi09942 |
Cisco IOS |
VTP3: Print warning message when the vlan name exceeds 20 characters |
CSCsi11874 |
Cisco IOS |
Sup720 DFC forwarding some packets to MSFC instead of hw switching |
CSCsi12416 |
Cisco IOS |
Native vlan traffic disruption in etherchannel standalone (I) mode |
CSCsi23021 |
Cisco IOS |
WiSM in Slot 13 cause Duplicate IP message and loss of access |
CSCsi24069 |
Cisco IOS |
Collect additional debug info for Modular IOS kernel crashes |
CSCsi39631 |
Cisco IOS |
Show mpls l2transport vc detail using incorrect packet counters |
CSCsi42270 |
Cisco IOS |
IOS-SLB Radius Server LB may not mark a real as failed |
CSCsi48280 |
Cisco IOS |
PRE3 Mcast: Switchover not shown from default to data MDT |
CSCsi49436 |
Cisco IOS |
Netflow API needs to be extended to provide peer AS information |
CSCsi50028 |
Cisco IOS |
dot1x port moves authorize->guest, radius attributes and zombie MAC held |
CSCsi65363 |
Cisco IOS |
Not able to run to t1 loopback when using a PA-MC-T3 with flexwan |
CSCsi70426 |
Cisco IOS |
Traceback seen when router received a craft EAP id-response frame |
CSCsi71940 |
Cisco IOS |
System crashed with auto-qos negative test with traffic. |
CSCsi74194 |
Cisco IOS |
18SXF: Egress SPAN may cause high CPU |
CSCsi76842 |
Cisco IOS |
Line protocol remains down on changing from frame-relay to hdlc/ppp. |
CSCsi79991 |
Cisco IOS |
VACL capture not supported for the GE-WAN or GigabitEthernet on SIP-400 |
CSCsi81885 |
Cisco IOS |
Trunk negotiation fails when Po is configured with Min_links.. |
CSCsi82337 |
Cisco IOS |
Policy routing punts incoming packets to process with VRF select enabled |
CSCsi87837 |
Cisco IOS |
IF-MIB does not support gig interfaces on SPA-IPSEC-2G |
CSCsi90816 |
Cisco IOS |
show policy-map interface caused sup32 crash.. |
CSCsi91324 |
Cisco IOS |
MCAST packet drop when other interface goes down on DFC |
CSCsi93273 |
Cisco IOS |
Leak in Big buffer pool on SIP card with NetFlow-export version 9 |
CSCsi98587 |
Cisco IOS |
Excessive MET refs and memleak after ipv4 stress, crash follows. |
CSCsi99234 |
Cisco IOS |
RP crash at validblock with %SYS-6-BLKINFO: Corrupted redzone blk |
CSCsi99875 |
Cisco IOS |
BOOM: spa_eeprom_read_bit on BOOTUP |
CSCsi99991 |
Cisco IOS |
When CMM is rebooted, FE goes into ErrDisabled state |
CSCsj00385 |
Cisco IOS |
logging event link-status default negates existing interface config |
CSCsj01961 |
Cisco IOS |
ifindex table size from nvram sould be validated before malloc |
CSCsj02971 |
Cisco IOS |
12.2SRB - signed/unsigned error in code for 'show ip cache aggregation a |
CSCsj03212 |
Cisco IOS |
blade get into bad b2b state if it is not b2b ready |
CSCsj04905 |
Cisco IOS |
IOS-SLB: FWLB sticky config not get removed |
CSCsj05519 |
Cisco IOS |
Standby NSE crashed IDBINDEX_SYNC-3-IDBINDEX_ENTRY_LOOKUP |
CSCsj08713 |
Cisco IOS |
Disable bfd on SVI interfaces |
CSCsj10375 |
Cisco IOS |
802.1X: VLAN Changing on port causes link to go down |
CSCsj10744 |
Cisco IOS |
Input queue wedged with Inband Edit Packets on SIP-400 |
CSCsj11561 |
Cisco IOS |
Inconsistent MTU for Adj. entries used by MLS Netflow and MLS CEF |
CSCsj11771 |
Cisco IOS |
VS2: transceiver_rp_oir_online takes ~6s during reg_invoke_oir_online |
CSCsj13444 |
Cisco IOS |
rsp720-10ge: PBR next-hop information lost on RPR switchover. |
CSCsj14557 |
Cisco IOS |
Bogus Port channel 345 is created on simultaneous boot sometimes |
CSCsj14847 |
Cisco IOS |
crypto connect command dropped after reload on unchannelized 2CT3+. |
CSCsj16292 |
Cisco IOS |
DATACORRUPTION-1-DATAINCONSISTENCY: copy error |
CSCsj17048 |
Cisco IOS |
WS-X6708: show flow control shows send admin/oper state as desired |
CSCsj17485 |
Cisco IOS |
Router crashed on doing a show cry isa pro while deleting them |
CSCsj18494 |
Cisco IOS |
Leak +MN to pfc to avoid flooding due to tx span. |
CSCsj27352 |
Cisco IOS |
RX Priority q-limit is set to default after reload |
CSCsj28026 |
Cisco IOS |
WhitneyVS: Unable to mibwalk clcFdbVlanInfoTable.. |
CSCsj28753 |
Cisco IOS |
IF-MIB::ifHCOutUcastPkts is incorrect on ESM20G |
CSCsj29657 |
Cisco IOS |
Degradation in TPS - Whitney IOS image. |
CSCsj32493 |
Cisco IOS |
IPSEC: Incorrect IPSec connection info in InvalidSPI testing |
CSCsj34267 |
Cisco IOS |
SP crashes due to segmentation violation with 400 igmp groups/vrf |
CSCsj34552 |
Cisco IOS |
ip address of vlan interface not programmed into spa-ipsec-2g |
CSCsj35776 |
Cisco IOS |
Some of the VCs are INACTIVE after SPA OIR |
CSCsj36689 |
Cisco IOS |
Corruption in block allocated by svclc_config |
CSCsj38796 |
Cisco IOS |
LC/SP crash @ label_entry_get_inlabel |
CSCsj42303 |
Cisco IOS |
6K installs ffff.ffff.ffff in CAM table under very specific conditions |
CSCsj48589 |
Cisco IOS |
BGP route (injected by OER) remains in Routing table after path is clear |
CSCsj51666 |
Cisco IOS |
ip ssh ver 2 command missing in 12.2(25)EWA |
CSCsj56703 |
Cisco IOS |
SSO failover causes RSTP forwarding and physical interfaces blocking. |
CSCsj58538 |
Cisco IOS |
Lots of prowler/patriot interface go down for few second during sso swov |
CSCsj61811 |
Cisco IOS |
process restart pcmcia_driver.proc on SP crashes the SP |
CSCsj64453 |
Cisco IOS |
HSRP support in protocol policing |
CSCsj66829 |
Cisco IOS |
Switch crash with clear ip igmp snoop stat and show ip igmp snoop st |
CSCsj66987 |
Cisco IOS |
ifAlias for Subintf Reports the Previous Value if Description Deleted |
CSCsj67096 |
Cisco IOS |
Issue w/NATed traffic on PortChannel (WS-X6408 and WS-X6516) on Sup720 |
CSCsj72251 |
Cisco IOS |
BOOTP replies dropped if DHCP snooping is enabled |
CSCsj72438 |
Cisco IOS |
Control plane instability and %EARL-DFC3-2-SWITCH_BUS_IDLE: Switching bu |
CSCsj75636 |
Cisco IOS |
Crash in SP observed when per-port igmp statistics cleared |
CSCsj77885 |
Cisco IOS |
%HA_EM-7-FMS_POLICY_MAX_ENTRIES message because of teminal length limit |
CSCsj78751 |
Cisco IOS |
ES20: shut & no shut on ZR XFP causes the port to stay down |
CSCsj80655 |
Cisco IOS |
timer value overflows when the specified val is larger than a long val |
CSCsj81067 |
Cisco IOS |
IPSec VPN SPA: OLD-CISCO-CHASSIS-MIB does not return cardType |
CSCsj81502 |
Cisco IOS |
show pagp clis are not displaying the correct information. |
CSCsj83102 |
Cisco IOS |
crash upon card type configuration on WS-X6582-2PA / PA-MC-8TE1+ |
CSCsj84641 |
Cisco IOS |
some patches failed to commit during install commit of 41 patches. |
CSCsj85930 |
Cisco IOS |
t/b slot_earl_icc_shim_addr tm_send_message on changing to rpr |
CSCsj86854 |
Cisco IOS |
SPAN does not reset FPOE (to SP) when converting to distributed |
CSCsj87584 |
Cisco IOS |
call-home inventory full needs show ipdrom switch all for VSS |
CSCsj88208 |
Cisco IOS |
DOM not working for LR+ and ER+ Xenpaks |
CSCsj88221 |
Cisco IOS |
class-default should not police BPDUs |
CSCsj89470 |
Cisco IOS |
Bus Error crash in Netflow on 7200 running netflow and L2TP |
CSCsj89905 |
Cisco IOS |
EEM applet hangs if system prompt is changed |
CSCsj90252 |
Cisco IOS |
SYS-3-CPUHOG IP RIB Update seen on Active RP |
CSCsj91795 |
Cisco IOS |
Appl TCs are not monitored when 12.2SRB BR is used with 12.4(15)T1 MC. |
CSCsj95733 |
Cisco IOS |
Packet loss between sup4 uplink to 65xx modules |
CSCsk02456 |
Cisco IOS |
TBs found @ pm_assert_fail.. |
CSCsk02962 |
Cisco IOS |
Supervisor Reload after SSO switchover on Multicast MET reconstruction. |
CSCsk03679 |
Cisco IOS |
VS2: show mls nde intermittently causes ALIGN-3-SPURIOUS T/B's |
CSCsk06769 |
Cisco IOS |
shut on L2 int cause packets to loop back on T1 int causing traffic loss |
CSCsk09155 |
Cisco IOS |
spa-ipsec-2g remains in Initialization state |
CSCsk18206 |
Cisco IOS |
TCAM adjacency hardware programming problem with PBR and NAT. |
CSCsk20346 |
Cisco IOS |
P router crash due to no EOBC buffer and illegal access to low address |
CSCsk23521 |
Cisco IOS |
EARL-SPSTBY-2-SWITCH_BUS_IDLE is seen with SW switched traffic |
CSCsk24272 |
Cisco IOS |
SUP720-3B RP Crash due to I/O Buffer Leak by NDE w/ NAM 127.0.0.x Addr |
CSCsk26973 |
Cisco IOS |
Memory leak in nhrp_cache_delete for incomplete cache entries |
CSCsk30146 |
Cisco IOS |
Router crashed %DUMPER-3-PROCINFO: pid = 12315: (sbin/ios-base) SIGBUS |
CSCsk33661 |
Cisco IOS |
show platform hardware capacity should include LTL usage. |
CSCsk33724 |
Cisco IOS |
DOM does not work anymore for cwdm gbic/sfp |
CSCsk33740 |
Cisco IOS |
replay window size of 1024 causes IPSec Policy Check and Replay Failure |
CSCsk34237 |
Cisco IOS |
Egress multicast replication broken due to wccp. |
CSCsk37675 |
Cisco IOS |
IKE stuck after several hours of IKE SA rekey. |
CSCsk38024 |
Cisco IOS |
VS2: EtherChannel state on standby is incorrect due to out of order FEC |
CSCsk41374 |
Cisco IOS |
device crash seen when auth-proxy enabled on the LPIP vlan. |
CSCsk43058 |
Cisco IOS |
Port channel to WiSM controller suspended after upgrading to 12.2(33)SXH |
CSCsk43673 |
Cisco IOS |
C2W1: Network RF client takes too long to process switchover.. |
CSCsk45585 |
Cisco IOS |
Heathland: On bootup MPLS not supported on platform message |
CSCsk55012 |
Cisco IOS |
setting portDuplex from 'full' to 'full' may cause standby reset. |
CSCsk55423 |
Cisco IOS |
7600's SPD implementation allow COS 5 or above in Extended headroom |
CSCsk58810 |
Cisco IOS |
should NOT allow enable port-security on negotiating trunk interface. |
CSCsk60874 |
Cisco IOS |
show tech needs 'show diagnostic results' and 'show diagnostic events'. |
CSCsk60912 |
Cisco IOS |
MPLS forwarding table empty on standby RP. |
CSCsk62017 |
Cisco IOS |
multicast (hsrp/ospf) coming from service modules is blackholed by vacl. |
CSCsk64860 |
Cisco IOS |
Config rollback to data file causes system to stuck at delete file mode. |
CSCsk65482 |
Cisco IOS |
clear ip slb CLI is defined with wrong privilege level |
CSCsk65860 |
Cisco IOS |
IOS-SLB:Security ACL breaks Client traffic |
CSCsk67801 |
Cisco IOS |
WiSM:WiSM interfaces in manual LAG get shutdown at reload |
CSCsk68656 |
Cisco IOS |
AB76: MFI push issu client msg type 5020 V1 MTU differ btwn SRB1/SRC |
CSCsk70087 |
Cisco IOS |
Sup720 TLB exception created by fill_earl_vlan_stats_hdr. |
CSCsk73627 |
Cisco IOS |
WS-X6548-GE-TX powered down due to keep alive polling feature |
CSCsk78396 |
Cisco IOS |
Router may crash if SNMP walk on cefcModuleTable. |
CSCsk80934 |
Cisco IOS |
Add errmsg to clearly indicate if lc reset due to power convertor failur |
CSCsk82459 |
Cisco IOS |
VS2: continuous msg - Flooding detected in diag inband driver caused SSO |
CSCsk82877 |
Cisco IOS |
METROPOLIS #0 cnt=1 reg:[1B0]kic_kic_int 02 |
CSCsk83524 |
Cisco IOS |
L3 physical interface input drop counter is incorrect. |
CSCsk83646 |
Cisco IOS |
BX10 ports don't link-up after Centaurus resets.. |
CSCsk83683 |
Cisco IOS |
VRF-Lite aware PBR feature does not work after reload/SSO swover |
CSCsk84944 |
Cisco IOS |
unidirectional Ethernet UDE is broken on WS-6704 after SW upgrade |
CSCsk85987 |
Cisco IOS |
VS2: After 2 x SSO, SVI was down and multicast join didn't work |
CSCsk86381 |
Cisco IOS |
KMI memory leak in 'IPSEC key engine' when delete p2 failed |
CSCsk87262 |
Cisco IOS |
Switch crashes when polling port security MIB for SIP or Flexwan |
CSCsk88173 |
Cisco IOS |
mac-address-table static with disable-snooping break on reboot |
CSCsk88760 |
Cisco IOS |
122SR:Routers crashes on unconfiguring vlan in the LACP mode |
CSCsk89100 |
Cisco IOS |
6196-RJ-21 Dropping all ingress frames with CRC counter incremented. |
CSCsk89335 |
Cisco IOS |
After SSO switchover, see 6K DC power supplies mismatched. |
CSCsk91267 |
Cisco IOS |
Module fails to come up with (FRU-power failed) |
CSCsk93587 |
Cisco IOS |
TestFabricCh0Health test failure with unidir traffic via Ch1on Berytos |
CSCsl04500 |
Cisco IOS |
OBFL process causing 6708 high CPU |
CSCsl04687 |
Cisco IOS |
DFC3C pps counter does not work |
CSCsl06110 |
Cisco IOS |
DHCP snooping agent: parse failures when importing the DB |
CSCsl08912 |
Cisco IOS |
Vlan access list not working when have "xconnect vfi #" under the SVI |
CSCsl13477 |
Cisco IOS |
SSO not working with crypto maps terminating at same peer address. |
CSCsl23758 |
Cisco IOS |
WS-X6548-RJ-45: Wrong value of the output counter on show interface |
CSCsl26981 |
Cisco IOS |
PBACL config causes hostname change when you downgrade to Rockies image |
CSCsl26998 |
Cisco IOS |
Switch crashes on applying PBR with next-hop verify-availability |
CSCsl41230 |
Cisco IOS |
IPSec SPA breaks IPSec if interesting traffic uses TCP ports |
CSCsl70148 |
Cisco IOS |
PIM enabled p2p Crypto GRE Tunnels not installed in Hardware |
CSCsl70634 |
Cisco IOS |
67xx EC tx/rx traffic dependency resulting in low throughput |
CSCsl94488 |
Cisco IOS |
Smartports CLI missing in sup32 ipbase image |
CSCsm17983 |
Cisco IOS |
Memory corruption by l3_mgr_e7_fmask_init_platform |
CSCsi05906 |
Content |
WCCP:appliance failover does not update TCAM adjacency |
CSCsi10700 |
Content |
WCCP:copy TOS value from inner to outer GRE packet |
CSCsi91658 |
Content |
Wccp stops layer 2 redirection when dscp is present in the redirect acl |
CSCsj09149 |
Content |
WCCP: no redirection following change in configuration |
CSCsj48440 |
Content |
WCCP: L2 return traffic is software switched |
CSCsk14208 |
Content |
WCCP does not work after OIR or Reboot |
CSCsl04908 |
Content |
WCCP: shutdown of appliance i/f leads to c6k reload |
CSCsb95806 |
Infrastructure |
Incorrect 64bit counter on 1Gb MPLS interface via SNMP. |
CSCsc33389 |
Infrastructure |
When snmp-server host is deleted, the trap is not sent to other hosts |
CSCsc84077 |
Infrastructure |
IOS CLI will stop accepting octal by default |
CSCsd52019 |
Infrastructure |
cieIfStateChangeReason and locIfReason support broken. |
CSCsf30779 |
Infrastructure |
Add CLI for section keyword in show run output modifiers |
CSCsh25151 |
Infrastructure |
memory leak seen with reflexive ACL and NAT/PAT |
CSCsh48919 |
Infrastructure |
Embedded spaces in DOSFS dirs/file names cause crash in some platforms |
CSCsh81291 |
Infrastructure |
Exodus Mayflower C10K ISSU fails at loadversion |
CSCsj37635 |
Infrastructure |
Incorrect source IP address is used for IP SLA icmp-echo with VRF |
CSCsj58223 |
Infrastructure |
Bus Error after 'show memory'. |
CSCsj80951 |
Infrastructure |
*Neutrino* proc reported memory Freed/Holding is incorrect |
CSCsj83924 |
Infrastructure |
Porting command show history all to mainlines |
CSCsj83966 |
Infrastructure |
Syslog traps cause CPUHOG when lot of interface come up at same time. |
CSCsk10335 |
Infrastructure |
Traceback @ ipc_send_message_blocked during bootup. |
CSCsk27147 |
Infrastructure |
SNMP stops responding while polling from CISCO-MEMORYPOOL-MIB |
CSCsk38461 |
Infrastructure |
Show platform hardware command getting rejected. |
CSCsk67272 |
Infrastructure |
CPU HOG while polling ciscoFrameRelayMIB. |
CSCsl09867 |
Infrastructure |
Exec-timeout not working at more prompt when using Modular IOS |
CSCsl13216 |
Infrastructure |
warm upgrade is not working. |
CSCsl53110 |
Infrastructure |
VSS: Stby rp crashes on boot |
CSCeh56158 |
IPServices |
NAT outside source translation fails for GRE packets. |
CSCsg97662 |
IPServices |
Can't disable skinny (tcp 2000). |
CSCsh92986 |
IPServices |
Very long latency for RSH traffic going through FWSM. |
CSCsi16903 |
IPServices |
IGMPv3 mode 4 group report with {} source list gets translated to mode 6 |
CSCsi28444 |
IPServices |
DHCP server has parse problems with x in bootfile |
CSCsi42717 |
IPServices |
saa_vrf_test_udpe & saa_vrf_test_itter generate an unexpected error mess |
CSCsi57927 |
IPServices |
FTP session hangs TCP in closewait after CLI times out. |
CSCsj07951 |
IPServices |
Memory Corruption when Autoinstall over FR |
CSCsj62846 |
IPServices |
Need to differentiate IPv4 and IPv6. |
CSCsj89544 |
IPServices |
TCP retransmissions get dropped below IP layer. |
CSCsk07170 |
IPServices |
MD5 validation error shows IPv4 address but should IPv6 address |
CSCsk10604 |
IPServices |
Syn pkts destined to VRF fail to match the default TCB in table |
CSCsk29013 |
IPServices |
IGMP groups in the vrf not rejoined after executing a cle ip mr vrf |
CSCsk80935 |
IPServices |
SXF12, SNMP response being broadcast. |
CSCsk81396 |
IPServices |
NAM process crash in 12.2SXF. |
CSCsk82821 |
IPServices |
The UUT not able to receive the Large ICMP message. |
CSCsl00350 |
IPServices |
ARP entry not created for nat translated IP. |
CSCsl06431 |
IPServices |
Modular IOS: Memory leak in udp.proc |
CSCsc77148 |
LegacyProtocols |
Router crash while issuing show ipx cache command. Cleanup SA warnings. |
CSCsh34949 |
LegacyProtocols |
DLSW router crash with Bus Error |
CSCsj98895 |
LegacyProtocols |
v2-single-tcp peer connection is established on a non confg/prom peer |
CSCsg05873 |
Management |
Buffer leak with SNA Focalpoint PU consuming middle buffers with NMVTs |
CSCsk36618 |
Management |
Device crash with cdp traffic @ 200 pkts/sec and clear cdp table |
CSCsi75566 |
MPLS |
Packets dropped on FRR backup tunnel if protected intf is dot1q |
CSCsi99825 |
MPLS |
7613 crashed on SNMP Engine |
CSCsj55865 |
MPLS |
Traceback seen @ lsd_rewrite_create and lsd_frr_co_req |
CSCsk14113 |
MPLS |
LDP change in advertise-tag for access list stop advertising some prefix |
CSCsk57589 |
MPLS |
TB:%LFD-3-INVINSTALLER & %BGP_MPLS-3-VPN_REWRITE(seen on bootup) |
CSCec55244 |
Multicast |
PIMv6: Spurious access at pim_ipv6_hello_addr_adv_size |
CSCek26940 |
Multicast |
Need to unhide interval for send-rp-discovery |
CSCsh56720 |
Multicast |
CPUHOG/Watchdog timeout when using igmp static group class-map cmd |
CSCsi01481 |
Multicast |
%PIM_PROT-3-SHUTDOWN_ERR seen at unconfig ipv6 pim rp-addr. |
CSCsi97586 |
Multicast |
MGX-RPM-XF-512 reset after customer deleted multicast vpn and vpn vrf |
CSCsj16861 |
Multicast |
Dynamically overwritten bidir RP doesn't get removed from HW |
CSCsj64230 |
Multicast |
bidir DF election should not be restarted on a downstream interface |
CSCsk49073 |
Multicast |
%DUMPER-3-PROCINFO... SIGSEGV when running Extranet MVPN |
CSCef54653 |
PPP |
Members inactive in a multilink bundle except the first member. |
CSCse28421 |
PPP |
%AAAA-3-BADSTR error when Multilink interface goes down. |
CSCek49107 |
QoS |
Router crashes @ traffic_shape_dequeue_shim. |
CSCek78675 |
QoS |
SIP200 crash at hqf_cwpa_pak_enqueue_local during qos test. |
CSCse18146 |
QoS |
SIP1-CT3: SIP1 crashed after switchover @giant_node_process. |
CSCsg98040 |
QoS |
QoS applied to int with dot1q trunk does not match MPLS EXP on 12.2S |
CSCsk09651 |
QoS |
Router may reload with shaping policy on MLPPPoFR. |
CSCec43841 |
Routing |
EIGRP: IP next-hop incorrect on spokes when using no next-hop-self |
CSCek33384 |
Routing |
Tunnels stay down after cutover at MPLS head test cases |
CSCek75079 |
Routing |
Problem in type7 to type5 translation if summary-addr configured |
CSCek76776 |
Routing |
ip interface settings persistent after deleting/adding sub-interface |
CSCek78315 |
Routing |
Access to NULL ptr with debug ip ospf hello. |
CSCek79264 |
Routing |
static route tracked by track-object not installed into routing tabl. |
CSCsa73179 |
Routing |
Memory corruption/crash when 'no default-information orig' under RIP |
CSCsc73725 |
Routing |
EIGRP packet pacing should have lower minimum value |
CSCsd34114 |
Routing |
IPv6 Localpools allows more than one prefix per user |
CSCse42362 |
Routing |
EIGRP next hop not updated on spoke, in a dual hub/dual path dmvpn topo |
CSCsf27220 |
Routing |
Router crashes on traffic with NHRP |
CSCsg12385 |
Routing |
No IPv6 uRPF subblock control decode function |
CSCsg16778 |
Routing |
router may crash at bgp_update_nbrsoo after deleting BGP neighbor. |
CSCsg25995 |
Routing |
N/w configured are not seen in mbgp table with nbr nlri unicast multi |
CSCsg63932 |
Routing |
IPv6 Static issue with same path from two clients |
CSCsg72029 |
Routing |
setting M bit in RA suppresses autoconfig bit |
CSCsg94088 |
Routing |
OSPF route map not matching community-list / ipv6 redistributing bgp |
CSCsh20656 |
Routing |
TCP header compression elicits upstream retransmissions from Fritz |
CSCsh38140 |
Routing |
CEF drops when using CEF LB paths and active link recovers from failure |
CSCsh54797 |
Routing |
high CPU in collection process after bringing up pppoe sessions twice. |
CSCsh57509 |
Routing |
RIPv2 does not delete redundant paths with different next hops. |
CSCsh80008 |
Routing |
BGP: soft reconfiguration inbound and neighbor weight has no effect |
CSCsh82953 |
Routing |
EIGRP pece routes missing extcomm attrs after redistribution to BGP. |
CSCsh87744 |
Routing |
IPv6 mcast: RPF fails even while MBGP has default route |
CSCsh88825 |
Routing |
bgp: advertisement-interval not nvgened for peer-groups |
CSCsi09698 |
Routing |
BGP adv connected prefixes suppressed by IP Event Dampening after reload |
CSCsi15183 |
Routing |
change MTU value causes %DUAL-3-INTERNAL in ipigrp2_add_item_dest |
CSCsi17002 |
Routing |
IPv6 PBR policy routes to non-attached destination |
CSCsi25729 |
Routing |
ISIS doesn't enable BFD except after micro reload |
CSCsi27696 |
Routing |
oldest ebgp bestpath not retained in eibgp multpath cases |
CSCsi33147 |
Routing |
OSPFv3: prefix lsa does not re-originate after interface comes up. |
CSCsi41109 |
Routing |
Traffic loss and High RP CPU with SPA OIR with a large configuration |
CSCsi47635 |
Routing |
deleted sub-interface shows up on next config sub-interface |
CSCsi48304 |
Routing |
Multi-source redistributing makes ospfv3 external db corrupt |
CSCsi53353 |
Routing |
BGP TTL Hack breaks ipv6 neighbor |
CSCsi58303 |
Routing |
eigrp resync peer graceful-restart repeatedly after reload. |
CSCsi58867 |
Routing |
CPUHOG After show ip route static or show ip route connected |
CSCsi62017 |
Routing |
%XDR-DFC3-6-XDRLCDISABLEREQUEST: Client XDR Interrupt Priority Client |
CSCsi80057 |
Routing |
RIP default-information originate with route-map not working correctly. |
CSCsj00161 |
Routing |
IPv6 may load balance between summary discard and reachability paths. |
CSCsj04761 |
Routing |
No space between 'any' and 'eq' after configuring ipv6 acl |
CSCsj06265 |
Routing |
Switch crashes when doing clear ip ospf process |
CSCsj09838 |
Routing |
RR some prefix might not be sent after bgp neighbor flaps. |
CSCsj10185 |
Routing |
CPU hog in ospfv3_clean_partial_spfQ and ospf_clean_partial_spfQ |
CSCsj17820 |
Routing |
Hub crashes during unconfiguration due to program counter error |
CSCsj17950 |
Routing |
ISIS redistributed static routes might not be advertised |
CSCsj25841 |
Routing |
default not sent using neighbor default-originate conditionally w/route |
CSCsj25940 |
Routing |
%SYS-2-NOTQ: unqueue didn't find 6433F698 in queue. |
CSCsj32013 |
Routing |
GSR crashing with bgp_vpnv4_purge_one_import. |
CSCsj36133 |
Routing |
Invalid header length BGP notification when sending withdraw |
CSCsj37111 |
Routing |
IPv4 inconsistencies & %FIB-4-FIBXDRINV upon reset LC |
CSCsj53361 |
Routing |
ISIS flaps after NSF/SSO of peer with 16 neighbor,5k routes and traffic. |
CSCsj54395 |
Routing |
router crash when iphc configured with SLIP encap |
CSCsj64154 |
Routing |
c7600 - %SIP200_MP-4-PAUSE: Non-master CPU is suspended for too long |
CSCsj71306 |
Routing |
mfibv4: HA: BGP MDT update is injected into standby. |
CSCsj72039 |
Routing |
Prefix not in ISIS database if serial interface and passive |
CSCsj80615 |
Routing |
BGP not sending prefix with expected next hop to the peers. |
CSCsj85485 |
Routing |
EIGRP NSF - MSFC switchover causes hello's to be sent over passive intf |
CSCsj89636 |
Routing |
isis convergence time delay with equal paths |
CSCsj97484 |
Routing |
32kEVC: ESM LC OIR crash causes RP to crash when LC comes up. |
CSCsj99269 |
Routing |
BGP: VPNv4 general scanner runtime close to 1 hour at boot time. |
CSCsk21328 |
Routing |
6504 crashes in IPV6 |
CSCsk26719 |
Routing |
show ip access crash with per-user acl |
CSCsk27077 |
Routing |
router crash observed while clearing virtual access interface |
CSCsk29853 |
Routing |
ospf takes almost 10 minutes to flash Stale, self-originated LSAs |
CSCsk33115 |
Routing |
OSPF virtual-link fails to come up during IETF GR & RIB entries deleted |
CSCsk35970 |
Routing |
BGP Router/Scanner causes high CPU utilization when using BGP multipath |
CSCsk35985 |
Routing |
OSPFv3: router crashes for "show ipv6 ospf lsdb" after redist of routes |
CSCsk36324 |
Routing |
OSPF: spf calculation goes into loop causing high CPU. |
CSCsk38877 |
Routing |
PE_PUNT_UNRECOGNIZED should be an OUTPUT_FEATURE. |
CSCsk46195 |
Routing |
Arp entry does not age out with private vlans and no ip sticky-arp |
CSCsk48182 |
Routing |
BGP: Router crashes @ bgp_netlist_validate |
CSCsk66339 |
Routing |
ISIS fails remove native path from local RIB / del path from global RIB |
CSCsk89546 |
Routing |
RIB and FIB not updated after shut TE LB path |
CSCsl13950 |
Routing |
VS2:XDR_LC traceback seen on Standby-RP on bootup. |
CSCsl18176 |
Routing |
OSPF SPF calculation with TE metric absolute picks wrong egress. |
CSCsl28278 |
Routing |
OSPF-Route/CEF entry lost after SSO on the neighbor |
CSCsl71540 |
Routing |
Router crash after using cmd 'sh ip bgp x.x.x.x [bestpath |
CSCsh72664 |
Security |
DMVPN: OSPF neighbor flap and traceback @ tunnel_oqueue. |
CSCsj60938 |
Security |
SCP with redirect option locks up console or VTY line. |
CSCsj78065 |
Security |
tunnel_trace CPUHOG in Net Background process |
CSCsk00054 |
Security |
mGRE fragmentation into tunnel broken |
CSCei22295 |
WAN |
Traceback is seen at fr_svc_teardown_calls |
CSCsc38968 |
WAN |
Frame-relay EEK failure does not keep subinterface down |
CSCsi70599 |
WAN |
Standby reloads due to Config Sync: Line-by-Line sync verifying failure |