Bugs for Cisco IOS Release 15.4(3)S
Open and Resolved Bugs
Bugs describe unexpected behavior in Cisco IOS software releases. Severity 1 bugs are the most serious bugs; severity 2 bugs are less serious. Severity 3 bugs are moderate bugs, and only select severity 3 bugs are included in this section.
In this section, the following information is provided for each bug:
- Symptoms—A description of what is observed when the bug occurs.
- Conditions—The conditions under which the bug has been known to occur.
- Workaround—Solutions, if available, to counteract the bug.
Note: If you have an account on Cisco.com, you can also use the Bug Toolkit to find select bugs of any severity. To reach the Bug Toolkit, log in to Cisco.com and go to http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl. (If the defect that you have requested cannot be displayed, this may be due to one or more of the following reasons: the defect number does not exist, the defect does not have a customer-visible description yet, or the defect has been marked Cisco Confidential.)
This section consists of the following subsections:
- Using the Bug Search Tool
- Resolved Bugs—Cisco IOS Release 15.4(3)S9
- Resolved Bugs—Cisco IOS Release 15.4(3)S8
- Open Bugs—Cisco IOS Release 15.4(3)S8
- Resolved Bugs—Cisco IOS Release 15.4(3)S7
- Open Bugs—Cisco IOS Release 15.4(3)S7
- Resolved Bugs—Cisco IOS Release 15.4(3)S6a
- Open Bugs—Cisco IOS Release 15.4(3)S6
- Resolved Bugs—Cisco IOS Release 15.4(3)S6
- Open Bugs—Cisco IOS Release 15.4(3)S5
- Resolved Bugs—Cisco IOS Release 15.4(3)S5
- Open Bugs—Cisco IOS Release 15.4(3)S4
- Resolved Bugs—Cisco IOS Release 15.4(3)S4
- Open Bugs—Cisco IOS Release 15.4(3)S3
- Resolved Bugs—Cisco IOS Release 15.4(3)S3
- Resolved Bugs—Cisco IOS Release 15.4(3)S2
- Resolved Bugs—Cisco IOS Release 15.4(3)S1
- Open Bugs—Cisco IOS Release 15.4(3)S
- Resolved Bugs—Cisco IOS Release 15.4(3)S
Using the Bug Search Tool
The Cisco Bug Search Tool enables you to filter the bugs so that you only see those in which you are interested. In addition to being able to search for a specific bug ID, or for all bugs in a product and release, you can filter the open and/or resolved bugs by one or more of the following criteria:
For more information about how to use the Cisco Bug Search Tool, including how to set email alerts for bugs and to save bugs and searches, see Bug Search Tool Help & FAQ.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.
To use the Cisco Bug Search Tool:
1. In your browser, navigate to the Cisco Bug Search Tool.
2. If you are redirected to a Log In page, enter your registered Cisco.com username and password, and then click Log In.
3. To search for a specific bug, enter the bug ID in the Search For field and press Enter.
4. To search for bugs related to a specific software release, do the following:
a. In the Product field, choose Series/Model from the drop-down list and then enter the product name in the text field. If you begin to type the product name, the Cisco Bug Search Tool provides you with a drop-down list of the top ten matches. If you do not see this product listed, continue typing to narrow the search results.
b. In the Releases field, enter the release for which you want to see bugs.
The Cisco Bug Search Tool displays a preview of the results of your search below your search criteria. You can mouse over bugs to see more content about a specific bug.
5. To see more content about a specific bug, you can do the following:
– Mouse over a bug in the preview to display a pop-up with more information about that bug.
– Click on the hyperlinked bug headline to open a page with the detailed bug information.
6. To restrict the results of a search, choose from one or more of the following filters:
– A predefined date range, such as last week or last six months.
– The bug severity level as defined by Cisco. For definitions of the bug severity levels, see Bug Search Tool Help & FAQ.
– The rating assigned to the bug by users of the Cisco Bug Search Tool.
Resolved Bugs—Cisco IOS Release 15.4(3)S9
Table 1 Resolved Bugs—Cisco IOS Release 15.4(3)S9
Resolved Bugs—Cisco IOS Release 15.4(3)S8
Table 2 Resolved Bugs—Cisco IOS Release 15.4(3)S8
Open Bugs—Cisco IOS Release 15.4(3)S8
Table 3 Open Bugs—Cisco IOS Release 15.4(3)S8
Resolved Bugs—Cisco IOS Release 15.4(3)S7
Table 4 Resolved Bugs—Cisco IOS Release 15.4(3)S7
Open Bugs—Cisco IOS Release 15.4(3)S7
Table 5 Open Bugs—Cisco IOS Release 15.4(3)S7
Resolved Bugs—Cisco IOS Release 15.4(3)S6a
This is a special release in Cisco IOS software that addresses Cisco Product Security Incident Response Team (PSIRT) caveats.
Table 6 Resolved Bugs—Cisco IOS Release 15.4(3)S6a
NTP leap second addition is not working during leap second event
Open Bugs—Cisco IOS Release 15.4(3)S6
Table 7 Open Bugs—Cisco IOS Release 15.4(3)S6
Resolved Bugs—Cisco IOS Release 15.4(3)S6
Table 8 Resolved Bugs—Cisco IOS Release 15.4(3)S6
Open Bugs—Cisco IOS Release 15.4(3)S5
Table 9 Open Bugs—Cisco IOS Release 15.4(3)S5
ATM 3xOC3 SPA failed to program with IFCFG_CMD_TIMEOUT error
Resolved Bugs—Cisco IOS Release 15.4(3)S5
Table 10 Resolved Bugs—Cisco IOS Release 15.4(3)S5
Open Bugs—Cisco IOS Release 15.4(3)S4
Table 11 Open Bugs—Cisco IOS Release 15.4(3)S4
Resolved Bugs—Cisco IOS Release 15.4(3)S4
Table 12 Resolved Bugs—Cisco IOS Release 15.4(3)S4
Open Bugs—Cisco IOS Release 15.4(3)S3
Table 13 Open Bugs—Cisco IOS Release 15.4(3)S3
Resolved Bugs—Cisco IOS Release 15.4(3)S3
Table 14 Resolved Bugs—Cisco IOS Release 15.4(3)S3
Resolved Bugs—Cisco IOS Release 15.4(3)S2
Table 15 Resolved Bugs—Cisco IOS Release 15.4(3)S2
Resolved Bugs—Cisco IOS Release 15.4(3)S1
All resolved bugs for this release are available in the Cisco Bug Search Tool through the fixed bug search.
This search uses the following search criteria and filters:
Open Bugs—Cisco IOS Release 15.4(3)S
This section describes possibly unexpected behavior by Cisco IOS Release 15.4(3)S. All the bugs listed in this section are open in Cisco IOS Release 15.4(3)S. This section describes only severity 1, severity 2, and select severity 3 bugs.
Symptom: A Cisco switch may crash after issuing the no ip dhcp pool command.
Conditions: This symptom occurs when DHCP is configured.
Workaround: There is no workaround.
Symptom: IPv6 default route does not get redistributed into EIGRP without metrics.
Conditions: This symptom occurs when redistribute static is issued without mentioning metrics.
Workaround: Mention metrics when issuing the redistribute static command under EIGRP.
Symptom: Incremental memory leaks are observed.
Conditions: This symptom occurs under the following conditions:
– The TFTP server that is mentioned in the DHCP database is not reachable.
– Remove and add the DHCP pool.
Workaround: There is no workaround.
Symptom: The Default static route tag value does not get updated on OSPF.
Conditions: This symptom occurs under the following conditions:
1. Add static default route with tag value.
2. Configure OSPF with redistribute static and default-information originate.
The tag value does not get updated.
Workaround: Create a separate route map for updating the tag value. Route map should be tagged with the default-information originate command under OSPF.
Symptom: An unexpected process restart occurs after running the following commands in quick succession:
Conditions: This symptom occurs when service instances are configured on the interface with encapsulation and bridge-domain configuration under the interface. Spanning tree must also be configured before running the commands.
Workaround: Leave a 10 second gap between entering the above mentioned commands.
Symptom: A Cisco router crashes.
Conditions: This symptom occurs under the following conditions:
1. Configure the below CLI and make sure that the SCP server IP is unreachable:
2. Wait for 60 seconds or the following message:
3. Make SSH connect from this device to the other device and exit from that connection so as to be back to the original device (optional).
5. The following message appears:
6. The router would hang or crash. If not, run any show command (show ip int br).
7. If all the above conditions are met, wait for the router to crash. Cisco ISR routers take around 5-10 minutes to crash and Cisco ASR routers crash immediately most of the time.
Workaround: Use FTP or TFTP with “ip dhcp database”. Do not use SCP with “ip dhcp database”.
Symptom: TE FRR paths are lost after an SSO.
Conditions: This symptom occurs under the following conditions:
1. TE tunnels are configured between PE1 and PE2.
2. TE NSR is configured on PE1 and FRR node protection is configured on PE1.
Before SSO, the FRR database shows the FRR paths and after SSO the FRR paths are lost.
Resolved Bugs—Cisco IOS Release 15.4(3)S
Symptom: A Cisco router reloads at snmp_free_variable_element while using SNMPv3 commands.
Conditions: This symptom occurs while using SNMPv3 commands.
Workaround: There is no workaround.
Symptom: A Cisco ATM router configured with ATM PVC Range commands reports the following error when attempting to configure a PVC Range:
Unable to configure PVC Range. Possibly multiple users configuring IOS simultaneously.
Conditions: This problem occurs randomly and even if there are no multiple sessions accessing the pvc-range at the same time.
Workaround: There is no workaround.
Symptom: A Cisco switch may reload when configured for SNMP.
Conditions: This symptom is observed when SNMP inform hosts are configured.
Workaround: Remove the SNMP host configurations for SNMP informs.
Symptom: After removing the encapsulation on MFR member interface, tracebacks are observed.
Conditions: This symptom is observed when serial interface is configured with FR MLP configuration.
Workaround: There is no workaround.
Symptom: A customer experienced a crash on a 6509 after configuring WCCP.
Conditions: The customer configured WCCP with hash assignment and enabled port hashing. The crash happens during redirection if packets are software switched.
Workaround: The possible workarounds are:
1. Disable port-hashing if we are using hash-assignment.
2. Use mask-assignment method.
Symptom: A Cisco router crashes with the following message:
Conditions: This symptom occurs when a router acts as the mid point for MPLS-TE tunnels and performs an ERO expansion. In case the ERO expansion fails (due to IGP race conditions or inter-AS scenario) and backup tunnels are in use (for MPLS-TE FRR feature), the router may crash.
Workaround: Configure the head-ends to perform a full ERO computation to avoid mid points performing any ERO expansion. This can be done using the dynamic path option or by using the explicit path that specifies strict hops for each node along the desired LSP path (using "loose" hops or partial strict hops can lead to this issue).
Symptom: A router randomly crashes either due to memory corruption at bgp_timer_wheel or memory chunks near bgp_timer_wheel (For example, BFD event chunks if BFD is configured or AtoM Manager chunks if LDP is configured). A crash occurs right after an LDP neighbor is up in the L2VPN setup.
Conditions: This symptom occurs when vpls bgp signaling is unconfigured and then reconfigured. Both L2VPN and BGP are unconfigured and reconfigured after all L2VPN and BGP data structures are fully deleted (about 3 minutes for 5 BGP VPLS prefixes). For the repro on file, OSPF (for IGP) is also unconfigured and reconfigured. Both LDP and BGP signalling are affected by this bug.
Workaround: Avoid unconfiguring and reconfiguring BGP L2VPN.
Symptom: The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
Cisco has released free software updates that address these vulnerabilities.
There are no workarounds to mitigate these vulnerabilities.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat
Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.
Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
Conditions: See the published Cisco Security Advisory.
Workaround: See the published Cisco Security Advisory.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-2111 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: When a switchover is triggered before unicast (and multicast) has converged, the MFIB is not in the “running state” and is held in the initializing state forever.
Conditions: This symptom occurs when a switchover is triggered before unicast has converged.
Workaround: Perform the switchover after unicast has converged.
Symptom: A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device.
Cisco has released free software updates that address these vulnerabilities.
There are no workarounds to mitigate this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn
Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. All advisories address vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security Advisory lists the Cisco IOS Software releases that correct the vulnerability or vulnerabilities detailed in the advisory as well as the Cisco IOS Software releases that correct all Cisco IOS Software vulnerabilities in the March 2014 bundled publication.
Individual publication links are in Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication at the following link:
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
Conditions: See published Cisco Security Advisory.
Workaround: See published Cisco Security Advisory.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-2112 has been assigned to document this issue.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: A buffer leak is observed on a Cisco router.
Conditions: This symptom occurs while using SSLVPN.
Workaround: There is no workaround.
Symptom: The standby RP crashes.
Conditions: Memory corruption occurs in certain cases when the following commands are executed in quick succession. It leads to a crash later when the memory is accessed. The issue is seen only with on-demand PVCs and when the commands are copied and pasted or executed using a script or tool.
Workaround: Do not execute the commands in quick succession.
Symptom: Prompt is provided for configure replace command when file prompt quiet is configured.
Conditions: This symptom is observed when “file prompt quiet” has been configured.
Workaround: Use “force” along with the configure replace command.
Symptom: UDP based entries are not deleted from the flowmgr table resulting in crash, or poor system response, with CPU hog messages being shown.
Conditions: Affected Platforms - images
Device is configured with UDP services that originate from the device. This includes but not limited to the following features:
Workaround: If you suspect that you are affected by this bug, please do the following, for confirmation:
The output of this command will show many line entries holding the same port numbers. Disabling the feature that is being held in the flows, until an upgrade can be performed, is a workaround.
A reload is required to clear the held flows.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-6704 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6704
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: VSS standby crashes due to LBL sync on issuing the below parser command:
Conditions: This symptom occurs in a VSS with parser view configuration.
Workaround: Remove the “parser view” configuration.
Symptom: A Cisco router may crash upon importing a prefix into VRF after applying no ipv4 multicast multitopology under “vrf definition” for that VRF.
Conditions: This symptom occurs while initially configuring the VRF. address-family ipv4/6 multicast vrf must be configured under “router bgp” mode before import route-targets are configured under “vrf definition” mode.
Workaround: There is no workaround.
More Info: If the crash does not occur, it is likely that importing of the prefix will not work.
Symptom: Delay between VPN convergence and BGP-based MDT tunnel creation after router reload may cause multicast traffic loss.
Conditions: In a BGP MVPN setup utilizing MDT SAFI, problem is seen upon BGP exiting read-only mode. VPN prefixes will be advertised immediately, whereas MDT prefixes are advertised after a BGP scanner run.
Workaround: There is no workaround.
Symptom: The Cisco router crashes when using CCP 2.6 and 2.7 to provision the device.
Conditions: This symptom is observed under normal condition.
Workaround: There is no workaround.
Symptom: An active RP crashes during FIB sync because of memory overrun when the standby sup becomes unavailable.
Conditions: This symptom occurs when redundant RPs are configured in SSO mode and the standby RP becomes unavailable (for instance, because of a crash or physical removal). The issue occurs only on Cisco 7600 RSP 720, Cisco 7600 Series Supervisor Engine 720, and Cisco 7600 platforms where the tableid “ISSU FOF LC” support is enabled. As of 03/17/2014, the tableid “ISSU FOF LC” feature is only supported on SY releases. This issue does not impact Cisco ASR 1000 Series platforms.
Workaround: There is no workaround.
Symptom: Upgrading hardware platform from Cisco 2811 Integrated Services Router to Cisco 2911 Integrated Services Router introduces periodic, intermittent delay in the delivery of STUN packets to OEM (Motorola) equipment.
Conditions: This symptom occurs while upgrading hardware platform from Cisco 2811 Integrated Services Router to Cisco 2911 Integrated Services Router.
Workaround: There is no workaround.
Symptom: When CU executes “show tech” or any show commands which gives a long output using putty, the SSH2 putty closes prematurely.
Conditions: This symptom is observed when “term length 0” is enabled. The putty session closes prematurely while executing “show tech show memory”.
Workaround: Redirect the output to a file.
Symptom: A Cisco 3945 voice gateway running Cisco IOS Release 15.2(4)M3 or Cisco IOS Release 15.2(4)M4 may have a processor pool memory leak in the CCSIP_TCP_SOCKET process.
Conditions: This symptom is seen on slow TCP connections, where the response is slow and frequent transmission errors are observed.
Workaround: There is no workaround.
Symptom: CCD unable to unpublish hosted DN patterns on forwarders running service-routing code. This can result in stale or duplicate routes in remote cluster’s Learned Pattern table.
Conditions: Disabling the advertising service, resetting the CCD sip trunk, rebooting a cluster, or a cluster losing connection to all SAF forwarders may trigger this defect.
Workaround: There is no workaround for preventing duplicate or stale routes. These routes can be purged from a remote cluster by resetting that cluster’s requesting service or configuring a temporary Blocked Learn Pattern that matches the affected patterns.
Symptom: A memory leak is seen in the MALLOCLITE process:
Conditions: This symptom is observed when, while parsing the To header, the gateway gets errors as below:
The correct response for the above should have been to send “400 Bad Request” (the request cannot be fulfilled due to bad syntax).
As a side effect, the memory associated with the above is not released.
Workaround: There is no workaround.
Further Problem Description: This issue was not seen on versions earlier than 15.3X
Symptom: Packet of Disconnect (POD) functionality does not work after upgrading router from Cisco IOS Release 15.1 to 15.2 code. POD fails with following error:
Conditions: This symptom is observed under the following conditions:
1. When PoD with just username is sent
2. IOS device is configured for packet of disconnect
3. IOS device is running Cisco IOS Release 15.2 Mainline code
Workaround: Downgrade router back to Cisco IOS Release 15.1 release of code.
1. IPDT gets enabled on all bundle ports including RSL port due to which FEX does not come up after a reload, link flap, or SSO. FEX RSL channel members will be in “u” state, that is unsuitable for a part of the etherchannel.
2. IPDT also gets enabled on the Service module (FWSM) internal port-channel and there is no way to recover them other than removing NMSP (as internal port-channels are non-configurable and non-accessible).
Conditions: This symptom occurs after a reload with “NMSP” protocol.
Workaround: Apply “attachment-suppress” on the port first and bundle the port later. There is no workaround in the case of FWSM internal port-channel.
Symptom: A warning message is displayed.
Conditions: This issue occurs while unconfiguring video monitoring.
Workaround: There is no workaround.
Symptom: Exception is seen on 3945E with whitelisted scansafe traffic.
Conditions: This symptom is observed when there is a lot of whitelisted traffic going through the ISR box.
Workaround: Disable whitelisting.
Symptom: Router running out of memory after an upgrade to Cisco IOS Releases 15.3(1)S, 15.3(3)S, and 15.4(1)S.
Conditions: This symptom is observed when a huge number of route server contexts (approximately more than 700) are configured in the router.
Workaround: Perform the following workaround:
1. Reduce the number of Route server contexts.
2. Downgrade the IOS version to 15.2(4)S or lower release.
Symptom: Static SGACL permissions are not updated for authentication server assigned SGT.
Conditions: This symptom is seen with an authentication server assigned SGT.
Workaround: Use manual SGT or dynamic SGACL.
Symptom: IOSd crashes following an OIR of an eToken.
Conditions: This symptom occurs during OIR activity on either USB port of a single eToken.
Workaround: Do not OIR an eToken.
More Info: When an eToken is inserted, files on the eToken need to be recursively scanned to build up the master file directory structure. This recursive scanning and building the database can take a very long time depending on the eToken contents. When dual IOSd redundancy mode is enabled, this process appears to take almost twice as long and can easily go over 10 seconds to trip off the IOSd watchdog timeout. Fix is to allow other processes to take over CPU so watchdog timeout will not happen.
Symptom: CFT was reporting two flows for incoming packets on a dialer interface.
Conditions: PPPoE on underlying physical interface with ip nat outside configured on the dialer interface.
Workaround: There is no workaround.
Symptom: After SSO, egress WCCP stops working in hardware, as netflow does not get installed.
Conditions: This symptom occurs when GRE redirection and hash assignment are used for egress redirection and the tunnel created takes the source address as the WCCP egress interface’s IP address.
Workaround: Create loopback interface and assign highest IP address to it, so that the tunnel created takes this IP address as tunnel source address.
Symptom: On receiving a BGP update from a neighbor, the router will send an illegal network notification and flap the session.
Conditions: This symptom occurs when the prefix received is a Leaf A-D route (RFC 6514) with an S-PMSI route serving as the Route Key.
Workaround: There is no workaround.
Symptom: After a switchover, QoS policy map in standby is not synced as in the case of active.
Conditions: This symptom occurs after a switchover.
Workaround: There is no workaround.
Symptom: A Cisco ASR 1000 Series router crashes at __be_slaComponentProcessEvent when ip sla udp-jitter is unconfigured.
Conditions: This symptom occurs when 1000+ IP SLA udp-jitter operations are configured and then all are unconfigured immediately.
Workaround: There is no workaround.
Symptom: Customer experienced crash on ASR-1001 during normal operation.
Conditions: This symptom is not observed under any specific condition.
Workaround: There is no workaround.
Symptom: Sessions do not get cleared. They get stuck in WT_ST state.
Conditions: This symptom occurs when sessions are closed in bulk mode by shutting any trunk link or during a clear all session from DUT.
Workaround: There is no workaround.
More Info: The memory leak issue and WT_ST are related. Along with the memory leak, sessions are not cleared on the active RP. They get stuck in WT_ST state.
Symptom: A crash was seen in the periodic accounting process due to the stale reference of the attribute list with AAA accounting DB (this specific attribute list is used by the periodic accounting process for sending the interim accounting records).
Conditions: This symptom occurs with Policy Component allocate AAA attribute list handle. This handle reference is shared among multiple components for processing. A component can free the attribute list using this handle. AAA does not validate the handle before usage. The policy will not share the same attribute handle reference with other components. The policy will share a copy of the attribute list to other components so that the component does not refer the same handle.
Workaround: There is no workaround.
Symptom: Mroute states never expire on egress PE without any active downstream receivers.
Conditions: This symptom occurs in an IPv6 multicast running in a VRF scenario and during unconfiguration of such a loopback interface that has MLD joins on it.
Workaround: There is no workaround.
Symptom: VCs remain down on ISSU from previous Cisco XE3.12 to Cisco XE3.12 Release.
Conditions: This symptom is observed under the following conditions:
1. VPLS BGP Signalling is configured
2. VC’s are established in the Active RP
Workaround: There is no workaround.
Symptom: No new PPPoE sessions can be established anymore.
Conditions: The conditions to this symptom are unknown.
Workaround: Reload the device.
Symptom: A router might see PPPoE-sessions in the WAITING_FOR_STATS (or WT_ST) status.
Conditions: This symptom was observed by specific users or because of using a specific profile or service like ShellMaps and Radius. The system is configured as BRAS aggregating PPPoEoA or -oE-sessions.
Workaround: There is no workaround.
Symptom: Invalid LSAs are not flushed by the router which has their Advertising Router ID. Specifically, Router LSAs which do not have LSID of 0 will not be flushed if the router does not re-originate them, and any LSA with a type that the router does not recognize.
Lingering LSAs could lead to incorrect routing in some very obscure instances. For example, stale Router LSA fragments from two neighboring routers would need to remain in the network. There would not be a routing problem if only one router’s stale Router LSA fragment was allowed to linger.
Conditions: There are several possible scenarios that could lead to this symptom. One example is that a router is configured with many interfaces attached to an OSPFv3 instance such that it originates more than one Router LSA fragment. Then the router is reloaded before the configuration is saved, and after the reload it does not reoriginate some of the Router LSA fragments.
Workaround: There is no workaround.
Symptom: A FlexVPN Scale rate degradation occurs due to more CPU consumed by static processes.
Conditions: This symptom occurs under the following conditions:
1. Configure UUT to be the flexvpn server which can scale up to 10K sessions.
2. Configure IKEv2 Authorization policy.
3. Try to bring up the flexvpn 10K sessions and monitor the CPU usage.
Workaround: Remove IKEv2 authorization policy. In such a case, IKEv2 routing and mode configuration cannot be verified.
Symptom: Continuous trace backs on the PTF console is observed and PTF crashes during a soak.
Conditions: This symptom occurs under the following conditions:
1. Create an MDS profile as attached.
2. Leave the setup for soak for 12 hours.
Workaround: Reload ACT and SBY PTF.
Symptom: A router may crash in an OSPF process during reconfiguration.
Conditions: This symptom occurs under the following conditions:
1. Configure the router with “ipfrr” in area 0.
2. Connect router to area 0 through two links. For some route one interface is the primary path, and the second is the repair path.
3. Configure router as ABR, that is, have a non-zero area with a neighbor. Do not configure “ipfrr” in the non-zero area. Quickly remove the IP address from both the interfaces in area 0 and the router may crash.
Workaround: Changes to the reconfiguration procedure will avoid the crash.
– Shutdown the interface before removing the IP
– Remove the IP from one interface in area 0, wait for a few seconds and remove the IP address from the second interface in area 0.
Symptom: When LNS switches off while the sessions keep on establishing at LAC, LAC finds the l2tp db memory exhausted after some time. Due to this, it fails to update the session in the database and during this period a crash is observed.
Conditions: This symptom occurs when LAC tries to add l2tp session in the database and fails to do so. In order to handle this error condition, LAC frees the l2tp and l2x session twice. This double free is the reason for crash.
Workaround: There is no workaround.
Symptom: An “sg subrte conte” chunk leak occurs while roaming.
Conditions: This symptom occurs after an account-logoff and if service permit is configured in control policy. In case of a service permit, the subscriber remains unauth and is redirected to the portal once again. After a successful second account logon, when the subscriber session is cleared by timeout or CLI, the leak is seen and the same client is not able to create the session again. The leak is seen after simulating account-logon for the second time, and if service permit is configured.
In case of service disconnect configured under account-logoff, account-logon is not a practical scenario as the portal is not reachable for the client.
Workaround: Use service disconnect for event account-logoff.
Symptom: DPSS packet injection fails to work.
Conditions: This has been observed to occur when the onePK application name contains space characters, for example, white space and tab.
Workaround: Rename the application with no white-spaces.
Symptom: Cisco IOS-XE RP2-based platforms are unable to reach 4000 IPSec tunnels with DMVPN EIGRP.
Conditions: This symptom occurs when DMVPN with EIGRP is used on Cisco IOS-XE RP2 platforms.
Workaround: Use previous Cisco IOS XE images (such as Cisco IOS XE Release 3.11).
Symptom: Error messages and tracebacks are printed to the console.
Conditions: This symptom occurs when IGP times out while Standby RP becomes NSR Active.
Workaround: Enable NSR under IGP to ensure no timeout occurs.
Symptom: The Cisco 7600 router providing layer2 EoMPLS services may stop forwarding ingress and egress traffic for an xconnect for which a backup peer config has been applied.
Conditions: This symptom occurs in Cisco 7600 routers running Cisco IOS Release 15.2(4)S4a with ES+ cards (access or core facing) and xconnect configured under a service instance.
Workaround: Clear the xconnect on the Cisco 7600 router side. Clearing on the remote side does not have an effect.
Symptom: A router may crash and reload with BGP related traceback in an extremely rare timing condition while running “show ip bgp vpnv4 vrf XXXX nei A.A.A.A”.
Conditions: This symptom occurs while making BGP-related changes such as moving the same neighbor across VRFs with a quick operation of “no neighbor x.x.x.x” and then “neighbor x.x.x.x”. If “show ip bgp vpnv4 vrf XXXX nei A.A.A.A” is entered immediately after this on a Cisco router running IOS and BGP, then in an extremely rare timing condition the router may crash. The possibility of this happening increases if the configuration and unconfiguration are done from one console and the show operation is done from another console.
Workaround: When doing configuration and unconfiguration and then show, it is better to serialize the operations rather than aggressively use multiple consoles to do all actions at the same time.
Symptom: In VPLS using BGP signaling with Inter AS, when a PE on another AS is reachable through multiple ASBRs, the PW destination and the next hop PE address of some or all of the PWs in the standby RP remains as the non-preferred ASBR address instead of the preferred ASBR address.
Conditions: This symptom occurs under the following conditions:
1. BGP L2VPN NLRIs received first from an ASBR becomes a less preferred ASBR on receiving NLRIs for the same VE-IDs from a more preferred ASBR.
2. NLRI received from the more preferred ASBR has the same values (VEID, VBO, VBS, Label Base, MTU and CW) as the ones received previously from the other ASBR.
Workaround: Bring up the BGP session with the more preferred ASBR first. This would cause no updates to existing NLRIs even if received from other less preferred ASBRs.
Symptom: ASR IOSd crash occurs with the following error:
Conditions: This symptom occurs when changes are made through RADIUS.
Workaround: There is no workaround.
Symptom: When an RP switchover is done (which is head end for 500 TE tunnels and tail end for 500 TE tunnels), the RSVP label assigned to the TE tunnel changes, and this in turn causes a traffic loss of 45 seconds on the pseudowire which is directed through these tunnels.
Conditions: This symptom occurs under the following conditions:
– TE RID under the IGP is configured as a loopback other than the first one.
Workaround: Configure the TE router ID under the IGP to be the first loopback interface.
Symptom: Router generates tracebacks or crashes depending on platforms when show application ip route command is used concurrently with application route deletion.
Conditions: This symptom is observed when the show application ip route command is issued when JAVA onePK SDK is handling route replace operations.
1. Use show ip route command to display the application routes and not show application ip route command.
2. Use onePK GET ROUTE API to get the status of application added route.
3. Use show application ip route only when no route delete is in progress.
Symptom: A Cisco ISR router crashes due to stack overflow in the “ADJ background” process. The following syslog may be seen just before the crash:
This can also cause a crash due to memory corruption, which would show messages like:
current memory block, bp = 0x3B727044, memorypool type is Processor data check, ptr = 0x3B727074
Conditions: The conditions to this symptom are unknown.
Workaround: There is no workaround.
Symptom: Leaking IPv6 routes is observed from a VRF table into the global table using BGP. These routes consist of the following:
1. BGP routes learned from the VRF IPv6 BGP peer.
2. Redistributed static and connected routes.
The BGP routes leak fine, but the redistributed static and connected routes have an issue. After the redistributed routes leak, the exit interface shows “null0”. Sometimes instead of showing the exit interface as “null0”, it shows a random interface which is a part of VRF and has IPv6 enabled on it.
Conditions: This symptom occurs with IPv6 redistributed connected and static routes into BGP VRF (could also be redistributed from other protocols as well but have not been tested).
Workaround: There is no workaround.
Symptom: A Cisco IOS router may crash using LDAP while performing TLS operations.
Conditions: This symptom was observed in Cisco IOS Release 15.3(3)M1.4. Other versions can be affected as well.
Workaround: There is no workaround.
More Info: LDAP is used in IOS SSLVPN deployment to authenticate users.
Symptom: An IOSd crash is observed during a configuration replace.
Conditions: This symptom occurs on configuration with a port-channel interface.
Workaround: There is no workaround.
Symptom: Since the ASR fails to send MM6 [being a responder] in the absence of a valid certificate, IKE SAs start leaking and hence get stuck in MM_KEY_EXCH state. Multiple MM_KEY_EXCH exist for a single Peer on the ASR, however the Peer does not retain any SAs for ASR in this case. Along with CAC for in-negotiation IKE SAs, these stuck SAs block any new SAs or IKE rekeys even after renewing the certificates on the ASR.
Conditions: This symptom is observed under the following conditions:
– ASR acting as IKEv1 termination point [sVTI for example] and is a responder.
– IKE authentication mode is RSA-SIG [Certificates].
– On the ASR, the ID-Certificate is either Expired or Not-present for a given sVTI tunnel.
– The ASR also has an IKE in-negotiation CAC of a certain value.
Workaround: Perform the following workarounds:
1. Manually delete stuck SAs by using: clear crypto isakmp 12345, where 12345 is the conn_id of a stuck SA. Repeat this for each stuck SA.
2. Temporarily increase CAC to accommodate new SA requests: crypto call admission limit ike in-negotiation-sa 60
More Info: Found and Tested in Cisco Release XE 3.7.4 or Cisco IOS Release 15.2(4)S4.
Symptom: Syncing dual-stack iWAG session to STANDBY does not occur.
Conditions: This symptom occurs when IPv4 and IPv6 FSOL are received from the same client at ISG together (or with a very short time gap) for a dual-stack session. In this case, the session does not sync to STANDBY for the previous IPv6 FSOL and ISG gets a new IPv4 FSOL.
Workaround: There is no workaround.
Symptom: A router crash is observed.
Conditions: This symptom occurs while performing VRRP and VRRS-related configuration changes.
Workaround: Unconfigure the ip pim redundancy <> command before deleting the subinterface or disabling PIM on an interface.
Symptom: No IPv6 global unicast address is assigned to PPP Virtual access interfaces and to IPv6 over IP/GRE tunnel interfaces.
Conditions: Virtual access interface is configured using the command “ipv6 address autoconfig”.
Workaround: There are no workarounds.
Symptom: An IPv6 MFIB entry is not removed after the mroute expires.
Conditions: This symptom occurs only with the partitioned MDT profile for mLDP. The PE router could get into a trouble state if it receives traffic first and then almost immediately after that receives an MLD join on the same interface for the same group.
Workaround: Remove VRF context and then reconfigure it.
Symptom: Using LISP set tags on routes imported to the RIB when exporting LISP routes from the RIB to BGP fails.
Conditions: This symptom occurs when redistribute list route-map is used under bgp with a route-map that contains match tag.
Workaround: There is no workaround.
Symptom: 3560CG box memory is showing as low as 3.15MB.
Conditions: This symptom is not observed under any specific conditions.
Workaround: There is no workaround.
Symptom: After a reload, ip pim sparse-mode is gone on interface lisp 0.x (x denotes the LISP interface number).
Conditions: This symptom occurs after a reload.
Workaround: There is no workaround.
Symptom: Alignment errors are observed after upgrading to Cisco IOS Release 15.2(4)M5.
Conditions: This symptom does not occur under specific conditions.
Workaround: There is no workaround.
Symptom: The following alignment errors are seen after a PPPoE session establishment for the first time after a reboot:
Conditions: This symptom occurs when pppoe-client ppp-max-payload is configured under the Ethernet interface.
Workaround: There is no workaround.
Symptom: Localhost not reflected in “show call history voice last 2”.
Conditions: This symptom is observed when UUTs are loaded with c2900-universalk9-mz.SPA.153-3.M1.9.
Workaround: There is no workaround.
Symptom: Router crashes while getting NTP status.
Conditions: This symptom is not observed under any specific conditions.
Workaround: There is no workaround.
Symptom: A crash occurs due to multicast stack overflow memory corruption.
Conditions: This symptom may occur when PIM is enabled on a LISP interface and Auto-RP is also enabled.
Workaround: Configure no ip pim autorp before any other PIM or LISP configuration.
Symptom: The router hangs after loading an image.
Conditions: This symptom occurs with the latest whales-universal-mz mcp_dev image.
Workaround: There is no workaround.
Symptom: This bug can stop traffic from being forwarded by an upstream router when the ip pim join-prune-interval command is configured on the downstream router’s upstream LISP interface.
Conditions: This symptom occurs when the ip pim join-prune-interval command is configured with a value greater than the default on a LISP interface.
Workaround: There is no workaround.
Symptom: Local circuit keeps DOWN state.
Conditions: This symptom is observed when L2TPv3 session is configured.
Workaround: There is no workaround.
Symptom: Ping fails with tunnel protection applied.
Conditions: Tunnel protection applied on GRE tunnel interface, using IKEv1 to negotiate IPsec SAs and remote node (IKEv1 responder) behind NAT.
Workaround: The users can switch to IKEv2.
Symptom: After the primary static route is shut, the secondary static route is not installed automatically.
Conditions: This symptom is seen on the sites where the BFD state of the backup static route is marked as “U” in the output of “show ip static route bfd”.
Workaround: Reinstall the default backup static route.
Symptom: Router-solicitation (RS) messages are dropped on switch ports that have IPv6 RA guard enabled. On removing RA guard, RS messages go through.
Affected releases: 151-2.SG2 and 152-1.E.bin
Unaffected releases: 150-2.SG.bin
Conditions: This symptom occurs when “ipv6 nd raguard” is enabled.
Workaround: There is no workaround.
Symptom: When upgrading from Cisco IOS XE Release 3.2S to Cisco IOS XE Release 3.9S, the DHCP server NACKs the client while sending renew. This worked in Cisco IOS XE Release 3.2S and not in Cisco IOS XE Release 3.9S.
Conditions: This symptom occurs when the DHCP server is provisioned to give out an IP address using a host pool (where the MAC address is tied to the IP address). After the client gets the IP address, it downloads the configurations from the TFTP server and updates the new MAC address. After this, when the client sends a renew, the DHCP server NACKs the client till the binding is present.
Workaround: There is no workaround. Downgrade to Cisco IOS XE Release 3.2S.
Symptom: BFD session not established upon RP Switchover and back.
Conditions: This symptom is observed during RP switchover and switchback.
Workaround: There is no workaround.
Symptom: Map-requests are forwarded to sites whose locators do not match the configured allowed-locator policy.
Conditions: This symptom is observed when the {ipv4 | ipv6} map-resolver allowed-locator registered is configured, and allowed-locator configuration is present under “site”.
Workaround: There is no workaround.
Symptom: A Cisco router reloads unexpectedly.
Conditions: This symptom occurs when the following conditions are reproduced:
1. Configure a subinterface with IPv6.
2. Configure OSPFv3 on the subinterface.
3. Configure IPSec authentication for OSPFv3 on the subinterface.
Workaround: Unconfigure the OSPFv3 IPSec authentication configuration before removing the subinterface.
Symptom: Image installation fails for K10.
Conditions: This symptom occurs after trying to install a tar image on K10. Installation of a bin image fails.
Workaround: Reboot the switch.
Symptom: Local CAC displays all information about each flow. This may impact show output for customers in a setup that could have a large number of flows.
Conditions: This symptom is observed in a scaled configuration.
Workaround: There is no workaround.
Symptom: Removing an Ethernet service instance which is a member of a bridge domain may cause the router to reload.
Conditions: This symptom is observed when the last service instance is removed from the bridge domain and there are still members of the bridge domain which are not service instances (such as VFIs).
Workaround: Completely unconfigure the bridge domain and reconfigure it.
Symptom: Duplicate records are exported from MMA.
Conditions: This symptom occurs in the following topology:
Set the configuration at the UUT to export all the records to the collector. At the exporter, duplicate records are noticed.
Workaround: There is no workaround.
Symptom: Prior to receiving a label via the Label Distribution Protocol (LDP), the output of show mpls l2transport vc detailed and show l2vpn atom vc detailed fail to properly indicate the lack of a remote binding.
Conditions: This symptom has been observed in Cisco IOS Release 15.4(02)S.
Workaround: There is no workaround.
Symptom: A Cisco router crashes.
Conditions: This symptom occurs on deleting a subscriber’s session in attempting state by a COA script as shown below:
Workaround: Do not use the COA script for deleting the subscriber’s session.
Symptom: Rtfilter prefixes are sent with incorrect next-hop equal to next-hop of the default static route in GRT instead of BGP router-id.
Conditions: This symptom occurs with a default static route present in GRT pointing, for example, to the next-hop known behind the connected interface.
Workaround: Replace the default static route with a more specific static route or remove static and clear BGP.
Symptom: Link-OAM breaks after a link flap between the Cisco Catalyst 4500-X Series Switch and the Cisco ASR 9000 Series Router. With an interface with LACP + Link-OAM configuration, when the connection between the Catalyst 4500-X Series Switch (IOS XE) and Cisco ASR 9000 Series Router (IOS XR) flaps, the link does not restore due to the following deadlock: LACP PDU does not start unless OAM starts on the Cisco ASR 9000 Series Router side, and Link-OAM PDU does not start unless LACP starts on the Catalyst 4500-X Series Switch side.
With the above scenario, after a link flap the link gets stuck in (suspended) LACP state on the Catalyst 4500-X Series Switch and non-connected state on the Cisco ASR 9000 Series Router. The link has to be restored with manual reconfiguration in a particular sequence to avoid the above deadlock.
Conditions: This symptom occurs due to a combination of Link-OAM and LACP between a Catalyst 4500-X Series Switch and a Cisco ASR 9000 Series Router.
Workaround: Manually restart the link-OAM session and toggle LACP. To restore the link, change the configuration sequence on the Catalyst 4500-X Series Switch side in such a way that the LACP packet goes ahead first and then the Link-OAM PDU.
Disable EFD on the Cisco ASR 9000 Series Router side.
Toggle OAM on the Cisco ASR 9000 Series Router side.
Symptom: Flow-ids are not synced on the standby for some of the IMA VCs on an HA setup.
Conditions: This symptom occurs when an HA router is reloaded with IMA VCs enabled on it.
Workaround: There is no workaround.
Symptom: The Cisco Catalyst 6500 Supervisor Engine 2T with CLNS routing configured crashes after show clns route.
Conditions: This symptom occurs when CLNS routing is configured.
Workaround: There is no workaround.
Symptom: When an access-list is applied to an interface using onePK, the “ip access-group” configuration will appear in the running configuration. When the app terminates, this configuration is removed. Additionally, any manually configured access-group for that interface is removed.
Conditions: This occurs when using onePK 1.1.0. The ACL lifetime need not be set to persistent.
Workaround: There is no workaround.
Symptom: Configurations dynamically applied to the virtual-access interface might be lost over the reconnection while using the autoreconnect feature on Cisco Anyconnect on the ASR platform.
For example, the interface after initial connection establishment would have a QOS service policy applied:
After reconnection the INPUT-POLICY is missing:
Conditions: This symptom is observed with configurations being applied from the user AAA profile over radius authentication. Affected parameters observed are QOS service policies and access-group.
1. Do not use the reconnect feature.
2. Apply the configurations directly to the virtual-template (if this is an option).
Symptom: An ISG will stop processing CoAs for a subscriber session when CoAs are received in rapid succession. The received CoAs are queued but never processed.
Conditions: This symptom occurs when multiple CoAs for a single subscriber session are received in short time (milliseconds).
Workaround: The subscriber session needs to be reset to recover. There is no workaround known yet to avoid the situation from happening.
Symptom: A vulnerability in the IKE module of Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to affect already established Security Associations (SA).
The vulnerability is due to a wrong handling of rogue IKE Main Mode packets. An attacker could exploit this vulnerability by sending a crafted Main Mode packet to an affected device. An exploit could allow the attacker to cause dropping of valid, established IKE Security Associations on an affected device.
Conditions: Device configured to process IKE request that already has a number of established security associations.
Workaround: There is no workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2014-2143 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-2143
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: CPU hog followed by crash.
Conditions: This issue occurs while running udp IP SLA applications.
Workaround: There is no workaround.
Symptom: If the terminal adjacency of a lisp interface is removed and then re-added, the lisp interface MTU may remain at the invalid value of 65535. This can be seen in the show cef interface <intf> internal command output.
IPsec will obtain the MTU value from CEF and LISP, and the incorrect MTU will cause drops of large packets.
The IPsec MTU is incorrectly computed, causing large packets traversing from “inside” to “outside” to be dropped.
Conditions: This symptom is observed in the following Cisco C800 Series: Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.3(3)XB12, RELEASE SOFTWARE (fc2)
Workaround: A workaround is to toggle the IP MTU config on the lisp interface. Use “show run lisp0.1” to determine the MTU. Then use “ip mtu <mtu>” to first set it to a lower value, and then to set it back to the original value.
In 153-3.XB12, the MTU is as follows:
Symptom: Locator ID Separation Protocol (LISP) local EID database locator configured through the “database-mapping <eid-prefix> ipv6-interface <interface> priority <priority> weight <weight>” command uses deprecated IPv6 address on specified interface.
Conditions: Multiple IPv6 addresses available on an interface with the lexicographically first address being deprecated.
Workaround: There is no workaround.
Symptom: The following messages are seen continuously on t_base_4 image:
Conditions: The issue is seen after configuring the router with Medianet.
Workaround: There is no workaround.
Symptom: On a Cisco ASR 1001 router running Cisco IOS Release 15.3(1)S, a crash occurs when the “show ip ei vrf X topo X.X.X.X/X” command is executed. The X.X.X.X/X must be in “FD is infinity” status in EIGRP as CSCtz01338.
asr1001_bew_03# show ip ei vrf
Conditions: This symptom occurs when X.X.X.X/X is in “FD is infinity” status in EIGRP.
Workaround: There is no workaround.
1. Standby RP will have out-of-sync entries. With MPLS-TE NSR enabled, the standby RP will have out-of-sync entries which will result in flapping of the path-protected LSP of the tunnel after an SSO.
2. Leaking an LSP. A third LSP will be signaled and leaked (there is no management of the LSP). There are supposed to be two LSPs at steady state (primary and path protected), but with this defect, there will be primary, path protected, and leaked LSP.
Conditions: This symptom occurs with a reoptimization of a tunnel that has failed with path protection enabled.
Workaround: There is no workaround.
Symptom: A Cisco device crashes every 2-3 days when the SNMPSET operation is used to create guest users.
Conditions: This symptom occurs when guest users are created through SNMPSET operations at a very high rate.
Workaround: There is no workaround.
Symptom: A config-sync failure occurs due to the address-family ipv6 unicast vrf command during the immediate unconfiguration and reconfiguration of VRF definition.
Conditions: This symptom occurs with attached running configurations.
Workaround: There is no workaround.
Symptom: Removing explicitly configured queue-limit configuration via “no queue-limit” on a user-defined class may not actually remove the preconfigured queue-limit parameter from PD.
Conditions: This symptom is observed when an explicitly created queue-limit is removed.
Workaround: Reconfigure queue-limit with a desired (or default) value.
Symptom: Traffic loss of about 200-500 ms is observed.
Conditions: This symptom is observed on an RLFA cutover.
Workaround: There is no workaround.
Symptom: Convergence on Local link failure with rLFA is higher than one second.
Conditions: Configure rLFA and perform local link failure. The problem is likely seen when configuring a small spf-interval value.
Workaround: Do not configure too small an spf-interval.
Symptom: CSR1000V router running XE3.11 (15.4(1)S) working as Route Reflector.
The route-reflector is advertising prefixes with incorrect subnet masks to ibgp peers and route-reflector clients. The incorrect prefixes are not present in the bgp table of the route-reflector itself, however they do get installed in the bgp table of the router receiving the update.
Conditions: This symptom is observed when BGP route reflector uses the additional paths feature.
Workaround: Disable additional path feature either globally under address-family or per neighbor.
Symptom: A higher layer app such as LISP ends up using a deprecated IPv6 address as returned by the IPv6 service even if a valid address exists for an interface.
Conditions: This symptom occurs when multiple IPv6 addresses are available on an interface with the lexicographically first address being deprecated.
Workaround: There is no workaround.
Symptom: High traffic loss is observed with setups having BGP and microloop avoidance combination.
Conditions: This symptom occurs with the following combination:
2. Cisco IOS XE Release 3.11 code (or newer) that enables microloop avoidance by default.
Workaround: Disable the microloop avoidance feature. For example, in ISIS, execute the following commands:
However, there will be some traffic loss due to the lack of microloop avoidance.
Symptom: QoS Egress Marking does not work for GRE Tunnels.
Conditions: This symptom is observed under the following conditions:
– The issue happens for fragmented packet.
– The issue is found on Cisco IOS Release 15.3(3)M2.
Workaround: There is no workaround.
Symptom: A router crashes due to RMON.
Conditions: This symptom occurs on activation of an RMON event.
Workaround: There is no workaround.
A vulnerability in LISP control messages processing on Cisco IOS and Cisco IOS XE could allow an unauthenticated, remote attacker to cause a vulnerable device to disable CEF forwarding and eventually drop traffic passing through.
The vulnerability is due to insufficient checking of certain parameters in LISP control messages on ITR. An attacker could exploit this vulnerability by sending malformed LISP control messages to ITR. An exploit could allow the attacker to cause a vulnerable device to disable CEF forwarding and eventually drop traffic passing through.
Conditions: Malformed messages can only be generated by a device that is already registered to a LISP system: a valid ETR or ALT.
Workaround: There is no workaround.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2014-3262 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3262
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: After a switchover, standby device crashes with traceback.
Conditions: At present, this is observed only on advipservices images in mtrose branches.
Workaround: There is no workaround.
Symptom: BFD goes down and remains in Admindown state.
Conditions: This symptom occurs after applying ACL chaining and flapping of the interface.
Workaround: There is no workaround.
More Info: An IPv4 BFD neighbor remains in admindown state on the PE. The ACE configured in ACL for BFD is matched and the receive counters on BFD neighbors are incremented but the BFD is still down.
This issue occurs only after ACL chaining is applied.
Symptom: A router may crash after or during the execution of the show ipv6 ospf rib command.
Conditions: This symptom occurs when many routes or route paths are present in the OSPFv3 rib. The OSPFv3 rib is significantly recomputed during execution of commands.
Workaround: Limit the use of the show ipv6 ospf rib command.
Symptom: An Mroute entry on FHR is stuck in a registering state in MVPNv4. show ip mroute vrf <vpn-name> -->> shows the mroute entry in registering state
Conditions: This symptom occurs when the source address of the encapsulation tunnel for PIM registers on the FHR is one of the interfaces that is not in the same VRF as the register tunnel itself.
Workaround: There is no workaround.
Symptom: MVPN traffic is unexpectedly terminated since the last-hop PIM router does not send an “SG Join” message on the MDT tunnel.
Conditions: This symptom occurs when the same IP address is used for the MDT tunnel IP address on the last-hop PIM router and the source IP address of multicast traffic.
Workaround: There is no workaround.
Symptom: An IOSD crash occurs due to “Process = Virtual Exec”.
Conditions: This symptom occurs when the show ip cef internal command is run and the routing table is cleared in parallel.
Workaround: When clearing the routing table (for example, clear ip ospf process) avoid running ip cef-related show commands in parallel.
Symptom: A Cisco router crashes.
Conditions: Set the VTY Service Set maximum response to a small number, for example, 10, and then send multiple commands separated by newline using the same write, for example, “show ver\nshow ver\n”.
Workaround: Set Maximum response to a bigger number.
Symptom: A Cisco router stops forwarding traffic when an SSLVPN session is established and stops responding.
Conditions: This symptom occurs with SSLVPN and DTLS enabled. Cisco ISR-G2 platforms may experience a Queue Wedge.
Workaround: Disable DTLS by configuring no svc dtls under policy group.
Symptom: A traceback is seen while removing IPv6 unicast-routing configuration.
Conditions: This symptom occurs when ISIS IPv4 is not enabled and ISIS runs in IPv6 multitopology mode.
Workaround: There is no workaround.
More Info: The traceback is generated due to a warning message that the adjacency database is not empty when ISIS is switching out of the IP mode.
Symptom: IOS-XE running router may reload when unconfiguring BGP along with other removal operations in a scaled setup.
Conditions: BGP is configured with 1Million+ nets and 4000 VRFs. Then the bgp instance is removed using “no router bgp <>”
Workaround: Shut down the bgp neighbor sending big scale nets to remove the nets first from BGP and RIB. Then remove the BGP using “no router bgp <>”.
Symptom: If a Cisco IOS box does not support Ethernet Y.1731 delay DMM version 1 (DMMv1), but supports DMM version 0 (DMM), it will not respond to a box trying to run a DMMv1 session.
Conditions: This symptom occurs with an initiator box running DMMv1 to a Cisco IOS box that supports DMM but does not support DMMv1. Rather than responding as though it were receiving DMMs version 0, as is the required behavior, the session will be rejected.
Workaround: All boxes that support DMMv1 will also support DMM version 0, so this can be used between two boxes instead. The normal DMM version 0 restrictions apply in this case.
Symptom: When an xTR changes its RLOC, map-request packets from that new RLOC are dropped on the MS/MR due to policy violation, for example:
Conditions: This symptom is observed when {ipv4|ipv6} map-resolver map-request validate source registered is configured on the MS/MR and the xTR RLOC is updated, for example, by DHCP when the {ipv4|ipv6}-interface configuration is used in the database-mapping configuration. Both the new and the old RLOC must have been valid.
Workaround:
– Remove and re-add database-mapping configuration on xTR, possibly using EEM script on address change.
– Remove “{ipv4|ipv6} map-resolver map-request validate source registered” configuration on MS/MR.
– clear lisp site <name> on the MS.
Symptom: Router crashes when removing address-family from VRF definition, or when removing the VRF definition.
Conditions: This symptom is observed when PIM is configured for the LISP interface associated with the VRF.
Workaround: Unconfigure LISP for the VRF, or remove PIM configuration from the LISP interface associated with the VRF, before removing VRF configuration.
Conditions: Multicast traffic is label switched in the MPLS P2MP tree and replicated at branch bud nodes along the P2MP tree. The error condition is observed at a bud node, where the replicated traffic is dropped with the error.
Workaround: There is no workaround.
Symptom: Memory leaks are observed on the node.
Conditions: This symptom occurs with flaps in the REP segment generating TCNs that are being sent into a different REP segment.
Workaround: There is no workaround.
Symptom: NTLM may not work properly.
Conditions: This symptom occurs when the LDAP server goes down and comes up.
Workaround: Add a new server as a part of the AAA group server ldap adgroup.
Conditions: This symptom is observed with command “sh frr-manager client client-name <name> det” when the client with the specified name does not exist.
Workaround: There is no workaround.
Symptom: BFD OSPF client does not react to interface events on a remote endpoint.
Conditions: This symptom occurs under the following conditions:
– BFD is enabled
– OSPF is enabled
– One of the devices where BFD is enabled is running Cisco IOS Release 15.3(3)M2
Workaround: There is no workaround.
1. CPOS-based PPP serial interface is UP/DOWN; but HDLC is UP/UP; loopback local for PPP is also UP/DOWN.
2. From debug, the following output is seen:
Conditions: This symptom occurs with PPP serial interface flapping.
Workaround: Chassis reload can temporarily make PPP interface UP/UP, but the problem will reoccur after a few days.
Symptom: High CPU is seen due to a PIM process after an SSO to standby RP. Huge PIM hello bursts can be seen from the router facing the issue. The severity and duration of high CPU can increase with the uptime of the active route processor.
Conditions: This symptom occurs due to an SSO.
Workaround: Disable PIM auto-rp with “no ip pim auto-rp” if the CLI is available.
Symptom: The Cisco ASR 1000 Series Router crashes.
Conditions: This symptom occurs with duty cycle testing with a lot of negative events.
Workaround: There is no workaround.
Symptom: While evaluating the Cisco IOS Release 15.3(3)S3 early release image, the following error message was observed when using the CoPP configuration given below which matches based on precedence only as shown:
Upon occurrence, the entire CoPP policy map is not loaded. There is a concern that some field devices on the current release (Cisco IOS Release 15.0(1)S6) may have the above configuration and as such are prone to this error (CoPP installation failure during upgrade).
Conditions: This symptom occurs while evaluating the Cisco IOS Release 15.3(3)S3 early release image.
Workaround: There is no workaround.
Symptom: While testing ISSU from XE310<->XE311 with ikev2_dvti and GRE features, packet drops are observed after a switchover.
Conditions: This symptom is observed during upgrade to Cisco IOS Release 3.11 and downgrade to Cisco IOS Release XE 3.10.
Workaround: There is no workaround.
Symptom: Performing an ISSU upgrade with the CEF table consistency checkers enabled may result in a crash on “issu runversion”.
Conditions: This symptom occurs with a Cisco Catalyst 6500 Series Switch running Cisco IOS Release 15.1(02)SY.
Workaround: Turn off the CEF table consistency checkers before performing an ISSU upgrade.
Symptom: Traffic flow is not as expected when IPv6 policing is enabled on UUT.
Conditions: This symptom is observed on loading the Cisco IOS Release 15.4(2.10)T image.
Workaround: There is no workaround.
Symptom: BGP fails to apply an inbound route map on prefixes after a switch over.
Conditions: This symptom occurs when NSR is enabled and RP switchover is performed twice.
Workaround: Enable the knob “bgp sso route-refresh-enable” or manually do a soft refresh to get the routes back from NSR peers on the new active RP.
Symptom: A vulnerability in PPPoE processing code of Cisco IOS XE could allow an unauthenticated, adjacent attacker to cause a reload of the affected device and eventually a denial of service (DoS) condition.
The vulnerability is due to improper processing of certain malformed PPPoE packets. An attacker could exploit this vulnerability by sending a malformed PPPoE packet to an IOS XE ASR1000 device, configured with PPPoE termination. An exploit could allow the attacker to cause a reload of the affected device and eventually a denial of service (DoS) condition.
Conditions: Cisco ASR 1000 with IOS XE, configured for PPPoE termination.
Workaround: There is no workaround.
Further Problem Description: A crashing device may print the following messages on the console:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2014-3284 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3284
Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: When the PW’s remote peer is ALU, it takes 5 to 10 minutes for the PWs to come up.
Conditions: This symptom occurs when the PW is provisioned first on the ALU and then on the Cisco router.
Workaround: Provision PW on the Cisco router first.
Symptom: A Cisco ASR 1001 router running Cisco IOS Release 15.2(4)S4 acting as a route server crashes when clear bgp ipv4 unicast * is executed.
Conditions: This symptom occurs when a router is configured as a route server and the IPv4 table is reset via clear bgp ipv4 unicast *.
Workaround: Do not execute the command clear bgp ipv4 unicast *. Instead, use clear ip bgp * to hard reset all the BGP tables.
Symptom: With loss of traffic on primary flow in MoFRR, the secondary flow may not be treated as primary since it is random and the new flow may become the primary.
Conditions: This symptom occurs in ECMP or TI flow based MoFRR and when there is a loss of primary flow.
Workaround: There is no workaround.
Symptom: While using PfR, traffic classes oscillate from controlled to default to uncontrolled when probe creation fails for alternate external interfaces (due to lack of parent route).
Conditions: This symptom does not occur under specific conditions.
Workaround: Configure monitor mode active or monitor mode both instead of monitor mode fast.
Symptom: A crash occurs when IKEv2 attempts to clean up its contexts when it times out waiting for a received certificate to be validated by the PKI component.
Conditions: Authentication uses certificates and the PKI component’s response to certificate validation is delayed.
Workaround: There is no workaround.
Symptom: An error message is logged during QoS configuration in an FPM test.
Conditions: This symptom occurs due to a policy with FPM class.
Workaround: There is no workaround.
Symptom: The RP crashes due to “%SYS-2-CHUNKBADMAGIC” in checkheaps.
Conditions: This symptom does not occur under specific conditions.
Workaround: There is no workaround.
Symptom: A stack overflow and boot loop can occur when configuring OSPFv3 for IPv6 using a non-broadcast network type on IOS XE.
Conditions: SVI or Layer-3 Interface using the ospf non-broadcast network type.
Workaround: Remove the non-broadcast network configuration.
Further Problem Description: This issue was found during a security audit of the product.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco’s security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: A vulnerability in the Autonomic Network Discovery Packets of Cisco IOS XE could allow an unauthenticated, adjacent attacker to receive arbitrary data from other traffic passing through the device.
The vulnerability is due to uninitialized memory used in packet creation. An attacker could exploit this vulnerability by capturing packets on the segment.
Conditions: Device configured with default configuration.
Workaround: Not applicable or available.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:C
No CVE ID has been assigned to this issue. Additional information on Cisco’s security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: The following error message is seen:
Conditions: This symptom occurs while updating the running configuration using any type of remote file transfer (via SNMP or copy command). When the source IP resolves to a DNS hostname longer than 63 bytes, an error message will be seen. There is no impact to the system. The running configuration will update as expected.
Workaround: Copy the file to a local storage first and then copy it from the local storage to the running configuration.
Symptom: A Cisco router or switch may crash while issuing the show logging command.
Conditions: This symptom occurs while issuing the show logging command. Let the output of the show logging command remain at the more prompt in the trap logging session. While changing the logging host command in a different session, resume the output of the show logging command. There is a chance that both actions at the same time will make the device crash.
Workaround: Do not make changes to the logging host command while the output of the show logging command is still outstanding.
Symptom: A Cisco ASR router crashes.
Conditions: This symptom occurs under the following conditions:
Configure a DHCP database as follows:
ip dhcp database tftp://192.168.50.100/dhcp write-delay 60 timeout 30
The router is unable to write the database because TFTP is not installed on 192.168.50.100 or the TFTP IP is not reachable (both scenarios lead to a crash). After a few seconds the router crashes.
Workaround: There is no workaround.
Symptom: The black hole should not drop TC when TC is learnt at the beginning.
Conditions: This symptom occurs when the black hole is added in the class as follows:
class http sequence 10
 match application http policy custom
  priority 1 one-way-delay threshold 100
 path-preference SP1 fallback blackhole
The HTTP traffic is added. While the TC is being learnt, it is uncontrolled, and hence traffic is dropped during this time. The dropping starts when the TC is learnt and ends when the TC is controlled. The duration will be a minimum of 30s.
Workaround: There is no workaround.
Conditions: This symptom occurs when the image is loaded and left without aborting the setup dialogue box.
Workaround: This issue has been fixed.
Symptom: RSVP HA Services leaks memory on the standby RP. Standby RP eventually hits the “out of memory” condition and will reload. There is no traffic impact as the active RP is not affected.
Conditions: This symptom occurs when the mpls traffic-eng nsr command is configured.
Workaround: There is no workaround.
More Info: The leak is specific to MPLS-TE tunnel tails. A small memory block is leaked whenever a tunnel tail is set up or torn down.
Symptom: Duplicate cookies are observed in every access request.
Conditions: This symptom occurs when multilogon or logoff is performed on the same session.
Workaround: Tear down the session during the logoff event. Do not configure any delay on the account logoff event.
Symptom: A FlexVPN client router may report alignment errors and experience high CPU utilization in the IKEv2 FlexVPN process.
Conditions: The tunnel interface in use with the FlexVPN client configuration must flap while the client is processing an IKEv2 redirect. The high CPU utilization is seen only if the client is configured to auto connect.
Workaround: Remove and reconfigure the IKEv2 client configuration block.
Symptom: IPv4 and IPv6 traffic will be dropped after performing an SSO.
Conditions: This symptom occurs when you perform an SSO with ISIS as NSR configured, and MPLS-TE as GR configured.
Workaround: Change ISIS to non-NSR.
Symptom: Platform-specific images do not build.
Conditions: This symptom occurs when any platform-specific image is built.
Workaround: This issue is fixed.
Symptom: A router running Cisco IOS experiences an unexpected reload after removing OSPF IPFRR or OSPF Remote LFA from the configuration.
Conditions: This symptom occurs when the router was configured for OSPF IPFRR and, possibly, OSPF Remote LFA, and IPFRR and/or rLFA configuration commands are being removed while IPFRR SPF is running on the router.
Workaround: There is no workaround.
More Info: This symptom occurs if IPFRR SPF is running at the time the configuration is being removed.
Symptom: A crash is observed due to a corrupted stack in AAA. This issue was observed on a Cisco ASR 1000 router when an authentication request was sent from IKE (crypto) with a password expiry feature configured.
Conditions: The symptom is seen with the password expiry feature. The configuration needed is:
Workaround: Remove the configuration.
More Info: With “aaa authentication login userauthen passwd-expiry group radius” configured, over a period of time, there is AAA stack corruption because of a value read from a wrong offset in the memory. It is not specific to any platform.
Symptom: A Cisco device hangs.
Conditions: This symptom occurs after a save and reload with intent configured.
Workaround: There is no workaround.
3. Save and reload the device.
Symptom: When a CEM interface is configured, the router crashes when it is unconfigured without logging out of the CEM configuration mode.
Conditions: This symptom occurs when a CEM interface is configured and unconfigured.
Workaround: Exit from the submode before performing no xconnect.
Symptom: When an Any Transport over MPLS (AToM) xconnect is configured on a dual-RP system, memory leaks may be observed on the standby RP.
Conditions: This symptom is observed when a label advertisement is received from the peer and checkpointed to the standby RP.
Workaround: There is no workaround.
Symptom: A crash is observed with the following error messages:
Conditions: This symptom occurs after a switchover from the active RP to the standby RP and the device has 1000 PPPoA sessions. Call Admission Control (CAC) is also configured.
Workaround: Remove CAC configurations. For example:
call admission new-model
call admission limit 1000
call admission cpu-limit 80
Symptom: A loss of service-group configuration under a subinterface is observed.
Conditions: This symptom occurs only when the router is reloaded. It is not seen with a particular LC reload where the interface exists.
Workaround: There is no workaround.
Symptom: ISIS IPv6 distribute-list filters of the form:
router isis
 address-family ipv6
  distribute-list prefix-list {name} in {interface}
should be removed from the configuration when the specified interface is deleted or is no longer enabled for IPv6. In some cases this is not happening, which can cause errors when a saved configuration is used during a subsequent reboot.
On systems with a redundant RP, configuration sync will fail because the distribute-list command will be rejected by the standby RP.
Conditions: This symptom is observed when using ISIS to route IPv6 traffic.
Workaround: Ensure that IPv6 is enabled on any interfaces referenced by ISIS IPv6 distribute-list commands. This can be accomplished either by configuring one or more IPv6 addresses on the interface, or by using the command “ipv6 enable”.
Symptom: A traceback is observed consistently during a cleanup.
Conditions: This symptom occurs when MPLS-TP tunnels are configured and unconfigured.
Workaround: There is no workaround.
Symptom: In Cisco IOS Release 15.4(3)S or Cisco IOS XE Release 3.13S, the ISIS summary-address and summary-prefix commands are not synchronized to the standby RP.
Conditions: The symptom is seen on a router with redundant RPs.
Workaround: There is no workaround.
Symptom: Estimated Channel Egress Bandwidth gets accounted incorrectly with fast-monitor enabled per DSCP.
Conditions: This symptom occurs when fast-monitor gets enabled for a specific DSCP channel.