Release 2.5 Caveats

Caveats describe unexpected behavior in Cisco IOS XE Release 2. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in the caveats document.

This section contains open and resolved caveats for the current Cisco IOS XE maintenance release.

The Dictionary of Internetworking Terms and Acronyms contains definitions of acronyms that are not defined in this document:

http://www.cisco.com/en/US/docs/internetworking/terms_acronyms/ita.html

This section consists of the following subsections:

Open Caveats—Cisco IOS XE Release 2.5.2

Resolved Caveats—Cisco IOS XE Release 2.5.2

Open Caveats—Cisco IOS XE Release 2.5.1

Resolved Caveats—Cisco IOS XE Release 2.5.1

Open Caveats—Cisco IOS XE Release 2.5.0

Open Caveats—Cisco IOS XE Release 2.5.2

This section documents possible unexpected behavior by Cisco IOS XE Release 2.5.2

CSCsu59515

Telnet inside host from outside the host fails when port 23 is statically allocated on a Cisco ASR 1000 Router.

Workaround: None

CSCsx56362

BGP selects paths which are not the oldest paths for multipath on a Cisco ASR 1000 Router. This causes BGP to unnecessarily flap from multipath to non-multipath as a result of route flaps.

This condition has been observed when:

BGP is configured

More than one equally-good route is available

BGP is configured to use less than the maximum available number of multipaths

Workaround: There is no workaround.

Further problem description: The selection of non-oldest paths as multipaths is only problematic in releases which include CSCsk55120, because in such releases it causes unnecessary changes in whether paths are considered multipaths.

CSCsz36180

When enabling passive header compression on interface where active header compression is enabled doesn't get reflected in show running configuration of interface. Though its get updated in show frame-relay map command output. Also, the header compression is not working as desired after this configuration. Ideally if both side are configured for Passive, compression should not happen. In this case compression is happening though sh frame relay map command shows both interfaces are configured as passive on the ASR 1000 Router Series.

This has been seen, when the following command is used:

frame-relay map ip <ip> <dlci> compress passive 
frame-relay map ip <ip> <dlci> compress active 

When the same ip and dlci values are used on the ASR 1000 Router this does not take effect.

Workaround: To do no frame-relay map ip <ip> before changing the header-compression from active to passive.

CSCsz53438

When ip header compression is configured on the ASR 1000 Router, but not on the corresponding router, an unexpected reload of the embedded systems processor may occur.

This has been seen, when IPHC is configured on the ASR 1000 Router, but not on the router to which it is directly connected.

Workaround: Is to enable IPHC on both routers.

CSCta26678

Unable to add vrf configuration after removal of the same vrf on the ASR 1000 Router Series.

This has been seen, when ODR is present on the Cisco  ASR 1000 Router.

The router should function normally after the router has been reloaded.

There are no known workarounds.

CSCta60589

On the ASR 1000 Router, when there are files in the tracelog directory doing a wildcard search could potentially result in a CPUHOG message.

This has been seen, when there are a large number of files in the directory the wild card is being applied on the ASR 1000 Router.

Workaround: Is to avoid doing wildcards on directories with large number of files.

CSCtb07144

Shutting an interface having a large number of vlans while there is a significant number of multicast entries and interfaces in the MFIB database can take a significant amount of time on the ASR 1000 Router Series.

This has been seen when there are a large number of vlans configured on the interface that is being shutdown. A significant number of entries and interfaces present in the MFIB database.

Workaround: None

CSCtb24959

The ASR 1000 Router Series may fail while clearing large number of rp mappings. This instance can happen when the following has occurred:

the router has been configured for rp agent

and candidate there are a large number of rp's

initiating the clear ip pim rp-map command

Workaround: Is not to apply the clear ip pim rp-map command one after the other.

CSCtb33587

NDB state Error Tracebacks on DMVPN spoke with NHO may be found on the ASR 1000 Router Series:

%IPRT-3-NDB_STATE_ERROR: NDB state error (NO NEXT HOPS UNEXPECTED) 
 
   

This may cause temporary packet drops or forwarding to less specific routes.

The problem may occur, when using RIP or EIGRP and running NHRP and NHRP has installed NHO nexthops for the RIP/EIGRP route.

Workaround: Is to wait after the holddown timer expires, the problem will be cleared.

CSCtb40529

At switchover, the old active takes 2 reboots to become standby for the ASR 1000 Router Series.

This may occur, when scaled setup with switchover has been configured on the ASR 1000 Router.

Workaround: None

CSCtb66050

On the ASR 1000 Router Series running Session Border Controller (SBC), a traceback is observed on doing an ISSU sub-package upgrade from release 2.5 image to a later image. This traceback is thought to be largely benign and doesn't affect normal operation. Upgrade is successful, calls can be made and media can be set up through SBC.

This traceback is only observed upon ISSU upgrade from release 2.5 image and only with a sub-package upgrade. The traceback is not seen on performing a consolidated update.

Workaround: Use a consolidated update procedure instead of sub-package upgrade, when possible.

CSCtb71415

There are occasional CPPOSLIB-3-ERROR_NOTIFY: F1 logs from the ASR 1000 standby FP20. The show plat soft firewall f1 stati output displays zone-binding ASR 1000 errors may be seen on the ASR 1000 Router console (but not on the active F0). This may occur, when running longevity stress tests incorporating per-subscriber firewall, with redundant RP2 and Topology:

stateful PPPoE---LAC--10GbE---LNS---L4-7servers
vanilla PPPoE------|                        |---10GE --tgen
 
   
There are 32000 total sessions:
- 12000 are stateful and flapping periodically
- 15000 are vanilla across 3GE ports passing random traffic up 1500B packets at 
1.6Gbps upstream total, 2.8Gbps downstream total
- 2500 PSFW sessions just periodically flapping
- 2500 vanilla PPPoE session periodically flapping
 
   
Zones are being downloaded via RADIUS.  VFR, uRPF on V-T and/or via RADIUS.
 
   

Workaround: No workaround available at this time. In additon the error actually happens during zone unbinding.

CSCtb79598

When you configure a PVC ASR 1000 with QoS enabled, the QoS will not work as expected on the ASR 1000 Router Series.

The only happens, when you unconfigure ancp neighbor associated with the PVC before you delete the PVC on the ASR !000 Router.

Workaround: None

CSCtb79850

Interface flap may close when pending channels for the atm spa are configured on the ASR 1000 Router Series.

This may occur, when the interface flap has pending channels on the atm spa.

Workaround: None

CSCtb85661

On doing multiple switchovers or after ISSU completion followed by a failover, the hardware programming of bidirectional entries doesn't show the correct dest_index (0xFFFF) leading to drop in traffic on the ASR 1000 Router Series.

Workaround: The dest_index can be set to the correct value using a test cli and traffic resumes.

CSCtb98877

On the ASR 1000 Router Series subsequent call fails after a SIP Session Refresh timeout occurs after an HA switchover in CUBE enviroment.

This occurs in a back to back CUBE environment:

CUCM1 - SIP - CUBE1 - SIP - CUBE2 - SIP - CUCM2
 
   

The CUCM SIP Refresh is set to 90 seconds, and a call is made. HA switchover occurs on CUBE1, and the call is disconnected as expected. The same call is made again, but the originating endpoint on CUCM1 gets a Busy tone, while the terminating endpoint on CUCM2 gets Ringing tone.

CUBE2 sends a 503 Internal error with the following cause code:
Reason: Q.850;cause=38 - [Network out of order]
 
   

Workaround: None

CSCtc17366

Only 1-way media or no media is passng when call setup is establish on the ASR 1000 Router Series. This may occur when SIP trunk has been configurated or any setup using 2 IP adress pair with sport and dport equals 5060 for multiple dialogs on the router.

Workaround: There is no straight forward workaround other than to put the call on hold, then resume the call to try and recover the media.

CSCtc19914

The Embedded Services Processor (ESP) has been reloaded when configuring and unconfigure a large static RP addresses multiple times rapidly with mVRFs on the ASR 1000 Router Series.

When using the following scripts this condition has been seen:

1. Configuring large mVRF's on PE

2. Configuring large Loopbacks on PE, one for each of the VRF

3. Configuring and unconfiguring large static RP addresses multiple times rapidly.

Workaround: None

CSCtc21042

Chassis-manager process on RP2 gets stuck and the ASR 1000 Router becomes unresponsive to user commands. All the FPs and CCs keep rebooting, with console logs showing repeated FP code downloads.

No particular scenario is known. This problem may caused by OBFL logging of messages on RP2.

Workaround: Is to disable onboard logging of messages on RPs as shown in this following example:

hw-module slot r0/r1 logging onbaord disable

 
   
    Router#hw-module slot r0 logging onboard disable
 
   
    To verify that onboard logging has been disabled:
     Router#sh logging onboard slot r0 status         
     Status: Disabled
 
   

Note This command is not saved in the config so is not preserved across router reloads.


CSCtc41808

When trying to change ipsec tunnel configuration by changing tunnel mode between SVTI and GRE, iosd crash is observed on the ASR 1000 Router Series.

Workaround: None

CSCtc50830

When reloading an active RP just before it goes to rommon mode the ASR 1000 Router dumps a core and crash file pointing to Redundancy FSM.

This condition happens after IPNAT client reloads the standby RP and synchronizing active with standby.

Workaround: None

CSCtc55049

The ASR 1000 Router may crash and reload following a reboot or initial boot from a power-up.

The embedded syslog manager (ESM) needs to be configured along with an ESM script present during an initial boot or reload. Also, redundant RP/FP appears to be the scenario that has the greatest likelihood of encountering the problem.

Workaround: None. However if problem manifests, the subsequent rebooting is very likely to be successful. If stuck in a situation where crashes are repetative, momentarily pull redundant RP until system stabilizes, and re-insert redundant RP.

CSCtc72052

The ASR 1000 Router is unable to configure Dynamic Nat Pool with prefix length 14 or less.

This happens when Nat Pool is configured with a lower prefix lengths. This configuration is rejected on the ASR 1000 Router.

Workaround: Is to create a Nat Pool with prefix length 14 or higher.

CSCtc73525

The ESP board on the ASR 1000 Router Series with ATM PVCs carrying broadband sessions does not accept further config. Traffic forwarding on existing features and session is not impacted, but additional config is rejected.

This ocurrs, when BB sessions over ATM PVCs are configured. With a high number of PVCs configured, and if all PVCs are attemtped to be removed at once with the "rage" command, the ESP board may get into an error state that prevents additional config (such as bringing up new PVCs or sessions) from being accepted.

Workaround: None. However if problem manifests, a reload of the ESP is required to bring the system back to its normal state.

CSCtc99048

When VLAN-VLAN Pseudowires (PWs) redundancy is configured, when the RP switchover happens on pseudowires (PWs) from primary to backup, and the RP is switched back to primary this may not be allowed for some of the pseudowires (PWs) to forward traffic properly.

Workaround: Is to do a clear xconnect all will re-provision xconnect on all PWs, and after that all pseudowires (PWs) can forward traffic properly.

CSCtd07250

Acct-Session-Time is inaccurate or incorrect when configured with Session, Traffic-Class Service and Non-Traffic-Class Service Accounting Records on the a Cisco ASR 1000 Router.

This condition has been observed when, Acct-Session-Time displayed in session-stop records displays values much higher than the actual lifetime of a session.

In addition, despite the non-TC service having been associated as a active session, for greater than 3-4 seconds, the Acct-Session-Time, in the stop records of such services is displayed as 0.

Workaround: There is no known workaround.

CSCtd14559

L2TP-3-ILLEGAL tracebacks and PPPoX session mismatch between active and standby rps.

This error condition is noticed, when rp switchover takes place during the time frame pppox sessions are coming up. In a rare condition, session mismatch was noticed when pppox sessions were coming up for the first time with no other events taking place.

Workaround: No workaround

CSCtd26479

On ASR 1000 Router Series, the FP may crash with the following error message:

%IOSXE-6-PLATFORM: F0: cpp_ha: Shutting down CPP MDM while client(s) still connected 

The FP crashes may happen in some instances, when switchover is pushing COA toward PPPoE and there are 1000 PPPoE ISG sessions on the router.

Workaround: None

CSCtd26955

On the ASR 1000 Router Series ANCP sessions may drop with high event rate.

This condition may occur, when ANCP is configured on ATM (pvc-in-range), the on-demand (AutoVC) is created and enabled at the interface level (with vc-class) on the ASR 1000 Router.

Workaround: When all the on-demand (AutoVCs) in range is not created on ATM (pvc-in-range), create and enable create on-demand at vc level.

CSCtd45066

On the ASR 1000 Router Series the nasport id format is changed between 2.3.0, 2.4.0, 2.5.0 and 2.6.0 releases.

This condition has been observed when "nas port format d" <format> is configured on the router.

Workaround: There is no known workaround at this time.

CSCtd62837

H323 to SIP configuration, when the H323 side supports two DTMF methods, the DTMF interworking may fail on the ASR 1000 Router Series.

When performing H.323 to SIP call, the H.323 side support for H245 alphanumeric userinput and tel-event, the SIP side may just support tel-event. The H.323 side may send DTMF userinput, and the SBC may drop the userinput.

The following pd log message may appear on console:

ICC has failed to find a mechanism to pass on DTMF tones in this call.  The tones will 
not reach their destination.

This may not cause the call to fail.

Workaround: None

CSCtd87205

The Cisco ASR 1000 Router will reload, when flapping up and down VC's after configuring SSO.

This condition has been observed, when the Cisco ASR 1000 Router reloads after a large amounts of flapping has occurred, and SSO has been forced onto the router. The router may reload.

Workaround: Is to slow down the amount of flapping when doing SSO on the router..

CSCte19641

On the ASR 1000 Router Series, the CCP Driver Lockdown crash may happen.

The following console message has been observed:

%CPPDRV-3-LOCKDOWN: F0: cpp_cp:  CPP10(0) CPP Driver LOCKDOWN due to fatal error. 

This may occur, when stressing the system and activating ISG services with ocasional High Availability (HA) switchover.

Workaround: None

CSCte35998

Secure Media Call will drop during a call if both party's place the call on hold at the same time (or seconds apart) after about 15-20 seconds.

This condition may occur on a Cisco ASR 1000 Router, when running 2.5.0 release and CUCM - 7.1.3.32010-1.

Workaround: None

CSCte62859

PPP session churn on an LNS following an RP switchover may leave lingering L2TP sessions on the LNS.

This condition may occur, when session churn is combined with a too-small l2tp receive window size following an RP switchover, lingering PPP sessions can result.

Workaround: This condition is exacerbated by a too-small l2pt receive window size. Alter this setting according to the number of sessions typically seen on the the tunnel(s) where this situation is observed. Make sure both ends fo the tunnel have similar settings.

CSCte78406

On the Cisco ASR 1000 Router console the following error message has been logged on the new standby RP, when PTA sessions are established:

*Feb 2 10:21:36.635: %COMMON_FIB-3-FIBIDBINCONS2: An internal software error occurred. Virtual-Access2.1 linked to wrong idb Virtual-Access2.1

This condition may occur, once PTA sessions are established when performing a RP switchover. After both RPs are synced up with flapped sessions. The error messages are logged on the new standby RP.

Workaround: None

CSCte96759

IPv6 route summary is incorrect when IPSEC is configured on the Cisco ASR 1000 Router Series.

This condition can occur when traffic is sent through 500 v6 tunnels.

Workaround: Is to remove IPSEC on all the tunnels and reconfigure them. This should bring up all the IPSECv6 routes.

CSCte98852

When broadband accounting accuracy feature (i.e. `subscriber accounting accuracy' CLI is configured) and service accounting is enabled, a duplicate session accounting start (with unique session ID) message is sent out and 2 entries are created on the AAA server.

This feature is specific to ASR 1000 Router. The issue was observed only when the accounting accuracy feature and service accounting are enabled.

Workaround: There is no workaround as the accounting accuracy may be off as much as 10-second worth of byte-counts if the features is turned off, or when the following is configured on the router:

1. `aaa accounting delay-start'and

2. aaa accounting include auth-profile [delegated-ipv6-prefix, framed-ip-address, framed-ipv6-prefix]

CSCtf01109

The NAS-IP-Address value in the accounting start changes after RP SSO. Before RP SSO, the NAS-IP-Address contains the IP address of the interface connected to the AAA server. After RP SSO, the new active RP sends out a new accounting start. This time, the NAS-IP-Address contains the loopback0 IP address. When the session disconnects, the accounting stop record contains the correct IP address.

This issue happens in redundant RP system with PPP susbcribers.

Workaround: There is no known workaround.

CSCtf05408

IP address on a loopback interface is lost on the Cisco ASR 1000 Router Series.

Workaround: Is to reconfigure the loopback interface.

CSCtf07776

The below traceback can be seen in two environments on a Cisco ASR 1000 Router:

During UUT reload

After shutting the FRR enabled interface

For example the following traceback will appear on the console:

%FRR_OCE-3-GENERAL: un-matched frr_cutover_cnt.

-Traceback= 40DCB368 40DCB220 40DCB444 40DEC968 40D15FE4 40D1BACC 40D13BD4 40D14810

This condition has been seen on the router with TE and FRR enabled on interface during the reboot and issue.

Workaround: None

CSCtf27631

When processing MS-CHAPv2 an unexpected reload may occur on a Cisco ASR 1000 Router.

This may occur while the ASR 1000 Router is processing an MS-CHAPv2 response in a PPP environment.

Workaround: None

CSCtf41625

In the PE-CE environment, BGP is running between the PE and CE. From the PE , Advertising two prefixes through vrf static routes. These prefixes are not advertised on the CE side.

This condition can be seen only with global keyword i.e.. next_hop resolution has been applied within the RIB table.

For an example:

ip route vrf vpn1 34.2.0.0 255.255.255.0 Ethernet3/0 34.2.0.2 global

Workaround: There is no known workaround.

CSCtf44686

While running in uSBC mode the ASR 1000 Router may crash.

This condition has been observed when ping-enable is configured under an encrypted adjacency.

Workaround: None

CSCtf51373

The FP crashes on a Cisco ASR 1000 Router running 12.2(33)XNE1.

This condition may occur when running VOIP traffic.

Workaround: None

CSCtf57046

On a Cisco ASR 1000 Router poor H323 call connection success rate has been seen.

This problem is caused by a timeout when attemting to open TCP sockets for H245.

TCP sockets previously timeout after 1 second, which can be the case where there is high latency in the network, or the application with endpoint does not respond within 1 second.

Workaround: None

CSCtf57073

When H323 call setup is done correctly, but there is no audio with video is available on the Cisco ASR 1000 Router.

This condition is caused by excessive H245 message sizes. Message buffers sizes are not suffient.

Workaround: None

CSCtf57132

Poor video quality for H323 downstreams to H323 calls on the Cisco ASR 1000 Router.

This condition is caused by Bearer Capabilites in the Q931 Seup, always being changed to 64k.

Endpoints which choose to apply the bandwidth in Bearer Capabilites (not mandated) will then attempt to open both audio and video to not exceed a total bandwidth of 64k causing poor video.

Workaround: The bearer capabilites rate mutiplier is now being propagated correctly which resolves the bandwidth issues.

CSCtf57273

VRF mapping service on ISG may cause IGP to fail on downstream interface.

Workaround: None

CSCtf61700

Memory leak has been seen when Radius is processed on a Cisco ASR 1000 Router.

This happens only when Radius Server (ACS) send Access-Reject for a service profile download.

Workaround: Make sure the respective profile is configured in the ACS (Radius server) that is needed for download.

CSCtf70365

When config ED is used for EEM with some special config like virtual-template commands, it can trigger more than intended.

When certain commands are configured, this can happen.

Workaround: Is to use syslog ED instead.

Resolved Caveats—Cisco IOS XE Release 2.5.2

All the caveats listed in this section are resolved in Cisco IOS XE Release 2.5.2

CSCsd39262

A crash may happen when ACL has no match in a prefix list on a Cisco ASR 1000 Router. When a named acl is first referred by "match ip address" command, followed by a "no match ip address prefix" command which refers to the same ACL name, the router either generates an alignement error or crashs.

Workaround: There is no workaround.

CSCsq24672

A call through CUBE may not establish for a Re-Invite-based call flow. The call may drop.

This symptom is observed if the endpoint to which the CUBE is communicating sends a Re-INVITE for a call before it has received an ACK from the other call leg for the original INVITE. CUBE may not forward this Re-Invite to the other call leg, and the call will disconnect.

Workaround: There is no workaround.

CSCsw44668

Conditional debugs is not complete on the ASR 1000 Router Series. This condition is more likely to happen when debug is enabled on the tunnel, issuing shut and then no shut.

Workaround: None

CSCsx02819

When NAT traffic is flowing, if the user tries to delete NAT pool, an error message is displayed and NAT pool is not removed since it is in use. But the NAT pool is removed in the Standby. Due to this, NAT does not work after SSO switchover. In this example the following condition have been observed:

(config)#no ip nat pool <name> <start-ip> <end-ip> {netmask <netmask> | prefix-length 
<prefix-length>} 
 
   

Workaround: Is to issue the pool configuration command, after the pool gets deleted in the standby RP, prior to SSO switchover.

CSCsy49927

The IOSd restart is seen with crest proc frame that fetches the tcl shell for execution.

This is seen with crest proc that helps in configuring a scale configuration.

Workaround: None

CSCsz82950

A peer RP reloads on a Cisco ASR 1000 Router. When any configurations are done using NMS for DCTM MIB, this symptom occurs when unconfiguring the configuration that is created by DCTM MIB configuration.

Workaround: There is no workaround.

Further Problem Description: DCTM was not HA supported before. HA is supported now. If configurations are not done by using NMS, there will not be any issues.

CSCta12530

The aggregate-fragment stats are not shown on the primary or secondary link when disjoint policies using service-fragment and fragment are applied on Etherchannel member links with sub-interfaces.

The problem occurs only when using Etherchannel, with service-fragment policies applied on Etherchannel member links and fragment policies applied on Etherchannel sub-interfaces.

With this configuration, in the output of show policy-map interface <member-link> we can see that the aggregate-fragment counters may be missing from one of the member links.

Workaround: There is no known workaround.

CSCtb32892

Traceback has been logged "%MFIB-3-DECAP_OCE_CREATION_FAILED: Decap OCE creation failed" may be seen on the ASR 1000 Router Series console when loading the image or adding the RP with SSO.

In this condition, the tracebacks can be seen on reloading a Provider Edge router with mVPN configuration or adding the RP with SSO on the router.

Workaround: None

CSCtb33439

Hub or spoke crashes when the spoke tunnel is shut or unshut on a Cisco ASR 1000 Router.

This conditon may occur when applying dmvpn configs after performing a shut and no shut on the tunnel.

Workaround: None

CSCtb66770

Serial interface are not added as member links to the MLP bundle.

This condition may occur, after properly configuring a MLP bundle and its member links, flapping of the all the member link interfaces can cause links to not be re-added to the MLP bundle.

Workaround: None

CSCtb87546

Tftp server may times out sometimes or always on the ASR 1000 Router Series. This may occur when uploading or downloading files, including IOS images to tftp server.

Workaround: Is to use 2.5 pre-released images on the router in order to run the tftp operation successfully.

CSCtb89424

In rare instances, a Cisco ASR 1000 Router may crash while using IP SLA UDP Probes configured using SNMP and display an error message similar to the following:

hh:mm:ss Date: Address Error (load or instruction fetch) exception, CPU

signal 10, PC = 0x424ECCE4

This symptom is observed while using IP SLA on the router.

Workaround: There is no workaround.

CSCtc18656

When the NAT box is configured as the Rendezvous Point (RP). This does not allow for source address translation for the encap packet received from the First Hop Router.

NAT box is configured as Rendezvous Point (RP) decapsulates the packet and forwards it to NAT outside without translation which will create incorrect S,G state for a inside local source address on the downstream routers after NAT router.

Workaround: None

CSCtc21042

A chassis-manager processed on RP2 gets stuck and the router becomes unresponsive to user commands. All the FPs and CCs keep rebooting, with console logs showing repeated FP code downloads. This problem is specific to RP2. No particular scenario is known. Problem is caused by OBFL logging of messages on RP2.

Workaround: Is to disable onboard logging of messages on RPs as follows:

"hw-module slot r0/r1 logging onbaord disable"

Router#hw-module slot r0 logging onboard disable
To verify that onboard logging has been disabled:
Router#sh logging onboard slot r0 status
Status: Disabled

Note This command is not saved in the config so is not preserved across router reloads.


 
   

CSCtc48125

Duplicated ARP entry when enabling ISG. When you enable ISG for the existing DHCP users, you may see the following:

GPKC10ki01#sh arp | i aaaa.bbbb.cccc
Internet  x.x.x.x          -   aaaa.bbbb.cccc  ARPA   GigabitEthernet1/0/2.1203
Internet  y.y.y.y         16   aaaa.bbbb.cccc  ARPA   GigabitEthernet1/0/2.1203
GPKC10ki01#
 
   

(The one without the age is the ISG user and the one with an age is the DHCP learned address.)

The symptom is observed on a Cisco ASR 1000 Router when enabling ISG on existing DHCP users.

Workaround: Is to disable multiple DHCP servers. Use one DHCP server.

CSCtc50985

Output of the show ip subscriber dangling <500> at a steady state shows lots of sessions of the form:

dhcp 0000.6401.2a64 [37649] control waiting

The symptom is observed in large scale scenarios or when CPS is much higher than recommended.

Workaround: Is to clear the session on the router and reboot, if required.

Further Problem Description: In scale scenarios, the DHCP handshakes between the client, so the DHCP relay and server might take a long time. Also, the wire or DHCP server is loaded so that it drops some offers or ACKs. In this case, some sessions might be seen dangling without corresponding binding and there is no connectivity to the user.

CSCtc72651

A crash has been seen on a new RP after SSO with AToM debugs are enabled on the ASR 1000 Router Series. When enabling AToM debugs which requests VC Accouting details from MFI during SSO the router may fail.

Workaround: None

CSCtc78200

A Cisco ASR 1000 Router may crash in parse_configure_idb_extd_args routine.

This symptom is observed when running PPP sessions or when TCL is used for configuring interface range.

Workaround: As the PPP session is being established on the LNS, Cisco IOS will momentarily use one of the available VTYs from the router. After initial configuration, it is immediately released to the system pool.

When all VTY connections are in use, an RP crash will occur if a new PPP session is established and there are no free VTYs in the system.

To work around this issue, reserve several VTY connections for PPP session establishment. Since it is possible that a burst of PPP sessions tries to connect using multiple VTY connections at the same time, reserve at least 5 VTY connections. One possible solution is to use an ACL on the last 5 VTY

lines:

ip access-list extended VTY_ACL
 deny   ip any any
!
line vty 5 9
 access-class VTY_ACL in
 exec-timeout 1 0
 login authentication local1
 
   

Alternate Workaround: Do not configure "interface range" cli using ios_configfrom tclsh mode. When in tclsh mode, use normal "interface cli" in a "for loop".

CSCtc91560

High CPU utilization occurs on a Cisco ASR 1000 Router.

The symptom is observed with session churn on the router.

Workaround: There is no workaround.

Further Problem Description: CPU usage will remain high under normal conditions given a constant churn rate of approx 24 CPS, coming up and down.

CSCtc95709

During ISSU upgrade, the standby router may crash and reload after displaying the following error message:

DATACORRUPTION-1-DATAINCONSISTENCY or DATACORRUPTION DATAINCONSISTENCY

This symptom is observed during ISSU upgrade if RPs are in slots between LCs. If RPs are in slots below all LCs, or slots above all LCs, the symptom should not occur.

Workaround: Physically move RPs to the lowest slot numbers, below the LC slot numbers. Moving RPs one by one should allow continued serviceability.

CSCtd00493

For IPv6 Bi-directional entry FF03::1:0:0/96, some packet with address like FF03::1:1:1/128 or FF03::1:1:2/128, etc... In addition a Cisco ASR 1000 Router cannot find a match in CPP due to the collision lookup failure. This problem may cause the traffic to not forward the entries on the router.

Workaround: None

CSCtd02123

WRED state only shows WRED state with standard class.

In sh policy-map int, WRED state only show standard class's WRED state.

Workaround: Is to only use standard wred classes.

CSCtd22064

The ASR 1000 Router Series will crash when removing SBC configuration after a failover.

During normal call operations a failover is initiated via CLI. Normal call operations continue without issue after the failover. After stopping all calls, the SBC configuration is removed and the Cisco ASR 1000 Router will crash.

Workaround: Do not remove SBC configuration.

CSCtd24065

The output of the command show subscriber statistics shows that number of "SHDBs in use" is greater than the total number of unique subscribers for the deployment. This might contribute to issues such as an "out of IDs" message or sessions not coming up.

The symptom occurs for DHCP-initiated sessions either when:

1. Session idle times out followed by a lease expiry or you release the lease.

2. Session is cleared using the clear subscriber session command and there is a lease expiry or you release the lease.

Workaround: There is no workaround.

Further Problem Description: This can also contribute to a small amount of observed memory leak.

This problem occurs in code branches where IP session HA is not supported. In these branches, the above steps cause a SHDB handle to not be cleared properly when other datastructures are cleared.

CSCtd25688

The Cisco ASR 1000 Router crashed multiple times when using 2.6 pre-released images with the following message:

Kernel panic - not syncing: Attempted to kill init.

In some instances this problem may occur with no traffic ON.

Workaround: None

CSCtd31226

Every 10 seconds an error message has been logged on a Cisco ASR 1000 Router console:

%CPPOSLIB-3-ERROR_NOTIFY: F0: cpp_cp: cpp_cp encountered an error

This error has been seen when using 12.2(33)XND1 release.

Workaround: There is no known workaround.

CSCtd32560

During Cisco ASR 1002 or Cisco ASR 1004 ISSU upgrade from IOS XE 2.3.2 to IOS XE 2.5.0, a loss of QoS functionality can occur on some and all targets.

Loss of QoS functionality has been observed right after RP upgrade and switchover while following Cisco ASR 1002 or Cisco ASR 1004 ISSU procedure. The QoS functionality does not recover on its own and only occurs on policies that are both hierarchical (at least 2-level) and contain policers. The condition can be identified by the following command:

show platform hardware qfp active interface if-name <if_name> info | include QoS

If there is no output returned from this command then there has likely been a QoS service disruption due to this problem.

Workaround: QoS functionality can be resumed on the interface by removing and re-attaching the QoS policy. Alternately, the problem can be avoided by upgrading to IOS XE 2.4.x first (including the ESP). The upgrade path would be IOS XE2.3.2 -> IOS XE 2.4.x -> IOS XE 2.5.x.

CSCtd34644

Hub and spoke on the ASR 1000 Router  Series in DMVPN - Hub Support by QoS Class (DMVPN Phase 3) the network shows ATTN SYNC timeout and IPSEC-3-CHUNK_DESTROY_FAIL messages in steady state traffic and during dmvpn config cleanup. This is seen during scale config and configuration cleanup.

Workaround: No Workaround

CSCtd38225

When ISG is enabled and DHCP sessions re-start just around the time their leases expire, some sessions may get stuck dangling indefinitely. Sending DHCPDISCOVER message (i.e.: re-starting the CPE) will not restore the session. The affected subscriber(s) will not be able to establish a session.

This condition has been observed whenISG is enabled and DHCP sessions re-start just around the time their leases expire.

Workaround: The only known workaround is to manually clear the dangling session(s) using the clear ip subscriber dangling <time> command although this may not be a suitable workaround in a live production network.

CSCtd39778

The Cisco ASR 1000 Router may reset due to IOS failure when ZBFW is configured with more than 16 match protocols and there are large an additional no match protocl statements in ZBFW class-maps.

This has been seen, when an addition of more than 16 match protocol statements in a class-map is used for inspect policymap on the ASR 1000Router.

Workaround: Is to split the class-map with more than 16 match protocol into multiple class-maps, each with 16 or less match statements.

CSCtd42810

PPPoEoA sessions are not coming up because some VCs are in inactive state on the Cisco ASR 1000 Router Series.

This symptom has been observed when around 400 PVCs are configured with PPPoEoA sessions.

Workaround: Is to save the configuration on the LAC, then reload the LAC.

CSCtd42928

An IP DHCP ISG subscriber session is not being created for a particular subscriber on the Cisco ASR 1000 Router Series. While other subscribers are not affected.

The symptom is observed under the following conditions:

1. Scaled environment (with 20k sessions).

2. Using debugs and show commands it is determined that no session or binding exists for the subscriber, but a DPM context exists.

Workaround: There is no workaround.

Further Problem Description: In such conditions the only way to start the session for the subscriber is a reload or switchover.

CSCtd53112

IOS reload occurs when on a Cisco ASR 1000 Router when `debug cond ip nat inside source static..' command entered and NAT has never been configured on the box.

Workaround: Enter 'debug cond ip nat' commands only after NAT has been configured.

CSCtd60249

Policy-map counters are not updated randomly on a Cisco ASR 1000 Router running 12.2(33)XND2.

This condition maybe seen only when when time-based ACL is used for classification.

Workaround: Is to reconfigure the policy-map.

CSCtd66132

On a Cisco ASR 1000 Router FP reloads when changing the RP address with DMVPN Config.

This problem maybe seen on the ASR1000 Router, when changing the RP address with DMVPN Config, while sending multicast packet.

Workaround: None

CSCtd70582

Traffic Class services will remain in "show subscriber session" output under "Policy Information" after traffic class has disconnected by timer events.

Only seen when Traffic Class is disconnected through an Idle Timer or Absolute Timer expiring.

Workaround: When traffic class service is disconnected through normal (User Intervention), issue is not seen. For Timer disconnected Traffic Class services, no known workaround at this time.

CSCtd72215

Using 12.2(33)XNE CCO image the following behavior is noticed with an IPv6 enabled interface. Basically, toggling "ipv6 unreachable" config on an interface leads to unreachables being permanently disabled :

1. Confirm that by default interface responds with ICMPv6 unreachable message when traffic with unknown destination is sent.

2. Configure "no ipv6 unreachables" on interface and it is observed that ICMPv6 unreachables are no longer sent.

3. Configure "ipv6 unreachables" on interface ... expect to see unreachables being generated again however this is not the case.

This condition may happen after configuring "no ipv6 unreachables" and the inablity to configure back to ipv6 unreachables.

Workaround: Is to reload IOS Software.

CSCtd73567

The ASR 1000 Series Router may reload unexpectedly while reassembling a fragmented ip packet.

Workaround: None

CSCtd75461

When the same destination ip address is used in multiple netflow exports, of the following syntax, ip flow export destination<ip-address><port>, only the first configured export port will be used to send 1 copy of the export packets. If different destination ip addressses are used, this problem is not seen.

Additionally, if a destination ip address is configured with an unintended port number, and the user then configures the same statement with the intended port number, both flow exports will show up in the config and in the output of <CmdBold>show ip flow export<noCmdBold>, and if you then delete the first entry, we will still continue to send exports to the originally configured port number for that ip address.

Workaround: If you can configure two ip addresses on that same destination host, and use separate export statements for sending those packets, then this could be a feasible workaround.

CSCtd77312

L2TP resync will fail under some conditions on the ASR 1000 Router Series.

This condition has been see before RP swichover occurs, when LAC has sent some L2TP control packets which have not been acknowledged yet.

Workaround: There is no known workaround.

CSCtd80007

The standby routing processor crashes during an SSO when TE Auto-Tunnel Backup is enabled on a Cisco ASR 1000 Router.

The symptom has been observed during an SSO only on a new Standby RP when TE Auto-Tunnel Backup is in use.

Workaround: Is to disable TE Auto-Tunnel backup.

CSCtd83822

Increasing memory usage of `reflector.sh' and `droputil.sh' process may occur on the ASR 1000 Router Series.

Workaround: None

CSCtd84427

After RP2 Switchover, some of the adjacency do not come up on the Cisco ASR 1000 Router Series.

This condition has been seen when manual switchover on the RP2 has occurred.

Workaround: None

CSCtd90979

When configuring hierachical QoS policy-map with precent based rate configuration, the rate calcultion might be wrong when the QoS policy is applied to 10 GigabitEthernet interface.

The translation from percent to absolute value (in Kbps) might be wrong when QoS policy is applied to 10 GigabitEthernet interface.

Workaround: To change from using the percent rate to the absolute rate in BPS (bits per second0 in parent shaper would avoid running into this issue.

CSCte02973

Routing protocols like EIGRP may be dropped in the global table.

The symptom is observed when multicast is configured for a VRF and no multicast is configured for the global table.

Workaround: Is to enable ip multicast routing and create a loopback interface with ip pim sparse-mode enabled.

Further Problem Description: The problem should not occur for MVPN since this is not a valid configuration, as multicast in the core is a requirement. However, it can occur for a feature called MVPN-lite, where multicast traffic is routed between VRF tables without the tunneling and therefore without the requirement for multicast in the global table.

CSCte05357

The ASR 1000 Router may crash, when bringing up PPPoE sessions after segmentation faults are configured. This has been seen, when bringing up PPPoE with AAA authorization on VRF and PPP configuration with virtual templates is configured on the router.

Workaround: None

CSCte05638

Cannot copy WebEx application logs from WebEx Node SPA console with Vegas shell commands.

When connection to WebEx Data Center fails, the WebEx support team might need to look at the WebEx application log files to identify the problem.

There is no mechanism today for customer to copy this logs files out of the WebEx Node SPA.

Workaround: None

CSCte07457

The ASR 1000 Router is showing only zero counters for qos service-policies (as per the show policy-map interface) when applied on Ethernet based interfaces (FE and GigE) after a reload.

Workaround: None

CSCte08145

CPP reset on sending malformed GRQ on the Cisco ASR 1000 Router.

This condition has been seen after malformed GRQ has passes through the ASR 1000 Router, where router is performing ALG. The CPP will reset after some time period.

Workaround: There is no workaround as of now.

CSCte19782

When ESP traffic is traversing NAT with inside static configs, the traffic initiated from the outside hosts willl not work.

This condition happens with NAT inside static configuration, the ESP traffic iniitated from the outside network will be passing through the NAT box untranslated.

Workaround: There is no known workaround.

CSCte20245

ESP is observed to reload while trying to bringup PPPoEoA sessions during an RP Switchover.

This condition has been observed, when PPPoEoA sessions are setup during RP switchover this may cause ESPs to reload.

Workaround: Setup sessions after RP switchover has happened.

CSCte20928

ESP20 restarts when loading the config on the RP2.

This issue has been seen when loading config on a blank box with ESP20 and RP2.

Workaround: None

CSCte29294

On the Cisco ASR 1000 Router the ESP may crash, when doing High Availibility (HA) switchover in LNS environment.

This has been seen, when LNS has been configured with traffic.

Workaround: There is no workaround.

CSCte40621

On a Cisco ASR 1000 Router when adding pinhole, after modify has failed with an ER=421 error message.

For example: "AddIssue-NG.pcap" contains failed pattern with following order:

ADD (pinhole/user1a)

ADD (pinhole/user2a)

Modify (pinhole/user1a)

ADD (poinhole/ser2v) -> failed with ER=421

Workaround: None

CSCte43708

On a Cisco ASR 1000 Router a crash can occur when using QFP.

This instance may occur when QFP is forwarding an IP fragment while doing ip virtual-reassembly, which is enabled by NAT.

Workaround: None

CSCte45106

Crash in QoS cpp_cp process when memory is running to slow on the Cisco ASR 1000 Router Series . The following conditions have been observed:

1. Establish 25k PPPoE PTA ISG sessions with traffic classes, port bundle, l4r, accounting and QoS.

2. Send traffic through the sessions.

3. Make sure that all the idbs are used.

4. Keep trying to establish PPPoE sessions.

5. FP crash should be observed.

Workaround: Keep memory from running low.

CSCte45509

The ASR 1000 Router cannot take over PPP and L2TP sessions when ISSU has been loaded .

During ISSU step, Active RP image is a previous version and Standby RP image is 12.2(33)XND3.

The following traceback occurred and cannot create ppp sessions on Standby RP:

%SYS-2-LINKED: Bad enqueue of xxx in queue xxx -Process= "RADIUS"

Therefore all PPP sessions is lost at the time of RP switchover.

Workaround: There is no workaround.

CSCte46020

When using a nas-port-format which is different from default encoding 4/1/3, the NAS-Port-ID and NAS-Port radius attributes do not reflect the requested encoding. This is for sessions which originate on ATM interfaces only, i.e. PPPoEoA.

Depending on physical interface location, the NAS-Port-ID and NAS-Port radius attributes may not be represented correctly.

Workaround: Physically move (if possible) the interfaces into ports which can be correctly encoded with 4/1/3 bit distribution.

CSCte46218

Traffic is not forwarded through GRE or multipoint GRE tunnels with "tunnel key 0". This condition is seen when tunnel key is configured via "no tunnel key" and then reconfigured via "tunnel key 0" on a GRE or mGRE tunnel, traffic will received tunnel packets will be dropped.

Workaround: After removing tunnel key configuration, configure "tunnel key" with non-zero value or delete and recreate tunnel interface.

CSCte50523

The H.323 Fast-Slow interworking feature was added in an earlier release of DC SBC, however, the feature is being deprecated.

This affects the following cli:

#config t

Enter configuration commands, one per line. End with CNTL/Z.

(config)#sbc <name>

(config-sbc)#sbe

(config-sbc-sbe)#adj h323 ADJA

(config-sbc-sbe-adj-h323)#start ?

fast H.323 Fast start for outgoing calls on this adjacency

slow is no longer an option meaning Fast Start requests on this adjacency will not be converted to Slow Start.

Workaround: This is a deprecation of a cli and no work around is needed.

CSCte50685

NAT DNS ALG TTL not set to 0. Failover from primary ASR to secondary will cause application failure because of invalid dns cache entries from old nat. By setting the TTL to 0 the client will rerequest dns information.

Workaround: None

CSCte50721

During stateful NAT sync of H323 information from primary to standby, the standby crashes.

This condition occurs when Cisco ASR 1000 Router with dual RP and ESP configured.

Workaround: Is to disable H323 with the following commands when H323 ALG is not required:

no ip nat service h225

no ip nat service ras

CSCte51283

Traffic on a priority class receives more bandwidth than what has been configured.

This condition has been observed when configuring "priority percent" on a QOS service-policy, if the class-default has "fair-queue" configured, the rate on the priorit

Workaround: None

CSCte51436

Pressing Hold during a SIP-to-SIP call through CUBE(Ent) on the ASR 1000 Router results in intermittent disconnects. The phone behind the ASR CUBE hears a fast busy tone.

When CUBE dial-peers are configured with dtmf-relay of: "rtp-nte", "sip-notify rtp-nte", or none.

ASR CUBE(Ent) version from CCO: asr1000rp2-adventerprisek9.02.05.00.122-33.XNE.bin

Workaround: Is to use "sip-notify" as the dtmf-relay method.

CSCte52369

On a Cisco ASR 1000 router, the RADIUS will send a NACK for the First COA request message and Radius Authentication will fail.

This condition has been observed when the RADIUS recieves "ACCESS-ACCEPT" with `Unsupported Vendor' attribute.

Workaround: Is to send the COA request message again.

CSCte56627

Outside NAT sessions are not syncing between active and standby.

The following symptom may occur:

1. Sessions may not be sync properly to standby OR

2. ession deletes may not be sync properly to standby (session that would be deleted on standby, will not be deleted).

The following conditons may occur:

1. On ASRNAT when there is an inside mapping and outside static mapping configuration.

2. When there is a very high burst of session aging occurs.

Workaround: None

CSCte58825

There is a crash upon conducting an snmpwalk from "enterprise mib oid 1.3.6.1.4.1".

The symptom is observed on a Cisco ASR 1000 Series Aggregation Services router that is running Cisco IOS Release 12.2(33)XNE.

Workaround: Configure SNMP view to exclude ipsecpolmap as follows:

snmp-server view <view name> iso included

snmp-server view <view name> ipsecpolmaptable excluded

CSCte60069

During the scale testing with ModelF applied on PTA, reparenting operation results in FP crash. Also CPUHOG and TIMEHOG tracebacks observed. The following conditions have been seen:

1. On PTA, bring up 24K IPv4 sessions, 2PQ+2CQ (modelf)

2. remove grandparent shaper and3)add the shaper back. When this instance occurs, FP crashes a tracebacks are observed.

Workaround: Without the fix for this ddts, avoiding reparenting with large number of vlans with sessions will resolve the issue.

Open Caveats—Cisco IOS XE Release 2.5.1

This section documents possible unexpected behavior by Cisco IOS XE Release 2.5.1

CSCsz36180

When enabling passive header compression on interface where active header compression is enabled doesn't get reflected in show running configuration of interface. Though its get updated in show frame-relay map command output. Also, the header compression is not working as desired after this configuration. Ideally if both side are configured for Passive, compression should not happen. In this case compression is happening though sh frame relay map command shows both interfaces are configured as passive on the ASR 1000 Router Series.

This has been seen, when the following command is used:

frame-relay map ip <ip> <dlci> compress passive 
frame-relay map ip <ip> <dlci> compress active 

When the same ip and dlci values are used on the ASR 1000 Router this does not take effect.

Workaround: To do no frame-relay map ip <ip> before changing the header-compression from active to passive.

CSCsz53438

When ip header compression is configured on the ASR 1000 Router, but not on the corresponding router, an unexpected reload of the embedded systems processor may occur.

This has been seen, when IPHC is configured on the ASR 1000 Router, but not on the router to which it is directly connected.

Workaround: Is to enable IPHC on both routers.

CSCta26678

Unable to add vrf configuration after removal of the same vrf on the ASR 1000 Router Series.

This has been seen, when ODR is present on the Cisco  ASR 1000 Router.

The router should function normally after the router has been reloaded.

There are no known workarounds.

CSCta60589

On the ASR 1000 Router, when there are files in the tracelog directory doing a wildcard search could potentially result in a CPUHOG message.

This has been seen, when there are a large number of files in the directory the wild card is being applied on the ASR 1000 Router.

Workaround: Is to avoid doing wildcards on directories with large number of files.

CSCta65347

CME is changing the media direction attribute as "INACTIVE" instead of "RECVONLY"on the ASR1000 Router Series.

Only in this instance the resume fails, when CCM/CME scenario's from h323 legcalls are used and there is no media on the ASR 1000 Router.

Workaround: None

CSCtb07144

Shutting an interface having a large number of vlans while there is a significant number of multicast entries and interfaces in the MFIB database can take a significant amount of time on the ASR 1000 Router Series.

This has been seen when there are a large number of vlans configured on the interface that is being shutdown. A significant number of entries and interfaces present in the MFIB database.

Workaround: None

CSCtb24959

The ASR 1000 Router Series may fail while clearing large number of rp mappings. This instance can happen when the following has occurred:

the router has been configured for rp agent

and candidate there are a large number of rp's

initiating the clear ip pim rp-map command

Workaround: Is not to apply the clear ip pim rp-map command one after the other.

CSCtb32892

Traceback has been logged "%MFIB-3-DECAP_OCE_CREATION_FAILED: Decap OCE creation failed " may be seen on the ASR 1000 Router Series console when loading the image or adding the RP with SSO.

In this condition, the tracebacks can be seen on reloading a Provider Edge router with mVPN configuration or adding the RP with SSO on the router.

Workaround: None

CSCtb33587

NDB state Error Tracebacks on DMVPN spoke with NHO may be found on the ASR 1000 Router Series:

%IPRT-3-NDB_STATE_ERROR: NDB state error (NO NEXT HOPS UNEXPECTED) 

This may cause temporary packet drops or forwarding to less specific routes.

The problem may occur, when using RIP or EIGRP and running NHRP and NHRP has installed NHO nexthops for the RIP/EIGRP route.

Workaround: Is to wait after the holddown timer expires, the problem will be cleared.

CSCtb40529

At switchover, the old active takes 2 reboots to become standby for the ASR 1000 Router Series.

This may occur, when scaled setup with switchover has been configured on the ASR 1000 Router.

Workaround: None

CSCtb56852

RP resets when we delete DMVPN Tunnel on hub router .

In 1hub and 1000 spokes scenario, when we delete dmvpn tunnel on hub causes RP reset on hub router.

Workaround: None

CSCtb66050

On the ASR 1000 Router Series running Session Border Controller (SBC), a traceback is observed on doing an ISSU sub-package upgrade from release 2.5 image to a later image. This traceback is thought to be largely benign and doesn't affect normal operation. Upgrade is successful, calls can be made and media can be set up through SBC.

This traceback is only observed upon ISSU upgrade from release 2.5 image and only with a sub-package upgrade. The traceback is not seen on performing a consolidated update.

Workaround: Use a consolidated update procedure instead of sub-package upgrade, when possible.

CSCtb71415

There are occasional CPPOSLIB-3-ERROR_NOTIFY: F1 logs from the ASR 1000 standby FP20. The show plat soft firewall f1 stati output displays zone-binding ASR 1000 errors may be seen on the ASR 1000 Router console (but not on the active F0).

This may occur, when running longevity stress tests incorporating per-subscriber firewall, with redundant RP2 and Topology:

stateful PPPoE---LAC--10GbE---LNS---L4-7servers
vanilla PPPoE------|                        |---10GE --tgen
 
   
There are 32000 total sessions:
- 12000 are stateful and flapping periodically
- 15000 are vanilla across 3GE ports passing random traffic up 1500B packets at 
1.6Gbps upstream total, 2.8Gbps downstream total
- 2500 PSFW sessions just periodically flapping
- 2500 vanilla PPPoE session periodically flapping
 
   
Zones are being downloaded via RADIUS.  VFR, uRPF on V-T and/or via RADIUS.

Workaround: No workaround available at this time. In additon the error actually happens during zone unbinding.

CSCtb79598

When you configure a PVC ASR 1000 with QoS enabled, the QoS will not work as expected on the ASR 1000 Router Series.

The only happens, when you unconfigure ancp neighbor associated with the PVC before you delete the PVC on the ASR !000 Router.

Workaround: None

CSCtb79850

Interface flap may close when pending channels for the atm spa are configured on the ASR 1000 Router Series.

This may occur, when the interface flap has pending channels on the atm spa.

Workaround: None

CSCtb98877

On the ASR 1000 Router Series subsequent call fails after a SIP Session Refresh timeout occurs after an HA switchover in CUBE enviroment.

This occurs in a back to back CUBE environment:

CUCM1 - SIP - CUBE1 - SIP - CUBE2 - SIP - CUCM2

The CUCM SIP Refresh is set to 90 seconds, and a call is made. HA switchover occurs on CUBE1, and the call is disconnected as expected.

The same call is made again, but the originating endpoint on CUCM1 gets a Busy tone, while the

terminating endpoint on CUCM2 gets Ringing tone.

CUBE2 sends a 503 Internal error with the following cause code:

Reason: Q.850;cause=38 - [Network out of order]

Workaround: None

CSCtc16232

When the L2 MAC address of an Ethernet interface is changed on the ASR 1000 Router Series, the final RA is not sent to the remote endpoint.

The expected behaviour is that when the L2 MAC address is changed, on the ASR 1000 Router is to send a final RA to the endpoint indicating the change.

Workaround: None

CSCtc17366

Only 1-way media or no media is passng when call setup is establish on the ASR 1000 Router Series. This may occur when SIP trunk has been configurated or any setup using 2 IP adress pair with sport and dport equals 5060 for multiple dialogs on the router.

Workaround: There is no straight forward workaround other than to put the call on hold, then resume the call to try and recover the media.

CSCtc19914

The Embedded Services Processor (ESP) has been reloaded when configuring and unconfigure a large static RP addresses multiple times rapidly with mVRFs on the ASR 1000 Router Series.

When using the following scripts this condition has been seen:

1. Configuring large mVRF's on PE

2. Configuring large Loopbacks on PE, one for each of the VRF

3. Configuring and unconfiguring large static RP addresses multiple times rapidly.

Workaround: None

CSCtc21042

When MVPN is configured the cman fp crashes and the ESP20 continues to reboot while crypto traffic runs for several hours without triggering any events on the ASR 1000 Router.

This has been seen, when crypto traffic passes through the system for several hours before this crash takes place.

Workaround: None

CSCtc41808

When trying to change ipsec tunnel configuration by changing tunnel mode between SVTI and GRE, iosd crash is observed on the ASR 1000 Router Series.

Workaround: None

CSCtc50830

When reloading an active RP just before it goes to rommon mode the ASR 1000 Router dumps a core and crash file pointing to Redundancy FSM.

This condition happens after IPNAT client reloads the standby RP and synchronizing active with standby.

Workaround: None

CSCtc55049

The ASR 1000 Router may crash and reload following a reboot or initial boot from a power-up.

The embedded syslog manager (ESM) needs to be configured along with an ESM script present during an initial boot or reload. Also, redundant RP/FP appears to be the scenario that has the greatest likelihood of encountering the problem.

Workaround: None. However if problem manifests, the subsequent rebooting is very likely to be successful. If stuck in a situation where crashes are repetative, momentarily pull redundant RP until system stabilizes, and re-insert redundant RP.

CSCtc71338

When configuring a 10k line ACL (production-out) on the interface, the FP process crashes on the ASR 1000 Route Series.

The production-out will show as follows:

interface GigabitEthernet0/3/4
 ip address 1.10.4.1 255.0.0.0
 ip access-group production-out in
 ip access-group production-out out
 speed 100
 no negotiation auto
 cdp enable
 service-policy output test

Workaround: None

CSCtc72052

The ASR 1000 Router is unable to configure Dynamic Nat Pool with prefix length 14 or less.

This happens when Nat Pool is configured with a lower prefix lengths. This configuration is rejected on the ASR 1000 Router.

Workaround: Is to create a Nat Pool with prefix length 14 or higher.

CSCtc73525

The ESP board on the ASR 1000 Router Series with ATM PVCs carrying broadband sessions does not accept further config. Traffic forwarding on existing features and session is not impacted, but additional config is rejected.

This ocurrs, when BB sessions over ATM PVCs are configured. With a high number of PVCs configured, and if all PVCs are attemtped to be removed at once with the "rage" command, the ESP board may get into an error state that prevents additional config (such as bringing up new PVCs or sessions) from being accepted.

Workaround: None. However if problem manifests, a reload of the ESP is required to bring the system back to its normal state.

CSCtc90996

While under load for extended periods of time, a condition may ocurr that causes a large amount of stale call legs to exhibit on the ASR1000 Router Series. These stale call legs can consume enough memory on the platform to cause a crash due to memory outage. It has been observed with 2000 active calls at 20 CPS for an extended period of time.

Workaround: To avoid a runaway condition, the use of the command max-conn on the dial-peers of the platform is capable of holding back the amount of stale call legs. While the condition occurs that triggers the event, max-conn has the side effect of not permitting calls to be established over this dial-peer. Eventually it will clear and calls may continue.

CSCtc95709

During ISSU upgrade on the ASR 1000 Router Series, there may be two symptoms:

1. Error message DATACORRUPTION-1-DATAINCONSISTENCY or DATACORRUPTION DATAINCONSISTENCY printed out

2. Standby may crash and reload

This problem may occur, during ISSU upgrade, while RP's are configured for slots between LC's. When RP's are in slots below all LC's, or slots above all LC's, the problem should not occur.

Workaround: Is to physically move RP's to the lowest slot numbers, below the LC's slot numbers. Moving RP's one by one should allow for continued serviceability.

CSCtc99048

When VLAN-VLAN Pseudowires (PWs) redundancy is configured, when the RP switchover happens on pseudowires (PWs) from primary to backup, and the RP is switched back to primary this may not be allowed for some of the pseudowires (PWs) to forward traffic properly.

Workaround: Is to do a clear xconnect all will re-provision xconnect on all PWs, and after that all pseudowires (PWs) can forward traffic properly.

CSCtd11492

Policy on some of the tunnels may continue to stay in a suspended state for typically 4 to 5 minutes on the ASR 1000 Router Series.

This may occur when tunnels are configured, after executing shut/no shut command on the ASR 1000 Router.

Workaround: None

CSCtd14559

L2TP-3-ILLEGAL tracebacks and PPPoX session mismatch between active and standby rps.

This error condition is noticed, when rp switchover takes place during the time frame pppox sessions are coming up. In a rare condition, session mismatch was noticed when pppox sessions were coming up for the first time with no other events taking place.

Workaround: No workaround

CSCtd24611

When Standby FP is out of memory on the ASR 1000 Router Series, the cpp_cp tracebacks and FMFP-3-OBJ_DWNLD_TO_CPP_FAILED messages may appear on the console.

This text is similar to the following that is printed on the console, the cpp-cp_Fx-0.log error message:

cpp_qos_policer_event:1766:EVENT fail to allocate a feature object 0xc (Cannot 
allocate memory)
 
   

This instance can happen when the following has occurred:

1. Bringup the ASR with RLS6 image

2. Initiate 32k PPPoE sessions and send traffic

3. Start a script which changes the QoS on the PPPoEoQinQ sessions through CoA

4. Start a script which flaps 4000 PPPoEoA sessions once in every 20mins. cpp_cp tracebacks and FMFP-3-OBJ_DWNLD_TO_CPP_FAILED messages are seen after sometime.

Workaround: None

CSCtd26479

On ASR 1000 Router Series, the FP may crash with the following error message:

%IOSXE-6-PLATFORM: F0: cpp_ha: Shutting down CPP MDM while client(s) still connected 

The FP crashes may happen in some instances, when switchover is pushing COA toward PPPoE and there are 1000 PPPoE ISG sessions on the router.

Workaround: None

CSCtd26955

On the ASR 1000 Router Series ANCP sessions may drop with high event rate.

This condition may occur, when ANCP is configured on ATM (pvc-in-range), the on-demand (AutoVC) is created and enabled at the interface level (with vc-class) on the ASR 1000 Router.

Workaround: When all the on-demand (AutoVCs) in range is not created on ATM (pvc-in-range), create and enable create on-demand at vc level.

CSCtd31447

On the ASR 1000 Router Series may crash when reloading the QoS configuration.

This has been seen when switch over is performed on the ASR 1000 under traffic load.

Workaround: None

CSCtd32560

During Cisco ASR 1002 or Cisco ASR 1004 ISSU upgrade from IOS XE 2.3.2 to IOS XE 2.5.0, a loss of QoS functionality can occur on some and all targets.

Loss of QoS functionality has been observed right after RP upgrade and switchover while following Cisco ASR 1002 or Cisco ASR 1004 ISSU procedure. The QoS functionality does not recover on its own and only occurs on policies that are both hierarchical (at least 2-level) and contain policers. The condition can be identified by the following command:

show platform hardware qfp active interface if-name <if_name> info | include QoS

If there is no output returned from this command then there has likely been a QoS service disruption due to this problem.

Workaround: QoS functionality can be resumed on the interface by removing and re-attaching the QOS policy. Alternately, the problem can be avoided by upgrading to IOS XE 2.4.x first (including the ESP). The upgrade path would be IOS XE2.3.2 -> IOS XE 2.4.x -> IOS XE 2.5.x.

CSCtd39409

IOSD crash on the ASR 1000-WATCHDOG: Process = L2TP mgmt daemon has been seen on the ASR 1000 Router Series.

This condition has been seen, when flapping on LNS firewall sessions over time happens on the router.

Workaround: None

CSCtd39778

The Cisco ASR 1000 Router may reset due to IOS failure when ZBFW is configured with more than 16 match protocols and there are large an additional no match protocl statements in ZBFW class-maps.

This has been seen, when an addition of more than 16 match protocol statements in a class-map is used for inspect policymap on the ASR 1000Router.

Workaround: Is to split the class-map with more than 16 match protocol into multiple class-maps, each with 16 or less match statements.

CSCtd47503

On ASR 1000 Router Series, the FP may reboot itself with the following traceback message:

%CPPHA-3-FAULT: F0: cpp_ha:  CPP:0 desc:CPP Client process failed: FMAN-FP det:HA 
class:CLIENT_SW sev:FATAL id:1 cppstate:RUNNING res:UNKNOWN flags:0x0 cdmflags:0x0     
%IOSXE-6-PLATFORM: F0: cpp_ha: Shutting down CPP MDM while client(s) still connected     
%CPPOSLIB-3-ERROR_NOTIFY: F0: cpp_cp:  cpp_cp encountered an error -Traceback= 

This may occur under stress conditions, when sending Change of Authorization (COA) pushes to deactivate and activate ISG services after RP switchover.

Workaround: None

CSCtd56393

IPsec polo transactions are not complete and spd map id is missing ASR 1000 Router Series. When reconfigurating DMVPN Phase3 hierarchial topology to a single hub (DMVPN Phase )topology this polo issue has been seen.

To recover from the state, ASR 1000 Router will need to be reloaded.

In addition, after multiple spoke extremely high scaling tests [config, removal], and changing from hierarchial topology to single hub topology this same problem has been observed.

Workaround: None

CSCtd62837

H323 to SIP configuration, when the H323 side supports two DTMF methods, the DTMF interworking may fail on the ASR 1000 Router Series.

When performing H.323 to SIP call, the H.323 side support for H245 alphanumeric userinput and tel-event, the SIP side may just support tel-event. The H.323 side may send DTMF userinput, and the SBC may drop the userinput.

The following pd log message may appear on console:

ICC has failed to find a mechanism to pass on DTMF tones in this call.  The tones will 
not reach their destination.

This may not cause the call to fail.

Workaround: None

CSCtd73567

The ASR 1000 Series Router may reload unexpectedly while reassembling a fragmented ip packet.

Workaround: None

CSCtd83047

When scaling ODR to 700 routes are missing in fman rp process on a Cisco ASR 1000 Series Router.

This may occur when the ASR 1000 router is configuring a large number of ODRs.

Workaround: Is to configure no more than 700 routes.

CSCtd89804

A Cisco ASR 1000 Router will bring up sessions very slow, when l2tp tunnel receive-window is set to 4 on LAC and LNS.

This may happen, when the receive-window value is low on LAC & LNS.

When the value is left at 4 on the (UUT) LAC and changed to 100 on the LNS, then the CPS is not slow on the router.

Workaround: Is to leave the receive-window value to 4, as expected on the LAC (UUT) change the value on the LNS to a higher number such as 100.

CSCtd90979

When configuring hierachical QoS policy-map with precent based rate configuration, the rate calculation may be wrong, the QoS policy is applied to 10 GigabitEthernet interface on the ASR 1000 Router Series.

This has been observed, when the translation from percent to absolute value (in Kbps) might be wrong and the QoS policy is applied to 10 GigabitEthernet interface on the router.

Workaround: Is to change from using the percent rate to the absolute rate in BPS (bits per second) in parent shaper would avoid running into this issue.

CSCte05357

The ASR 1000 Router may crash, when bringing up PPPoE sessions after segmentation faults are configured.

This has been seen, when bringing up PPPoE with AAA authorization on VRF and PPP configuration with virtual templates is configured on the router.

Workaround: None

CSCte14955

An unexpected reload may happen on the ASR 1000 Router Series.

This has seen, when BGP VPNv4 is configured and a neighbor is flapping on the router.

Workaround: None

CSCte19606

On the ASR 1000 Router a lot of messages may flood the console.

The following message is observed on the router console:

%INTERFACE_API-3-IFNUMTOIDBERROR: Error occurred while using the ifnum to idb table 
for interface Virtual-Access5562, if number 0, during Element Insertion  
%COMMON_FIB-2-IF_NUMBER_ILLEGAL: Attempt to create CEF interface for 
Virtual-Access5562 with illegal if_number: 0  %IDBINDEX_SYNC-3-IDBINDEX_ASSIGN: Failed 
to assign an index to IDB type 21, for interface "" (rc=11) -Process= "VTEMPLATE 
Background Mgr", ipl= 0, pid= 111

This may occur under stress conditions, when sending Change of Authorization (COA) pushes to deactivate and activate ISG services with ocasional RP switchover.

Workaround: None

CSCte19641

On the ASR 1000 Router Series, the CCP Driver Lockdown crash may happen.

The following console message has been observed:

%CPPDRV-3-LOCKDOWN: F0: cpp_cp:  CPP10(0) CPP Driver LOCKDOWN due to fatal error. 

This may occur, when stressing the system and activating ISG services with ocasional High Availability (HA) switchover.

Workaround: None

CSCte33491

The sessions may fail to established on LNS with per-subscriber firewall when configured with zone membership on the ASR 1000 Router Series.

This may occur when LNS is configured with virtual templates that contain zone membership and uRPF configurations. RADIUS config includes virtual-framentation re-assembly (VFR) and alternate zone membership. In addition, the subscribers may have the RADIUS-directed changes applied to the virtual access interface on the router.

Workaround: Potential work-around is to remove VFR from RADIUS config, since it is automatically configured with firewall.

CSCte58825

The ASR 1000 Series Router running release Version 12.2(33)XNE may crash upon snmpwalk from enterprise mib oid 1.3.6.1.4.1.

The conditions are that the ASR 1000 Series Router is running release Version 12.2(33)XNE (that is, Cisco IOS XE Release 2.5.0).

Workaround: Configure the SNMP view to exclude ipSecPolMap as follows:

snmp-server view <view name> iso included 
snmp-server view <view name> ipSecPolMapTable excluded 
snmp-server community <community string> view <view name> RO
 
   

Resolved Caveats—Cisco IOS XE Release 2.5.1

All the caveats listed in this section are resolved in Cisco IOS XE Release 2.5.1

CSCin99554

The ASR 1000 Router may hang, when stopping a core dump in progress by pressing the CTRL SHIFT 6 keys.

This symptom has been observed, only when RCP is used for a core dump.

Workaround: Do not use RCP for a core dump.

CSCsc98813

When using a route-map to set the metric for redistributed static routes, initially the RIP table looks correct on on the ASR 1000 Router. In addition, after sending the second update this changes the hop count for other routes in the RIP table that have not been redistributed on the router.

Workaround: Instead of using a route-map, use the metric command on the redistribution line, however this will not allow for any filtering.

CSCsq42904

On the ASR 1000 Router Series, when there are 1000 characters on the console, if there are more to display, the display is truncated.

The problem happens when you have a large number of interfaces and the output of "show zone security" is larger than 1000 characters.

Workaround: The workaround is to show all interfaces and get the zone membership from the interface.

Further Problem Description: The root cause of the problem is that the display buffer for this command is limited with 1000 characters.

CSCsr40074

On the ASR 1000 Router Series the output of show ip virtual-reassembly command does not obey terminal length settings and can continue on.

This will only happen, when there are alot of virtual access interfaces configured on the router.

For example, in the following sequence in per-subscriber firewall, when there are hundreds or thousands of virtual access interfaces, the output can render the console useless.

Workaround: There is no workaround.

CSCsx10028

A core dump may fail to write or write very slowly (less than 10KB per second).

The symptom has been observed, when the cause of the crash has occurred, after the memory corruption has happened on the ASR 1000 Router.

This may occur, when the memory pool has corrupted and the memory cannot be used to write to the core dump. This issue will most likely cause the router to fail. (IO memory corruption crashes should not have this problem.)

Workaround: There is no workaround.

Further Problem Description: When increasing the default size for the exception memory region to 256K to make sure it has enough memory to handle writing core dumps. This means that it is no longer be necessary to adjust the default size for the exception memory region as per the core dump instructions on CCO.

CSCsx59262

OSPF Neighbors on the ASR 1000 Router may bounce after changing the config-register.

This condition may occur, after OSPF interfaces and are configured with fast hellos. In addition, when OSPF neighbors is configurated and the value 'config-register' is changed this may cause the router to bounce.

Workaround: Is to use Bi-directional Forwarding (BFD).

CSCsx83443

Iskmp debug messages from all peers are shown in the term monitor enable tty and vty's

even though debug crypto condition peer ipv4 x.x.x.x is set. This is seen on the ASR 1000 Router Series when using peer ip based debug condition. In addition, when using peer ip based debug condition on the router.

Workaround: None

Further Problem Description: Only a subset of the messages are shown.

CSCsy45371

The clear ip nat tr * command removes corresponding static NAT entries from the running configuration, but removing static NAT running configuration does not remove the corresponding NAT cache.

This may occur, when NAT commands are entered while router is processing around 1 Mb/s NAT traffic.

Workaround: Is to stop the network traffic while configuring NAT.

CSCsz56462

Configuring cdp run does not bring up cdp on the interfaces.

This may only happens, when the default behaviour of a platform is to have CDP disabled.

Workaround: Is to configure cdp enable on required interfaces.

CSCsz59469

On the ASR 1000 Router Series, when the software version of the Active and Standby RP do not match, the Standby RP can reload indefinitely.

This may occur, when different versions of software are on the Active and Standby RP.

Workaround: Is to load compatible versions of software on the Active and Standby RP.

CSCsz66060

When saving the half duplex vrf configuration and after rebooting the ASR 1000 Router, the half duplex vrf configuration does not apply to the router, anymore.

This problem only happens, after half duplex vrf has been configured and when the ASR 1000 Router has been rebooted.

Workaround: Is to re-enter the half duplex vrf configuration again.

CSCsz66060

When saving the half duplex vrf configuration and after rebooting the ASR 1000 Router, the half duplex vrf configuration does not apply to the router, anymore.

This problem only happens, after half duplex vrf has been configured and when the ASR 1000 Router has been rebooted.

Workaround: Is to re-enter the half duplex vrf configuration again.

CSCta73008

Authenticate-req packets recieved out of phase is getting processed and reply has sent on the ASR 1000 Router Series.

This may occur, when the PPPoE session is UP after the Authenticate-Req with wrong ID/username has injected, while getting processed by the other end and a reply has been sent. This will cause a bit CPU usage and Non-RFC compliance.

Workaround: None

CSCtb13421

The GM may not register on a Cisco ASR 1000 Router Series.

This symptom has been observed, when a crypto map with local-address is configured and applied on multiple interfaces, after one of these interfaces are then shut.

Workaround: Is to disable local-address for the crypto map.

CSCtb18426

The multicast error messages and tracebacks can sometimes be observed when configuring/unconfiguring multicast on an interface using commands with this format [no]ip pim on a Cisco ASR 1000 Router Series.

Usually most multicast configuration have been removed when leaving the last interface still configured on the router. When unconfiguring multicast on the last interface followed by reconfiguring multicast on an interface may result in the multicast error messages being generated. The problem is most likely to occur, when making the configuration changes to virtual interfaces e.g Loopback and Tunnel.

Workaround: A workaround would be to introduce a time delay between completely unconfiguring multicast and reconfiguring it.

Further Problem Description: The problem is a consequence of disabling and quickly re-enabling multicast as a result of interface configuration changes. The multicast processes take a finite time to stop and start and can sometimes experience a condition when clean-up of internal data structures is performed under usual conditions. In this case the error messages are generated and full recovery is achieved. There is no known functional or performance impact.

CSCtb37492

PIM assert does not occur on a upstream router on which the source address is NATed.

NATed and a downstream router constantly exchange assert/prune message due to the fact that the "source-field" of assert-msg is not subject to NAT in the NATed router.

This occurs when more than one link exists between the two routers.

Workaround: None

CSCtb40999

AutoVC behavior is different in standby after SSO on the ASR 1000 Router Series has been configured.

This has been seen, when AutoVC is configured in a range, and a pvc-in-range is configured for no autovc. In addition, after doing SSO, the VC is in IN state.

AutoVC should not be displayed in "show atm vc" if it is configured in range.

Workaround: None

CSCtb74547

The ASR 1000 Router Series DMVPN HUB reloads when processing IPSEC key engine.

This conditions happens when dual DMVPN with shared tunnel protection feature is enabled.

Workaround: None

CSCtb86811

On the ASR 1000 Router Series the following error message may state:

"%MFI_LABEL_BROKER-3-MULTIPLE_BIND"

within Standby mode, after initiating the configure replace command.

This may occur, when there are large vrf scalability configurations, after static routes are in use in conjunction with encapsulation ppp and mpls label mode all-vrfs protocol all-afs per-vrf.

Workaround: There is no workaround for this specific command sequence and configuration.

CSCtc03750

SSO switchover may fail, when secondary reloads continuously happens on the ASR 1000 Router Series.

This has been seen, when L2VPN and L3VPN with Traffic engineering is configured and SSO has been issued SSO on the router.

CSCtc12334

The ASR 1000 Router Series may fail when initiating "clear ip bgp " command.

This command deletes all bgp neighbor relationships and clears bgp RIB.

This can occur when the following has been configured:

1. Need to have MDT configured on the router

2. Need to issue "clear ip bgp " command

Workaround: None

Further Problem Description: clear ip bgp * is not a command to be used by any operator in a production network the impact is wide and huge.

CSCtc21191

MSDP SA messages are not being forwarding to peers when MSDP is up after traffic starts on a Cisco ASR 1000 Router.

Workaround: Is to start MSDP before traffic starts on the router.

CSCtc24325

On a Cisco ASR 1000 Router the protocol ppp dialer is getting nv-gened, when dial-pool number is configured on the interface. This command is currently not there in vc-class mode. As a result of this line by line sync to standby fails and standby resets.

The problem has been seen, when dial pool number is configured on the router.

Workaround: None

CSCtc39018

On a Cisco ASR 1000 Router the show hw-module subslot X/Y transceiver Z command shows incorrect voltage.

Workaround: No known workaround.

CSCtc40677

When the distribute list is applied to the virtual template the distribute-list applied to the virtual-template interface is not effective for the virtual-access interfaces spawned by that template.For example, when the ASR 1000 router (hub) is configured as:

router eigrp 1
 redistribute static metric 10000 100 255 1 1500
 network 10.0.0.0
 no auto-summary
 distribute-list prefix TEST out Virtual-Template1!
ip route 0.0.0.0 0.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0!
ip prefix-list TEST seq 10 permit 0.0.0.0/0
ip prefix-list TEST seq 20 permit 10.0.0.0/8

For example:on the branch site when connected to a Virtual-accessinterface will show as:

ranch#sh ip route eigrp
Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, *15:56:44.397 BRU Wed Oct 7 2009
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
D       10.0.0.0/8 [90/46251776] via 10.12.0.2, 00:00:06, Dialer1
D       10.1.1.0/24 [90/46228736] via 10.12.0.2, 00:00:06,Dialer1
D       10.2.2.0/24 [90/46354176] via 10.12.0.2, 00:00:06, Dialer1
D*EX 0.0.0.0/0 [170/46251776] via 10.12.0.2, 00:00:06, Dialer1

For example: note that there is no filtering applied.

In rare conditions this error may have occurred on the ASR 1000 router (hub) running 12.2(33)XND1 or later releases.

Workaround: Is to configure the distribute-list for the specific virtual-access interface used for the connections on the hub.

CSCtc43110

Under H.323 call scenarios, outgoing H.323 signaling packets (TCP) are marked with a non-zero DSCP value, even though no QoS is configured for H.323 calls. This happens under all H.323->H.323 and SIP->H.323 scenarios when SBC creates a downstream H.323 calls.

Workaround: There is no workaround with SBC configuration. QoS can be re-marked when MQC policy is placed on the outbound physical interfaces of the ASR 1000 Series Router.

Workaround: None

CSCtc65431

VPN routes are not added after deleting and then reconfiguring VRF on a Cisco ASR 1000 Router.

This may occur, when vrf is deleted and added back onto the router.

Workaround: Is to do clear ip bgp * or clear ip bgp x.x.x.x.

CSCtc69100

PCD shows incorrect 'memory requested' output when activated on a Cisco ASR 1000 Router.

This may occur, when PCD is configured with the following buffer-size and num-buffer:

! base configuration
per-call buffer-size debug 1000
per-call export primary harddisk: secondary harddisk:
per-call trigger sip-message 487

!

asr10-rp2(config)#per-call num-buffer 3000
asr10-rp2(config)#per-call active deb
 70 percent of the largest available memory block on the router =
        2061936265 bytes
 Total PCD memory requested by user = 18446744072414584320 bytes
 Not enough memory available on the router.
asr10-rp2(config)#per-call shut

Workaround: None

CSCtc69991

When the Cisco ASR 1000 Router is configured as DMVPN spoke may throw tracebacks.

This may happen, when ODR is configured as the overlay routing protocol and shut/no shut is done on the tunnel interface.

Workaround: Is to use EIGRP as the overlay routing protocol.

CSCtc76353

Multilink fails to come up after SSO/PPP Bad Bind messages have been seen when enabling debug PPP negotiation on the ASR 1000 Router Series.

This problem has been observed, when MLP is configured between two boxes, and only the PEER is configured for MCMLP.

Workaround: Is to configure both boxes for MCMLP.

CSCtc78938

After configuring 6RU Superpackage for ISSU, when loading an image in 2.5.0 Release to the Router1-RP1 and the image in 2.5.0 Release to the Router2-RP1 for a PE router, some ATMoMPLS Pseudowires fail to download to FMAN-FP and QFP. This configuration may cause all traffic sent through these pseudowires to drop.

In the failed state, the router has the following symptoms:

1. the following command shows packets dropped in the Disabled row:

 
   
1k-60-2#sh pl ha qfp act stat drop clea | ex _0_
----------------------------------------------------------------
Global Drop Stats                         Packets        Octets
----------------------------------------------------------------
  Disabled                               48770         3627820  
 
   

2. the following command shows some ATM interfaces have packet drop:

1k-60-2#sh platform ha q act int all stat dr su cl
----------------------------------------------------------------
Drop Stats Summary:
note: 1) these drop stats are only updated when PAL
         reads the interface stats.
 
   
Interface                                       Rx Pkts             Tx Pkts
---------------------------------------------------------------------------
ATM0/1/0.378                                       1518                   0
ATM0/1/0.422                                       1518                   0
ATM0/1/0.1129                                       824                   0

3. the following command shows that no xconnect configure on the affected ATM interface in qfp side:

1k-60-2#show plat hard qfp act feat xcon cl int ATM0/1/0.1129
 % Error: Unable to get xconnect config interface=ATM0/1/0.1129
 
   

4. sh platform software atom fp active xconnect shows fewer entries than sh platform software atom rp active xconnect.

 
   
1k-60-2#sh platform software atom fp active xconnect
ATOM/Local Cross-connect table, Number of entries: 7712
 
   
1k-60-2#sh platform software atom rp active xconnect
Number of xconnect entries: 7736

The root cause of the issue is when ATM PVC is downloaded to FMAN on the PE router. In addition when XConnect has been downloaded due to the long delay in setting up ATM PVC in IOSD shim layer. The problem only happens with ATMoMPLS, and only when ATM PVC is being set up with XConnect being pre-configured on it. An example scenario is ISSU.

Workaround: There are a couple of workarounds for this issue.

1. When the problem happens, remove xconnect and then add back xconnect on these affected ATM interfaces. You can find out such interfaces with sh platform ha q act int all stat dr su cl when traffic is on. Another way is to find the affected interfaces is to run show plat hard cpp act feat xcon cl int INTERFACE_NAME. If it has the following sample output while it has xconnect configured in IOS, then it is affected:

1k-60-2#show plat hard cpp act feat xcon cl int ATM0/1/0.1129
% Error: Unable to get xconnect config interface=ATM0/1/0.1129

2. When the problem happens, run clear xconnect all, which will re-provision xconnect. This command may take several miniutes to fully re-provision xconnect on all configured interfaces.

3. To remove xconnect configure before ISSU, and then add it back after ISSU completes.

CSCtc80502

On the Cisco ASR 1000 Router the following traceback message has been seen:

FRR_OCE-3-GENERAL: un-matched frr_cutover_cnt message seen with tracebacks

This has been observed during ISSU upgrade from 2.4.2 up to 2.5.0 releases.

Workaround: There is no workaround.

CSCtc81949

Service policy application on the standby LNS fails, while its successful on the active.

If static ip route is configured on the LAC to the l2tp tunnel interface on the LNS, the FIB next hop does not get configured on the standby LNS and hence QOS application fails.

Workaround: To do a LAC reload to resolve this problem.

CSCtc85586

L2TP High Availability (HA) functionality does not work and the standbyRP does not see L2TP sessions.

This happens when the active RP does not have any VPDN/L2TP configuration before the standby RP is brought up.

Workaround: The workaround is to restart the standby RP.

Further Problem Description: This problem can be avoided by configuring "vpdn enable" on the active RP before bringing up the standby RP.

CSCtc88760

CPU hog and trace back when using sh ip bgp vpnv4 x.x.x.x/y on the Cisco ASR 1000 Router.

Workaround: None

CSCtc91594

High CPU utilization Session churn may happen on the ASR 1000 Router Series.

Workaround: The following global configuration has helped in reducing the CPU:

no parser command serializer
ip routing protocol purge interface

Further Problem Description: CPU will remain high under normal conditions given a constant churn rate of approx 24cps coming up and down.

CSCtc95423

Router crashes when quickly unconfiguring and reconfiguring crypto maps on a Cisco ASR 1000 Router.

This may only occur, when crypto is turned on while SAs are still being deleted in the background and duplicate SAs may be created, which may cause the router to crash.

Workaround: Before re-applying crypto maps, wait until all SAs on the router are deleted before turning crypto back on.

CSCtc96161

DMVPN is working fine for a ~week and then one of spokes appears to be no longer able to pass traffic to other spokes. IPSEC tunnel between the spokes can be established at IOS level, but cannot be programmed into hardware and traffic is not getting through.

This problem is only seen when there are more spoke to spoke dynamic tunnels and the dynamic tunnels are flapping frequently for a long period of time.

Workaround: Reduce the frequency of dynamic tunnel flapping by increasing NHRP hold down timer to avoid tearing down dynamic tunnels too often. This can reduce the chance of hitting the problem. But when the problem happens, the affected spoke has to be reloaded.

CSCtc97134

GetVPN Fail-Close feature does not work with vrf-lite configuration on the ASR 1000 Router Series.

This may occur, when Fail-Close map has been configured on vrf.

Workaround: None

CSCtc97794

The ASR 1000 Router Series may crash, while removing encap pppoeoqinq sub interface under traffic.

This may occur, when removing encap pppoeoqing sub interface with traffic loaded. This condition may Could happen randomly.

Workaround: None

CSCtd00479

When ISIS is configured for NSF IETF, if the restarting router is a DIS on the LAN, then after switchover, the ISIS database and topology could be incorrect. This resulted in incorrect routing table.

This can occur, when ISIS is configure for NSF IETF and switchover happens.

Workaround: Is to use NSF CISCO is possible, or disable NSF.

CSCtd05318

Watchdog exception crash on "MRIB Transaction"may be observed on a new active RP when RP switchover is initiated.

This may occur, when RP switchover is triggered under a scaled scenario in the router config with approximately 1K EBGP peers with 500 K Unicast routes and f300 mVRF's with 1K Multicast routes.

Workaround: None

CSCtd08733

On the ASR 1000 Router, when show hw-module subslot <x/y> entity returns card-status as partial for 12in1 SPA interface.

This has been observed when ENTITY-MIB does not have entries for 4XT SERIAL SPA4XT-SERIAL SPA for the main module.

Workaround: No workaround.

Further Problem Description: No impact on functionality. The following condition may only occur:

1. When show hw-module subslot <x/y> entity returns card-status as partial.

2. ENTITY-MIB does not have entries for 4XT SERIAL SPA except main module entity.

CSCtd16888

Sessions may hang indefinitely, until the Cisco ASR 1000 Router is rebooted.

Workaround: None

CSCtd19446

The ip vrf forwarding command may be disallowed in template mode on the ASR 1000 Router Series.

Workaround: Is to configure the command without template mode, when possible.

CSCtd23529

A LNS doing L2TP HA could reload at l2tp_l2x_session_get_acct/micro_block_get when L2TP sessions are being brought up and a RP switchover is done.

When RP switchover is being done on LNS while L2TP sessions are being brought up.

The following error message traceback may be oberved just before the reload:

%L2TUN-3-ILLEGAL: Error inserting session_socket_db entry, socket_hdl=...

When a control packet for the session comes in during a very small time window just after this traceback, the router may reload. Since this time window is very small, generally this crash will not be observed after the above traceback.

Workaround: None.

CSCtd31638

When radius-server attribute 31 append-circuit-id is configured for PPPoE, PPPoEQinQ, PPPoEvlan interfaces, nas-port-id should also be appended along with circuit-id.

This will occur only, when radius-server 31 attribute append-circuit-id is configured.

Workaround: None.

CSCtd32406

The vtemplate interface associated distribute list does not work.

This may happen, when configuring distribute-list with a vtemplate interface under the router configuration sub mode.

Workaround: None.

CSCtd33642

Flow/Service Accounting records are missing if "delay-star" is configured on a Cisco ASR 1000 Router.

This may occur, when "aaa delay-start" is configured on the router.

Workaround: Removing delay-start will result in accounting records generating.

CSCtd34011

When a dialer interface configured for PIM goes down, the following message can be seen in the logs every minute:

%PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Dialer1

Those 0.0.0.0 neighbors will also appear under show ip pim neighbor command and will not expire.

This problem is observed when using a dialer interface configured with PIM.

Workaround: Is to performing a shutdown and then no shutdown on the dialer interface clears the 0.0.0.0 neighbor entries.

CSCtd35091

The input queue on ISG's access interface gets filled up increasingly causing the interface to wedge. When l2 connected IP session for a client exists on the ISG and traffic from that client comes in with a different IP address than the one used to identify the session, this traffic is dropped and interface wedging is observed.

Workaround: There is no workaround. A reload of the box is required.

CSCtd40245

The Cisco ASR 1000 Router may crash with a traceback pointing to `ess_stats_poll_message_create'.

When FP goes down for any reason, and at the same time PPPoE session goes down or ISG service log off happens, the RP will also crash, after "subscriber accounting accuracy" is configured. This problem is only applicable to release 2.5.0.

Workaround: Is to remove "subscriber accounting accuracy" configuration.

CSCtd42366

Sum of total packet/bytes counts with multiple services logon/logoff may exceed total packages/bytes count of the session. This issue can be seen, when Non-TC service A and Non-TC service B are applied alternatively on a PPPoX session during a session life time. Packets count for service A plus packets count for service B would exceed total packets count for PPPoX session.

With continuous traffic sending to a PPPoX session, Non-TC service A is removed immediately followed by another Non-TC service B (essentially it is the same accounting criteria as service A) or within 10 seconds. Then the session is brought within 10 seconds.

Workaround: Is to apply Service B after 10 seconds then do a Service A removal. Another way to avoid this problem is to install default iedge session accounting. Adding services on top of iedge accounting would not see this issue.

Sum of total packet/bytes counts with multiple services logon/logoff may exceed total packages/bytes count of the session. This issue can be seen when Non-TC service A and Non-TC service B are applied alternatively on a PPPoX session during a session life time. Packets count for service A plus packets count for service B would exceed total packets count for PPPoX session.

With contiguous traffic sending to a PPPoX session, Non-TC service A is removed immediately followed by another Non-TC service B (essentially it is the same accounting criteria as service A) or within 10 seconds. Then the session is brought within 10 seconds.

Workaround: Service B is applied after 10 seconds of Service A removal. Another way to avoid this problem is to install default iedge session accounting. Adding services on top of iedge accounting would not see this issue.

CSCtd43841

Two framed-ipv6-prefix are present in accounting stop when following CLI's are enabled:

aaa accounting include authprofile framed-ip-address

aaa accounting include authprofile framed-ipv6-prefix

aaa accounting include authprofile delegated-ipv6-prefix

The above CLIs are needed when all the following 3 conditions are met:

1. Dual Stack Server and

2. "aaa accounting delay-start"is configured and

3. either ipv4 or ipv6 negotiation fails.

These CLIs are needed to include the IPv4 and IPv6 attributes in the accounting record sent. Only in such scenario, framed-ipv6-prefix may be present twice in accounting records.

Workaround: On dual stack server with "aaa accounting delay-start", need to ensure that both IPv4 and IPv6 negotiation are successful for the accounting records to be sent. In such case, there is no need to include above mentioned CLI's (in symptom).

CSCtd47813

Traffic loss may be seen after rekey between the Cisco ASR 1000 Router Series acting as GMs when modifying KS ACL. This may only occur, when a more specific permit statement has been added. In addition, when permit ip any any has been applied this will result in traffic loss when rekeying the router.

Workaround: Is to keep permit ip any as the last acl in the KS ACL set.

CSCtd48203

On a Cisco ASR 1000 Router, after the last cache engine in a WCCP service group goes away, packets start getting dropped instead of being forwarded to original destination.

This problem occurs when the last cache engine present in a WCCP service group becomes unavailable.

Workaround: To overcome this problem, remove the global service group definition of the service group whose all CEs have become unavailable by using the following CLI conf t:

conf t
 no ip wccp <web-cache | service-group-id>
   (or)
Remove the redirect in config from the interfaces on which the service group is 
attached, like
conf t
 int <interface name>
 no ip wccp <web-cache | service-group-id> redirect in 
 
   

CSCtd50125

GetVPN on the Cisco ASR 1000 GM fails to download the TEK information in the hardware [ debug crypto ipsec output below] *Nov 27 02:20:38.323: IPSEC(download associate flow):

flow_info: in_flow_id: 2400005F, out_flow_id 24000060
    out_flow_enable: 0
    acl_line_num 1
    sadb_root_local_add: 172.16.0.1
    local_proxy: , remote_proxy:
    in_spi: 35EB57B0, out_sp
*Nov 27 02:20:43.341: IPSEC(crypto_ipsec_create_transform_sas): Failed to attach 
flowid to hw
*Nov 27 02:20:43.342: IPSEC(delete_sa): deleting SA,                                         
  (sa) sa_dest= 172.16.0.1, sa_proto= 50,                                                    
    sa_spi= 0xD2A8F435(3534287925),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2093    sa_lifetime(k/sec)= 
(0/115),
  (identity) local= 172.16.0.1, remote= 0.0.0.0,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Nov 27 02:20:43.342: IPSEC(update_current_outbound_sa): updated peer 0.0.0.0 current 
outbound sa to SPI 3751CFC3
*Nov 27 02:20:43.342: IPSEC(delete_sa): deleting SA,

This condition has been observer, when IPv6 configured on the crypto map local address,

Workaround: Is to disable IPv6 and reload the box.

CSCtd54611

The system console may not response on the ASR 1000 Router Series.

This symptom has been observed on a Cisco ASR 1000 Router Series, when the router functions as an IP Security (IPSec) termination and aggregration router. In addition, when a self-signed cerificate is configured during Forwarding Processor (FP) is out of service on the router.

Workaround: There is no workaround. The console will be back to service when FP is active, or when the request gets timeout (around 480 seconds).

CSCtd55219

Potential traffic loss on NSF switchover on a Cisco ASR 1000 Router.

The following debug has been observed:

00:11:31: BGP(base): waited 0s for the first peer to establish

You should instead see:

00:03:54: BGP(base): will wait 60s for the first peer to establish

^^^^^^^^^^^^^

Workaround: None.

CSCtd90265

IP Security (IPSec) functionality stops working. Route Processor (RP) CPU rate can be high.

This symptom is observed on a Cisco ASR1000 series router when functions as an IP Security (IPSec) termination and aggregration router, and when super package In-Service Software Upgrade (ISSU) was performed with IPSec traffic running.

Workaround: There is no workaround.

CSCte18684

PPPoE sessions are likely torn down, when user profile contains "lcp:interface-config".

This may occur due to pending state returns from virtual-template cloning, when multiple aaa attributes are parsed from lcp:interface-config user profile.

Workaround: There is no work around when this configuration is applied on a PPPoE Session.

CSCte29294

On the Cisco ASR 1000 Router the ESP may crash, when doing High Availibility (HA) switchover during LNS tests.

This has been seen, when LNS has been configured with traffic.

Workaround: There is no workaround.

Open Caveats—Cisco IOS XE Release 2.5.0

This section documents possible unexpected behavior by Cisco IOS XE Release 2.5.0

CSCsu03501

BRR across Vlans works fine on the ASR 1000 Router Series. However, BRR error across class queues sharing same logical interface is in the range 8-10%. This can cause throughput drop to a Class Queue, only when total traffic to interface is above line rate


NoteThis is not interface throughput drop. Total interface throughput is normal). This error in CQ brr is within limits for most cases (1PQ/4CQ, 2PQ/4CQ and 2PQ/6CQ). Error in CQ brr for 12CQ and 2PQ is noticeable when total traffic on the interface is above line rate.

Workaround: None

CSCsw44668

Conditional debugs is not complete on the ASR 1000 Router Series. This condition is more likely to happen when debug is enabled on the tunnel, issuing shut and then no shut.

Workaround: None

CSCsx59262

The OSPF neighbors on ASR 1000 Router Series bounce after changing the config-register. When OSPF interfaces are configured with fast hellos, the OSPF neighbors on ASR 1000 Router Series bounces, when value 'config-register' is changed.

Workaround: Is to use BFD.

CSCsx83443

Iskmp debug messages from all peers are shown in the term monitor enable tty and vty's

even though debug crypto condition peer ipv4 x.x.x.x is set. This is seen on the ASR 1000 Router Series when using peer ip based debug condition,

Workaround: None

CSCsz16142

When ACL sequence is configured on the ASR 1000 Router Series the RP SWO will not change.

Workaround. None

CSCsz24691

Traffic forward rate is incorrect after changing to "match none" for class multiple criteria. When the ASR 1000 Router Series is configured as the following:

class-map multiple_criteria
no match ip precedence 2
no match ip dscp 16
no match access-group name multiple_criteria_acl
no match protocol ip
no match not protocol gre
 
   

Workaround: Is to remove all filters.

CSCsz53438

On the Cisco Systems ASR1000 Router Series, if IP header compression is configured on the ASR 1000, but not on the corresponding router, an unexpected reload of the embedded systems processor may occur.

This condition occurrs when IPHC is configured on the AR1000 Router Series, but not on the router to which it is directly connected to.

Workaround: Is to enable IPHC on both routers.

CSCsz66060

When saving half duplex vrf configuration then rebooting the router, the half duplex vrf configuration does not apply to the ASR1000 Router Series. This is a rare condition that only happens when the router has been rebooted, after saving half duplex vrf configuration.

Workaround: Is to re-enter the half duplex vrf configuration again.

CSCta17502

If shared IPSec profile has been applied on a tunnel interface, then the tunnel source cannot be modified without removing tunnel protection from the interface.

The basic condition being enforced is that if there are two tunnels sharing the same ipsec shared profile, then their tunnel sources must be the same.

Workaround: None

CSCta65347

CME is changing the media direction attribute as "INACTIVE"instead of "RECVONLY"on the ASR1000 Router Series.

Only in this instance the resume fails, when CCM/CME scenario's from h323 legcalls are used and there is no media on the ASR 1000 Router.

Workaround: None

CSCta76312

On the ASR 1000 Router Series the console gets stuck.

This condition only happens when using the following:

downloading a huge config,

after unconfiguring the config

then doing a config replace.

Workaround: None

CSCtb07144

When issuing a shut command an interface that is configured with vlan that has IGMP joined can take about a minute on the ASR1000 Router Series. In this condition the console hangs after issuing the shut command, and the traffic does not stop right away after shutting the interface on the router.

Workaround: None

CSCtb13789

Tracebacks are seen while initiating config and unconfig when dmvpn tunnel is configured on the ASR 1000 Router Series. This condition will happen when using config and unconfig when dmvpn tunnel is configured.

Workaround: None

CSCtb24959

The ASR 1000 Router Series may fail while clearing large number of rp mappings. This instance can happen when the following has occurred:

the router has been configured for rp agent and candidate

there are a large number of rp's

initiating the clear ip pim rp-map command

Workaround: Is not to apply the clear ip pim rp-map command one after the other.

CSCtb32892

Traceback has been logged "%MFIB-3-DECAP_OCE_CREATION_FAILED: Decap OCE creation failed" may be seen on the ASR 1000 Router Series console when loading the image or adding the RP with SSO.

In this condition, the tracebacks can be seen on reloading a Provider Edge router with mVPN configuration or adding the RP with SSO on the router.

Workaround: None

CSCtb33587

NDB state Error Tracebacks on DMVPN spoke with NHO may be found on the ASR 1000 Router Series:

%IPRT-3-NDB_STATE_ERROR: NDB state error (NO NEXT HOPS UNEXPECTED) 

This may cause temporary packet drops or forwarding to less specific routes.

The problem may occur, when using RIP or EIGRP and running NHRP and NHRP has installed NHO nexthops for the RIP/EIGRP route.

Workaround: Is to wait after the holddown timer expires, the problem will be cleared.

CSCtb70115

Bgp state in the show ip bgp vpnv4 show command in all of the summaries are in NoNeg state instead of Active and Idle state. This instance happens when the neighbor has no session in established state in any of the address-families.

Workaround: Is to configure the show ip bgp vpnv4 all nei <address> show command

CSCtb72095

When the service policy is removed after the vlan has been re-attached, the session policy will be re-parented to the main interface but it will not re-parent back to the subinterfaces. This instance is only seen when there are vlans and sessions configured on the subinterfaces.

Workaround: There is no workaround for this. The only option is to reload the router back to it's orginally state.

CSCtb72734

DHCP OFFER not reaching the client with unicast flag set on the ASR 1000 Router Series. This occurs only on the ASR 1000 Router Series where creation/removal of ARP entry does not maintain sequential ordering as a result packet could arrive at forwarding plane after the ARP entry has already been removed, or before ARP entry has been created.

Workaround: None

CSCtb74547

The ASR 1000 Router Series DMVPN HUB reloads when processing IPSEC key engine.

This conditions happens when dual DMVPN with shared tunnel protection feature is enabled.

Workaround: None

CSCtb75027

MVPN traffic has been dropped while enabling nat on the core interface using cli "ip nat outside" on the ASR 1000 Router Series. This instance occurs when mVPN and NAT features are configured together on the router.

Workaround: As of now, there is no workaround . The other option is to remove NAT on the core interface to receive the mVPN traffic.

CSCtb80765

The sub-interface flap on the ASR 1000 Router Series may close on the port channels prior to configuring the ATM SPA. This conditon occurs when the sub-interface flap closes, when the port channels prior to configuring the ATM SPA.

Workaround: None

CSCtb86811

On the ASR 1000 Router Series the following error message may state:

"%MFI_LABEL_BROKER-3-MULTIPLE_BIND"

within Standby mode, after initiating the configure replace command.

This may occur, when there are large vrf scalability configurations, after static routes are in use in conjunction with encapsulation ppp and mpls label mode all-vrfs protocol all-afs per-vrf.

Workaround: There is no workaround for this specific command sequence and configuration.

CSCtb87546

Tftp server may times out sometimes or always on the ASR 1000 Router Series. This may occur when uploading or downloading files, including IOS images to tftp server.

Workaround: Is to use 2.5 pre-released images on the router in order to run the tftp operation successfully.

CSCtb96600

All new calls dropped after RP2 switcover on ASR 1004 RP2_ESP20 router. This may occur after intiating RP2 switchover when the cli "redundancy force-switchover" happens on the router.

Workaround: None

CSCtc12334

The ASR 1000 Router Series may fail when initiating "clear ip bgp " command.

This command deletes all bgp neighbor relationships and clears bgp RIB.

This can occur when the following has been configured:

1. Need to have MDT configured on the router

2. Need to issue clear ip bgp command

Workaround: None

CSCtc16232

When the L2 MAC address of an Ethernet interface is changed on the ASR 1000 Router Series, the final RA is not sent to the remote endpoint.

The expected behaviour is that when the L2 MAC address is changed, on theASR 1000 Router is to send a final RA to the endpoint indicating the change.

Workaround: None

CSCtc17366

Only 1-way media or no media is passng when call setup is establish on the ASR 1000 Router Series. This may occur when SIP trunk has been configurated or any setup using 2 IP adress pair with sport and dport equals 5060 for multiple dialogs on the router.

Workaround: There is no straight forward workaround other than to put the call on hold, then resume the call to try and recover the media.

CSCtc19914

The Embedded Services Processor (ESP) is reloaded when configuring and unconfigure a large static RP addresses multiple times rapidly with mVRFs on the ASR 1000 Router Series.

When using the following scripts this condition has been seen:

1. Configuring large mVRF's on PE

2. Configuring large Loopbacks on PE, one for each of the VRF

3. Configuring and unconfiguring large static RP addresses multiple times rapidly.

Workaround: None

CSCtc22109

The PPPoEoA sessions when established over ATM VP tunnel may time out on the ASR 1000 Router Series. Only in this instance, a problem can occur when PPPoEoA sessions are established over ATM VP tunnel on the router. When when PPPoEoA sessionst are established directly on ATM VC, the sessions works fine.

Workaround: None.

CSCtc30420

CPP tracebacks are logged after configuring the ASR 1000 Series Router as an RP2 with IPSec DMVPN Spoke. Only in this condition, when unconfiguring DMVPN on the router and reconfiguring it again, CPP tracebacks are logged.

Workaround: Is to reload the router.

CSCtc33471

CPUHOG message has been seen indicating MFIB_mrib_read as the offending process after a clear ip mroute command is issued on the ASR 1000 Router Series. This conditions happens when there arelarge scaled configurations and there are a huge number of forwarding interfaces on the same multicast forwarding entries.

Workaround: There is no known workaround.

CSCtc33511

When sending very low policing value for the rate, less than 500 bps, from dynamic clients such as Radius, will crash the ASR 1000 Router Series. This condition may happen when a policing rate is set to lower than 500 bps on the router.

Workaround: None

CSCtc33821

IOS may crash when configuring MPLS over Generic Routing Encapsulation (MPLSoGRE) on the ASR 1000 Router Series. Only in this condition, when MPLSoGRE is configured and one GRE tunnel interface is shutdown after the address has been removed and another GRE tunnel is added the IOS may crash on the router.

Workaround: None

CSCtc42960

On the ASR 1000 Router Series memory leaks have been seen when using PPPoX sessions. This may occur when memory leaks have been observed with PPPoX sessions in scaled scenario's.

Workaround: None

CSCtc43110

Under H.323 call scenarios, outgoing H.323 signaling packets (TCP) are marked with a non-zero DSCP value, even though no QoS is configured for H.323 calls. This happens under all H.323->H.323 and SIP->H.323 scenarios when SBC creates a downstream H.323 calls.

Workaround: There is no workaround with SBC configuration. QoS can be re-marked when MQC policy is placed on the outbound physical interfaces of the ASR 1000 Series Router. ASR 1000 Series Router. CSCtc44472

After SSO of the RP with 660 VRF aware NAT configuration the FP crashes on the ASR 1000 Router Series. This conditions happens when RP has VRF and NAT configured on the router.

Workaround: None

CSCtc52358

When a previous "logging buffer" is done on the ASR 1000 Series Router as subsequent cli is on .

Workaround: Is to do another "logging buffer" the the previous one will be released.

CSCtc54042

The ASR 1000 Router Series may crash and reload following a reboot or initial boot from a power-up.

The embedded syslog manager (ESM) needs to be configured along with an ESM script present during an initial boot or reload. Also, redundant RP/FP appears to be the scenario that has the greatest likelihood of encountering the problem.

Workaround: None

However if problem manifests, the subsequent rebooting is very likely to be successful. If stuck in a situation where crashes are repetative, momentarily pull redundant RP until system stabilizes, and re-insert redundant RP.

CSCtc69991

When the Cisco ASR 1000 Router has been configured as a DMVPN spoke it may throw tracebacks. This can happen when ODR is configured as the Overlay Routing protocol and shut/no shut is done on the tunnel interface.

Workaround: Is to use eigrp as the overlay routing protocol.

CSCtc70661

The ASR1000 Router Series ESP may unexpectedly reload during sequences of repeated configuration change which also cause "flapping" of large numbers of auto-vcs. This may be seen with 4k active auto-vcs when the config on the PVCs is changed from PTA to L2TP multiples times.

Workaround: None.

In addition, can be timing related and has been seen so far in cases of scripted config changes from: PTA-> L2TP. It has not been seen in cases of changing the config from PTA-> PTAor from L2TP -> L2TP

CSCtc71004

During Change of Authorization (CoA), a message may show that an Access Control List reference

failed to download. This behaviour may be seen on ASR1000 images where a series of CoA requests rapidly cause

Traffic Classes to be applied and removed. It may be more likely to happen when there are more

Traffic Classes applied to a session.

WorkAround: None

In addtion, If this message is seen, the session will likely be torn down, and have to be brought back up on the router.

CSCtc71338

When configuring a 10k line ACL (production-out) on the interface, the FP process crashes on the ASR 1000 Route Series.

The production-out will show as follows:

interface GigabitEthernet0/3/4
 ip address 1.10.4.1 255.0.0.0
 ip access-group production-out in
 ip access-group production-out out
 speed 100
 no negotiation auto
 cdp enable
 service-policy output test

Workaround: None

CSCtc72651

A crash has been seen on a new RP after SSO with AToM debugs are enabled on the ASR 1000 Router Series. When enabling AToM debugs which requests VC Accouting details from MFI during SSO the router may fail.

Workaround: None

CSCtc73657

ASR 1000 Router Series may fail when core file points to the Range Inheritance . This condition may happen, when PVC is locked or PVC teardown Fails in CPP on the router. In addditon, when the Range has been deleted and the PVC has not been removed from the common code.

The Range's stale pointer should be cleaned up on the router.

Workaround: None

CSCtc76353

ASR 1000 Router Series may fail when core file points to the Range Inheritance . This condition may happen, when PVC is locked or PVC teardown Fails in CPP on the router. In addditon, when the Range has been deleted and PVC will not be removed from the common code . Note: The Range's stale pointer should be cleaned up

Workaround: None

CSCtc76598

MFIB_IPv4 sub-block not removed from virtual access interface on the ASR 1000 Router Series. The error is shown when pppoe session is established on the router.

Workaround: None

CSCtc79444

On the ASR 1000 Router Series config bulk sync failure has been seen.

This condition may happen, when configuring" static-ipfrr ipv4-nexthop Loopback0 1.1.1.1 backup Loopback1 1.1.1.2" and removing the loopback 0 in current active, followed by doing a first switchover and a sync failure on the router. This is due to the command as being shown as active.

Workaround: Is to remove the ipfrr static route if the loopback is removed on the router.

CSCtc80502

FRR_OCE-3-GENERAL: un-matched frr_cutover_cnt message has been seen with tracebacks on the ASR 1000 Router Series.

This has been observed during ISSU upgrades starting from release 2.4.2 and up to 2.5.

Workaround: None

CSCtc81949

On the ASR 1000 Router Series Service policy application on the standby LNS fails, while its successful on the active. If static ip route is configured on the LAC to the l2tp tunnel interface on the LNS, the FIB next hop does not get configured on the standby LNS and hence QOS application fails.

Workaround: Is to reload the LAC resolves the problem.

CSCtc85586

L2TP HA functionaity may not work and STANDBY is not seen with L2TP sessions on the ASR 1000 Router Series. This condition may happen, when ACTIVE does not have any VPDN/L2TP configuration before

STANDBY is brought up on the router.

Workaround: Is to restart STANDBY.

Further Problem Description:

This problem can be avoided by configuring "vpdn enable" on the ACTIVE before bringing up STANDBY on the ASR 1000 Router Series.

CSCtc86490

Error message stating "Can't install service policy with empty name" is shown on the ASR 1000 Router Series. This condition hay occur, when an invalid service policy is pushed from the DBS on to the VC, the error message is shown and the policy on the VC doesn't fall to the default on the router.

Workaround: None.

CSCtc90996

While under load for extended periods of time, a condition may ocurr that causes a large amount of stale call legs to exhibit on the ASR 1000 Router Series. These stale call legs can consume enough memory on the platform to cause a crash due to memory outage. It has been observed with 2000 active calls at 20 CPS for an extended period of time.

Workaround: To avoid a runaway condition, the use of the command max-conn on the dial-peers of the platform is capable of holding back the amount of stale call legs. While the condition occurs that triggers the event, max-conn has the side effect of not permitting calls to be established over this dial-peer. Eventually it will clear and calls may continue.

CSCtc96161

DMVPN is working fine for a week and then one of spokes appears to be no longer able to pass traffic to other spokes. IPSEC tunnel between thespokes can be established at IOS level, but cannot be programmed into hardware and traffic is not getting through. This problem is only seen when there are more spoke to spoke dynamic tunnels and the dynamic tunnels are flapping frequently for a long period of time.

Workaround: Is to reduce the frequency of dynamic tunnel flapping by increasing NHRP hold down timer to avoid tearing down dynamic tunnels too often. This can reduce the chance of hitting the problem. But when the problem happens, the affected spoke has to be reloaded.

CSCtd00644

The ASR 1000 Router Series may restart ungraceful with scaled config. When there is scaled config and sessions are flapping frequently, only on rare instances the ASR 1000 Router Series may restart ungracefully. This problem may also timing related, so it may not happen with every time sessions flaps.

Workaround: None

CSCtd05318

Watchdog exception crash on "MRIB Transaction" may be observed on a new active RP when RP switchover is initiated on ASR 1000 Series Router. This happens when a RP switchover Trigger under a scaled scenario of router config with approximately 1K EBGP peers with 500 K Unicast routes + 300 mVRF's with 1K Mcast routes.

Workaround: None

CSCtd14048

After ISSU loads the 2.5 images, ISG PPPoE Sessions will not be established on the ASR 1000 Router Series. In this conditon there is no ISG PPPoE Session established on the router.

Workaround: None

CSCtd17197

The serial interface with "frame-relay" encapsulation goes down and can no longer forward traffic, when "keepalive" is configured along this interface. The serial interface has both "frame-relay" encapsulation and keepalive configured.

Workaround: Configure "no keepalive" on the serial interfaces of both sides when we use "frame-relay" encapsulation on the interfaces.

CSCtd26479

On ASR 1000 Router Series, the FP may crash with the following error message:

%IOSXE-6-PLATFORM: F0: cpp_ha: Shutting down CPP MDM while client(s) still connected 
 
   

The FP crashes may happen in some instances, when switchover is pushing COA toward PPPoE and there are 1000 PPPoE ISG sessions on the router.

Workaround: None

CSCtd32560

During Cisco ASR 1002 or Cisco ASR 1004 ISSU upgrades from 2.3.2 to 2.5, observed loss of QoS functionality. This condition happens when loss of QoS functionality has been observed right after CC/SPA upgrade, while following Cisco ASR 1002 or Cisco ASR 1004 ISSU procedure.

Workaround: Is to reverse the order of CC/SPA and FP upgrades so that FP will be running 2.5.

when CC/SPA is upgraded to 2.5.

ISSU procedure for this workaround will be:

1. Upgrade the RPAccess, RPIOS, and RPControl sub-packages in the standby bay. Once the SSO state is reached, commit the software version.

issu loadversion rp 0 file file-system:asr1000rp1-
{rpaccess,rpios,rpcontrol}*version-string*.pkg bay standby-bay force 
          issu commitversion 

2. Force a switchover from the active IOS process to the standby IOS process.

redundancy force-switchover

3. Upgrade the RPAccess, RPIOS, and RPControl sub-packages in the standby bay (a different bay than in step 1). Once the SSO state is reached, commit the software version.

issu loadversion rp 0 file file-system:asr1000rp1-
{rpaccess,rpios,rpcontrol}*version-string*.pkg bay standby-bay force 
         issu commitversion 

4. Upgrade the ESP Base sub-package and Commit the ESP Base software

issu loadversion rp 0 file file-system:asr1000rp1-esp*version*.pkg 
force 
         issu commitversion 

5. Upgrade the SIP and SPA sub-packages for each SIP on the router.Repeat this step for each SIP installed in your router before proceeding to the next step.

issu loadversion install rp 0 file file-system:asr1000rp1-
{sipbase,sipspa}*version*.pkg slot SIP-slot-number force 
         issu commitversion 

6. Upgrades all sub-packages, including the RPBase sub-package, which is the last sub-package that needs to be upgraded

         issu loadversion rp 0 file file-system:asr1000rp*version*.pkg 

7. Verify that the sub-packages are properly installed

show version installed 

8. Reload the RP. The router will continue normal operation even without a reload, so you can reload the router during scheduled maintenance or a slower traffic period.

reload 

CSCtd34284

ASR 1000 Router Series is experiencing this error message on the console:

 %IOSXE-3-PLATFORM: F1: cpp_cp: QFP:00 Thread:100 TS:00000016373874688294 
%QOS-3-INVALID_CLASS_QID: 

When the router is receiving COA in the background after a switchover.

Workaround: None

CSCtd34644

Hub and spoke on the ASR 1000 Router  Series in DMVPN - Hub Support by QoS Class (DMVPN Phase 3) the network shows ATTN SYNC timeout and IPSEC-3-CHUNK_DESTROY_FAIL messages in steady state traffic and during dmvpn config cleanup. This is seen during scale config and configuration cleanup.

Workaround: No Workaround

CSCtd38347

CPP can run out of memory and cause FPs to reload on the ASR 1000 Router Series. This condition can happen, when flapping LNS firewall sessions are running over time on the router.

Workaround: None

CSCtd39409

IOSD crash on the ASR 1000-WATCHDOG: Process = L2TP mgmt daemon has been seen on the ASR 1000 Router Series.

This condition has been seen, when flapping on LNS firewall sessions over time happens on the router.

Workaround: None

CSCtd42366

Acct_Input_Packets for non-TC service are inaccurate post CoA for short lived session on the ASR 1000 Router Series.

On the ASR 1000 Router Series where continuous traffic is being sent using an IXIA, when bringing up a PPPoX session using the dialer interface. The PPPoX session activates 2 TC and 1 non-TC service. After waiting for a few seconds, we perform a CoA-SVC_logon to a new non-TC service. This unapplies the previous non-TC service. We let the session remain up for a few more seconds, before tearing down the session. At this time, when we compare the Rx stats on the IXIA with the Acct_INput_Packets in the account records of the non-Tc services, the Acct-Input-Packets are incorrect.

Workaround: None

CSCtd43841

Two framed-ipv6-prefix are present in accounting stop when following CLI's are enabled on the ASR 1000 Router Series:

    aaa accounting include authprofile framed-ip-address
    aaa accounting include authprofile framed-ipv6-prefix
    aaa accounting include authprofile delegated-ipv6-prefix

The above CLIs are needed when all the following 3 conditions are met:

1. Dual Stack Server and

2. "aaa accounting delay-star" is configured and

3. either ipv4 or ipv6 negotiation fails.

These CLIs are needed to include the IPv4 & IPv6 attributes in the accounting record sent. Only in such scenario, framed-ipv6-prefix may be present twice in accounting records.

Workaround: Is to do the following:

On dual stack server with "aaa accounting delay-start", need to ensure that both IPv4 and IPv6 negotiation are successful for the accounting records to be sent. In such case, there is no need to include above mentioned CLI's (in symptom).

CSCtd44755

The ASR 1000 Router Series with ATM SPA, following ERR message is seen on standby RP:

Nov 21 15:57:24.192: %ATM-3-FAILCREATEVC: ATM failed to create VC(VCD=1874, VPI=1, 
VCI=1905) on
Interface ATM0/0/0.65000, (Cause of the failure: VCD# mismatched on standby-RP -reload 
standby-RP)

The ASR 1000 Router Series with ATM SPA having 32k pvc-in-range VCs configured with 32k PPPOE sessions and when these sessions are brought down followed by un-configuration of all 32K VCs in below sequence:

1. Un-configure pvc-in-range.

2. Un-configure range.

3. Un-configure sub-interface.

Workaround: Is to do the following:

ATM range VC configuration can be removed by just removing the sub-interface alone which has range VC configuration instead of removing it in above mentioned sequence.

CSCtd44966

On ASR 1000 Router Series with ATM SPA, one may see following ERR message in fman-fp_F0-0/1.log:

[aom]: (ERR): Unable to find async context for AOM

On ASR 1000 Router Series with ATM SPA, when ATM VC modify is involved and there are multiple parameters to be modified, one may see such error message in fman-fp_F0-0/1.log

Workaround: None