Release 2.5 Caveats
Caveats describe unexpected behavior in Cisco IOS XE Release 2. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious. Severity 3 caveats are moderate caveats, and only select severity 3 caveats are included in the caveats document.
This section contains open and resolved caveats for the current Cisco IOS XE maintenance release.
The Dictionary of Internetworking Terms and Acronyms contains definitions of acronyms that are not defined in this document:
http://www.cisco.com/en/US/docs/internetworking/terms_acronyms/ita.html
This section consists of the following subsections:
•Open Caveats—Cisco IOS XE Release 2.5.2
•Resolved Caveats—Cisco IOS XE Release 2.5.2
•Open Caveats—Cisco IOS XE Release 2.5.1
•Resolved Caveats—Cisco IOS XE Release 2.5.1
•Open Caveats—Cisco IOS XE Release 2.5.0
Open Caveats—Cisco IOS XE Release 2.5.2
This section documents possible unexpected behavior by Cisco IOS XE Release 2.5.2
•CSCsu59515
Telnet inside host from outside the host fails when port 23 is statically allocated on a Cisco ASR 1000 Router.
Workaround: None
•CSCsx56362
BGP selects paths which are not the oldest paths for multipath on a Cisco ASR 1000 Router. This causes BGP to unnecessarily flap from multipath to non-multipath as a result of route flaps.
This condition has been observed when:
BGP is configured
More than one equally-good route is available
BGP is configured to use less than the maximum available number of multipaths
Workaround: There is no workaround.
Further problem description: The selection of non-oldest paths as multipaths is only problematic in releases which include CSCsk55120, because in such releases it causes unnecessary changes in whether paths are considered multipaths.
•CSCsz36180
When enabling passive header compression on interface where active header compression is enabled doesn't get reflected in show running configuration of interface. Though its get updated in show frame-relay map command output. Also, the header compression is not working as desired after this configuration. Ideally if both side are configured for Passive, compression should not happen. In this case compression is happening though sh frame relay map command shows both interfaces are configured as passive on the ASR 1000 Router Series.
This has been seen, when the following command is used:
frame-relay map ip <ip> <dlci> compress passive
frame-relay map ip <ip> <dlci> compress active
When the same ip and dlci values are used on the ASR 1000 Router this does not take effect.
Workaround: To do no frame-relay map ip <ip> before changing the header-compression from active to passive.
•CSCsz53438
When ip header compression is configured on the ASR 1000 Router, but not on the corresponding router, an unexpected reload of the embedded systems processor may occur.
This has been seen, when IPHC is configured on the ASR 1000 Router, but not on the router to which it is directly connected.
Workaround: Is to enable IPHC on both routers.
•CSCta26678
Unable to add vrf configuration after removal of the same vrf on the ASR 1000 Router Series.
This has been seen, when ODR is present on the Cisco ASR 1000 Router.
The router should function normally after the router has been reloaded.
There are no known workarounds.
•CSCta60589
On the ASR 1000 Router, when there are files in the tracelog directory doing a wildcard search could potentially result in a CPUHOG message.
This has been seen, when there are a large number of files in the directory the wild card is being applied on the ASR 1000 Router.
Workaround: Is to avoid doing wildcards on directories with large number of files.
•CSCtb07144
Shutting an interface having a large number of vlans while there is a significant number of multicast entries and interfaces in the MFIB database can take a significant amount of time on the ASR 1000 Router Series.
This has been seen when there are a large number of vlans configured on the interface that is being shutdown. A significant number of entries and interfaces present in the MFIB database.
Workaround: None
•CSCtb24959
The ASR 1000 Router Series may fail while clearing large number of rp mappings. This instance can happen when the following has occurred:
–the router has been configured for rp agent
–and candidate there are a large number of rp's
–initiating the clear ip pim rp-map command
Workaround: Is not to apply the clear ip pim rp-map command one after the other.
•CSCtb33587
NDB state Error Tracebacks on DMVPN spoke with NHO may be found on the ASR 1000 Router Series:
%IPRT-3-NDB_STATE_ERROR: NDB state error (NO NEXT HOPS UNEXPECTED)
This may cause temporary packet drops or forwarding to less specific routes.
The problem may occur, when using RIP or EIGRP and running NHRP and NHRP has installed NHO nexthops for the RIP/EIGRP route.
Workaround: Is to wait after the holddown timer expires, the problem will be cleared.
•CSCtb40529
At switchover, the old active takes 2 reboots to become standby for the ASR 1000 Router Series.
This may occur, when scaled setup with switchover has been configured on the ASR 1000 Router.
Workaround: None
•CSCtb66050
On the ASR 1000 Router Series running Session Border Controller (SBC), a traceback is observed on doing an ISSU sub-package upgrade from release 2.5 image to a later image. This traceback is thought to be largely benign and doesn't affect normal operation. Upgrade is successful, calls can be made and media can be set up through SBC.
This traceback is only observed upon ISSU upgrade from release 2.5 image and only with a sub-package upgrade. The traceback is not seen on performing a consolidated update.
Workaround: Use a consolidated update procedure instead of sub-package upgrade, when possible.
•CSCtb71415
There are occasional CPPOSLIB-3-ERROR_NOTIFY: F1 logs from the ASR 1000 standby FP20. The show plat soft firewall f1 stati output displays zone-binding ASR 1000 errors may be seen on the ASR 1000 Router console (but not on the active F0). This may occur, when running longevity stress tests incorporating per-subscriber firewall, with redundant RP2 and Topology:
stateful PPPoE---LAC--10GbE---LNS---L4-7servers
vanilla PPPoE------| |---10GE --tgen
There are 32000 total sessions:
- 12000 are stateful and flapping periodically
- 15000 are vanilla across 3GE ports passing random traffic up 1500B packets at 1.6Gbps upstream total, 2.8Gbps downstream total
- 2500 PSFW sessions just periodically flapping
- 2500 vanilla PPPoE session periodically flapping
Zones are being downloaded via RADIUS. VFR, uRPF on V-T and/or via RADIUS.
Workaround: No workaround available at this time. In additon the error actually happens during zone unbinding.
•CSCtb79598
When you configure a PVC ASR 1000 with QoS enabled, the QoS will not work as expected on the ASR 1000 Router Series.
The only happens, when you unconfigure ancp neighbor associated with the PVC before you delete the PVC on the ASR !000 Router.
Workaround: None
•CSCtb79850
Interface flap may close when pending channels for the atm spa are configured on the ASR 1000 Router Series.
This may occur, when the interface flap has pending channels on the atm spa.
Workaround: None
•CSCtb85661
On doing multiple switchovers or after ISSU completion followed by a failover, the hardware programming of bidirectional entries doesn't show the correct dest_index (0xFFFF) leading to drop in traffic on the ASR 1000 Router Series.
Workaround: The dest_index can be set to the correct value using a test cli and traffic resumes.
•CSCtb98877
On the ASR 1000 Router Series subsequent call fails after a SIP Session Refresh timeout occurs after an HA switchover in CUBE enviroment.
This occurs in a back to back CUBE environment:
CUCM1 - SIP - CUBE1 - SIP - CUBE2 - SIP - CUCM2
The CUCM SIP Refresh is set to 90 seconds, and a call is made. HA switchover occurs on CUBE1, and the call is disconnected as expected. The same call is made again, but the originating endpoint on CUCM1 gets a Busy tone, while the terminating endpoint on CUCM2 gets Ringing tone.
CUBE2 sends a 503 Internal error with the following cause code:
Reason: Q.850;cause=38 - [Network out of order]
Workaround: None
•CSCtc17366
Only 1-way media or no media is passng when call setup is establish on the ASR 1000 Router Series. This may occur when SIP trunk has been configurated or any setup using 2 IP adress pair with sport and dport equals 5060 for multiple dialogs on the router.
Workaround: There is no straight forward workaround other than to put the call on hold, then resume the call to try and recover the media.
•CSCtc19914
The Embedded Services Processor (ESP) has been reloaded when configuring and unconfigure a large static RP addresses multiple times rapidly with mVRFs on the ASR 1000 Router Series.
When using the following scripts this condition has been seen:
1. Configuring large mVRF's on PE
2. Configuring large Loopbacks on PE, one for each of the VRF
3. Configuring and unconfiguring large static RP addresses multiple times rapidly.
Workaround: None
•CSCtc21042
Chassis-manager process on RP2 gets stuck and the ASR 1000 Router becomes unresponsive to user commands. All the FPs and CCs keep rebooting, with console logs showing repeated FP code downloads.
No particular scenario is known. This problem may caused by OBFL logging of messages on RP2.
Workaround: Is to disable onboard logging of messages on RPs as shown in this following example:
hw-module slot r0/r1 logging onbaord disable
Router#hw-module slot r0 logging onboard disable
To verify that onboard logging has been disabled:
Router#sh logging onboard slot r0 status
Status: Disabled
Note This command is not saved in the config so is not preserved across router reloads.
•CSCtc41808
When trying to change ipsec tunnel configuration by changing tunnel mode between SVTI and GRE, iosd crash is observed on the ASR 1000 Router Series.
Workaround: None
•CSCtc50830
When reloading an active RP just before it goes to rommon mode the ASR 1000 Router dumps a core and crash file pointing to Redundancy FSM.
This condition happens after IPNAT client reloads the standby RP and synchronizing active with standby.
Workaround: None
•CSCtc55049
The ASR 1000 Router may crash and reload following a reboot or initial boot from a power-up.
The embedded syslog manager (ESM) needs to be configured along with an ESM script present during an initial boot or reload. Also, redundant RP/FP appears to be the scenario that has the greatest likelihood of encountering the problem.
Workaround: None. However if problem manifests, the subsequent rebooting is very likely to be successful. If stuck in a situation where crashes are repetative, momentarily pull redundant RP until system stabilizes, and re-insert redundant RP.
•CSCtc72052
The ASR 1000 Router is unable to configure Dynamic Nat Pool with prefix length 14 or less.
This happens when Nat Pool is configured with a lower prefix lengths. This configuration is rejected on the ASR 1000 Router.
Workaround: Is to create a Nat Pool with prefix length 14 or higher.
•CSCtc73525
The ESP board on the ASR 1000 Router Series with ATM PVCs carrying broadband sessions does not accept further config. Traffic forwarding on existing features and session is not impacted, but additional config is rejected.
This ocurrs, when BB sessions over ATM PVCs are configured. With a high number of PVCs configured, and if all PVCs are attemtped to be removed at once with the "rage" command, the ESP board may get into an error state that prevents additional config (such as bringing up new PVCs or sessions) from being accepted.
Workaround: None. However if problem manifests, a reload of the ESP is required to bring the system back to its normal state.
•CSCtc99048
When VLAN-VLAN Pseudowires (PWs) redundancy is configured, when the RP switchover happens on pseudowires (PWs) from primary to backup, and the RP is switched back to primary this may not be allowed for some of the pseudowires (PWs) to forward traffic properly.
Workaround: Is to do a clear xconnect all will re-provision xconnect on all PWs, and after that all pseudowires (PWs) can forward traffic properly.
•CSCtd07250
Acct-Session-Time is inaccurate or incorrect when configured with Session, Traffic-Class Service and Non-Traffic-Class Service Accounting Records on the a Cisco ASR 1000 Router.
This condition has been observed when, Acct-Session-Time displayed in session-stop records displays values much higher than the actual lifetime of a session.
In addition, despite the non-TC service having been associated as a active session, for greater than 3-4 seconds, the Acct-Session-Time, in the stop records of such services is displayed as 0.
Workaround: There is no known workaround.
•CSCtd14559
L2TP-3-ILLEGAL tracebacks and PPPoX session mismatch between active and standby rps.
This error condition is noticed, when rp switchover takes place during the time frame pppox sessions are coming up. In a rare condition, session mismatch was noticed when pppox sessions were coming up for the first time with no other events taking place.
Workaround: No workaround
•CSCtd26479
On ASR 1000 Router Series, the FP may crash with the following error message:
%IOSXE-6-PLATFORM: F0: cpp_ha: Shutting down CPP MDM while client(s) still connected
The FP crashes may happen in some instances, when switchover is pushing COA toward PPPoE and there are 1000 PPPoE ISG sessions on the router.
Workaround: None
•CSCtd26955
On the ASR 1000 Router Series ANCP sessions may drop with high event rate.
This condition may occur, when ANCP is configured on ATM (pvc-in-range), the on-demand (AutoVC) is created and enabled at the interface level (with vc-class) on the ASR 1000 Router.
Workaround: When all the on-demand (AutoVCs) in range is not created on ATM (pvc-in-range), create and enable create on-demand at vc level.
•CSCtd45066
On the ASR 1000 Router Series the nasport id format is changed between 2.3.0, 2.4.0, 2.5.0 and 2.6.0 releases.
This condition has been observed when "nas port format d" <format> is configured on the router.
Workaround: There is no known workaround at this time.
•CSCtd62837
H323 to SIP configuration, when the H323 side supports two DTMF methods, the DTMF interworking may fail on the ASR 1000 Router Series.
When performing H.323 to SIP call, the H.323 side support for H245 alphanumeric userinput and tel-event, the SIP side may just support tel-event. The H.323 side may send DTMF userinput, and the SBC may drop the userinput.
The following pd log message may appear on console:
ICC has failed to find a mechanism to pass on DTMF tones in this call. The tones will not reach their destination.
This may not cause the call to fail.
Workaround: None
•CSCtd87205
The Cisco ASR 1000 Router will reload, when flapping up and down VC's after configuring SSO.
This condition has been observed, when the Cisco ASR 1000 Router reloads after a large amounts of flapping has occurred, and SSO has been forced onto the router. The router may reload.
Workaround: Is to slow down the amount of flapping when doing SSO on the router..
•CSCte19641
On the ASR 1000 Router Series, the CCP Driver Lockdown crash may happen.
The following console message has been observed:
%CPPDRV-3-LOCKDOWN: F0: cpp_cp: CPP10(0) CPP Driver LOCKDOWN due to fatal error.
This may occur, when stressing the system and activating ISG services with ocasional High Availability (HA) switchover.
Workaround: None
•CSCte35998
Secure Media Call will drop during a call if both party's place the call on hold at the same time (or seconds apart) after about 15-20 seconds.
This condition may occur on a Cisco ASR 1000 Router, when running 2.5.0 release and CUCM - 7.1.3.32010-1.
Workaround: None
•CSCte62859
PPP session churn on an LNS following an RP switchover may leave lingering L2TP sessions on the LNS.
This condition may occur, when session churn is combined with a too-small l2tp receive window size following an RP switchover, lingering PPP sessions can result.
Workaround: This condition is exacerbated by a too-small l2pt receive window size. Alter this setting according to the number of sessions typically seen on the the tunnel(s) where this situation is observed. Make sure both ends fo the tunnel have similar settings.
•CSCte78406
On the Cisco ASR 1000 Router console the following error message has been logged on the new standby RP, when PTA sessions are established:
*Feb 2 10:21:36.635: %COMMON_FIB-3-FIBIDBINCONS2: An internal software error occurred. Virtual-Access2.1 linked to wrong idb Virtual-Access2.1
This condition may occur, once PTA sessions are established when performing a RP switchover. After both RPs are synced up with flapped sessions. The error messages are logged on the new standby RP.
Workaround: None
•CSCte96759
IPv6 route summary is incorrect when IPSEC is configured on the Cisco ASR 1000 Router Series.
This condition can occur when traffic is sent through 500 v6 tunnels.
Workaround: Is to remove IPSEC on all the tunnels and reconfigure them. This should bring up all the IPSECv6 routes.
•CSCte98852
When broadband accounting accuracy feature (i.e. `subscriber accounting accuracy' CLI is configured) and service accounting is enabled, a duplicate session accounting start (with unique session ID) message is sent out and 2 entries are created on the AAA server.
This feature is specific to ASR 1000 Router. The issue was observed only when the accounting accuracy feature and service accounting are enabled.
Workaround: There is no workaround as the accounting accuracy may be off as much as 10-second worth of byte-counts if the features is turned off, or when the following is configured on the router:
1. `aaa accounting delay-start'and
2. aaa accounting include auth-profile [delegated-ipv6-prefix, framed-ip-address, framed-ipv6-prefix]
•CSCtf01109
The NAS-IP-Address value in the accounting start changes after RP SSO. Before RP SSO, the NAS-IP-Address contains the IP address of the interface connected to the AAA server. After RP SSO, the new active RP sends out a new accounting start. This time, the NAS-IP-Address contains the loopback0 IP address. When the session disconnects, the accounting stop record contains the correct IP address.
This issue happens in redundant RP system with PPP susbcribers.
Workaround: There is no known workaround.
•CSCtf05408
IP address on a loopback interface is lost on the Cisco ASR 1000 Router Series.
Workaround: Is to reconfigure the loopback interface.
•CSCtf07776
The below traceback can be seen in two environments on a Cisco ASR 1000 Router:
–During UUT reload
–After shutting the FRR enabled interface
For example the following traceback will appear on the console:
%FRR_OCE-3-GENERAL: un-matched frr_cutover_cnt.
-Traceback= 40DCB368 40DCB220 40DCB444 40DEC968 40D15FE4 40D1BACC 40D13BD4 40D14810
This condition has been seen on the router with TE and FRR enabled on interface during the reboot and issue.
Workaround: None
•CSCtf27631
When processing MS-CHAPv2 an unexpected reload may occur on a Cisco ASR 1000 Router.
This may occur while the ASR 1000 Router is processing an MS-CHAPv2 response in a PPP environment.
Workaround: None
•CSCtf41625
In the PE-CE environment, BGP is running between the PE and CE. From the PE , Advertising two prefixes through vrf static routes. These prefixes are not advertised on the CE side.
This condition can be seen only with global keyword i.e.. next_hop resolution has been applied within the RIB table.
For an example:
ip route vrf vpn1 34.2.0.0 255.255.255.0 Ethernet3/0 34.2.0.2 global
Workaround: There is no known workaround.
•CSCtf44686
While running in uSBC mode the ASR 1000 Router may crash.
This condition has been observed when ping-enable is configured under an encrypted adjacency.
Workaround: None
•CSCtf51373
The FP crashes on a Cisco ASR 1000 Router running 12.2(33)XNE1.
This condition may occur when running VOIP traffic.
Workaround: None
•CSCtf57046
On a Cisco ASR 1000 Router poor H323 call connection success rate has been seen.
This problem is caused by a timeout when attemting to open TCP sockets for H245.
TCP sockets previously timeout after 1 second, which can be the case where there is high latency in the network, or the application with endpoint does not respond within 1 second.
Workaround: None
•CSCtf57073
When H323 call setup is done correctly, but there is no audio with video is available on the Cisco ASR 1000 Router.
This condition is caused by excessive H245 message sizes. Message buffers sizes are not suffient.
Workaround: None
•CSCtf57132
Poor video quality for H323 downstreams to H323 calls on the Cisco ASR 1000 Router.
This condition is caused by Bearer Capabilites in the Q931 Seup, always being changed to 64k.
Endpoints which choose to apply the bandwidth in Bearer Capabilites (not mandated) will then attempt to open both audio and video to not exceed a total bandwidth of 64k causing poor video.
Workaround: The bearer capabilites rate mutiplier is now being propagated correctly which resolves the bandwidth issues.
•CSCtf57273
VRF mapping service on ISG may cause IGP to fail on downstream interface.
Workaround: None
•CSCtf61700
Memory leak has been seen when Radius is processed on a Cisco ASR 1000 Router.
This happens only when Radius Server (ACS) send Access-Reject for a service profile download.
Workaround: Make sure the respective profile is configured in the ACS (Radius server) that is needed for download.
•CSCtf70365
When config ED is used for EEM with some special config like virtual-template commands, it can trigger more than intended.
When certain commands are configured, this can happen.
Workaround: Is to use syslog ED instead.
Resolved Caveats—Cisco IOS XE Release 2.5.2
All the caveats listed in this section are resolved in Cisco IOS XE Release 2.5.2
•CSCsd39262
A crash may happen when ACL has no match in a prefix list on a Cisco ASR 1000 Router. When a named acl is first referred by "match ip address" command, followed by a "no match ip address prefix" command which refers to the same ACL name, the router either generates an alignement error or crashs.
Workaround: There is no workaround.
•CSCsq24672
A call through CUBE may not establish for a Re-Invite-based call flow. The call may drop.
This symptom is observed if the endpoint to which the CUBE is communicating sends a Re-INVITE for a call before it has received an ACK from the other call leg for the original INVITE. CUBE may not forward this Re-Invite to the other call leg, and the call will disconnect.
Workaround: There is no workaround.
•CSCsw44668
Conditional debugs is not complete on the ASR 1000 Router Series. This condition is more likely to happen when debug is enabled on the tunnel, issuing shut and then no shut.
Workaround: None
•CSCsx02819
When NAT traffic is flowing, if the user tries to delete NAT pool, an error message is displayed and NAT pool is not removed since it is in use. But the NAT pool is removed in the Standby. Due to this, NAT does not work after SSO switchover. In this example the following condition have been observed:
(config)#no ip nat pool <name> <start-ip> <end-ip> {netmask <netmask> | prefix-length <prefix-length>}
Workaround: Is to issue the pool configuration command, after the pool gets deleted in the standby RP, prior to SSO switchover.
•CSCsy49927
The IOSd restart is seen with crest proc frame that fetches the tcl shell for execution.
This is seen with crest proc that helps in configuring a scale configuration.
Workaround: None
•CSCsz82950
A peer RP reloads on a Cisco ASR 1000 Router. When any configurations are done using NMS for DCTM MIB, this symptom occurs when unconfiguring the configuration that is created by DCTM MIB configuration.
Workaround: There is no workaround.
Further Problem Description: DCTM was not HA supported before. HA is supported now. If configurations are not done by using NMS, there will not be any issues.
•CSCta12530
The aggregate-fragment stats are not shown on the primary or secondary link when disjoint policies using service-fragment and fragment are applied on Etherchannel member links with sub-interfaces.
The problem occurs only when using Etherchannel, with service-fragment policies applied on Etherchannel member links and fragment policies applied on Etherchannel sub-interfaces.
With this configuration, in the output of show policy-map interface <member-link> we can see that the aggregate-fragment counters may be missing from one of the member links.
Workaround: There is no known workaround.
•CSCtb32892
Traceback has been logged "%MFIB-3-DECAP_OCE_CREATION_FAILED: Decap OCE creation failed" may be seen on the ASR 1000 Router Series console when loading the image or adding the RP with SSO.
In this condition, the tracebacks can be seen on reloading a Provider Edge router with mVPN configuration or adding the RP with SSO on the router.
Workaround: None
•CSCtb33439
Hub or spoke crashes when the spoke tunnel is shut or unshut on a Cisco ASR 1000 Router.
This conditon may occur when applying dmvpn configs after performing a shut and no shut on the tunnel.
Workaround: None
•CSCtb66770
Serial interface are not added as member links to the MLP bundle.
This condition may occur, after properly configuring a MLP bundle and its member links, flapping of the all the member link interfaces can cause links to not be re-added to the MLP bundle.
Workaround: None
•CSCtb87546
Tftp server may times out sometimes or always on the ASR 1000 Router Series. This may occur when uploading or downloading files, including IOS images to tftp server.
Workaround: Is to use 2.5 pre-released images on the router in order to run the tftp operation successfully.
•CSCtb89424
In rare instances, a Cisco ASR 1000 Router may crash while using IP SLA UDP Probes configured using SNMP and display an error message similar to the following:
hh:mm:ss Date: Address Error (load or instruction fetch) exception, CPU
signal 10, PC = 0x424ECCE4
This symptom is observed while using IP SLA on the router.
Workaround: There is no workaround.
•CSCtc18656
When the NAT box is configured as the Rendezvous Point (RP). This does not allow for source address translation for the encap packet received from the First Hop Router.
NAT box is configured as Rendezvous Point (RP) decapsulates the packet and forwards it to NAT outside without translation which will create incorrect S,G state for a inside local source address on the downstream routers after NAT router.
Workaround: None
•CSCtc21042
A chassis-manager processed on RP2 gets stuck and the router becomes unresponsive to user commands. All the FPs and CCs keep rebooting, with console logs showing repeated FP code downloads. This problem is specific to RP2. No particular scenario is known. Problem is caused by OBFL logging of messages on RP2.
Workaround: Is to disable onboard logging of messages on RPs as follows:
"hw-module slot r0/r1 logging onbaord disable"
Router#hw-module slot r0 logging onboard disable
To verify that onboard logging has been disabled:
Router#sh logging onboard slot r0 status
Status: Disabled
Note This command is not saved in the config so is not preserved across router reloads.
•CSCtc48125
Duplicated ARP entry when enabling ISG. When you enable ISG for the existing DHCP users, you may see the following:
GPKC10ki01#sh arp | i aaaa.bbbb.cccc
Internet x.x.x.x - aaaa.bbbb.cccc ARPA GigabitEthernet1/0/2.1203
Internet y.y.y.y 16 aaaa.bbbb.cccc ARPA GigabitEthernet1/0/2.1203
GPKC10ki01#
(The one without the age is the ISG user and the one with an age is the DHCP learned address.)
The symptom is observed on a Cisco ASR 1000 Router when enabling ISG on existing DHCP users.
Workaround: Is to disable multiple DHCP servers. Use one DHCP server.
•CSCtc50985
Output of the show ip subscriber dangling <500> at a steady state shows lots of sessions of the form:
dhcp 0000.6401.2a64 [37649] control waiting
The symptom is observed in large scale scenarios or when CPS is much higher than recommended.
Workaround: Is to clear the session on the router and reboot, if required.
Further Problem Description: In scale scenarios, the DHCP handshakes between the client, so the DHCP relay and server might take a long time. Also, the wire or DHCP server is loaded so that it drops some offers or ACKs. In this case, some sessions might be seen dangling without corresponding binding and there is no connectivity to the user.
•CSCtc72651
A crash has been seen on a new RP after SSO with AToM debugs are enabled on the ASR 1000 Router Series. When enabling AToM debugs which requests VC Accouting details from MFI during SSO the router may fail.
Workaround: None
•CSCtc78200
A Cisco ASR 1000 Router may crash in parse_configure_idb_extd_args routine.
This symptom is observed when running PPP sessions or when TCL is used for configuring interface range.
Workaround: As the PPP session is being established on the LNS, Cisco IOS will momentarily use one of the available VTYs from the router. After initial configuration, it is immediately released to the system pool.
When all VTY connections are in use, an RP crash will occur if a new PPP session is established and there are no free VTYs in the system.
To work around this issue, reserve several VTY connections for PPP session establishment. Since it is possible that a burst of PPP sessions tries to connect using multiple VTY connections at the same time, reserve at least 5 VTY connections. One possible solution is to use an ACL on the last 5 VTY
lines:
ip access-list extended VTY_ACL
deny ip any any
!
line vty 5 9
access-class VTY_ACL in
exec-timeout 1 0
login authentication local1
Alternate Workaround: Do not configure "interface range" cli using ios_configfrom tclsh mode. When in tclsh mode, use normal "interface cli" in a "for loop".
•CSCtc91560
High CPU utilization occurs on a Cisco ASR 1000 Router.
The symptom is observed with session churn on the router.
Workaround: There is no workaround.
Further Problem Description: CPU usage will remain high under normal conditions given a constant churn rate of approx 24 CPS, coming up and down.
•CSCtc95709
During ISSU upgrade, the standby router may crash and reload after displaying the following error message:
DATACORRUPTION-1-DATAINCONSISTENCY or DATACORRUPTION DATAINCONSISTENCY
This symptom is observed during ISSU upgrade if RPs are in slots between LCs. If RPs are in slots below all LCs, or slots above all LCs, the symptom should not occur.
Workaround: Physically move RPs to the lowest slot numbers, below the LC slot numbers. Moving RPs one by one should allow continued serviceability.
•CSCtd00493
For IPv6 Bi-directional entry FF03::1:0:0/96, some packet with address like FF03::1:1:1/128 or FF03::1:1:2/128, etc... In addition a Cisco ASR 1000 Router cannot find a match in CPP due to the collision lookup failure. This problem may cause the traffic to not forward the entries on the router.
Workaround: None
•CSCtd02123
WRED state only shows WRED state with standard class.
In sh policy-map int, WRED state only show standard class's WRED state.
Workaround: Is to only use standard wred classes.
•CSCtd22064
The ASR 1000 Router Series will crash when removing SBC configuration after a failover.
During normal call operations a failover is initiated via CLI. Normal call operations continue without issue after the failover. After stopping all calls, the SBC configuration is removed and the Cisco ASR 1000 Router will crash.
Workaround: Do not remove SBC configuration.
•CSCtd24065
The output of the command show subscriber statistics shows that number of "SHDBs in use" is greater than the total number of unique subscribers for the deployment. This might contribute to issues such as an "out of IDs" message or sessions not coming up.
The symptom occurs for DHCP-initiated sessions either when:
1. Session idle times out followed by a lease expiry or you release the lease.
2. Session is cleared using the clear subscriber session command and there is a lease expiry or you release the lease.
Workaround: There is no workaround.
Further Problem Description: This can also contribute to a small amount of observed memory leak.
This problem occurs in code branches where IP session HA is not supported. In these branches, the above steps cause a SHDB handle to not be cleared properly when other datastructures are cleared.
•CSCtd25688
The Cisco ASR 1000 Router crashed multiple times when using 2.6 pre-released images with the following message:
Kernel panic - not syncing: Attempted to kill init.
In some instances this problem may occur with no traffic ON.
Workaround: None
•CSCtd31226
Every 10 seconds an error message has been logged on a Cisco ASR 1000 Router console:
%CPPOSLIB-3-ERROR_NOTIFY: F0: cpp_cp: cpp_cp encountered an error
This error has been seen when using 12.2(33)XND1 release.
Workaround: There is no known workaround.
•CSCtd32560
During Cisco ASR 1002 or Cisco ASR 1004 ISSU upgrade from IOS XE 2.3.2 to IOS XE 2.5.0, a loss of QoS functionality can occur on some and all targets.
Loss of QoS functionality has been observed right after RP upgrade and switchover while following Cisco ASR 1002 or Cisco ASR 1004 ISSU procedure. The QoS functionality does not recover on its own and only occurs on policies that are both hierarchical (at least 2-level) and contain policers. The condition can be identified by the following command:
show platform hardware qfp active interface if-name <if_name> info | include QoS
If there is no output returned from this command then there has likely been a QoS service disruption due to this problem.
Workaround: QoS functionality can be resumed on the interface by removing and re-attaching the QoS policy. Alternately, the problem can be avoided by upgrading to IOS XE 2.4.x first (including the ESP). The upgrade path would be IOS XE2.3.2 -> IOS XE 2.4.x -> IOS XE 2.5.x.
•CSCtd34644
Hub and spoke on the ASR 1000 Router Series in DMVPN - Hub Support by QoS Class (DMVPN Phase 3) the network shows ATTN SYNC timeout and IPSEC-3-CHUNK_DESTROY_FAIL messages in steady state traffic and during dmvpn config cleanup. This is seen during scale config and configuration cleanup.
Workaround: No Workaround
•CSCtd38225
When ISG is enabled and DHCP sessions re-start just around the time their leases expire, some sessions may get stuck dangling indefinitely. Sending DHCPDISCOVER message (i.e.: re-starting the CPE) will not restore the session. The affected subscriber(s) will not be able to establish a session.
This condition has been observed whenISG is enabled and DHCP sessions re-start just around the time their leases expire.
Workaround: The only known workaround is to manually clear the dangling session(s) using the clear ip subscriber dangling <time> command although this may not be a suitable workaround in a live production network.
•CSCtd39778
The Cisco ASR 1000 Router may reset due to IOS failure when ZBFW is configured with more than 16 match protocols and there are large an additional no match protocl statements in ZBFW class-maps.
This has been seen, when an addition of more than 16 match protocol statements in a class-map is used for inspect policymap on the ASR 1000Router.
Workaround: Is to split the class-map with more than 16 match protocol into multiple class-maps, each with 16 or less match statements.
•CSCtd42810
PPPoEoA sessions are not coming up because some VCs are in inactive state on the Cisco ASR 1000 Router Series.
This symptom has been observed when around 400 PVCs are configured with PPPoEoA sessions.
Workaround: Is to save the configuration on the LAC, then reload the LAC.
•CSCtd42928
An IP DHCP ISG subscriber session is not being created for a particular subscriber on the Cisco ASR 1000 Router Series. While other subscribers are not affected.
The symptom is observed under the following conditions:
1. Scaled environment (with 20k sessions).
2. Using debugs and show commands it is determined that no session or binding exists for the subscriber, but a DPM context exists.
Workaround: There is no workaround.
Further Problem Description: In such conditions the only way to start the session for the subscriber is a reload or switchover.
•CSCtd53112
IOS reload occurs when on a Cisco ASR 1000 Router when `debug cond ip nat inside source static..' command entered and NAT has never been configured on the box.
Workaround: Enter 'debug cond ip nat' commands only after NAT has been configured.
•CSCtd60249
Policy-map counters are not updated randomly on a Cisco ASR 1000 Router running 12.2(33)XND2.
This condition maybe seen only when when time-based ACL is used for classification.
Workaround: Is to reconfigure the policy-map.
•CSCtd66132
On a Cisco ASR 1000 Router FP reloads when changing the RP address with DMVPN Config.
This problem maybe seen on the ASR1000 Router, when changing the RP address with DMVPN Config, while sending multicast packet.
Workaround: None
•CSCtd70582
Traffic Class services will remain in "show subscriber session" output under "Policy Information" after traffic class has disconnected by timer events.
Only seen when Traffic Class is disconnected through an Idle Timer or Absolute Timer expiring.
Workaround: When traffic class service is disconnected through normal (User Intervention), issue is not seen. For Timer disconnected Traffic Class services, no known workaround at this time.
•CSCtd72215
Using 12.2(33)XNE CCO image the following behavior is noticed with an IPv6 enabled interface. Basically, toggling "ipv6 unreachable" config on an interface leads to unreachables being permanently disabled :
1. Confirm that by default interface responds with ICMPv6 unreachable message when traffic with unknown destination is sent.
2. Configure "no ipv6 unreachables" on interface and it is observed that ICMPv6 unreachables are no longer sent.
3. Configure "ipv6 unreachables" on interface ... expect to see unreachables being generated again however this is not the case.
This condition may happen after configuring "no ipv6 unreachables" and the inablity to configure back to ipv6 unreachables.
Workaround: Is to reload IOS Software.
•CSCtd73567
The ASR 1000 Series Router may reload unexpectedly while reassembling a fragmented ip packet.
Workaround: None
•CSCtd75461
When the same destination ip address is used in multiple netflow exports, of the following syntax, ip flow export destination<ip-address><port>, only the first configured export port will be used to send 1 copy of the export packets. If different destination ip addressses are used, this problem is not seen.
Additionally, if a destination ip address is configured with an unintended port number, and the user then configures the same statement with the intended port number, both flow exports will show up in the config and in the output of <CmdBold>show ip flow export<noCmdBold>, and if you then delete the first entry, we will still continue to send exports to the originally configured port number for that ip address.
Workaround: If you can configure two ip addresses on that same destination host, and use separate export statements for sending those packets, then this could be a feasible workaround.
•CSCtd77312
L2TP resync will fail under some conditions on the ASR 1000 Router Series.
This condition has been see before RP swichover occurs, when LAC has sent some L2TP control packets which have not been acknowledged yet.
Workaround: There is no known workaround.
•CSCtd80007
The standby routing processor crashes during an SSO when TE Auto-Tunnel Backup is enabled on a Cisco ASR 1000 Router.
The symptom has been observed during an SSO only on a new Standby RP when TE Auto-Tunnel Backup is in use.
Workaround: Is to disable TE Auto-Tunnel backup.
•CSCtd83822
Increasing memory usage of `reflector.sh' and `droputil.sh' process may occur on the ASR 1000 Router Series.
Workaround: None
•CSCtd84427
After RP2 Switchover, some of the adjacency do not come up on the Cisco ASR 1000 Router Series.
This condition has been seen when manual switchover on the RP2 has occurred.
Workaround: None
•CSCtd90979
When configuring hierachical QoS policy-map with precent based rate configuration, the rate calcultion might be wrong when the QoS policy is applied to 10 GigabitEthernet interface.
The translation from percent to absolute value (in Kbps) might be wrong when QoS policy is applied to 10 GigabitEthernet interface.
Workaround: To change from using the percent rate to the absolute rate in BPS (bits per second0 in parent shaper would avoid running into this issue.
•CSCte02973
Routing protocols like EIGRP may be dropped in the global table.
The symptom is observed when multicast is configured for a VRF and no multicast is configured for the global table.
Workaround: Is to enable ip multicast routing and create a loopback interface with ip pim sparse-mode enabled.
Further Problem Description: The problem should not occur for MVPN since this is not a valid configuration, as multicast in the core is a requirement. However, it can occur for a feature called MVPN-lite, where multicast traffic is routed between VRF tables without the tunneling and therefore without the requirement for multicast in the global table.
•CSCte05357
The ASR 1000 Router may crash, when bringing up PPPoE sessions after segmentation faults are configured. This has been seen, when bringing up PPPoE with AAA authorization on VRF and PPP configuration with virtual templates is configured on the router.
Workaround: None
•CSCte05638
Cannot copy WebEx application logs from WebEx Node SPA console with Vegas shell commands.
When connection to WebEx Data Center fails, the WebEx support team might need to look at the WebEx application log files to identify the problem.
There is no mechanism today for customer to copy this logs files out of the WebEx Node SPA.
Workaround: None
•CSCte07457
The ASR 1000 Router is showing only zero counters for qos service-policies (as per the show policy-map interface) when applied on Ethernet based interfaces (FE and GigE) after a reload.
Workaround: None
•CSCte08145
CPP reset on sending malformed GRQ on the Cisco ASR 1000 Router.
This condition has been seen after malformed GRQ has passes through the ASR 1000 Router, where router is performing ALG. The CPP will reset after some time period.
Workaround: There is no workaround as of now.
•CSCte19782
When ESP traffic is traversing NAT with inside static configs, the traffic initiated from the outside hosts willl not work.
This condition happens with NAT inside static configuration, the ESP traffic iniitated from the outside network will be passing through the NAT box untranslated.
Workaround: There is no known workaround.
•CSCte20245
ESP is observed to reload while trying to bringup PPPoEoA sessions during an RP Switchover.
This condition has been observed, when PPPoEoA sessions are setup during RP switchover this may cause ESPs to reload.
Workaround: Setup sessions after RP switchover has happened.
•CSCte20928
ESP20 restarts when loading the config on the RP2.
This issue has been seen when loading config on a blank box with ESP20 and RP2.
Workaround: None
•CSCte29294
On the Cisco ASR 1000 Router the ESP may crash, when doing High Availibility (HA) switchover in LNS environment.
This has been seen, when LNS has been configured with traffic.
Workaround: There is no workaround.
•CSCte40621
On a Cisco ASR 1000 Router when adding pinhole, after modify has failed with an ER=421 error message.
For example: "AddIssue-NG.pcap" contains failed pattern with following order:
–ADD (pinhole/user1a)
–ADD (pinhole/user2a)
–Modify (pinhole/user1a)
–ADD (poinhole/ser2v) -> failed with ER=421
Workaround: None
•CSCte43708
On a Cisco ASR 1000 Router a crash can occur when using QFP.
This instance may occur when QFP is forwarding an IP fragment while doing ip virtual-reassembly, which is enabled by NAT.
Workaround: None
•CSCte45106
Crash in QoS cpp_cp process when memory is running to slow on the Cisco ASR 1000 Router Series . The following conditions have been observed:
1. Establish 25k PPPoE PTA ISG sessions with traffic classes, port bundle, l4r, accounting and QoS.
2. Send traffic through the sessions.
3. Make sure that all the idbs are used.
4. Keep trying to establish PPPoE sessions.
5. FP crash should be observed.
Workaround: Keep memory from running low.
•CSCte45509
The ASR 1000 Router cannot take over PPP and L2TP sessions when ISSU has been loaded .
During ISSU step, Active RP image is a previous version and Standby RP image is 12.2(33)XND3.
The following traceback occurred and cannot create ppp sessions on Standby RP:
%SYS-2-LINKED: Bad enqueue of xxx in queue xxx -Process= "RADIUS"
Therefore all PPP sessions is lost at the time of RP switchover.
Workaround: There is no workaround.
•CSCte46020
When using a nas-port-format which is different from default encoding 4/1/3, the NAS-Port-ID and NAS-Port radius attributes do not reflect the requested encoding. This is for sessions which originate on ATM interfaces only, i.e. PPPoEoA.
Depending on physical interface location, the NAS-Port-ID and NAS-Port radius attributes may not be represented correctly.
Workaround: Physically move (if possible) the interfaces into ports which can be correctly encoded with 4/1/3 bit distribution.
•CSCte46218
Traffic is not forwarded through GRE or multipoint GRE tunnels with "tunnel key 0". This condition is seen when tunnel key is configured via "no tunnel key" and then reconfigured via "tunnel key 0" on a GRE or mGRE tunnel, traffic will received tunnel packets will be dropped.
Workaround: After removing tunnel key configuration, configure "tunnel key" with non-zero value or delete and recreate tunnel interface.
•CSCte50523
The H.323 Fast-Slow interworking feature was added in an earlier release of DC SBC, however, the feature is being deprecated.
This affects the following cli:
#config t
Enter configuration commands, one per line. End with CNTL/Z.
(config)#sbc <name>
(config-sbc)#sbe
(config-sbc-sbe)#adj h323 ADJA
(config-sbc-sbe-adj-h323)#start ?
fast H.323 Fast start for outgoing calls on this adjacency
slow is no longer an option meaning Fast Start requests on this adjacency will not be converted to Slow Start.
Workaround: This is a deprecation of a cli and no work around is needed.
•CSCte50685
NAT DNS ALG TTL not set to 0. Failover from primary ASR to secondary will cause application failure because of invalid dns cache entries from old nat. By setting the TTL to 0 the client will rerequest dns information.
Workaround: None
•CSCte50721
During stateful NAT sync of H323 information from primary to standby, the standby crashes.
This condition occurs when Cisco ASR 1000 Router with dual RP and ESP configured.
Workaround: Is to disable H323 with the following commands when H323 ALG is not required:
no ip nat service h225
no ip nat service ras
•CSCte51283
Traffic on a priority class receives more bandwidth than what has been configured.
This condition has been observed when configuring "priority percent" on a QOS service-policy, if the class-default has "fair-queue" configured, the rate on the priorit
Workaround: None
•CSCte51436
Pressing Hold during a SIP-to-SIP call through CUBE(Ent) on the ASR 1000 Router results in intermittent disconnects. The phone behind the ASR CUBE hears a fast busy tone.
When CUBE dial-peers are configured with dtmf-relay of: "rtp-nte", "sip-notify rtp-nte", or none.
ASR CUBE(Ent) version from CCO: asr1000rp2-adventerprisek9.02.05.00.122-33.XNE.bin
Workaround: Is to use "sip-notify" as the dtmf-relay method.
•CSCte52369
On a Cisco ASR 1000 router, the RADIUS will send a NACK for the First COA request message and Radius Authentication will fail.
This condition has been observed when the RADIUS recieves "ACCESS-ACCEPT" with `Unsupported Vendor' attribute.
Workaround: Is to send the COA request message again.
•CSCte56627
Outside NAT sessions are not syncing between active and standby.
The following symptom may occur:
1. Sessions may not be sync properly to standby OR
2. ession deletes may not be sync properly to standby (session that would be deleted on standby, will not be deleted).
The following conditons may occur:
1. On ASRNAT when there is an inside mapping and outside static mapping configuration.
2. When there is a very high burst of session aging occurs.
Workaround: None
•CSCte58825
There is a crash upon conducting an snmpwalk from "enterprise mib oid 1.3.6.1.4.1".
The symptom is observed on a Cisco ASR 1000 Series Aggregation Services router that is running Cisco IOS Release 12.2(33)XNE.
Workaround: Configure SNMP view to exclude ipsecpolmap as follows:
snmp-server view <view name> iso included
snmp-server view <view name> ipsecpolmaptable excluded
•CSCte60069
During the scale testing with ModelF applied on PTA, reparenting operation results in FP crash. Also CPUHOG and TIMEHOG tracebacks observed. The following conditions have been seen:
1. On PTA, bring up 24K IPv4 sessions, 2PQ+2CQ (modelf)
2. remove grandparent shaper and3)add the shaper back. When this instance occurs, FP crashes a tracebacks are observed.
Workaround: Without the fix for this ddts, avoiding reparenting with large number of vlans with sessions will resolve the issue.
Open Caveats—Cisco IOS XE Release 2.5.1
This section documents possible unexpected behavior by Cisco IOS XE Release 2.5.1
•CSCsz36180
When enabling passive header compression on interface where active header compression is enabled doesn't get reflected in show running configuration of interface. Though its get updated in show frame-relay map command output. Also, the header compression is not working as desired after this configuration. Ideally if both side are configured for Passive, compression should not happen. In this case compression is happening though sh frame relay map command shows both interfaces are configured as passive on the ASR 1000 Router Series.
This has been seen, when the following command is used:
frame-relay map ip <ip> <dlci> compress passive
frame-relay map ip <ip> <dlci> compress active
When the same ip and dlci values are used on the ASR 1000 Router this does not take effect.
Workaround: To do no frame-relay map ip <ip> before changing the header-compression from active to passive.
•CSCsz53438
When ip header compression is configured on the ASR 1000 Router, but not on the corresponding router, an unexpected reload of the embedded systems processor may occur.
This has been seen, when IPHC is configured on the ASR 1000 Router, but not on the router to which it is directly connected.
Workaround: Is to enable IPHC on both routers.
•CSCta26678
Unable to add vrf configuration after removal of the same vrf on the ASR 1000 Router Series.
This has been seen, when ODR is present on the Cisco ASR 1000 Router.
The router should function normally after the router has been reloaded.
There are no known workarounds.
•CSCta60589
On the ASR 1000 Router, when there are files in the tracelog directory doing a wildcard search could potentially result in a CPUHOG message.
This has been seen, when there are a large number of files in the directory the wild card is being applied on the ASR 1000 Router.
Workaround: Is to avoid doing wildcards on directories with large number of files.
•CSCta65347
CME is changing the media direction attribute as "INACTIVE" instead of "RECVONLY"on the ASR1000 Router Series.
Only in this instance the resume fails, when CCM/CME scenario's from h323 legcalls are used and there is no media on the ASR 1000 Router.
Workaround: None
•CSCtb07144
Shutting an interface having a large number of vlans while there is a significant number of multicast entries and interfaces in the MFIB database can take a significant amount of time on the ASR 1000 Router Series.
This has been seen when there are a large number of vlans configured on the interface that is being shutdown. A significant number of entries and interfaces present in the MFIB database.
Workaround: None
•CSCtb24959
The ASR 1000 Router Series may fail while clearing large number of rp mappings. This instance can happen when the following has occurred:
–the router has been configured for rp agent
–and candidate there are a large number of rp's
–initiating the clear ip pim rp-map command
Workaround: Is not to apply the clear ip pim rp-map command one after the other.
•CSCtb32892
Traceback has been logged "%MFIB-3-DECAP_OCE_CREATION_FAILED: Decap OCE creation failed " may be seen on the ASR 1000 Router Series console when loading the image or adding the RP with SSO.
In this condition, the tracebacks can be seen on reloading a Provider Edge router with mVPN configuration or adding the RP with SSO on the router.
Workaround: None
•CSCtb33587
NDB state Error Tracebacks on DMVPN spoke with NHO may be found on the ASR 1000 Router Series:
%IPRT-3-NDB_STATE_ERROR: NDB state error (NO NEXT HOPS UNEXPECTED)
This may cause temporary packet drops or forwarding to less specific routes.
The problem may occur, when using RIP or EIGRP and running NHRP and NHRP has installed NHO nexthops for the RIP/EIGRP route.
Workaround: Is to wait after the holddown timer expires, the problem will be cleared.
•CSCtb40529
At switchover, the old active takes 2 reboots to become standby for the ASR 1000 Router Series.
This may occur, when scaled setup with switchover has been configured on the ASR 1000 Router.
Workaround: None
•CSCtb56852
RP resets when we delete DMVPN Tunnel on hub router .
In 1hub and 1000 spokes scenario, when we delete dmvpn tunnel on hub causes RP reset on hub router.
Workaround: None
•CSCtb66050
On the ASR 1000 Router Series running Session Border Controller (SBC), a traceback is observed on doing an ISSU sub-package upgrade from release 2.5 image to a later image. This traceback is thought to be largely benign and doesn't affect normal operation. Upgrade is successful, calls can be made and media can be set up through SBC.
This traceback is only observed upon ISSU upgrade from release 2.5 image and only with a sub-package upgrade. The traceback is not seen on performing a consolidated update.
Workaround: Use a consolidated update procedure instead of sub-package upgrade, when possible.
•CSCtb71415
There are occasional CPPOSLIB-3-ERROR_NOTIFY: F1 logs from the ASR 1000 standby FP20. The show plat soft firewall f1 stati output displays zone-binding ASR 1000 errors may be seen on the ASR 1000 Router console (but not on the active F0).
This may occur, when running longevity stress tests incorporating per-subscriber firewall, with redundant RP2 and Topology:
stateful PPPoE---LAC--10GbE---LNS---L4-7servers
vanilla PPPoE------| |---10GE --tgen
There are 32000 total sessions:
- 12000 are stateful and flapping periodically
- 15000 are vanilla across 3GE ports passing random traffic up 1500B packets at 1.6Gbps upstream total, 2.8Gbps downstream total
- 2500 PSFW sessions just periodically flapping
- 2500 vanilla PPPoE session periodically flapping
Zones are being downloaded via RADIUS. VFR, uRPF on V-T and/or via RADIUS.
Workaround: No workaround available at this time. In additon the error actually happens during zone unbinding.
•CSCtb79598
When you configure a PVC ASR 1000 with QoS enabled, the QoS will not work as expected on the ASR 1000 Router Series.
The only happens, when you unconfigure ancp neighbor associated with the PVC before you delete the PVC on the ASR !000 Router.
Workaround: None
•CSCtb79850
Interface flap may close when pending channels for the atm spa are configured on the ASR 1000 Router Series.
This may occur, when the interface flap has pending channels on the atm spa.
Workaround: None
•CSCtb98877
On the ASR 1000 Router Series subsequent call fails after a SIP Session Refresh timeout occurs after an HA switchover in CUBE enviroment.
This occurs in a back to back CUBE environment:
CUCM1 - SIP - CUBE1 - SIP - CUBE2 - SIP - CUCM2
The CUCM SIP Refresh is set to 90 seconds, and a call is made. HA switchover occurs on CUBE1, and the call is disconnected as expected.
The same call is made again, but the originating endpoint on CUCM1 gets a Busy tone, while the
terminating endpoint on CUCM2 gets Ringing tone.
CUBE2 sends a 503 Internal error with the following cause code:
Reason: Q.850;cause=38 - [Network out of order]
Workaround: None
•CSCtc16232
When the L2 MAC address of an Ethernet interface is changed on the ASR 1000 Router Series, the final RA is not sent to the remote endpoint.
The expected behaviour is that when the L2 MAC address is changed, on the ASR 1000 Router is to send a final RA to the endpoint indicating the change.
Workaround: None
•CSCtc17366
Only 1-way media or no media is passng when call setup is establish on the ASR 1000 Router Series. This may occur when SIP trunk has been configurated or any setup using 2 IP adress pair with sport and dport equals 5060 for multiple dialogs on the router.
Workaround: There is no straight forward workaround other than to put the call on hold, then resume the call to try and recover the media.
•CSCtc19914
The Embedded Services Processor (ESP) has been reloaded when configuring and unconfigure a large static RP addresses multiple times rapidly with mVRFs on the ASR 1000 Router Series.
When using the following scripts this condition has been seen:
1. Configuring large mVRF's on PE
2. Configuring large Loopbacks on PE, one for each of the VRF
3. Configuring and unconfiguring large static RP addresses multiple times rapidly.
Workaround: None
•CSCtc21042
When MVPN is configured the cman fp crashes and the ESP20 continues to reboot while crypto traffic runs for several hours without triggering any events on the ASR 1000 Router.
This has been seen, when crypto traffic passes through the system for several hours before this crash takes place.
Workaround: None
•CSCtc41808
When trying to change ipsec tunnel configuration by changing tunnel mode between SVTI and GRE, iosd crash is observed on the ASR 1000 Router Series.
Workaround: None
•CSCtc50830
When reloading an active RP just before it goes to rommon mode the ASR 1000 Router dumps a core and crash file pointing to Redundancy FSM.
This condition happens after IPNAT client reloads the standby RP and synchronizing active with standby.
Workaround: None
•CSCtc55049
The ASR 1000 Router may crash and reload following a reboot or initial boot from a power-up.
The embedded syslog manager (ESM) needs to be configured along with an ESM script present during an initial boot or reload. Also, redundant RP/FP appears to be the scenario that has the greatest likelihood of encountering the problem.
Workaround: None. However if problem manifests, the subsequent rebooting is very likely to be successful. If stuck in a situation where crashes are repetative, momentarily pull redundant RP until system stabilizes, and re-insert redundant RP.
•CSCtc71338
When configuring a 10k line ACL (production-out) on the interface, the FP process crashes on the ASR 1000 Route Series.
The production-out will show as follows:
interface GigabitEthernet0/3/4
ip address 1.10.4.1 255.0.0.0
ip access-group production-out in
ip access-group production-out out
speed 100
no negotiation auto
cdp enable
service-policy output test
Workaround: None
•CSCtc72052
The ASR 1000 Router is unable to configure Dynamic Nat Pool with prefix length 14 or less.
This happens when Nat Pool is configured with a lower prefix lengths. This configuration is rejected on the ASR 1000 Router.
Workaround: Is to create a Nat Pool with prefix length 14 or higher.
•CSCtc73525
The ESP board on the ASR 1000 Router Series with ATM PVCs carrying broadband sessions does not accept further config. Traffic forwarding on existing features and session is not impacted, but additional config is rejected.
This ocurrs, when BB sessions over ATM PVCs are configured. With a high number of PVCs configured, and if all PVCs are attemtped to be removed at once with the "rage" command, the ESP board may get into an error state that prevents additional config (such as bringing up new PVCs or sessions) from being accepted.
Workaround: None. However if problem manifests, a reload of the ESP is required to bring the system back to its normal state.
•CSCtc90996
While under load for extended periods of time, a condition may ocurr that causes a large amount of stale call legs to exhibit on the ASR1000 Router Series. These stale call legs can consume enough memory on the platform to cause a crash due to memory outage. It has been observed with 2000 active calls at 20 CPS for an extended period of time.
Workaround: To avoid a runaway condition, the use of the command max-conn on the dial-peers of the platform is capable of holding back the amount of stale call legs. While the condition occurs that triggers the event, max-conn has the side effect of not permitting calls to be established over this dial-peer. Eventually it will clear and calls may continue.
•CSCtc95709
During ISSU upgrade on the ASR 1000 Router Series, there may be two symptoms:
1. Error message DATACORRUPTION-1-DATAINCONSISTENCY or DATACORRUPTION DATAINCONSISTENCY printed out
2. Standby may crash and reload
This problem may occur, during ISSU upgrade, while RP's are configured for slots between LC's. When RP's are in slots below all LC's, or slots above all LC's, the problem should not occur.
Workaround: Is to physically move RP's to the lowest slot numbers, below the LC's slot numbers. Moving RP's one by one should allow for continued serviceability.
•CSCtc99048
When VLAN-VLAN Pseudowires (PWs) redundancy is configured, when the RP switchover happens on pseudowires (PWs) from primary to backup, and the RP is switched back to primary this may not be allowed for some of the pseudowires (PWs) to forward traffic properly.
Workaround: Is to do a clear xconnect all will re-provision xconnect on all PWs, and after that all pseudowires (PWs) can forward traffic properly.
•CSCtd11492
Policy on some of the tunnels may continue to stay in a suspended state for typically 4 to 5 minutes on the ASR 1000 Router Series.
This may occur when tunnels are configured, after executing shut/no shut command on the ASR 1000 Router.
Workaround: None
•CSCtd14559
L2TP-3-ILLEGAL tracebacks and PPPoX session mismatch between active and standby rps.
This error condition is noticed, when rp switchover takes place during the time frame pppox sessions are coming up. In a rare condition, session mismatch was noticed when pppox sessions were coming up for the first time with no other events taking place.
Workaround: No workaround
•CSCtd24611
When Standby FP is out of memory on the ASR 1000 Router Series, the cpp_cp tracebacks and FMFP-3-OBJ_DWNLD_TO_CPP_FAILED messages may appear on the console.
This text is similar to the following that is printed on the console, the cpp-cp_Fx-0.log error message:
cpp_qos_policer_event:1766:EVENT fail to allocate a feature object 0xc (Cannot allocate memory)
This instance can happen when the following has occurred:
1. Bringup the ASR with RLS6 image
2. Initiate 32k PPPoE sessions and send traffic
3. Start a script which changes the QoS on the PPPoEoQinQ sessions through CoA
4. Start a script which flaps 4000 PPPoEoA sessions once in every 20mins. cpp_cp tracebacks and FMFP-3-OBJ_DWNLD_TO_CPP_FAILED messages are seen after sometime.
Workaround: None
•CSCtd26479
On ASR 1000 Router Series, the FP may crash with the following error message:
%IOSXE-6-PLATFORM: F0: cpp_ha: Shutting down CPP MDM while client(s) still connected
The FP crashes may happen in some instances, when switchover is pushing COA toward PPPoE and there are 1000 PPPoE ISG sessions on the router.
Workaround: None
•CSCtd26955
On the ASR 1000 Router Series ANCP sessions may drop with high event rate.
This condition may occur, when ANCP is configured on ATM (pvc-in-range), the on-demand (AutoVC) is created and enabled at the interface level (with vc-class) on the ASR 1000 Router.
Workaround: When all the on-demand (AutoVCs) in range is not created on ATM (pvc-in-range), create and enable create on-demand at vc level.
•CSCtd31447
On the ASR 1000 Router Series may crash when reloading the QoS configuration.
This has been seen when switch over is performed on the ASR 1000 under traffic load.
Workaround: None
•CSCtd32560
During Cisco ASR 1002 or Cisco ASR 1004 ISSU upgrade from IOS XE 2.3.2 to IOS XE 2.5.0, a loss of QoS functionality can occur on some and all targets.
Loss of QoS functionality has been observed right after RP upgrade and switchover while following Cisco ASR 1002 or Cisco ASR 1004 ISSU procedure. The QoS functionality does not recover on its own and only occurs on policies that are both hierarchical (at least 2-level) and contain policers. The condition can be identified by the following command:
show platform hardware qfp active interface if-name <if_name> info | include QoS
If there is no output returned from this command then there has likely been a QoS service disruption due to this problem.
Workaround: QoS functionality can be resumed on the interface by removing and re-attaching the QOS policy. Alternately, the problem can be avoided by upgrading to IOS XE 2.4.x first (including the ESP). The upgrade path would be IOS XE2.3.2 -> IOS XE 2.4.x -> IOS XE 2.5.x.
•CSCtd39409
IOSD crash on the ASR 1000-WATCHDOG: Process = L2TP mgmt daemon has been seen on the ASR 1000 Router Series.
This condition has been seen, when flapping on LNS firewall sessions over time happens on the router.
Workaround: None
•CSCtd39778
The Cisco ASR 1000 Router may reset due to IOS failure when ZBFW is configured with more than 16 match protocols and there are large an additional no match protocl statements in ZBFW class-maps.
This has been seen, when an addition of more than 16 match protocol statements in a class-map is used for inspect policymap on the ASR 1000Router.
Workaround: Is to split the class-map with more than 16 match protocol into multiple class-maps, each with 16 or less match statements.
•CSCtd47503
On ASR 1000 Router Series, the FP may reboot itself with the following traceback message:
%CPPHA-3-FAULT: F0: cpp_ha: CPP:0 desc:CPP Client process failed: FMAN-FP det:HA class:CLIENT_SW sev:FATAL id:1 cppstate:RUNNING res:UNKNOWN flags:0x0 cdmflags:0x0 %IOSXE-6-PLATFORM: F0: cpp_ha: Shutting down CPP MDM while client(s) still connected %CPPOSLIB-3-ERROR_NOTIFY: F0: cpp_cp: cpp_cp encountered an error -Traceback=
This may occur under stress conditions, when sending Change of Authorization (COA) pushes to deactivate and activate ISG services after RP switchover.
Workaround: None
•CSCtd56393
IPsec polo transactions are not complete and spd map id is missing ASR 1000 Router Series. When reconfigurating DMVPN Phase3 hierarchial topology to a single hub (DMVPN Phase )topology this polo issue has been seen.
To recover from the state, ASR 1000 Router will need to be reloaded.
In addition, after multiple spoke extremely high scaling tests [config, removal], and changing from hierarchial topology to single hub topology this same problem has been observed.
Workaround: None
•CSCtd62837
H323 to SIP configuration, when the H323 side supports two DTMF methods, the DTMF interworking may fail on the ASR 1000 Router Series.
When performing H.323 to SIP call, the H.323 side support for H245 alphanumeric userinput and tel-event, the SIP side may just support tel-event. The H.323 side may send DTMF userinput, and the SBC may drop the userinput.
The following pd log message may appear on console:
ICC has failed to find a mechanism to pass on DTMF tones in this call. The tones will not reach their destination.
This may not cause the call to fail.
Workaround: None
•CSCtd73567
The ASR 1000 Series Router may reload unexpectedly while reassembling a fragmented ip packet.
Workaround: None
•CSCtd83047
When scaling ODR to 700 routes are missing in fman rp process on a Cisco ASR 1000 Series Router.
This may occur when the ASR 1000 router is configuring a large number of ODRs.
Workaround: Is to configure no more than 700 routes.
•CSCtd89804
A Cisco ASR 1000 Router will bring up sessions very slow, when l2tp tunnel receive-window is set to 4 on LAC and LNS.
This may happen, when the receive-window value is low on LAC & LNS.
When the value is left at 4 on the (UUT) LAC and changed to 100 on the LNS, then the CPS is not slow on the router.
Workaround: Is to leave the receive-window value to 4, as expected on the LAC (UUT) change the value on the LNS to a higher number such as 100.
•CSCtd90979
When configuring hierachical QoS policy-map with precent based rate configuration, the rate calculation may be wrong, the QoS policy is applied to 10 GigabitEthernet interface on the ASR 1000 Router Series.
This has been observed, when the translation from percent to absolute value (in Kbps) might be wrong and the QoS policy is applied to 10 GigabitEthernet interface on the router.
Workaround: Is to change from using the percent rate to the absolute rate in BPS (bits per second) in parent shaper would avoid running into this issue.
•CSCte05357
The ASR 1000 Router may crash, when bringing up PPPoE sessions after segmentation faults are configured.
This has been seen, when bringing up PPPoE with AAA authorization on VRF and PPP configuration with virtual templates is configured on the router.
Workaround: None
•CSCte14955
An unexpected reload may happen on the ASR 1000 Router Series.
This has seen, when BGP VPNv4 is configured and a neighbor is flapping on the router.
Workaround: None
•CSCte19606
On the ASR 1000 Router a lot of messages may flood the console.
The following message is observed on the router console:
%INTERFACE_API-3-IFNUMTOIDBERROR: Error occurred while using the ifnum to idb table for interface Virtual-Access5562, if number 0, during Element Insertion %COMMON_FIB-2-IF_NUMBER_ILLEGAL: Attempt to create CEF interface for Virtual-Access5562 with illegal if_number: 0 %IDBINDEX_SYNC-3-IDBINDEX_ASSIGN: Failed to assign an index to IDB type 21, for interface "" (rc=11) -Process= "VTEMPLATE Background Mgr", ipl= 0, pid= 111
This may occur under stress conditions, when sending Change of Authorization (COA) pushes to deactivate and activate ISG services with ocasional RP switchover.
Workaround: None
•CSCte19641
On the ASR 1000 Router Series, the CCP Driver Lockdown crash may happen.
The following console message has been observed:
%CPPDRV-3-LOCKDOWN: F0: cpp_cp: CPP10(0) CPP Driver LOCKDOWN due to fatal error.
This may occur, when stressing the system and activating ISG services with ocasional High Availability (HA) switchover.
Workaround: None
•CSCte33491
The sessions may fail to established on LNS with per-subscriber firewall when configured with zone membership on the ASR 1000 Router Series.
This may occur when LNS is configured with virtual templates that contain zone membership and uRPF configurations. RADIUS config includes virtual-framentation re-assembly (VFR) and alternate zone membership. In addition, the subscribers may have the RADIUS-directed changes applied to the virtual access interface on the router.
Workaround: Potential work-around is to remove VFR from RADIUS config, since it is automatically configured with firewall.
•CSCte58825
The ASR 1000 Series Router running release Version 12.2(33)XNE may crash upon snmpwalk from enterprise mib oid 1.3.6.1.4.1.
The conditions are that the ASR 1000 Series Router is running release Version 12.2(33)XNE (that is, Cisco IOS XE Release 2.5.0).
Workaround: Configure the SNMP view to exclude ipSecPolMap as follows:
snmp-server view <view name> iso included
snmp-server view <view name> ipSecPolMapTable excluded
snmp-server community <community string> view <view name> RO
Resolved Caveats—Cisco IOS XE Release 2.5.1
All the caveats listed in this section are resolved in Cisco IOS XE Release 2.5.1
•CSCin99554
The ASR 1000 Router may hang, when stopping a core dump in progress by pressing the CTRL SHIFT 6 keys.
This symptom has been observed, only when RCP is used for a core dump.
Workaround: Do not use RCP for a core dump.
•CSCsc98813
When using a route-map to set the metric for redistributed static routes, initially the RIP table looks correct on on the ASR 1000 Router. In addition, after sending the second update this changes the hop count for other routes in the RIP table that have not been redistributed on the router.
Workaround: Instead of using a route-map, use the metric command on the redistribution line, however this will not allow for any filtering.
•CSCsq42904
On the ASR 1000 Router Series, when there are 1000 characters on the console, if there are more to display, the display is truncated.
The problem happens when you have a large number of interfaces and the output of "show zone security" is larger than 1000 characters.
Workaround: The workaround is to show all interfaces and get the zone membership from the interface.
Further Problem Description: The root cause of the problem is that the display buffer for this command is limited with 1000 characters.
•CSCsr40074
On the ASR 1000 Router Series the output of show ip virtual-reassembly command does not obey terminal length settings and can continue on.
This will only happen, when there are alot of virtual access interfaces configured on the router.
For example, in the following sequence in per-subscriber firewall, when there are hundreds or thousands of virtual access interfaces, the output can render the console useless.
Workaround: There is no workaround.
•CSCsx10028
A core dump may fail to write or write very slowly (less than 10KB per second).
The symptom has been observed, when the cause of the crash has occurred, after the memory corruption has happened on the ASR 1000 Router.
This may occur, when the memory pool has corrupted and the memory cannot be used to write to the core dump. This issue will most likely cause the router to fail. (IO memory corruption crashes should not have this problem.)
Workaround: There is no workaround.
Further Problem Description: When increasing the default size for the exception memory region to 256K to make sure it has enough memory to handle writing core dumps. This means that it is no longer be necessary to adjust the default size for the exception memory region as per the core dump instructions on CCO.
•CSCsx59262
OSPF Neighbors on the ASR 1000 Router may bounce after changing the config-register.
This condition may occur, after OSPF interfaces and are configured with fast hellos. In addition, when OSPF neighbors is configurated and the value 'config-register' is changed this may cause the router to bounce.
Workaround: Is to use Bi-directional Forwarding (BFD).
•CSCsx83443
Iskmp debug messages from all peers are shown in the term monitor enable tty and vty's
even though debug crypto condition peer ipv4 x.x.x.x is set. This is seen on the ASR 1000 Router Series when using peer ip based debug condition. In addition, when using peer ip based debug condition on the router.
Workaround: None
Further Problem Description: Only a subset of the messages are shown.
•CSCsy45371
The clear ip nat tr * command removes corresponding static NAT entries from the running configuration, but removing static NAT running configuration does not remove the corresponding NAT cache.
This may occur, when NAT commands are entered while router is processing around 1 Mb/s NAT traffic.
Workaround: Is to stop the network traffic while configuring NAT.
•CSCsz56462
Configuring cdp run does not bring up cdp on the interfaces.
This may only happens, when the default behaviour of a platform is to have CDP disabled.
Workaround: Is to configure cdp enable on required interfaces.
•CSCsz59469
On the ASR 1000 Router Series, when the software version of the Active and Standby RP do not match, the Standby RP can reload indefinitely.
This may occur, when different versions of software are on the Active and Standby RP.
Workaround: Is to load compatible versions of software on the Active and Standby RP.
•CSCsz66060
When saving the half duplex vrf configuration and after rebooting the ASR 1000 Router, the half duplex vrf configuration does not apply to the router, anymore.
This problem only happens, after half duplex vrf has been configured and when the ASR 1000 Router has been rebooted.
Workaround: Is to re-enter the half duplex vrf configuration again.
•CSCsz66060
When saving the half duplex vrf configuration and after rebooting the ASR 1000 Router, the half duplex vrf configuration does not apply to the router, anymore.
This problem only happens, after half duplex vrf has been configured and when the ASR 1000 Router has been rebooted.
Workaround: Is to re-enter the half duplex vrf configuration again.
•CSCta73008
Authenticate-req packets recieved out of phase is getting processed and reply has sent on the ASR 1000 Router Series.
This may occur, when the PPPoE session is UP after the Authenticate-Req with wrong ID/username has injected, while getting processed by the other end and a reply has been sent. This will cause a bit CPU usage and Non-RFC compliance.
Workaround: None
•CSCtb13421
The GM may not register on a Cisco ASR 1000 Router Series.
This symptom has been observed, when a crypto map with local-address is configured and applied on multiple interfaces, after one of these interfaces are then shut.
Workaround: Is to disable local-address for the crypto map.
•CSCtb18426
The multicast error messages and tracebacks can sometimes be observed when configuring/unconfiguring multicast on an interface using commands with this format [no]ip pim on a Cisco ASR 1000 Router Series.
Usually most multicast configuration have been removed when leaving the last interface still configured on the router. When unconfiguring multicast on the last interface followed by reconfiguring multicast on an interface may result in the multicast error messages being generated. The problem is most likely to occur, when making the configuration changes to virtual interfaces e.g Loopback and Tunnel.
Workaround: A workaround would be to introduce a time delay between completely unconfiguring multicast and reconfiguring it.
Further Problem Description: The problem is a consequence of disabling and quickly re-enabling multicast as a result of interface configuration changes. The multicast processes take a finite time to stop and start and can sometimes experience a condition when clean-up of internal data structures is performed under usual conditions. In this case the error messages are generated and full recovery is achieved. There is no known functional or performance impact.
•CSCtb37492
PIM assert does not occur on a upstream router on which the source address is NATed.
NATed and a downstream router constantly exchange assert/prune message due to the fact that the "source-field" of assert-msg is not subject to NAT in the NATed router.
This occurs when more than one link exists between the two routers.
Workaround: None
•CSCtb40999
AutoVC behavior is different in standby after SSO on the ASR 1000 Router Series has been configured.
This has been seen, when AutoVC is configured in a range, and a pvc-in-range is configured for no autovc. In addition, after doing SSO, the VC is in IN state.
AutoVC should not be displayed in "show atm vc" if it is configured in range.
Workaround: None
•CSCtb74547
The ASR 1000 Router Series DMVPN HUB reloads when processing IPSEC key engine.
This conditions happens when dual DMVPN with shared tunnel protection feature is enabled.
Workaround: None
•CSCtb86811
On the ASR 1000 Router Series the following error message may state:
"%MFI_LABEL_BROKER-3-MULTIPLE_BIND"
within Standby mode, after initiating the configure replace command.
This may occur, when there are large vrf scalability configurations, after static routes are in use in conjunction with encapsulation ppp and mpls label mode all-vrfs protocol all-afs per-vrf.
Workaround: There is no workaround for this specific command sequence and configuration.
•CSCtc03750
SSO switchover may fail, when secondary reloads continuously happens on the ASR 1000 Router Series.
This has been seen, when L2VPN and L3VPN with Traffic engineering is configured and SSO has been issued SSO on the router.
•CSCtc12334
The ASR 1000 Router Series may fail when initiating "clear ip bgp " command.
This command deletes all bgp neighbor relationships and clears bgp RIB.
This can occur when the following has been configured:
1. Need to have MDT configured on the router
2. Need to issue "clear ip bgp " command
Workaround: None
Further Problem Description: clear ip bgp * is not a command to be used by any operator in a production network the impact is wide and huge.
•CSCtc21191
MSDP SA messages are not being forwarding to peers when MSDP is up after traffic starts on a Cisco ASR 1000 Router.
Workaround: Is to start MSDP before traffic starts on the router.
•CSCtc24325
On a Cisco ASR 1000 Router the protocol ppp dialer is getting nv-gened, when dial-pool number is configured on the interface. This command is currently not there in vc-class mode. As a result of this line by line sync to standby fails and standby resets.
The problem has been seen, when dial pool number is configured on the router.
Workaround: None
•CSCtc39018
On a Cisco ASR 1000 Router the show hw-module subslot X/Y transceiver Z command shows incorrect voltage.
Workaround: No known workaround.
•CSCtc40677
When the distribute list is applied to the virtual template the distribute-list applied to the virtual-template interface is not effective for the virtual-access interfaces spawned by that template.For example, when the ASR 1000 router (hub) is configured as:
router eigrp 1
redistribute static metric 10000 100 255 1 1500
network 10.0.0.0
no auto-summary
distribute-list prefix TEST out Virtual-Template1!
ip route 0.0.0.0 0.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0!
ip prefix-list TEST seq 10 permit 0.0.0.0/0
ip prefix-list TEST seq 20 permit 10.0.0.0/8
For example:on the branch site when connected to a Virtual-accessinterface will show as:
ranch#sh ip route eigrp
Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, *15:56:44.397 BRU Wed Oct 7 2009
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
D 10.0.0.0/8 [90/46251776] via 10.12.0.2, 00:00:06, Dialer1
D 10.1.1.0/24 [90/46228736] via 10.12.0.2, 00:00:06,Dialer1
D 10.2.2.0/24 [90/46354176] via 10.12.0.2, 00:00:06, Dialer1
D*EX 0.0.0.0/0 [170/46251776] via 10.12.0.2, 00:00:06, Dialer1
For example: note that there is no filtering applied.
In rare conditions this error may have occurred on the ASR 1000 router (hub) running 12.2(33)XND1 or later releases.
Workaround: Is to configure the distribute-list for the specific virtual-access interface used for the connections on the hub.
•CSCtc43110
Under H.323 call scenarios, outgoing H.323 signaling packets (TCP) are marked with a non-zero DSCP value, even though no QoS is configured for H.323 calls. This happens under all H.323->H.323 and SIP->H.323 scenarios when SBC creates a downstream H.323 calls.
Workaround: There is no workaround with SBC configuration. QoS can be re-marked when MQC policy is placed on the outbound physical interfaces of the ASR 1000 Series Router.
Workaround: None
•CSCtc65431
VPN routes are not added after deleting and then reconfiguring VRF on a Cisco ASR 1000 Router.
This may occur, when vrf is deleted and added back onto the router.
Workaround: Is to do clear ip bgp * or clear ip bgp x.x.x.x.
•CSCtc69100
PCD shows incorrect 'memory requested' output when activated on a Cisco ASR 1000 Router.
This may occur, when PCD is configured with the following buffer-size and num-buffer:
! base configuration
per-call buffer-size debug 1000
per-call export primary harddisk: secondary harddisk:
per-call trigger sip-message 487
!
asr10-rp2(config)#per-call num-buffer 3000
asr10-rp2(config)#per-call active deb
70 percent of the largest available memory block on the router =
2061936265 bytes
Total PCD memory requested by user = 18446744072414584320 bytes
Not enough memory available on the router.
asr10-rp2(config)#per-call shut
Workaround: None
•CSCtc69991
When the Cisco ASR 1000 Router is configured as DMVPN spoke may throw tracebacks.
This may happen, when ODR is configured as the overlay routing protocol and shut/no shut is done on the tunnel interface.
Workaround: Is to use EIGRP as the overlay routing protocol.
•CSCtc76353
Multilink fails to come up after SSO/PPP Bad Bind messages have been seen when enabling debug PPP negotiation on the ASR 1000 Router Series.
This problem has been observed, when MLP is configured between two boxes, and only the PEER is configured for MCMLP.
Workaround: Is to configure both boxes for MCMLP.
•CSCtc78938
After configuring 6RU Superpackage for ISSU, when loading an image in 2.5.0 Release to the Router1-RP1 and the image in 2.5.0 Release to the Router2-RP1 for a PE router, some ATMoMPLS Pseudowires fail to download to FMAN-FP and QFP. This configuration may cause all traffic sent through these pseudowires to drop.
In the failed state, the router has the following symptoms:
1. the following command shows packets dropped in the Disabled row:
1k-60-2#sh pl ha qfp act stat drop clea | ex _0_
----------------------------------------------------------------
Global Drop Stats Packets Octets
----------------------------------------------------------------
Disabled 48770 3627820
2. the following command shows some ATM interfaces have packet drop:
1k-60-2#sh platform ha q act int all stat dr su cl
----------------------------------------------------------------
Drop Stats Summary:
note: 1) these drop stats are only updated when PAL
reads the interface stats.
Interface Rx Pkts Tx Pkts
---------------------------------------------------------------------------
ATM0/1/0.378 1518 0
ATM0/1/0.422 1518 0
ATM0/1/0.1129 824 0
3. the following command shows that no xconnect configure on the affected ATM interface in qfp side:
1k-60-2#show plat hard qfp act feat xcon cl int ATM0/1/0.1129
% Error: Unable to get xconnect config interface=ATM0/1/0.1129
4. sh platform software atom fp active xconnect shows fewer entries than sh platform software atom rp active xconnect.
1k-60-2#sh platform software atom fp active xconnect
ATOM/Local Cross-connect table, Number of entries: 7712
1k-60-2#sh platform software atom rp active xconnect
Number of xconnect entries: 7736
The root cause of the issue is when ATM PVC is downloaded to FMAN on the PE router. In addition when XConnect has been downloaded due to the long delay in setting up ATM PVC in IOSD shim layer. The problem only happens with ATMoMPLS, and only when ATM PVC is being set up with XConnect being pre-configured on it. An example scenario is ISSU.
Workaround: There are a couple of workarounds for this issue.
1. When the problem happens, remove xconnect and then add back xconnect on these affected ATM interfaces. You can find out such interfaces with sh platform ha q act int all stat dr su cl when traffic is on. Another way is to find the affected interfaces is to run show plat hard cpp act feat xcon cl int INTERFACE_NAME. If it has the following sample output while it has xconnect configured in IOS, then it is affected:
1k-60-2#show plat hard cpp act feat xcon cl int ATM0/1/0.1129
% Error: Unable to get xconnect config interface=ATM0/1/0.1129
2. When the problem happens, run clear xconnect all, which will re-provision xconnect. This command may take several miniutes to fully re-provision xconnect on all configured interfaces.
3. To remove xconnect configure before ISSU, and then add it back after ISSU completes.
•CSCtc80502
On the Cisco ASR 1000 Router the following traceback message has been seen:
FRR_OCE-3-GENERAL: un-matched frr_cutover_cnt message seen with tracebacks
This has been observed during ISSU upgrade from 2.4.2 up to 2.5.0 releases.
Workaround: There is no workaround.
•CSCtc81949
Service policy application on the standby LNS fails, while its successful on the active.
If static ip route is configured on the LAC to the l2tp tunnel interface on the LNS, the FIB next hop does not get configured on the standby LNS and hence QOS application fails.
Workaround: To do a LAC reload to resolve this problem.
•CSCtc85586
L2TP High Availability (HA) functionality does not work and the standbyRP does not see L2TP sessions.
This happens when the active RP does not have any VPDN/L2TP configuration before the standby RP is brought up.
Workaround: The workaround is to restart the standby RP.
Further Problem Description: This problem can be avoided by configuring "vpdn enable" on the active RP before bringing up the standby RP.
•CSCtc88760
CPU hog and trace back when using sh ip bgp vpnv4 x.x.x.x/y on the Cisco ASR 1000 Router.
Workaround: None
•CSCtc91594
High CPU utilization Session churn may happen on the ASR 1000 Router Series.
Workaround: The following global configuration has helped in reducing the CPU:
no parser command serializer
ip routing protocol purge interface
Further Problem Description: CPU will remain high under normal conditions given a constant churn rate of approx 24cps coming up and down.
•CSCtc95423
Router crashes when quickly unconfiguring and reconfiguring crypto maps on a Cisco ASR 1000 Router.
This may only occur, when crypto is turned on while SAs are still being deleted in the background and duplicate SAs may be created, which may cause the router to crash.
Workaround: Before re-applying crypto maps, wait until all SAs on the router are deleted before turning crypto back on.
•CSCtc96161
DMVPN is working fine for a ~week and then one of spokes appears to be no longer able to pass traffic to other spokes. IPSEC tunnel between the spokes can be established at IOS level, but cannot be programmed into hardware and traffic is not getting through.
This problem is only seen when there are more spoke to spoke dynamic tunnels and the dynamic tunnels are flapping frequently for a long period of time.
Workaround: Reduce the frequency of dynamic tunnel flapping by increasing NHRP hold down timer to avoid tearing down dynamic tunnels too often. This can reduce the chance of hitting the problem. But when the problem happens, the affected spoke has to be reloaded.
•CSCtc97134
GetVPN Fail-Close feature does not work with vrf-lite configuration on the ASR 1000 Router Series.
This may occur, when Fail-Close map has been configured on vrf.
Workaround: None
•CSCtc97794
The ASR 1000 Router Series may crash, while removing encap pppoeoqinq sub interface under traffic.
This may occur, when removing encap pppoeoqing sub interface with traffic loaded. This condition may Could happen randomly.
Workaround: None
•CSCtd00479
When ISIS is configured for NSF IETF, if the restarting router is a DIS on the LAN, then after switchover, the ISIS database and topology could be incorrect. This resulted in incorrect routing table.
This can occur, when ISIS is configure for NSF IETF and switchover happens.
Workaround: Is to use NSF CISCO is possible, or disable NSF.
•CSCtd05318
Watchdog exception crash on "MRIB Transaction"may be observed on a new active RP when RP switchover is initiated.
This may occur, when RP switchover is triggered under a scaled scenario in the router config with approximately 1K EBGP peers with 500 K Unicast routes and f300 mVRF's with 1K Multicast routes.
Workaround: None
•CSCtd08733
On the ASR 1000 Router, when show hw-module subslot <x/y> entity returns card-status as partial for 12in1 SPA interface.
This has been observed when ENTITY-MIB does not have entries for 4XT SERIAL SPA4XT-SERIAL SPA for the main module.
Workaround: No workaround.
Further Problem Description: No impact on functionality. The following condition may only occur:
1. When show hw-module subslot <x/y> entity returns card-status as partial.
2. ENTITY-MIB does not have entries for 4XT SERIAL SPA except main module entity.
•CSCtd16888
Sessions may hang indefinitely, until the Cisco ASR 1000 Router is rebooted.
Workaround: None
•CSCtd19446
The ip vrf forwarding command may be disallowed in template mode on the ASR 1000 Router Series.
Workaround: Is to configure the command without template mode, when possible.
•CSCtd23529
A LNS doing L2TP HA could reload at l2tp_l2x_session_get_acct/micro_block_get when L2TP sessions are being brought up and a RP switchover is done.
When RP switchover is being done on LNS while L2TP sessions are being brought up.
The following error message traceback may be oberved just before the reload:
%L2TUN-3-ILLEGAL: Error inserting session_socket_db entry, socket_hdl=...
When a control packet for the session comes in during a very small time window just after this traceback, the router may reload. Since this time window is very small, generally this crash will not be observed after the above traceback.
Workaround: None.
•CSCtd31638
When radius-server attribute 31 append-circuit-id is configured for PPPoE, PPPoEQinQ, PPPoEvlan interfaces, nas-port-id should also be appended along with circuit-id.
This will occur only, when radius-server 31 attribute append-circuit-id is configured.
Workaround: None.
•CSCtd32406
The vtemplate interface associated distribute list does not work.
This may happen, when configuring distribute-list with a vtemplate interface under the router configuration sub mode.
Workaround: None.
•CSCtd33642
Flow/Service Accounting records are missing if "delay-star" is configured on a Cisco ASR 1000 Router.
This may occur, when "aaa delay-start" is configured on the router.
Workaround: Removing delay-start will result in accounting records generating.
•CSCtd34011
When a dialer interface configured for PIM goes down, the following message can be seen in the logs every minute:
%PIM-5-NBRCHG: neighbor 0.0.0.0 UP on interface Dialer1
Those 0.0.0.0 neighbors will also appear under show ip pim neighbor command and will not expire.
This problem is observed when using a dialer interface configured with PIM.
Workaround: Is to performing a shutdown and then no shutdown on the dialer interface clears the 0.0.0.0 neighbor entries.
•CSCtd35091
The input queue on ISG's access interface gets filled up increasingly causing the interface to wedge. When l2 connected IP session for a client exists on the ISG and traffic from that client comes in with a different IP address than the one used to identify the session, this traffic is dropped and interface wedging is observed.
Workaround: There is no workaround. A reload of the box is required.
•CSCtd40245
The Cisco ASR 1000 Router may crash with a traceback pointing to `ess_stats_poll_message_create'.
When FP goes down for any reason, and at the same time PPPoE session goes down or ISG service log off happens, the RP will also crash, after "subscriber accounting accuracy" is configured. This problem is only applicable to release 2.5.0.
Workaround: Is to remove "subscriber accounting accuracy" configuration.
•CSCtd42366
Sum of total packet/bytes counts with multiple services logon/logoff may exceed total packages/bytes count of the session. This issue can be seen, when Non-TC service A and Non-TC service B are applied alternatively on a PPPoX session during a session life time. Packets count for service A plus packets count for service B would exceed total packets count for PPPoX session.
With continuous traffic sending to a PPPoX session, Non-TC service A is removed immediately followed by another Non-TC service B (essentially it is the same accounting criteria as service A) or within 10 seconds. Then the session is brought within 10 seconds.
Workaround: Is to apply Service B after 10 seconds then do a Service A removal. Another way to avoid this problem is to install default iedge session accounting. Adding services on top of iedge accounting would not see this issue.
Sum of total packet/bytes counts with multiple services logon/logoff may exceed total packages/bytes count of the session. This issue can be seen when Non-TC service A and Non-TC service B are applied alternatively on a PPPoX session during a session life time. Packets count for service A plus packets count for service B would exceed total packets count for PPPoX session.
With contiguous traffic sending to a PPPoX session, Non-TC service A is removed immediately followed by another Non-TC service B (essentially it is the same accounting criteria as service A) or within 10 seconds. Then the session is brought within 10 seconds.
Workaround: Service B is applied after 10 seconds of Service A removal. Another way to avoid this problem is to install default iedge session accounting. Adding services on top of iedge accounting would not see this issue.
•CSCtd43841
Two framed-ipv6-prefix are present in accounting stop when following CLI's are enabled:
aaa accounting include authprofile framed-ip-address
aaa accounting include authprofile framed-ipv6-prefix
aaa accounting include authprofile delegated-ipv6-prefix
The above CLIs are needed when all the following 3 conditions are met:
1. Dual Stack Server and
2. "aaa accounting delay-start"is configured and
3. either ipv4 or ipv6 negotiation fails.
These CLIs are needed to include the IPv4 and IPv6 attributes in the accounting record sent. Only in such scenario, framed-ipv6-prefix may be present twice in accounting records.
Workaround: On dual stack server with "aaa accounting delay-start", need to ensure that both IPv4 and IPv6 negotiation are successful for the accounting records to be sent. In such case, there is no need to include above mentioned CLI's (in symptom).
•CSCtd47813
Traffic loss may be seen after rekey between the Cisco ASR 1000 Router Series acting as GMs when modifying KS ACL. This may only occur, when a more specific permit statement has been added. In addition, when permit ip any any has been applied this will result in traffic loss when rekeying the router.
Workaround: Is to keep permit ip any as the last acl in the KS ACL set.
•CSCtd48203
On a Cisco ASR 1000 Router, after the last cache engine in a WCCP service group goes away, packets start getting dropped instead of being forwarded to original destination.
This problem occurs when the last cache engine present in a WCCP service group becomes unavailable.
Workaround: To overcome this problem, remove the global service group definition of the service group whose all CEs have become unavailable by using the following CLI conf t:
conf t
no ip wccp <web-cache | service-group-id>
(or)
Remove the redirect in config from the interfaces on which the service group is attached, like
conf t
int <interface name>
no ip wccp <web-cache | service-group-id> redirect in
•CSCtd50125
GetVPN on the Cisco ASR 1000 GM fails to download the TEK information in the hardware [ debug crypto ipsec output below] *Nov 27 02:20:38.323: IPSEC(download associate flow):
flow_info: in_flow_id: 2400005F, out_flow_id 24000060
out_flow_enable: 0
acl_line_num 1
sadb_root_local_add: 172.16.0.1
local_proxy: , remote_proxy:
in_spi: 35EB57B0, out_sp
*Nov 27 02:20:43.341: IPSEC(crypto_ipsec_create_transform_sas): Failed to attach flowid to hw
*Nov 27 02:20:43.342: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.16.0.1, sa_proto= 50,
sa_spi= 0xD2A8F435(3534287925),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2093 sa_lifetime(k/sec)= (0/115),
(identity) local= 172.16.0.1, remote= 0.0.0.0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Nov 27 02:20:43.342: IPSEC(update_current_outbound_sa): updated peer 0.0.0.0 current outbound sa to SPI 3751CFC3
*Nov 27 02:20:43.342: IPSEC(delete_sa): deleting SA,
This condition has been observer, when IPv6 configured on the crypto map local address,
Workaround: Is to disable IPv6 and reload the box.
•CSCtd54611
The system console may not response on the ASR 1000 Router Series.
This symptom has been observed on a Cisco ASR 1000 Router Series, when the router functions as an IP Security (IPSec) termination and aggregration router. In addition, when a self-signed cerificate is configured during Forwarding Processor (FP) is out of service on the router.
Workaround: There is no workaround. The console will be back to service when FP is active, or when the request gets timeout (around 480 seconds).
•CSCtd55219
Potential traffic loss on NSF switchover on a Cisco ASR 1000 Router.
The following debug has been observed:
00:11:31: BGP(base): waited 0s for the first peer to establish
You should instead see:
00:03:54: BGP(base): will wait 60s for the first peer to establish
^^^^^^^^^^^^^
Workaround: None.
•CSCtd90265
IP Security (IPSec) functionality stops working. Route Processor (RP) CPU rate can be high.
This symptom is observed on a Cisco ASR1000 series router when functions as an IP Security (IPSec) termination and aggregration router, and when super package In-Service Software Upgrade (ISSU) was performed with IPSec traffic running.
Workaround: There is no workaround.
•CSCte18684
PPPoE sessions are likely torn down, when user profile contains "lcp:interface-config".
This may occur due to pending state returns from virtual-template cloning, when multiple aaa attributes are parsed from lcp:interface-config user profile.
Workaround: There is no work around when this configuration is applied on a PPPoE Session.
•CSCte29294
On the Cisco ASR 1000 Router the ESP may crash, when doing High Availibility (HA) switchover during LNS tests.
This has been seen, when LNS has been configured with traffic.
Workaround: There is no workaround.
Open Caveats—Cisco IOS XE Release 2.5.0
This section documents possible unexpected behavior by Cisco IOS XE Release 2.5.0
•CSCsu03501
BRR across Vlans works fine on the ASR 1000 Router Series. However, BRR error across class queues sharing same logical interface is in the range 8-10%. This can cause throughput drop to a Class Queue, only when total traffic to interface is above line rate
Note•This is not interface throughput drop. Total interface throughput is normal). This error in CQ brr is within limits for most cases (1PQ/4CQ, 2PQ/4CQ and 2PQ/6CQ). Error in CQ brr for 12CQ and 2PQ is noticeable when total traffic on the interface is above line rate.
Workaround: None
•CSCsw44668
Conditional debugs is not complete on the ASR 1000 Router Series. This condition is more likely to happen when debug is enabled on the tunnel, issuing shut and then no shut.
Workaround: None
•CSCsx59262
The OSPF neighbors on ASR 1000 Router Series bounce after changing the config-register. When OSPF interfaces are configured with fast hellos, the OSPF neighbors on ASR 1000 Router Series bounces, when value 'config-register' is changed.
Workaround: Is to use BFD.
•CSCsx83443
Iskmp debug messages from all peers are shown in the term monitor enable tty and vty's
even though debug crypto condition peer ipv4 x.x.x.x is set. This is seen on the ASR 1000 Router Series when using peer ip based debug condition,
Workaround: None
•CSCsz16142
When ACL sequence is configured on the ASR 1000 Router Series the RP SWO will not change.
Workaround. None
•CSCsz24691
Traffic forward rate is incorrect after changing to "match none" for class multiple criteria. When the ASR 1000 Router Series is configured as the following:
class-map multiple_criteria
no match ip precedence 2
no match ip dscp 16
no match access-group name multiple_criteria_acl
no match protocol ip
no match not protocol gre
Workaround: Is to remove all filters.
•CSCsz53438
On the Cisco Systems ASR1000 Router Series, if IP header compression is configured on the ASR 1000, but not on the corresponding router, an unexpected reload of the embedded systems processor may occur.
This condition occurrs when IPHC is configured on the AR1000 Router Series, but not on the router to which it is directly connected to.
Workaround: Is to enable IPHC on both routers.
•CSCsz66060
When saving half duplex vrf configuration then rebooting the router, the half duplex vrf configuration does not apply to the ASR1000 Router Series. This is a rare condition that only happens when the router has been rebooted, after saving half duplex vrf configuration.
Workaround: Is to re-enter the half duplex vrf configuration again.
•CSCta17502
If shared IPSec profile has been applied on a tunnel interface, then the tunnel source cannot be modified without removing tunnel protection from the interface.
The basic condition being enforced is that if there are two tunnels sharing the same ipsec shared profile, then their tunnel sources must be the same.
Workaround: None
•CSCta65347
CME is changing the media direction attribute as "INACTIVE"instead of "RECVONLY"on the ASR1000 Router Series.
Only in this instance the resume fails, when CCM/CME scenario's from h323 legcalls are used and there is no media on the ASR 1000 Router.
Workaround: None
•CSCta76312
On the ASR 1000 Router Series the console gets stuck.
This condition only happens when using the following:
–downloading a huge config,
–after unconfiguring the config
–then doing a config replace.
Workaround: None
•CSCtb07144
When issuing a shut command an interface that is configured with vlan that has IGMP joined can take about a minute on the ASR1000 Router Series. In this condition the console hangs after issuing the shut command, and the traffic does not stop right away after shutting the interface on the router.
Workaround: None
•CSCtb13789
Tracebacks are seen while initiating config and unconfig when dmvpn tunnel is configured on the ASR 1000 Router Series. This condition will happen when using config and unconfig when dmvpn tunnel is configured.
Workaround: None
•CSCtb24959
The ASR 1000 Router Series may fail while clearing large number of rp mappings. This instance can happen when the following has occurred:
–the router has been configured for rp agent and candidate
–there are a large number of rp's
–initiating the clear ip pim rp-map command
Workaround: Is not to apply the clear ip pim rp-map command one after the other.
•CSCtb32892
Traceback has been logged "%MFIB-3-DECAP_OCE_CREATION_FAILED: Decap OCE creation failed" may be seen on the ASR 1000 Router Series console when loading the image or adding the RP with SSO.
In this condition, the tracebacks can be seen on reloading a Provider Edge router with mVPN configuration or adding the RP with SSO on the router.
Workaround: None
•CSCtb33587
NDB state Error Tracebacks on DMVPN spoke with NHO may be found on the ASR 1000 Router Series:
%IPRT-3-NDB_STATE_ERROR: NDB state error (NO NEXT HOPS UNEXPECTED)
This may cause temporary packet drops or forwarding to less specific routes.
The problem may occur, when using RIP or EIGRP and running NHRP and NHRP has installed NHO nexthops for the RIP/EIGRP route.
Workaround: Is to wait after the holddown timer expires, the problem will be cleared.
•CSCtb70115
Bgp state in the show ip bgp vpnv4 show command in all of the summaries are in NoNeg state instead of Active and Idle state. This instance happens when the neighbor has no session in established state in any of the address-families.
Workaround: Is to configure the show ip bgp vpnv4 all nei <address> show command
•CSCtb72095
When the service policy is removed after the vlan has been re-attached, the session policy will be re-parented to the main interface but it will not re-parent back to the subinterfaces. This instance is only seen when there are vlans and sessions configured on the subinterfaces.
Workaround: There is no workaround for this. The only option is to reload the router back to it's orginally state.
•CSCtb72734
DHCP OFFER not reaching the client with unicast flag set on the ASR 1000 Router Series. This occurs only on the ASR 1000 Router Series where creation/removal of ARP entry does not maintain sequential ordering as a result packet could arrive at forwarding plane after the ARP entry has already been removed, or before ARP entry has been created.
Workaround: None
•CSCtb74547
The ASR 1000 Router Series DMVPN HUB reloads when processing IPSEC key engine.
This conditions happens when dual DMVPN with shared tunnel protection feature is enabled.
Workaround: None
•CSCtb75027
MVPN traffic has been dropped while enabling nat on the core interface using cli "ip nat outside" on the ASR 1000 Router Series. This instance occurs when mVPN and NAT features are configured together on the router.
Workaround: As of now, there is no workaround . The other option is to remove NAT on the core interface to receive the mVPN traffic.
•CSCtb80765
The sub-interface flap on the ASR 1000 Router Series may close on the port channels prior to configuring the ATM SPA. This conditon occurs when the sub-interface flap closes, when the port channels prior to configuring the ATM SPA.
Workaround: None
•CSCtb86811
On the ASR 1000 Router Series the following error message may state:
"%MFI_LABEL_BROKER-3-MULTIPLE_BIND"
within Standby mode, after initiating the configure replace command.
This may occur, when there are large vrf scalability configurations, after static routes are in use in conjunction with encapsulation ppp and mpls label mode all-vrfs protocol all-afs per-vrf.
Workaround: There is no workaround for this specific command sequence and configuration.
•CSCtb87546
Tftp server may times out sometimes or always on the ASR 1000 Router Series. This may occur when uploading or downloading files, including IOS images to tftp server.
Workaround: Is to use 2.5 pre-released images on the router in order to run the tftp operation successfully.
•CSCtb96600
All new calls dropped after RP2 switcover on ASR 1004 RP2_ESP20 router. This may occur after intiating RP2 switchover when the cli "redundancy force-switchover" happens on the router.
Workaround: None
•CSCtc12334
The ASR 1000 Router Series may fail when initiating "clear ip bgp " command.
This command deletes all bgp neighbor relationships and clears bgp RIB.
This can occur when the following has been configured:
1. Need to have MDT configured on the router
2. Need to issue clear ip bgp command
Workaround: None
•CSCtc16232
When the L2 MAC address of an Ethernet interface is changed on the ASR 1000 Router Series, the final RA is not sent to the remote endpoint.
The expected behaviour is that when the L2 MAC address is changed, on theASR 1000 Router is to send a final RA to the endpoint indicating the change.
Workaround: None
•CSCtc17366
Only 1-way media or no media is passng when call setup is establish on the ASR 1000 Router Series. This may occur when SIP trunk has been configurated or any setup using 2 IP adress pair with sport and dport equals 5060 for multiple dialogs on the router.
Workaround: There is no straight forward workaround other than to put the call on hold, then resume the call to try and recover the media.
•CSCtc19914
The Embedded Services Processor (ESP) is reloaded when configuring and unconfigure a large static RP addresses multiple times rapidly with mVRFs on the ASR 1000 Router Series.
When using the following scripts this condition has been seen:
1. Configuring large mVRF's on PE
2. Configuring large Loopbacks on PE, one for each of the VRF
3. Configuring and unconfiguring large static RP addresses multiple times rapidly.
Workaround: None
•CSCtc22109
The PPPoEoA sessions when established over ATM VP tunnel may time out on the ASR 1000 Router Series. Only in this instance, a problem can occur when PPPoEoA sessions are established over ATM VP tunnel on the router. When when PPPoEoA sessionst are established directly on ATM VC, the sessions works fine.
Workaround: None.
•CSCtc30420
CPP tracebacks are logged after configuring the ASR 1000 Series Router as an RP2 with IPSec DMVPN Spoke. Only in this condition, when unconfiguring DMVPN on the router and reconfiguring it again, CPP tracebacks are logged.
Workaround: Is to reload the router.
•CSCtc33471
CPUHOG message has been seen indicating MFIB_mrib_read as the offending process after a clear ip mroute command is issued on the ASR 1000 Router Series. This conditions happens when there arelarge scaled configurations and there are a huge number of forwarding interfaces on the same multicast forwarding entries.
Workaround: There is no known workaround.
•CSCtc33511
When sending very low policing value for the rate, less than 500 bps, from dynamic clients such as Radius, will crash the ASR 1000 Router Series. This condition may happen when a policing rate is set to lower than 500 bps on the router.
Workaround: None
•CSCtc33821
IOS may crash when configuring MPLS over Generic Routing Encapsulation (MPLSoGRE) on the ASR 1000 Router Series. Only in this condition, when MPLSoGRE is configured and one GRE tunnel interface is shutdown after the address has been removed and another GRE tunnel is added the IOS may crash on the router.
Workaround: None
•CSCtc42960
On the ASR 1000 Router Series memory leaks have been seen when using PPPoX sessions. This may occur when memory leaks have been observed with PPPoX sessions in scaled scenario's.
Workaround: None
•CSCtc43110
Under H.323 call scenarios, outgoing H.323 signaling packets (TCP) are marked with a non-zero DSCP value, even though no QoS is configured for H.323 calls. This happens under all H.323->H.323 and SIP->H.323 scenarios when SBC creates a downstream H.323 calls.
Workaround: There is no workaround with SBC configuration. QoS can be re-marked when MQC policy is placed on the outbound physical interfaces of the ASR 1000 Series Router. ASR 1000 Series Router. CSCtc44472
After SSO of the RP with 660 VRF aware NAT configuration the FP crashes on the ASR 1000 Router Series. This conditions happens when RP has VRF and NAT configured on the router.
Workaround: None
•CSCtc52358
When a previous "logging buffer" is done on the ASR 1000 Series Router as subsequent cli is on .
Workaround: Is to do another "logging buffer" the the previous one will be released.
•CSCtc54042
The ASR 1000 Router Series may crash and reload following a reboot or initial boot from a power-up.
The embedded syslog manager (ESM) needs to be configured along with an ESM script present during an initial boot or reload. Also, redundant RP/FP appears to be the scenario that has the greatest likelihood of encountering the problem.
Workaround: None
However if problem manifests, the subsequent rebooting is very likely to be successful. If stuck in a situation where crashes are repetative, momentarily pull redundant RP until system stabilizes, and re-insert redundant RP.
•CSCtc69991
When the Cisco ASR 1000 Router has been configured as a DMVPN spoke it may throw tracebacks. This can happen when ODR is configured as the Overlay Routing protocol and shut/no shut is done on the tunnel interface.
Workaround: Is to use eigrp as the overlay routing protocol.
•CSCtc70661
The ASR1000 Router Series ESP may unexpectedly reload during sequences of repeated configuration change which also cause "flapping" of large numbers of auto-vcs. This may be seen with 4k active auto-vcs when the config on the PVCs is changed from PTA to L2TP multiples times.
Workaround: None.
In addition, can be timing related and has been seen so far in cases of scripted config changes from: PTA-> L2TP. It has not been seen in cases of changing the config from PTA-> PTAor from L2TP -> L2TP
•CSCtc71004
During Change of Authorization (CoA), a message may show that an Access Control List reference
failed to download. This behaviour may be seen on ASR1000 images where a series of CoA requests rapidly cause
Traffic Classes to be applied and removed. It may be more likely to happen when there are more
Traffic Classes applied to a session.
WorkAround: None
In addtion, If this message is seen, the session will likely be torn down, and have to be brought back up on the router.
•CSCtc71338
When configuring a 10k line ACL (production-out) on the interface, the FP process crashes on the ASR 1000 Route Series.
The production-out will show as follows:
interface GigabitEthernet0/3/4
ip address 1.10.4.1 255.0.0.0
ip access-group production-out in
ip access-group production-out out
speed 100
no negotiation auto
cdp enable
service-policy output test
Workaround: None
•CSCtc72651
A crash has been seen on a new RP after SSO with AToM debugs are enabled on the ASR 1000 Router Series. When enabling AToM debugs which requests VC Accouting details from MFI during SSO the router may fail.
Workaround: None
•CSCtc73657
ASR 1000 Router Series may fail when core file points to the Range Inheritance . This condition may happen, when PVC is locked or PVC teardown Fails in CPP on the router. In addditon, when the Range has been deleted and the PVC has not been removed from the common code.
The Range's stale pointer should be cleaned up on the router.
Workaround: None
•CSCtc76353
ASR 1000 Router Series may fail when core file points to the Range Inheritance . This condition may happen, when PVC is locked or PVC teardown Fails in CPP on the router. In addditon, when the Range has been deleted and PVC will not be removed from the common code . Note: The Range's stale pointer should be cleaned up
Workaround: None
•CSCtc76598
MFIB_IPv4 sub-block not removed from virtual access interface on the ASR 1000 Router Series. The error is shown when pppoe session is established on the router.
Workaround: None
•CSCtc79444
On the ASR 1000 Router Series config bulk sync failure has been seen.
This condition may happen, when configuring" static-ipfrr ipv4-nexthop Loopback0 1.1.1.1 backup Loopback1 1.1.1.2" and removing the loopback 0 in current active, followed by doing a first switchover and a sync failure on the router. This is due to the command as being shown as active.
Workaround: Is to remove the ipfrr static route if the loopback is removed on the router.
•CSCtc80502
FRR_OCE-3-GENERAL: un-matched frr_cutover_cnt message has been seen with tracebacks on the ASR 1000 Router Series.
This has been observed during ISSU upgrades starting from release 2.4.2 and up to 2.5.
Workaround: None
•CSCtc81949
On the ASR 1000 Router Series Service policy application on the standby LNS fails, while its successful on the active. If static ip route is configured on the LAC to the l2tp tunnel interface on the LNS, the FIB next hop does not get configured on the standby LNS and hence QOS application fails.
Workaround: Is to reload the LAC resolves the problem.
CSCtc85586
L2TP HA functionaity may not work and STANDBY is not seen with L2TP sessions on the ASR 1000 Router Series. This condition may happen, when ACTIVE does not have any VPDN/L2TP configuration before
STANDBY is brought up on the router.
Workaround: Is to restart STANDBY.
Further Problem Description:
This problem can be avoided by configuring "vpdn enable" on the ACTIVE before bringing up STANDBY on the ASR 1000 Router Series.
•CSCtc86490
Error message stating "Can't install service policy with empty name" is shown on the ASR 1000 Router Series. This condition hay occur, when an invalid service policy is pushed from the DBS on to the VC, the error message is shown and the policy on the VC doesn't fall to the default on the router.
Workaround: None.
•CSCtc90996
While under load for extended periods of time, a condition may ocurr that causes a large amount of stale call legs to exhibit on the ASR 1000 Router Series. These stale call legs can consume enough memory on the platform to cause a crash due to memory outage. It has been observed with 2000 active calls at 20 CPS for an extended period of time.
Workaround: To avoid a runaway condition, the use of the command max-conn on the dial-peers of the platform is capable of holding back the amount of stale call legs. While the condition occurs that triggers the event, max-conn has the side effect of not permitting calls to be established over this dial-peer. Eventually it will clear and calls may continue.
•CSCtc96161
DMVPN is working fine for a week and then one of spokes appears to be no longer able to pass traffic to other spokes. IPSEC tunnel between thespokes can be established at IOS level, but cannot be programmed into hardware and traffic is not getting through. This problem is only seen when there are more spoke to spoke dynamic tunnels and the dynamic tunnels are flapping frequently for a long period of time.
Workaround: Is to reduce the frequency of dynamic tunnel flapping by increasing NHRP hold down timer to avoid tearing down dynamic tunnels too often. This can reduce the chance of hitting the problem. But when the problem happens, the affected spoke has to be reloaded.
•CSCtd00644
The ASR 1000 Router Series may restart ungraceful with scaled config. When there is scaled config and sessions are flapping frequently, only on rare instances the ASR 1000 Router Series may restart ungracefully. This problem may also timing related, so it may not happen with every time sessions flaps.
Workaround: None
•CSCtd05318
Watchdog exception crash on "MRIB Transaction" may be observed on a new active RP when RP switchover is initiated on ASR 1000 Series Router. This happens when a RP switchover Trigger under a scaled scenario of router config with approximately 1K EBGP peers with 500 K Unicast routes + 300 mVRF's with 1K Mcast routes.
Workaround: None
•CSCtd14048
After ISSU loads the 2.5 images, ISG PPPoE Sessions will not be established on the ASR 1000 Router Series. In this conditon there is no ISG PPPoE Session established on the router.
Workaround: None
•CSCtd17197
The serial interface with "frame-relay" encapsulation goes down and can no longer forward traffic, when "keepalive" is configured along this interface. The serial interface has both "frame-relay" encapsulation and keepalive configured.
Workaround: Configure "no keepalive" on the serial interfaces of both sides when we use "frame-relay" encapsulation on the interfaces.
•CSCtd26479
On ASR 1000 Router Series, the FP may crash with the following error message:
%IOSXE-6-PLATFORM: F0: cpp_ha: Shutting down CPP MDM while client(s) still connected
The FP crashes may happen in some instances, when switchover is pushing COA toward PPPoE and there are 1000 PPPoE ISG sessions on the router.
Workaround: None
•CSCtd32560
During Cisco ASR 1002 or Cisco ASR 1004 ISSU upgrades from 2.3.2 to 2.5, observed loss of QoS functionality. This condition happens when loss of QoS functionality has been observed right after CC/SPA upgrade, while following Cisco ASR 1002 or Cisco ASR 1004 ISSU procedure.
Workaround: Is to reverse the order of CC/SPA and FP upgrades so that FP will be running 2.5.
when CC/SPA is upgraded to 2.5.
ISSU procedure for this workaround will be:
1. Upgrade the RPAccess, RPIOS, and RPControl sub-packages in the standby bay. Once the SSO state is reached, commit the software version.
issu loadversion rp 0 file file-system:asr1000rp1-
{rpaccess,rpios,rpcontrol}*version-string*.pkg bay standby-bay force
issu commitversion
2. Force a switchover from the active IOS process to the standby IOS process.
redundancy force-switchover
3. Upgrade the RPAccess, RPIOS, and RPControl sub-packages in the standby bay (a different bay than in step 1). Once the SSO state is reached, commit the software version.
issu loadversion rp 0 file file-system:asr1000rp1-
{rpaccess,rpios,rpcontrol}*version-string*.pkg bay standby-bay force
issu commitversion
4. Upgrade the ESP Base sub-package and Commit the ESP Base software
issu loadversion rp 0 file file-system:asr1000rp1-esp*version*.pkg
force
issu commitversion
5. Upgrade the SIP and SPA sub-packages for each SIP on the router.Repeat this step for each SIP installed in your router before proceeding to the next step.
issu loadversion install rp 0 file file-system:asr1000rp1-
{sipbase,sipspa}*version*.pkg slot SIP-slot-number force
issu commitversion
6. Upgrades all sub-packages, including the RPBase sub-package, which is the last sub-package that needs to be upgraded
issu loadversion rp 0 file file-system:asr1000rp*version*.pkg
7. Verify that the sub-packages are properly installed
show version installed
8. Reload the RP. The router will continue normal operation even without a reload, so you can reload the router during scheduled maintenance or a slower traffic period.
reload
•CSCtd34284
ASR 1000 Router Series is experiencing this error message on the console:
%IOSXE-3-PLATFORM: F1: cpp_cp: QFP:00 Thread:100 TS:00000016373874688294 %QOS-3-INVALID_CLASS_QID:
When the router is receiving COA in the background after a switchover.
Workaround: None
•CSCtd34644
Hub and spoke on the ASR 1000 Router Series in DMVPN - Hub Support by QoS Class (DMVPN Phase 3) the network shows ATTN SYNC timeout and IPSEC-3-CHUNK_DESTROY_FAIL messages in steady state traffic and during dmvpn config cleanup. This is seen during scale config and configuration cleanup.
Workaround: No Workaround
•CSCtd38347
CPP can run out of memory and cause FPs to reload on the ASR 1000 Router Series. This condition can happen, when flapping LNS firewall sessions are running over time on the router.
Workaround: None
•CSCtd39409
IOSD crash on the ASR 1000-WATCHDOG: Process = L2TP mgmt daemon has been seen on the ASR 1000 Router Series.
This condition has been seen, when flapping on LNS firewall sessions over time happens on the router.
Workaround: None
•CSCtd42366
Acct_Input_Packets for non-TC service are inaccurate post CoA for short lived session on the ASR 1000 Router Series.
On the ASR 1000 Router Series where continuous traffic is being sent using an IXIA, when bringing up a PPPoX session using the dialer interface. The PPPoX session activates 2 TC and 1 non-TC service. After waiting for a few seconds, we perform a CoA-SVC_logon to a new non-TC service. This unapplies the previous non-TC service. We let the session remain up for a few more seconds, before tearing down the session. At this time, when we compare the Rx stats on the IXIA with the Acct_INput_Packets in the account records of the non-Tc services, the Acct-Input-Packets are incorrect.
Workaround: None
•CSCtd43841
Two framed-ipv6-prefix are present in accounting stop when following CLI's are enabled on the ASR 1000 Router Series:
aaa accounting include authprofile framed-ip-address
aaa accounting include authprofile framed-ipv6-prefix
aaa accounting include authprofile delegated-ipv6-prefix
The above CLIs are needed when all the following 3 conditions are met:
1. Dual Stack Server and
2. "aaa accounting delay-star" is configured and
3. either ipv4 or ipv6 negotiation fails.
These CLIs are needed to include the IPv4 & IPv6 attributes in the accounting record sent. Only in such scenario, framed-ipv6-prefix may be present twice in accounting records.
Workaround: Is to do the following:
On dual stack server with "aaa accounting delay-start", need to ensure that both IPv4 and IPv6 negotiation are successful for the accounting records to be sent. In such case, there is no need to include above mentioned CLI's (in symptom).
•CSCtd44755
The ASR 1000 Router Series with ATM SPA, following ERR message is seen on standby RP:
Nov 21 15:57:24.192: %ATM-3-FAILCREATEVC: ATM failed to create VC(VCD=1874, VPI=1, VCI=1905) on
Interface ATM0/0/0.65000, (Cause of the failure: VCD# mismatched on standby-RP -reload standby-RP)
The ASR 1000 Router Series with ATM SPA having 32k pvc-in-range VCs configured with 32k PPPOE sessions and when these sessions are brought down followed by un-configuration of all 32K VCs in below sequence:
1. Un-configure pvc-in-range.
2. Un-configure range.
3. Un-configure sub-interface.
Workaround: Is to do the following:
ATM range VC configuration can be removed by just removing the sub-interface alone which has range VC configuration instead of removing it in above mentioned sequence.
•CSCtd44966
On ASR 1000 Router Series with ATM SPA, one may see following ERR message in fman-fp_F0-0/1.log:
[aom]: (ERR): Unable to find async context for AOM
On ASR 1000 Router Series with ATM SPA, when ATM VC modify is involved and there are multiple parameters to be modified, one may see such error message in fman-fp_F0-0/1.log
Workaround: None