| |
Bug Id: | CSCuq43652 |
Title: | ppm crash while loading ACL |
|
Description: | Symptom: ppm crash while loading ACL. This issue happens when a config session verify/commit is in progress on switch A and switch B sends a config sync lock/unlock request to switch A.
Conditions: While loading ACLs to the switch, ppm crashes, resulting in a switch crash.
The running-config contains switch-profile (config sync) configuration.
Workaround: Disable config-sync
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 02-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U1(3) |
|
Known Fixed Releases: | 6.0(2)A3(3.75), 6.0(2)A3(4), 6.0(2)A4(0.890), 6.0(2)A4(1), 6.0(2)U3(3.75), 6.0(2)U3(4), 6.0(2)U4(0.890), 6.0(2)U4(1) |
|
|
| |
| |
Bug Id: | CSCus75034 |
Title: | Nexus 3500 - Flexlink Mcast Fast Convergence - no IGMP report leak |
|
Description: | Symptom: No IGMP reports are leaked over Backup Standby Port in Flexlink configuration when Mcast fast convergence is configured.
No IGMP snooping entry is created on the upstream switch for the port connecting to the Backup port on the N3500 side. This leads to high Mcast convergence when the Active port goes down and the Standby port becomes active, as the upstream switch would not be forwarding multicast traffic for the hosts connected on the N3500.
Conditions: Flexlink configuration with Mcast Fast convergence configured:
switchport backup interface <> multicast fast-convergence
The upstream switch connecting to the backup port does not receive any IGMP reports for the hosts/receivers connected across N3500 switch.
Workaround: Add a static IGMP snooping entry on the upstream switch connecting to the N3k backup port. Example if the upstream is an N5k/N3k/N7k switch:
ip igmp snooping static-group interface <#port or po connecting to backup port>
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 04-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A3(2.68), 6.0(2)A4(3) |
|
Known Fixed Releases: | 6.0(2)A6(0.65), 6.0(2)A6(1) |
|
|
| |
| |
Bug Id: | CSCuq92870 |
Title: | Nexus 3500: MAC Address table not update correctly after mac move |
|
Description: | Symptom: MAC address table not synced properly between Nexus 3500 vPC peers after vMotion.
Conditions: Issue seen in Nexus 3500 after a MAC address goes through vMotion (moving between two port-channels from the Nexus 3500 perspective).
Traffic must be flowing in such a way that both members of the vPC receive traffic, so that both vPC peers learn the MAC address via hardware new learn. After this, if the traffic flow from that MAC moves via vMotion or any other MAC move, this issue can be hit.
Workaround: Clear mac address
Further Problem Description: Mac-address gets updated on receiving a frame on local vPC port.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 04-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A3(2.68) |
|
Known Fixed Releases: | 6.0(2)A4(3.41), 6.0(2)A4(4), 6.0(2)A6(0.48), 6.0(2)A6(1), 6.0(2)U4(3.41), 6.0(2)U4(4), 6.0(2)U6(0.48), 6.0(2)U6(1) |
|
|
| |
| |
Bug Id: | CSCuq61825 |
Title: | Nexus3500: Packet received on access vPC port w/ vlan id 0 not processed |
|
Description: | Symptom: Nexus3500 does not process the packets received on an access vPC port. Happens only when a dot1q header with VLAN ID 0 is received.
Conditions: The port is an access port and part of a vPC. Issue is seen in 6.0(2)A3 releases.
Workaround: None
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 04-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A3(2.68), 6.0(2)A4(1) |
|
Known Fixed Releases: | 6.0(2)A4(5.47), 6.0(2)A4(6), 6.0(2)A6(1), 6.0(2)U4(4.47), 6.0(2)U4(5) |
|
|
| |
| |
Bug Id: | CSCus34881 |
Title: | N3k - SNMPD crash due to segmentation fault polling port_manager |
|
Description: | Symptom: NX-OS SNMPd process crashes with HAP reset.
Conditions: SNMP GET requests to IF-MIB may cause the SNMP daemon to crash due to a segmentation fault while trying to fetch the interface counters belonging to a port channel.
Workaround: Do not poll OIDs to collect interface counters belonging to a port-channel.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 06-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U4(1) |
|
Known Fixed Releases: | 6.0(2)A5(1.37), 6.0(2)A5(2), 6.0(2)A6(0.64), 6.0(2)A6(0.66), 6.0(2)A6(0.78), 6.0(2)A6(1), 6.0(2)U5(1.37), 6.0(2)U5(2), 6.0(2)U6(0.64), 6.0(2)U6(0.66) |
|
|
| |
| |
Bug Id: | CSCus34355 |
Title: | recursive-route updates not pushed to hardware in certain conditions |
|
Description: | Symptom: N3k continues to forward traffic to a failed HA box because the egress port is not updated.
Conditions: The trigger for this issue is a MAC move of a directly connected next-hop on a VLAN interface from one physical port to another physical port.
Affects only IPv4 recursive routes with single next-hop.
Workaround: clear ip arp force-delete
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 06-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U4(1.35), 6.0(2)U4(1M) |
|
Known Fixed Releases: | 6.0(2)A4(3.36), 6.0(2)A4(3.41), 6.0(2)A4(4), 6.0(2)A5(0.34), 6.0(2)A5(1), 6.0(2)A5(1.37), 6.0(2)A5(2), 6.0(2)U4(3.36), 6.0(2)U4(3.41), 6.0(2)U4(4) |
|
|
| |
| |
Bug Id: | CSCuq96923 |
Title: | Nexus 3500: Buffer Block stuck and drops all egress Multicast/Broadcast |
|
Description: | Symptom: Broadcast and multicast frames are not getting transmitted on one or more ports mapped to the affected buffer block.
Unicast traffic is not affected.
Conditions: Issue is seen in Nexus 3500 running 6.0(2)A1(1c) release.
Workaround: Reload of the switch.
Further Problem Description: Nexus 3548 Switch Architecture White Paper: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-3548-switch/white_paper_c11-715262.html
As mentioned in the above architecture white paper, the mapping of the ports to the buffer blocks is as follows:
Buffer Block #1: Ports 9-12, 21-24, 33-36, 45-48
Buffer Block #2: Ports 5-8, 17-20, 29-32, 41-44
Buffer Block #3: Ports 1-4, 13-16, 25-28, 37-40
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 07-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A1(1c) |
|
Known Fixed Releases: | 6.0(2)A1(0.100), 6.0(2)A1(1e), 6.0(2)A4(1.32), 6.0(2)A4(3), 6.0(2)U4(1.32), 6.0(2)U4(3) |
|
|
| |
| |
Bug Id: | CSCup80823 |
Title: | SVI not responding to ARP request after reload |
|
Description: | Symptom: Incomplete ARP entries can occur randomly after a Nexus 3000 switch is reloaded.
To verify this condition, check whether the following counter is incrementing:
sh ip arp statistics vlan 2000 interface-all
ARP packet statistics for interface: Vlan2000
...
Received:
 Total 24576, Requests 0, Replies 0, Requests on L2 0, Replies on L2 0
 Proxy arp 0, Local-Proxy arp 0, Tunneled 0, Fastpath 0, Snooped 0, Dropped 24576
Received packet drops details:
 Appeared on a wrong interface : 24576 <<<<<<<<<<<<<<<<<<<<<<<<< This is incrementing
You may also see syslog messages like:
%ARP-3-REQ_NON_AM: arp [3393] Sending ARP request for X.X.X.X on invalid interface VlanXXX request from pid: XXXX
Conditions: After reloading the switch.
Workaround: Try bouncing the SVI; if this does not recover it, reload the switch again.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 07-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U3(1) |
|
Known Fixed Releases: | 6.0(2)A3(3.70), 6.0(2)A3(4), 6.0(2)A4(0.817), 6.0(2)A4(1), 6.0(2)U3(3.70), 6.0(2)U3(4), 6.0(2)U4(0.817), 6.0(2)U4(1), 7.0(3)I2(0.122), 7.0(3)I2(1) |
|
|
| |
| |
Bug Id: | CSCun37604 |
Title: | install add fails when we use non-mgmt ports for ftp/tftp/scp |
|
Description: | Symptom: install add fails.
Conditions: The location is specified as ftp/scp/tftp using a non-management VRF.
Workaround: Use management vrf.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 08-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U4(1) |
|
Known Fixed Releases: | 7.0(0)BNZ(0.23), 7.1(0)D1(0.113), 7.1(0)D1(0.132), 7.1(0)FC(0.2), 7.1(0)NF(0.28), 7.1(0)PDB(0.94), 7.1(0)ZD(0.178), 7.2(1)N1(0.1), 7.2(1)N1(1), 7.9(0)ZD(0.4) |
|
|
| |
| |
Bug Id: | CSCui89328 |
Title: | Nexus 3500: All Ports Move to a Hardware Failure State |
|
Description: | Symptom: All the ports are shut down with the following error messages:
%NOHMS-2-NOHMS_DIAG_ERROR: Module 1: Runtime diag detected major event: Port failure: Ethernet /
%ETHPORT-3-IF_DOWN_HW_FAILURE: Interface Ethernet/ is down (Hardware Failure)
Conditions:
- Parity Error
- 6.0(2)A1(1a) or older
Workaround: Reload the device.
Further Problem Description: It is recommended to run 6.0(2)A1(1c) or later if you encounter this issue.
This bug changed the following:
- Only ports related to a soft parity error are moved into a failure state. This allows traffic to flow normally on unaffected ports prior to the reload.
- Provides more granular output in logs for the cause of the parity error.
Both changes are partially implemented in 6.0(2)A1(1b) and fully implemented in 6.0(2)A1(1c) and later.
All ports shutting down in 6.0(2)A1(1b) may still be a soft parity error. If a Nexus 3500 shuts down all ports in 6.0(2)A1(1c) or later, the switch should be replaced.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 11-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A1(0.99) |
|
Known Fixed Releases: | 6.0(2)A1(1c) |
|
|
| |
| |
Bug Id: | CSCup38101 |
Title: | Nexus 3548: Routed Traffic Matching CoPP Class Sent to CPU in Warp Mode |
|
Description: | Symptom: Intermittent routed traffic loss or high latency observed with traffic traversing a Nexus 3548
Conditions:
- 6.0(2)A3(x)
- Warp mode
- Layer 3 routed traffic matching a CoPP class-map
Workaround: Revert to Normal mode
Further Problem Description: Issue is not present in 6.0(2)A1(x) or 6.0(2)A4(x) and later.
Traffic affected by this issue will match a CoPP class and increment the copp-s-l3destmiss class:
Before:
N3548# sh policy-map interface control-plane
class-map copp-s-l3destmiss (match-any)
  police pps 100 , bc 0 packets
    HW Matched Packets 0
    SW Matched Packets 0
After:
N3548# sh policy-map interface control-plane
class-map copp-s-l3destmiss (match-any)
  police pps 100 , bc 0 packets
    HW Matched Packets 0
    SW Matched Packets 32
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 12-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A3(1), 6.0(2)A4(0.787) |
|
Known Fixed Releases: | 6.0(2)A4(0.791), 6.0(2)A4(1), 6.0(2)U4(0.791), 6.0(2)U4(1) |
|
|
| |
| |
Bug Id: | CSCus32535 |
Title: | n3548 stops processing traffic after upgrade to 6.0(2)A4(3) |
|
Description: | Symptom: 3548 stops processing traffic after upgrade to 6.0(2)A4(3)
Conditions: This issue is seen when ports on the switch are configured with "speed 1000" but do not have any SFP inserted.
Workaround: For ports that have no SFP plugged in, ensure the speed is set to auto. Once this change is done, a reload must be performed to recover.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 15-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A3(2.55) |
|
Known Fixed Releases: | 6.0(2)A4(3.36), 6.0(2)A4(4), 6.0(2)A6(0.13), 6.0(2)A6(0.21), 6.0(2)A6(1), 6.0(2)A6(1.108), 6.0(2)A6(2), 6.0(2)U4(3.36), 6.0(2)U4(4), 6.0(2)U6(0.108) |
|
|
| |
| |
Bug Id: | CSCuq06284 |
Title: | Nexus 3172-T interop fixes with 3rd party NIC cards |
|
Description: | Symptom: Nexus 3172-T BASE-T ports stay down upon reload or link-partner PXE boot.
Conditions: N3172-T connected to an Intel i210AT onboard NIC on a server, or to HP DL560G8 servers.
Workaround: none
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 15-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U3(1), 6.0(2)U4(1) |
|
Known Fixed Releases: | 6.0(2)A3(2.63), 6.0(2)A3(3), 6.0(2)A4(0.834), 6.0(2)A4(0.846), 6.0(2)A4(1), 6.0(2)A6(0.67), 6.0(2)A6(0.73), 6.0(2)A6(1), 6.0(2)U3(2.63), 6.0(2)U3(3) |
|
|
| |
| |
Bug Id: | CSCua49361 |
Title: | N3K ABR will not generate Summary LSA |
|
Description: | Symptom:
N3K as an OSPF ABR router will not generate type 3 summary LSAs.
N3K receives a prefix from a connected router in one area and will not advertise it into another area.
This is seen with 5.0(3)U3(2) but NOT seen with 5.0(3)U3(1).
Conditions:
Workaround:
None |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 15-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U3(2), 5.0(3)U5(0.306) |
|
Known Fixed Releases: | 5.0(3)U3(2b) |
|
|
| |
| |
Bug Id: | CSCuu35333 |
Title: | Should not shutdown system when there is PS or FAN direction mismatch |
|
Description: | Symptom: Do not shut down the system due to fan/PS direction mismatch.
Print Sev1 syslogs every minute instead.
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 16-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U3(7.103) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCur32090 |
Title: | N3k - SNMPD crash due to memory leak polling SFP sensor thresholds |
|
Description: | Symptom: SNMPD crashes due to a memory leak while polling CISCO-ENTITY-SENSOR-MIB, specifically for OIDs and indexes collecting SFP thresholds.
Conditions: GET requests to collect SFP thresholds using OIDs of CISCO-ENTITY-SENSOR-MIB.
Workaround: Do not poll OIDs to collect SFP sensor values and thresholds.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 18-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U3(0.759), 6.0(2)U4(1) |
|
Known Fixed Releases: | 6.0(2)A4(1.25), 6.0(2)A4(2), 6.0(2)A5(0.938), 6.0(2)A5(1), 6.0(2)U3(5.93), 6.0(2)U3(6), 6.0(2)U4(1.25), 6.0(2)U4(2), 6.0(2)U5(0.938), 6.0(2)U5(1) |
|
|
| |
| |
Bug Id: | CSCuf36771 |
Title: | N3k-OF:Vlan ID is removed when packets are punted to controller |
|
Description: | Symptom: When the Datapath Service Set is asked to provide Layer-2 frames to its client, the frames will be missing any 802.1Q or QinQ header that may have originally been on the frame.
This in turn affects any OpenFlow packets sent to the controller, preventing the controller from properly performing reactive-mode learning switch or similar operations.
Conditions: When 802.1q tagged packets need to be diverted via the OneP Datapath Service Set to a client, including to an OpenFlow controller by way of the Cisco Plug-in for OpenFlow Agent.
Workaround: no known workarounds.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 19-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U3(0.728) |
|
Known Fixed Releases: | 6.0(2)A4(1), 6.0(2)U4(1), 7.1(0)ES(0.10), 7.1(0)ES(0.11), 7.1(0)ES(0.13), 7.1(0)ES(0.14), 7.3(0)ZD(0.10), 7.3(0)ZN(0.11) |
|
|
| |
| |
Bug Id: | CSCue91528 |
Title: | Device crashes at ARP service crash @arp_adj_timer_callback |
|
Description: | Symptom: Nexus 3000 device unexpected reload
Conditions: ARP process crashes and then leads to Nexus 3000 reload.
Workaround: Unknown at this time |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U4(1) |
|
Known Fixed Releases: | 6.0(2)U1(1) |
|
|
| |
| |
Bug Id: | CSCuo10155 |
Title: | msdp hap reset when multicast frames larger than 9208 are received |
|
Description: | Symptom: An msdp hap reset and core dump may be observed when jumbo frame support and msdp are both configured.
Conditions: This condition is only possible when jumbo frames and msdp are configured and multicast frames are received that are greater than or equal to 9209 bytes.
Workaround: Configure a maximum MTU size that is less than or equal to 9208 bytes.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 20-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A1(1c), 6.0(2)A3(1), 6.0(2)U3(0.696) |
|
Known Fixed Releases: | 6.0(2)U3(0.711), 6.0(2)U3(1), 7.0(0)BZ(0.46), 7.0(0)HSK(0.317), 7.0(0)KM(0.97), 7.1(0)BF(0.90), 7.1(0)D1(0.171), 7.1(0)FC(0.2), 7.1(0)N1(0.145), 7.1(0)N1(1) |
|
|
| |
| |
Bug Id: | CSCtx54803 |
Title: | Specific SNMP GET request causes 'vlan_mgr' to crash on Nexus switches |
|
Description: | Symptoms: Cisco Nexus 1000v, Nexus 3000, Nexus 5000, and Nexus 7000 devices contain a denial of service vulnerability within the SNMP subsystem. An authenticated, remote attacker could submit a request to an affected device designed to trigger a null pointer dereference error that results in a crash and reload of the affected device.
Conditions: Cisco Nexus 1000v, Nexus 3000, Nexus 5000, and Nexus 7000 devices running an affected version of Cisco NX-OS Software.
Workaround: None.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C
CVE ID CVE-2012-4125 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 21-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U1(2) |
|
Known Fixed Releases: | 5.0(3)U3(2) |
|
|
| |
| |
Bug Id: | CSCut89022 |
Title: | FR upgrade from FP to ICARIA2 does not get XCVR info |
|
Description: | Symptom: After fastreload, port goes to 'SFP not Inserted' after FR upgrade from FP to ICARIA2 on 3132*
Conditions: Fast reload upgrade from 6.0(2)U3*, 6.0(2)U4* to 6.0(2)U5* or 6.0(2)U6*
Workaround: Do a install-all upgrade.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 21-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U6(1) |
|
Known Fixed Releases: | 6.0(2)U7(0.168), 6.0(2)U7(0.169), 6.0(2)U7(1) |
|
|
| |
| |
Bug Id: | CSCuq38110 |
Title: | Multiple Vulnerabilities in OpenSSL - August 2014 |
|
Description: | Symptom: This product includes a version of OpenSSL that could be affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
* Information leak in pretty printing functions (CVE-2014-3508)
* Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
* Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
* Double Free when processing DTLS packets (CVE-2014-3505)
* DTLS memory exhaustion (CVE-2014-3506)
* DTLS memory leak from zero-length fragments (CVE-2014-3507)
* OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
* OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
* SRP buffer overrun (CVE-2014-3512)
This bug has been opened to investigate and address the potential impact on this product.
Conditions: Device with default configuration.
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assessed these vulnerabilities using the Base and Temporal CVSS scores from the National Vulnerability Database (NVD).
Details about the third-party software vulnerabilities listed above, as well as their CVSS score can be found at the following URL: http://web.nvd.nist.gov/view/vuln/search
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A4(1) |
|
Known Fixed Releases: | 6.0(2)A4(1) |
|
|
| |
| |
Bug Id: | CSCuq38103 |
Title: | Multiple Vulnerabilities in OpenSSL - August 2014 |
|
Description: | Symptom: This product includes a version of OpenSSL that could be affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
* Information leak in pretty printing functions (CVE-2014-3508)
* Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139)
* Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509)
* Double Free when processing DTLS packets (CVE-2014-3505)
* DTLS memory exhaustion (CVE-2014-3506)
* DTLS memory leak from zero-length fragments (CVE-2014-3507)
* OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510)
* OpenSSL TLS protocol downgrade attack (CVE-2014-3511)
* SRP buffer overrun (CVE-2014-3512)
This bug has been opened to investigate and address the potential impact on this product.
Conditions: Device with default configuration.
Workaround:
no feature onep
no feature scp-server
no feature ssh
no feature vmtracker
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assessed these vulnerabilities using the Base and Temporal CVSS scores from the National Vulnerability Database (NVD).
Details about the third-party software vulnerabilities listed above, as well as their CVSS score can be found at the following URL: http://web.nvd.nist.gov/view/vuln/search
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 22-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U1(3) |
|
Known Fixed Releases: | 6.0(2)A4(0.13), 6.0(2)A4(1), 6.0(2)U4(0.13), 6.0(2)U4(1) |
|
|
| |
| |
Bug Id: | CSCus68770 |
Title: | Nexus 3k/3500: assess GHOST vulnerability in glibc (CVE-2015-0235) |
|
Description: | Symptom: On January 27, 2015, a buffer overflow vulnerability in the GNU C library (glibc) was publicly announced. This vulnerability is related to the various gethostbyname functions included in glibc and affect applications that call these functions. This vulnerability may allow an attacker to obtain sensitive information from an exploited system or, in some instances, perform remote code execution with the privileges of the application being exploited. This vulnerability is documented in CVE-2015-0235.
A Cisco Security Advisory has been published to document this vulnerability at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost
This bug has been opened to address the potential impact on this product.
Conditions: Exposure is not configuration dependent.
Workaround: Not available.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 10/7.8
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 23-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A4(1), 6.0(2)U5(0.37), 6.0(2)U5(1) |
|
Known Fixed Releases: | 6.0(2)A4(3.41), 6.0(2)A4(4), 6.0(2)A5(1.37), 6.0(2)A5(1.38), 6.0(2)A5(1.39), 6.0(2)A5(2), 6.0(2)A6(0.59), 6.0(2)A6(1), 6.0(2)U4(3.41), 6.0(2)U4(4) |
|
|
| |
| |
Bug Id: | CSCus74195 |
Title: | Incorrect parity handling for certain tables on T2 |
|
Description: | Symptom: Parity error callbacks on the same index and L2/L3 tables can cause device reloads due to a plog_sup process crash.
Conditions: Affects only T2 Platforms
Workaround: 1) reload should recover from the condition temporarily. 2) upgrade.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 23-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U3(1) |
|
Known Fixed Releases: | 6.0(2)A4(3.41), 6.0(2)A4(3.42), 6.0(2)A4(4), 6.0(2)U4(3.41), 6.0(2)U4(3.42), 6.0(2)U4(4), 6.0(2)U5(1) |
|
|
| |
| |
Bug Id: | CSCus26875 |
Title: | December 2014 - NTPd.org Vulnerabilities |
|
Description: | Symptom: The following Cisco products
Cisco Nexus 3000 Switches
include a version of NTPd that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296
This bug has been opened to address the potential impact on this product.
Please consult http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd for further information.
Conditions: feature ntp
Workaround: Block NTP query requests:
ntp access-group query-only query-only-acl
The following is an example with the NX-OS host acting as an NTP client:
ntp server 192.168.0.1 use-vrf management
ntp source-interface mgmt0
ntp access-group peer ntp-peer
ntp access-group query-only ntp-query-only
!
ip access-list ntp-peer
  statistics per-entry
  ! Permit the NTP servers you wish to sync with
  10 permit udp 192.168.0.1/32 any log
ip access-list ntp-query-only
  statistics per-entry
  ! Deny NTP control messages from any host.
  10 deny ip any any log
!
For more information consult: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/system_mgmt/6_x/b_3k_System_Mgmt_Config_6_x/b_3k_System_Mgmt_Config_6_x_chapter_010010.html#task_B61435A7608D4FDBAA43AC77C8C0B76D
Further Problem Description: PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U5(1) |
|
Known Fixed Releases: | 6.0(2)A4(3.43), 6.0(2)A4(4), 6.0(2)A5(1.38), 6.0(2)A5(2), 6.0(2)A6(0.44), 6.0(2)A6(1), 6.0(2)U4(3.43), 6.0(2)U4(4), 6.0(2)U5(1.38), 6.0(2)U5(2) |
|
|
| |
| |
Bug Id: | CSCur04934 |
Title: | Nexus 3000/3500 - Product evaluation for CVE-2014-6271 and CVE-2014-7169 |
|
Description: | Symptom: The Nexus 3000 and 3500 include a version of bash that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-6271 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 CVE-2014-6277 CVE-2014-6278
This bug has been opened to address the potential impact on this product.
Conditions: A user must first successfully log in and authenticate via SSH to trigger this vulnerability.
Workaround: Not available.
Release with the vulnerability fix: 6.0(2)A3(4), 6.0(2)U3(4) - CCO posted on 10/11
Release expected in future: (Contact Deepak Patwardhan - depatwar for dates) 6.0(2)U2(6) 6.0(2)A4(2), 6.0(2)U4(2) 6.0(2)U5(1) - Nexus3000 only
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U4(1), 7.0(99.1)ZZ, 9.5(1)N1(7.8) |
|
Known Fixed Releases: | 5.0(3)U5(0.214), 5.0(3)U5(1j), 6.0(2)A3(3.80), 6.0(2)A3(3.82), 6.0(2)A3(4), 6.0(2)A4(1.21), 6.0(2)A4(2), 6.0(2)A5(0.918), 6.0(2)A5(0.920), 6.0(2)A5(1) |
|
|
| |
| |
Bug Id: | CSCur28178 |
Title: | Nexus3000/3500: evaluation of SSLv3 POODLE vulnerability |
|
Description: |
Symptom:
This product includes a version of SSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3566
This bug has been opened to address the potential impact on this product.
Conditions:
A web-based HTTPS interface is provided on the Nexus 3000 only when "feature nxapi" is enabled. Support for this feature was added in 6.0(2)U4(1) and it is disabled by default. When this feature is not enabled, the Nexus 3000 is not vulnerable.
Workaround:
Disable 'feature nxapi' if enabled.
Will be fixed in following release:
6.0(2)U4(2) - goa MR1
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U4(1) |
|
Known Fixed Releases: | 6.0(2)A4(1.26), 6.0(2)A4(2), 6.0(2)A5(0.946), 6.0(2)A5(0.947), 6.0(2)A5(1), 6.0(2)U4(1.26), 6.0(2)U4(2), 6.0(2)U5(0.946), 6.0(2)U5(0.947), 6.0(2)U5(1) |
|
|
| |
| |
Bug Id: | CSCuu06246 |
Title: | Nexus 3K: vulnerability related to cmd injection via DHCP offer options |
|
Description: | Symptom: Command injection via DHCP offer options used with PowerOn Auto Provisioning (POAP)
Conditions: The NX-OS switch would have to be in a state where POAP is initiated, and an attacker would have to be able to either:
A) Inject their own DHCP server and respond to the POAP DHCP request with crafted DHCP options.
B) Compromise an existing DHCP server, and craft the specific DHCP options.
Then, during the POAP process, when the crafted DHCP options are processed, arbitrary commands could be executed on the system in the context of the root user.
Note this issue only occurs during the POAP DHCP boot process.
Workaround:
Further Problem Description: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:H/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVE ID CVE-2015-0658 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U5(1h), 6.0(2)U4(1), 6.0(2)U5(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut77415 |
Title: | APRIL 2015 NTPd Vulnerabilities |
|
Description: | Symptom: This product includes a version of ntpd that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-1798 and CVE-2015-1799
This bug has been opened to address the potential impact on this product.
Conditions: Device configured with NTP and NTP Keys
All shipping versions affected.
Workaround: Not available.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 4.3/3.2
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 24-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U6(1) |
|
Known Fixed Releases: | 6.0(2)A7(0.163), 6.0(2)A7(1), 6.0(2)U7(0.163), 6.0(2)U7(1) |
|
|
| |
| |
Bug Id: | CSCur05529 |
Title: | Nexus 3000/3500 evaluation for CVE-2014-6271 and CVE-2014-7169 |
|
Description: | Symptom: The Cisco Nexus 3000/3500 includes a version of bash that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-6271 CVE-2014-7169
This bug has been opened to address the potential impact on this product.
Conditions: A user must first successfully log in and authenticate via SSH to trigger this vulnerability.
Workaround: Not available.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 24-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U4(1) |
|
Known Fixed Releases: | 6.0(2)A3(3.80), 6.0(2)A3(4), 6.0(2)A5(0.918), 6.0(2)A5(1), 6.0(2)U3(3.80), 6.0(2)U3(4), 6.0(2)U5(0.918), 6.0(2)U5(1) |
|
|
| |
| |
Bug Id: | CSCut87006 |
Title: | Crash in n3500 netstack library when running with NDB embedded |
|
Description: | Symptom: After some time of normal operation, Nexus Data Broker (NDB) is suddenly no longer reachable through the GUI. Openflow switches using the underlying XNC as controller report a connection failure to the controller, e.g.
2014 Nov 9 05:06:22 switch01 %VMAN-5-VIRT_INST_NOTICE: VIRTUAL SERVICE ofa_ndbemb LOG: OVS: sw1<->tcp:10.0.0.1:6653%management: no response to inactivity probe after 5 seconds, disconnecting
2014 Nov 9 05:06:22 switch01 %VMAN-5-VIRT_INST_NOTICE: VIRTUAL SERVICE ofa_ndbemb LOG: OVS: sw1<->tcp:10.0.0.1:6653%management: connection failed (Connection reset by peer)
Conditions: This has been observed on NDB 2.0 running embedded on a Nexus 3548 running NXOS 6.0(2)A6(1). It is not confirmed at this time whether or not other versions or other platforms are affected.
Workaround: Restart the NDB service: conf t onep virtual-service ofa_ndb no activate activate exit
Further Problem Description: This defect only affects the working of the controller and the NDB application, it does not affect the flows created by the controller, except flows that were created but not saved.
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A6(1) |
|
Known Fixed Releases: | 6.0(2)A4(5.50), 6.0(2)A4(6), 6.0(2)A6(2.25), 6.0(2)A6(3), 6.0(2)A7(0.172), 6.0(2)A7(1), 6.0(2)U4(4.50), 6.0(2)U4(5), 6.0(2)U6(1.25), 6.0(2)U6(2) |
|
|
| |
| |
Bug Id: | CSCut64829 |
Title: | packets greater than 361B egressing 1G link on 3548 have CRC errors |
|
Description: | Symptom: If a packet is larger than 361 bytes and egresses a 1G link on a Nexus 3548, CRC errors are seen on the peer switch. Packet loss can occur because of the CRC errors.
Conditions: Packet loss occurs.
Workaround: NA
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Last Modified: | 25-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A6(1) |
|
Known Fixed Releases: | 6.0(2)A6(1.13), 6.0(2)A6(2), 6.0(2)U6(0.13), 6.0(2)U6(1) |
|
|
| |
| |
Bug Id: | CSCuu18724 |
Title: | N3k MTS memory leak caused snmpd process to crashes multiple times |
|
Description: | Symptom: snmpd process crashes
2015 Apr 29 15:00:33.104 nttcom-tyo4 %$ VDC-1 %$ 29 15:00:32 %KERN-2-SYSTEM_MSG: [538326.904027] mts_is_q_space_available_haslock_old():2013: regular+fast mesg total = 46388, soft limit = 1024 - kernel
2015 Apr 29 15:00:33.106 nttcom-tyo4 %$ VDC-1 %$ 29 15:00:32 %KERN-2-SYSTEM_MSG: [538326.904034] mts_is_q_space_available_haslock_old(): NO SPACE - node=4, sap=27, uuid=26, pid=19086, sap_opt = 0x1, hdr_opt = 0x0, rq=46388(27966872), lq=0(0), pq=0(0), nq=0(0), sq=0(0), fast: rq=0, lq=0, pq=0, nq=0, sq=0 - kernel
2015 Apr 29 15:00:33.108 nttcom-tyo4 %$ VDC-1 %$ 29 15:00:32 %KERN-2-SYSTEM_MSG: [538326.904040] mts_print_longest_queue_state: opcode counts for first and last 50 messages in recv_q of sap 27: - kernel
2015 Apr 29 15:00:33.111 nttcom-tyo4 %$ VDC-1 %$ 29 15:00:32 %KERN-2-SYSTEM_MSG: [538326.904048] mts_print_msg_opcode_in_queue: opcode 2832 - 100 messages - kernel
2015 Apr 29 15:00:33.113 nttcom-tyo4 %$ VDC-1 %$ 29 15:00:32 %KERN-2-SYSTEM_MSG: [538326.904051] mts_do_msg_input() failing since no space available in 27 (src_sap = 27, opc = 325) - kernel
2015 Apr 29 15:00:52.241 nttcom-tyo4 %$ VDC-1 %$ 29 15:00:52 %KERN-2-SYSTEM_MSG: [538346.023794] [sap 27][pid 19086][comm:snmpd] QFULL drop notify posted - kernel
2015 Apr 29 15:00:52.244 nttcom-tyo4 %$ VDC-1 %$ 29 15:00:52 %KERN-2-SYSTEM_MSG: [538346.031952] [sap 27][pid 19086][comm:snmpd] sap recovering failed and so Killed - kernel
2015 Apr 29 15:00:53.034 nttcom-tyo4 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "snmpd" (PID 19086) hasn't caught signal 6 (core will be saved).
2015 Apr 29 15:03:53.855 nttcom-tyo4 %$ VDC-1 %$ %SYSMGR-2-CORE_SAVE_FAILED: core_client_main: PID 24943 with message command /isan/bin/sysmgr_logmgr /var/sysmgr/tmp_logs 0 1>> /var/sysmgr/core_handling.log failed for srv , ret = 2 .
nttcom-tyo4#
Conditions: normal operation
Workaround: unknown at this point
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 25-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U5(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu14529 |
Title: | VxLAN: NVE peering may fail on N3132Q |
|
Description: | Symptom: VxLAN session between N3K-C3132Q and other VxLAN capable platforms may not come up.
When the problem happens, NVE peering is not established and no remote MAC addresses are learned by the chassis:
Nexus3132Q# show nve vni
Interface        VNI      Multicast-group VNI State
---------------- -------- --------------- ---------
nve1             10000    239.0.0.1       Up
nve1             20000    239.0.0.2       Up
Nexus3132Q# show nve peers
Conditions: Issue observed on N3K-C3132Q platform.
Workaround: Under certain conditions ingress replication can be used to work around this problem. Since ingress replication limits NVE peering to single per VNI session, this may not be suitable for all scenarios.
Further Problem Description: This is a compatibility issue between the Nexus 3000 and Nexus 5000 with VxLAN configuration because of the difference in implementation of the feature. Nexus 5000 requires PIM bidir while Nexus 3000 uses PIM SM.
|
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 25-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U3(7.99) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuu28210 |
Title: | memory leak in PIM SLAB |
|
Description: | Symptom: On a Nexus 3500 switch multicast traffic might stop forwarding for specific groups/sources.
Conditions: The following messages are seen in the syslog:
%PIM-3-SLAB_ALLOC: pim [3665] Slab alloc of type pim_routetype failed in pim_build_pim_route()
%PIM-3-CREATE_ROUTE: pim [3665] Couldn't create PIM route for (A.B.C.D/32, E.F.G.H/32) in pim_add_oif_to_sources_walk()
Also, memory allocation for PIM can be seen increasing using the following command: show ip pim internal mem-stats detail | grep -i "grand total"
Workaround: Reload the device to clear the memory allocation.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 25-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A3(2.55) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCue43983 |
Title: | N3K not classifying PIM-REG under CoPP |
|
Description: | Symptom: High CPU on Nexus 3000 due to unicast PIM_REG messages being incorrectly classified under the CoPP policy.
class-map copp-s-routingProto1 (match-any)
  match access-grp name copp-system-acl-routingproto1
  match access-grp name copp-system-acl-v6routingproto1
  police pps 1000
    OutPackets 28067449
    DropPackets 29883650
class-map copp-s-pimreg (match-any)
  match access-grp name copp-system-acl-pimreg
  police pps 200
    OutPackets 0
    DropPackets 0
class-map copp-s-pimautorp (match-any)
  police pps 200
    OutPackets 0
    DropPackets 0
Workaround: Ideally the RP should send a register stop and stop the PIM-REG process. If for any reason the RP has been misconfigured, you can use a VACL to drop these PIM-REG packets in hardware. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 25-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U5(1b) |
|
Known Fixed Releases: | 5.0(3)U5(1c), 6.0(2)A1(1), 6.0(2)U1(1) |
|
|
| |
| |
Bug Id: | CSCtu10593 |
Title: | CDP with long address crashes process |
|
Description: | Summary
Cisco Nexus, Cisco Unified Computing System (UCS), Cisco MDS 9000 Series Multilayer Switches, and Cisco 1000 Series Connected Grid Routers (CGR) are all based on the Cisco NX-OS operating system. These products are affected by one or more of the following vulnerabilities:
* Multiple Cisco Discovery Protocol Vulnerabilities in Cisco NX-OS-Based Products
* Cisco NX-OS Software SNMP and License Manager Buffer Overflow Vulnerability
* Cisco NX-OS Software SNMP Buffer Overflow Vulnerability
* Cisco NX-OS Software Jumbo Packet Denial of Service Vulnerability
Cisco has released free software updates that address these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-nxosmulti
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-1181 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
Symptom: wrongly moved to M-moving back to R & V.
Bhavesh
Conditions: wrongly moved to M-moving back to R & V.
Bhavesh
Workaround: wrongly moved to M-moving back to R & V.
Bhavesh
Further Problem Description: wrongly moved to M-moving back to R & V.
Bhavesh
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U2(1) |
|
Known Fixed Releases: | 5.0(3)U3(1) |
|
|
| |
| |
Bug Id: | CSCtu10603 |
Title: | CDP with long protocol crashes process |
|
Description: | Summary
Cisco Nexus, Cisco Unified Computing System (UCS), Cisco MDS 9000 Series Multilayer Switches, and Cisco 1000 Series Connected Grid Routers (CGR) are all based on the Cisco NX-OS operating system. These products are affected by one or more of the following vulnerabilities:
* Multiple Cisco Discovery Protocol Vulnerabilities in Cisco NX-OS-Based Products
* Cisco NX-OS Software SNMP and License Manager Buffer Overflow Vulnerability
* Cisco NX-OS Software SNMP Buffer Overflow Vulnerability
* Cisco NX-OS Software Jumbo Packet Denial of Service Vulnerability
Cisco has released free software updates that address these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-nxosmulti
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-1181 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U2(1) |
|
Known Fixed Releases: | 5.0(3)U3(1) |
|
|
| |
| |
Bug Id: | CSCtx66070 |
Title: | CDP crashes when receiving malformed packet |
|
Description: | Symptom: Cisco Nexus 1000, 3000, 4000, 5000, and 7000 switches as well as Cisco Unified Computing System Fabric Interconnect devices may restart after receiving malformed Cisco Discovery Protocol (CDP) packets. An adjacent attacker with the ability to submit malformed CDP traffic to an affected device could cause a denial of service condition while the device reloads or fails over to a redundant Supervisor card, if so equipped.
Conditions: Cisco Nexus Switches running an affected version of NX-OS. Cisco Unified Computing System, Fabric Interconnect devices running an affected version of UCS Software.
Workaround: Disable CDP on the affected device. CDP is enabled by default.
NX-OS: no cdp enable
UCS: Add the 'disable cdp' command to all Network Control Policies
Further Problem Description: This issue was identified through internal hardening efforts on the NX-OS platform.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2012-1322 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U2(1), 5.0(3)U4(1) |
|
Known Fixed Releases: | 5.0(3)U3(1) |
|
|
| |
| |
Bug Id: | CSCtu10554 |
Title: | CDP with long sysobj crashes process |
|
Description: | Summary
Cisco Nexus, Cisco Unified Computing System (UCS), Cisco MDS 9000 Series Multilayer Switches, and Cisco 1000 Series Connected Grid Routers (CGR) are all based on the Cisco NX-OS operating system. These products are affected by one or more of the following vulnerabilities:
* Multiple Cisco Discovery Protocol Vulnerabilities in Cisco NX-OS-Based Products
* Cisco NX-OS Software SNMP and License Manager Buffer Overflow Vulnerability
* Cisco NX-OS Software SNMP Buffer Overflow Vulnerability
* Cisco NX-OS Software Jumbo Packet Denial of Service Vulnerability
Cisco has released free software updates that address these vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130424-nxosmulti
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: https://intellishield.cisco.com/security/alertmanager/cvss?target=new&version=2.0&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2013-1181 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U2(1) |
|
Known Fixed Releases: | 5.0(3)U3(1) |
|
|
| |
| |
Bug Id: | CSCtr10146 |
Title: | N3K - ospfv2 memory leak when receiving specific malformed packets |
|
Description: | Symptoms: OSPF process leaks memory when receiving specially-crafted packet
Conditions: This issue may occur when the switch processes a malformed packet.
Workaround: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2011-2539 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U1(1d) |
|
Known Fixed Releases: | 5.0(3)U1(2) |
|
|
| |
| |
Bug Id: | CSCua68258 |
Title: | SYSRET 64-bit operating system privilege escalation |
|
Description: | Symptoms: On June 12, 2012, US CERT published VU 649219 addressing a local privilege escalation vulnerability in several 64-bit operating systems and virtualization software running on Intel CPU hardware. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.
Link to VU: http://www.kb.cert.org/vuls/id/649219
Intel claims that this vulnerability is a software implementation issue, as their processors are functioning as per their documented specifications. However, software that fails to take the Intel-specific SYSRET behavior into account may be vulnerable.
CVE-2012-0217 and CVE-2006-0744 have been issued to document this issue in the industry.
This bug has been filed to investigate and track this issue in this product.
Conditions: This issue has not been confirmed to be exploitable in this product. However, this is a locally exploitable vulnerability and a valid user must be authenticated before he/she can exploit this issue.
Workaround: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.6/6.3: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:C
CVE IDs CVE-2012-0217 and CVE-2006-0744 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Terminated |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 9.5(1)N1(7.8) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCuc19569 |
Title: | RADIUS insufficient attribute length check |
|
Description: | Symptoms: Cisco NXOS contains a vulnerability in the RADIUS authentication code.
Conditions: Malformed packets are returned from a RADIUS authentication server.
Workaround: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
CVE ID CVE-2012-6377 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U2(2c) |
|
Known Fixed Releases: | 6.0(2)A1(1), 6.0(2)U1(1) |
|
|
| |
| |
Bug Id: | CSCug38697 |
Title: | OSPF LSA Injection Vulnerability |
|
Description: | Summary Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.
The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.
To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.
OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.8/5.8: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:P/E:H/RL:U/RC:C
CVE ID CVE-2013-0149 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Symptom: Invalid LSA in Database
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U2(1), 6.2(0)PF(0.155) |
|
Known Fixed Releases: | 5.2(1)N1(6) |
|
|
| |
| |
Bug Id: | CSCtr61490 |
Title: | ACL leak if "remark" is added to ACL |
|
Description: | Summary A vulnerability exists in Cisco Nexus 5000 and 3000 Series Switches that may allow traffic to bypass deny statements in access control lists (ACLs) that are configured on the device.
Cisco has released free software updates that address this vulnerability.
A workaround is available to mitigate this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110907-nexus.shtml
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE ID CVE-2011-2581 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 5.0(3)U2(1) |
|
Known Fixed Releases: | 5.0(3)U1(2a) |
|
|
| |
| |
Bug Id: | CSCun43042 |
Title: | Sudoers file needs review for dangerous entries |
|
Description: | Symptoms: Cisco NX-OS based devices should be hardened against local attacks even when such access is not designed into the product. This defect documents the need to review the local sudoers file and remove or modify any potentially dangerous entries. This will help harden the general defensive posture of the product.
Conditions: Devices running Cisco NX-OS.
Workaround: None.
Further Problem Description: This is a proactive hardening defect to improve the overall security posture of the Nexus product lines.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U3(1) |
|
Known Fixed Releases: | 6.0(2)U2(2.41), 6.0(2)U2(3), 6.0(2)U3(0.658), 6.0(2)U3(1), 6.0(2)U4(0.60), 6.0(2)U4(1) |
|
|
| |
| |
Bug Id: | CSCut43397 |
Title: | Nexus 3000 and 3500 (N3K and N3500K) Leap Second |
|
Description: | Symptom: When the leap second update occurs, an N3K could have the kernel hit what is known as a "livelock" condition under the following circumstances:
a. When the NTP server pushes the update to the N3K NTPd client, which in turn schedules the update to the Kernel. This push should have happened 24 hours before June 30th, by most NTP servers.
b. When the NTP server actually updates the clock
Conditions: The leap second update will be propagated via Network Time Protocol (NTP) or via manually setting the clock.
Workaround: On switches running affected code, the following workaround can be used.
1) Remove NTP/PTP configuration on the switch at least two days prior to the June 30, 2015 leap second event date.
2) Add NTP/PTP configuration back on the switch after the leap second event date (July 1, 2015).
Further Problem Description: The following releases and above are not affected by this issue: 6.0(2)U3(1) 6.0(2)U2(2Z) 6.0(2)U2(1) 6.0(2)U1(1) 6.0(2)A1(1b)
- The last leap second update happened on June 30th @ 23:59:60 UTC.
- The next leap second update is not due for the next several years, and 6 months notice will be given before the update. Please see the URL below for leap second update details.
Reference : http://www.timeanddate.com/time/leapseconds.html
- Now that we have passed June 30th 23:59:60 UTC, if your N3K has not reset or switched over, you are not affected by this caveat until the next leap second update.
|
|
Status: | Other |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U1(1) |
|
Known Fixed Releases: | 6.0(2)A1(2d), 6.0(2)U2(1), 6.0(2)U2(2Z), 6.0(2)U3(1) |
|
|
| |
| |
Bug Id: | CSCur83153 |
Title: | NDB may stop working unexpectedly |
|
Description: | Symptom: After some time of normal operation, Nexus Data Broker (NDB) is suddenly no longer reachable through the GUI.
Openflow switches using the underlying XNC as controller report a connection failure to the controller, e.g.
2014 Nov 9 05:06:22 switch01 %VMAN-5-VIRT_INST_NOTICE: VIRTUAL SERVICE ofa_ndbemb LOG: OVS: sw1<->tcp:10.0.0.1:6653%management: no response to inactivity probe after 5 seconds, disconnecting
2014 Nov 9 05:06:22 switch01 %VMAN-5-VIRT_INST_NOTICE: VIRTUAL SERVICE ofa_ndbemb LOG: OVS: sw1<->tcp:10.0.0.1:6653%management: connection failed (Connection reset by peer)
Conditions: This has been observed on NDB 2.0 running embedded on a Nexus 3548 running NXOS 6.0(2)A4(1). It is not confirmed at this time whether or not other versions or other platforms are affected.
Workaround: Restart the NDB service: conf t onep virtual-service ofa_ndb no activate activate exit
Please note: unsaved changes in NDB will be lost.
Further Problem Description: This defect only affects the working of the controller and the NDB application, it does not affect the flows created by the controller, except flows that were created but not saved.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.7: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:TF/RC:C
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 26-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U4(0.41) |
|
Known Fixed Releases: | 6.0(2)A4(5.47), 6.0(2)A4(6), 6.0(2)A6(0.17), 6.0(2)A6(1), 6.0(2)U4(4.47), 6.0(2)U4(5), 6.0(2)U6(0.17), 6.0(2)U6(1), 7.0(0)BZ(0.46), 7.0(0)HSK(0.357) |
|
|
| |
| |
Bug Id: | CSCuu14304 |
Title: | Not sending packets after being changed transceiver from 1G to 10G |
|
Description: | Symptom: After the transceiver is changed from 1G to 10G, the N3548(X) does not send any packets.
Conditions: Swapping the transceivers from 1000base-SX to 10Gbase-SR
Workaround: Rebooting the device.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 27-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A6(1) |
|
Known Fixed Releases: | 6.0(2)A4(5.51), 6.0(2)A4(6), 6.0(2)A6(2.26), 6.0(2)A6(3), 6.0(2)U4(4.51), 6.0(2)U4(5), 6.0(2)U6(1.26), 6.0(2)U6(2) |
|
|
| |
| |
Bug Id: | CSCuu54126 |
Title: | 10g SFP not working/detected on Nexus 3K in port E1/1 |
|
Description: | Symptom: - 10g SFP not working/detected on Nexus 3K in port E1/1 and same SFP works on other switch ports
Conditions: - issue found in code : 6.0(2)U2(6) - Interface status remains down
etaccsw17.wsf.prnynj# sho int ethernet 1/1
Ethernet1/1 is down (Link not connected)
Dedicated Interface
Hardware: 100/1000/10000 Ethernet, address: 885a.9237.2228 (bia 885a.9237.2228)
Description: [CISCO][WIFI][OUTDOOR] wc101.wsf.prnynj [8510] PORT 02
MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
reliability 255/255, txload 1/255, rxload 1/255
- Transceiver status shows present
sdeaccsw17.wsf.prnynj# sho int ethernet 1/1 transceiver details
Ethernet1/1
transceiver is present >>>>
type is 10Gbase-LR
name is CISCO-FINISAR
part number is FTLX1474D3BCL-CS
- bcm_shell status of the interface shows no error, only STP in blocking state, which seems to be expected behavior as the interface is down.
bcm-shell.0> port 1
PORT: Status (* indicates PHY link up)
*xe0 LS(SW) Forced(10GFD) STP(Block) Lrn(ARL,FWD) UtPri(0) Pfm(FloodNone) IF(SFI) Max_frame(1518) MDIX(ForcedNormal, Normal) Medium(Copper) VLANFILTER(3)
Workaround: Reload the switch
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 28-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U2(5.87) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut78781 |
Title: | N3000 does not install pim OIL for (S,G) |
|
Description: | Symptom: Missing PIM derived OIL for some (S,G)-s when multiple sources come online at the same time
Conditions:
Workaround:
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 28-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U4(1) |
|
Known Fixed Releases: | 6.0(2)A7(0.167), 6.0(2)A7(1), 6.0(2)U7(0.167), 6.0(2)U7(1) |
|
|
| |
| |
Bug Id: | CSCut86141 |
Title: | SFP-H10GB-CU2.255M, hardware type changed to No-Transceiver on N3k |
|
Description: | Symptom: SFP is not detected on the ports. The same SFP works on other ports.
Conditions: The interface remains down with the following error: %ETHPORT-5-IF_HARDWARE: Interface Ethernet1/30, hardware type changed to No-Transceiver
In the bcm_shell, the interface shows Fault(Remote):
bcm-shell.0> port 8
PORT: Status (* indicates PHY link up)
xe7 LS(SW) Forced(10GFD) STP(Disable) Lrn(ARL,FWD) UtPri(0) Pfm(FloodNone) IF(SFI) Max_frame(1518) MDIX(ForcedNormal, Normal) Medium(Copper) Fault(Remote) VLANFILTER(3)
Workaround: A power drain of the switch sometimes seems to recover from the issue.
Further Problem Description:
|
|
Status: | Open |
|
Severity: | 2 Severe |
Last Modified: | 29-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U5(0.37) |
|
Known Fixed Releases: | |
|
|
| |
| |
Bug Id: | CSCut97806 |
Title: | 1G link not up in QI2-CR with autoneg enabled. |
|
Description: | Symptom: 1G ports do not link up between Nexus 3172PQ and other peers
Conditions: When Nexus 3172 is configured in 48x10G+6x40G portmode
Workaround: Two options: a) Configure portmode as 48x10g+breakout6x40g. In this mode, 1G ports do not have this issue. Also, the last QSFP ports will work in 40G mode. b) Disable auto-negotiation (AN) on the affected interface using "no negotiate auto" in interface configuration mode. Note that this command will fail while the interface is assigned to a port-channel. The procedure in this case is to first remove the "channel-group" command, then add "no negotiate auto", and then re-apply the "channel-group" command.
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 29-MAY-2015 |
|
Known Affected Releases: | 6.0(2)U6(1) |
|
Known Fixed Releases: | 6.0(2)A6(2.35), 6.0(2)A6(3), 6.0(2)U6(1.35), 6.0(2)U6(2) |
|
|
| |
| |
Bug Id: | CSCus89127 |
Title: | Disabling ptp on one interface breaks ptp on many other interfaces. |
|
Description: | Symptom: When a change that affects PTP is performed on one of the interfaces on an N3K, it may also affect PTP on other interfaces on this switch.
Conditions: PTP enabled on interfaces
Workaround: Restart PTP on the other affected interfaces with "no ptp" followed by "ptp".
Further Problem Description:
|
|
Status: | Fixed |
|
Severity: | 2 Severe |
Last Modified: | 30-MAY-2015 |
|
Known Affected Releases: | 6.0(2)A3(1), 6.0(2)A4(3), 6.0(2)A6(0.77) |
|
Known Fixed Releases: | 6.0(2)A4(5.47), 6.0(2)A4(5.53), 6.0(2)A4(6), 6.0(2)A6(0.80), 6.0(2)A6(1), 6.0(2)A6(2.28), 6.0(2)A6(3), 6.0(2)U4(4.47), 6.0(2)U4(4.53), 6.0(2)U4(5) |
|
|
| |