Cisco Blog » The Platform

Sunday, May 1, 2016

Cisco Notification Alert - 3850 Series Switch - 01-May-2016 16:53 GMT

End-of-Sale and End-of-Life Announcements - Catalyst 3850 Series Switches

Title:
End-of-Sale and End-of-Life Announcement for the Cisco IOS XE 16.2.1
Description:

Cisco announces the end-of-sale and end-of-life dates for the Cisco IOS XE 16.2.1. The last day to order the affected product(s) is October 11, 2016. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers' service contract.

Date:
14-APR-2016

Find additional information in End-of-Sale and End-of-Life Products

Known Bugs - Catalyst 3850 Series Switches

Alert Type:
New
Bug Id:
CSCuy86016
Title:
SMD proc may be held-down with EAP-FAST local & Multi Auth Host Mode
Status:
Open
Severity:
1 Catastrophic
Description:

Symptom:
The smd process is held down with EAP-FAST local authentication and Multi-Auth Host Mode. It happens when the affected interface has more than one session.
Conditions:
This issue is seen only with local authentication (EAP-FAST) and multi-auth host mode.
Workaround:
There is no workaround.

Last Modified:
28-APR-2016
Known Affected Releases:
Denali-16.3.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw01266
Title:
ffm crash when adding 3.3.x switch to 3.6.3 stack
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A switch running a 3.3.x release crashes when added to a stack running the 3.6.3 release.

Conditions:
Member switch running 3.3.x crashes with Feature Forwarding Manager service upon joining the stack

Workaround:
Install 3.6.3 on a switch before adding the switch to the stack

Further Problem Description:
This behavior is not seen when a switch with 3.6.3 is added to a stack already running 3.6.3; switches loaded with the same version will never hit this issue.

Last Modified:
07-APR-2016
Known Affected Releases:
3.6
Known Fixed Releases: *
15.2(2)E4, 15.2(3)E3, 3.6(4)E, 3.7(3)E
Alert Type:
New
Bug Id:
CSCuz29721
Title:
Memory leak under HTTP EPM Redirect Daemon
Status:
Open
Severity:
2 Severe
Description:

Symptom:
Memory leak under malloc lite if turned on. If not, the memory will be held under *Dead*

Conditions:
HTTP redirection on.

Workaround:
none at this time.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
3.7(3)E
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy81074
Title:
Stack Manager requested reload due to ASIC ballot failure
Status:
Open
Severity: *
2 Severe
Description:

Symptom: This issue has been seen in a 3850 stack running 3.6.4E. The switch boots after upgrading to 3.6.4E (in the test case, from 3.6.3E) and works well for a random interval of 2 to 10 minutes. After this, the switch displays the "Stack Manager requested reload due to ASIC ballot failure" message and reloads. This behavior keeps repeating.

Conditions: 3850 stack running 3.6.4E.

Workaround: When the switches are standalone, that is NO stack, the issue is not presented and the switches run steadily.

More Info: Migrating from 3.6.3E to 3.6.4E, although we believe that the previous release does not set precedence. This issue was NOT seen in 3.6.3E in the same stack.

This issue occurred in one out of 6 stacks in our lab.

Last Modified:
06-APR-2016
Known Affected Releases:
15.2(2)E4
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuy16820
Title:
'show SUDI' cmd: Unsupported for c3850/c3650 switches
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Secure Unique Device Identifier (SUDI) support is expected for the NG3K latest certificate. "show crypto pki certificate" always shows the latest SHA1 certificate as cisco SUDI legacy id, and SHA2 as cisco sudi id. The expectation is to see the latest certificate as cisco sudi id without legacy.

Conditions:
When checking a board with only a SHA1 certificate, it shows cisco sudi legacy.
When checking a board with both SHA1 and SHA2 certificates, SHA1 shows as legacy and SHA2 as cisco sudi id.

Workaround:
None

Further Problem Description:
The issue is fixed in Denali 16-3. Customers can upgrade to that version, when available, for this fix.

Last Modified:
06-APR-2016
Known Affected Releases:
1.0
Known Fixed Releases:
16.3(0.119)
Alert Type:
Updated *
Bug Id:
CSCuy85838
Title:
Clients stuck 'Method status list: empty' after SSO->shut/no shut helps
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Some of the clients are stuck in Unauth forever with 'Method status list: empty'.

Conditions:
The issue happens intermittently after reload of the stack or switchovers.

Workaround:
shut and no shut of the interface.

Further Problem Description:

Last Modified:
21-APR-2016
Known Affected Releases:
16.2.1
Known Fixed Releases: *
15.2(2)E2, 15.2(2)E3, 15.2(2)E4, 15.2(3)E, 15.2(3)E1, 15.2(3)E2, 15.2(3)E3, 15.2(4)E, 15.2(4)E1, 15.5(1)S
Alert Type:
Updated *
Bug Id:
CSCuj10443
Title:
Standby sw crash@crypto_engine/sw/src/keylib/lib_key_storage.c:646
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Switch crashes when being added to the stack after a switchover.

Conditions:
This occurs in switchover scenarios

Workaround:
Reload the complete stack and boot again.

Further Problem Description:

Last Modified:
21-APR-2016
Known Affected Releases:
15.0(11.98)EMP, 15.0(12.3)EMP, 15.2(2.2.94)E
Known Fixed Releases: *
12.2(60)EZ2, 12.2(60)EZ3, 15.0(1)EZ, 15.0(1)EZ1, 15.0(12.14)EZD, 15.0(14.1)TSR, 15.0(14.49)EZD, 15.0(2)EX5, 15.0(2)EX7, 15.0(2)SE7
Alert Type:
Updated *
Bug Id:
CSCuy64839
Title:
SMD Crash on Active Switch during bootup
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
SMD Crash observed

Conditions:
Probable Conditions are when APs flap at join

Workaround:
Reload the Stack.

Further Problem Description:

Last Modified:
21-APR-2016
Known Affected Releases:
16.2.1, Denali-16.2.1
Known Fixed Releases: *
15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EY, 16.2(0.363), 16.3(0.147)
Alert Type:
Updated *
Bug Id:
CSCuy73209
Title:
Client association failed in native-profiling test
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Wireless client is not able to join to a WLAN which has native profile and AAA override enabled

Conditions:
WLAN with native profile policy and client is able to join.
Enable AAA override on the same WLAN; client is not able to join

Workaround:
Run "clear access-session cache" command.

Further Problem Description:

Last Modified:
21-APR-2016
Known Affected Releases:
16.2(0)
Known Fixed Releases: *
16.2(0.363), 16.3(0.145)
Alert Type:
Updated *
Bug Id:
CSCux24057
Title:
Install/upgrade on a specific non-active switch will fail
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When doing a superpackage install on a specific member other than the active, the "request platform software package install" command results in an error message and the install fails.

Conditions:
This only occurs when doing superpackage install on a specific non-active switch.
Issue is not seen when using "switch all", or when the switch specified is the current active.

Workaround:
The expansion of the superpackage to the member succeeds; only the install portion fails. In such cases, the user can reissue the install command on that specific switch, using a *.pkg expression to denote the necessary subpackages instead of specifying the superpackage as the filename.

Example:
Superpackage cat3k_caa-universalk9.BLD_V161_0_THROTTLE_LATEST_20151116_230450_2.SSA.bin
expands to the following subpackages:
cat3k_caa-rpbase.BLD_V161_0_THROTTLE_LATEST_20151116_230450_2.SSA.pkg
cat3k_caa-srdriver.BLD_V161_0_THROTTLE_LATEST_20151116_230450_2.SSA.pkg
cat3k_caa-wcm.BLD_V161_0_THROTTLE_LATEST_20151116_230450_2.SSA.pkg
cat3k_caa-webui.BLD_V161_0_THROTTLE_LATEST_20151116_230450_2.SSA.pkg

Build string in this case would be BLD_V161_0_THROTTLE_LATEST_20151116_230450_2.SSA
So user can run install on all the extracted subpackages using:
request platform software package install switch file flash:*BLD_V161_0_THROTTLE_LATEST_20151116_230450_2.SSA.pkg

Further Problem Description:

Last Modified:
10-APR-2016
Known Affected Releases:
16.3(0)
Known Fixed Releases: *
16.1(2.43), 16.2(0.350), 16.3(0.140)
Alert Type:
New
Bug Id:
CSCuy70285
Title:
Perennial traceback after SSO and some windows client not able to rejoin
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After a certain number of switchovers, a perennial traceback may be observed. Some clients may not be able to join back.

Conditions:
After a certain number of switchovers, a perennial traceback could be seen.

Workaround:
No workaround

Further Problem Description:

Last Modified:
06-APR-2016
Known Affected Releases:
Denali-16.2.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy51956
Title:
AAA server moves to DEAD state even though CTS server is ALIVE
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Dot1x accounting fails when trying to send to a CTS-enabled RADIUS server due to an invalid authenticator; because of this, the AAA server might go to the DEAD state intermittently.

Conditions:
The issue might be seen when AAA accounting is enabled along with CTS authorization.

Workaround:
Remove the AAA-related accounting configuration to overcome this issue.

Further Problem Description:

Last Modified:
14-APR-2016
Known Affected Releases:
Denali-16.2.1
Known Fixed Releases: *
16.2(0.355), 16.3(0.113)
Alert Type:
Updated *
Bug Id:
CSCuu18029
Title:
3650/3850 May Experience RP Protocol Flaps with Aggressive Timers.
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
The 3650 and 3850 switches may experience Routing Protocol Flaps when using aggressive timers.

Conditions:
The problem has been seen on the NGWC switches with RP protocols using 3 seconds or less for dead/hold-down timers.

Workaround:
It is recommended to use the default routing protocol timers. If faster convergence is required do not use anything less than 10 second dead/hold-down to avoid this defect.

Further Problem Description:

Last Modified:
18-APR-2016
Known Affected Releases:
15.2(2.0)E
Known Fixed Releases:
15.2(2)E4, 15.2(3)E3, 3.6(4)E, 3.7(3)E
Alert Type:
Updated *
Bug Id:
CSCuw55669
Title:
Crash is seen in iosd on switch and auth-mgr
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Switch with IOSD crashes in auth-manager with this symptom:

IOSD-EXT-SIGNAL: Segmentation fault(11), Process = EPM MAIN PROCESS

Conditions:
The system crashed due to stack overflow caused by loop calls between PI sanet and vlan group plugin on switch platform while dumping sanet trace messages in the case when handling dynamic vlan updates for a given vlan on standby switch.

Workaround:
None

Further Problem Description:

Last Modified:
02-APR-2016
Known Affected Releases:
3.6(0)
Known Fixed Releases: *
15.2(2)E4, 15.2(3)E3, 15.2(4)E1, 15.2(4)EA1, 15.2(4.0.95)EA1, 15.2(4.0.95a)E, 15.2(4.1.25)EA1, 15.2(4.1.5a)E, 15.2(4.2.1)EA2, 15.2(5.0.38)E
Alert Type:
Updated *
Bug Id:
CSCux22760
Title:
On reload, 1G SFP is connected/up on 3750x while 3850 is notconnect/down
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Topology: 3850-12S downlink port connected to uplink port of 3750X using 1G SFP.
Now on reload of 3850, 1G SFP is connected/up on 3750x while 3850 is notconnect/down.

Conditions:
Topology: 3850-12S downlink port connected to uplink port of 3750X using 1G SFP.
Now on reload of 3850, 1G SFP is connected/up on 3750x while 3850 is notconnect/down.

Workaround:
No Workaround

Further Problem Description:
The defect is fixed in Polaris dev and amur mr4 (3.6.4) and beni mr4 (3.7.4)

Last Modified:
27-APR-2016
Known Affected Releases:
15.2(2)E3
Known Fixed Releases: *
15.2(2)E4, 16.1(2.62), 16.2(0.199), 3.6(4)E
Alert Type:
Updated *
Bug Id:
CSCux77511
Title:
3850: Webauth not working when incorrect username/password entered
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
For a switch configured to run with WEBAUTH and MAB, when a user enters invalid username/password on logon page, the failed window opens. However, nothing is displayed and it just sits there trying to connect to the page you want to get to and doesn't connect to anything. After this, the connection is unresponsive and the login screen doesn't function. The connection becomes responsive again after resetting the connection (unplugging/plugging the Ethernet cable) but WEBAUTH only works when a valid username/password is entered.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
20-APR-2016
Known Affected Releases:
15.2(3)E
Known Fixed Releases: *
15.2(2)E4, 15.2(5.1.8)E, 15.2(5.5.66)E
Alert Type:
New
Bug Id:
CSCuz29932
Title:
cat3k when connected to 8510 WLC fails to forward capwap traffic
Status:
Open
Severity:
2 Severe
Description:

Symptom:
C3850 fails to forward CAPWAP traffic to 8510 WLC.

Conditions:
The issue is seen when C3850 is directly connected to 8510 WLC.

Workaround:
The workaround is to ping WLC from C3850.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
Denali-16.3.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux24515
Title:
"%Failed to update configuration" message seen on boot-up sometimes
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After booting up, the error "%Failed to update configuration in the database. Please revert" is printed to console.

Conditions:
In the rare condition where "attribute password PASSWORD" contains the characters 3F, this error is printed. However, this has no functional impact.

Workaround:
None

Further Problem Description:

Last Modified:
27-APR-2016
Known Affected Releases: *
Denali-16.1.1
Known Fixed Releases:
16.1(1.50), 16.1.2, 16.2(0.201), Denali-16.1.2
Alert Type:
New
Bug Id:
CSCum71431
Title:
Cat3850 FED Reload when trying to being up switch stack
Status:
Terminated
Severity:
3 Moderate
Description:

Symptom:
In an environment where downloadable ACLs are used a Cat3850 may report a FED crash.

Conditions:
This crash is triggered due to ACL names longer than 64 characters. Internally, several strings are added to the ACL name, and if the aggregate exceeds 63 characters this crash would be seen.


As an example, consider an ACL configured in an ACS server as "this-acl-is-22-letters".
- ACS adds characters to the beginning and end of this ACL (which can be seen in "show auth sess int detail")
- the switch adds characters to the beginning and end of this ACL

#sh auth sess int gi 2/11 details
Interface: GigabitEthernet2/11
...
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-this-acl-is-22-letters-520492d0
...
On any port where a device receives an ACL whose name is longer than 64 characters, the name is truncated, and this same truncated string shares the ACL programming with other ports in the same state, which triggers the issue.

Workaround:
Shorten ACL names to less than 64 characters. As additional characters are padded towards the beginning/end of the ACL name, those characters should be factored in when renaming the ACLs.

Further Problem Description:
This issue is fixed in 3.6.0E / 15.2(2)E and later releases.

Last Modified:
26-APR-2016
Known Affected Releases:
15.0(1)EZ
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy54762
Title:
IPv4 DHCP traffic is intercepted by L3 SVI interface with ACL log
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
When the IPv4 unicast traffic should be switched by 3850, it is intercepted and copied to L3 SVI interface on IN direction. If there is an ACL on IN direction applied to SVI interface, the log message is printed. However, traffic still is L2 switched to the destination, while the copy of the traffic addressed to L3 SVI is dropped.

Example:

*Feb 29 00:06:26.087: %SEC-6-IPACCESSLOGP: list INNER denied udp 10.1.1.1(67) (Vlan500 5ca4.8afb.6dd0) -> 10.1.1.8(68), 6 packets
*Feb 29 00:11:26.088: %SEC-6-IPACCESSLOGP: list INNER denied udp 10.1.1.1(67) (Vlan500 5ca4.8afb.6dd0) -> 10.1.1.8(68), 6 packets
Both 10.1.1.1 (relay agent) and 10.1.1.8 (client) do not belong to the L3 SVI interface, so the traffic should be switched using the L2 mac-address-table only, without printing log messages.

Conditions:
Only DHCP unicast conversations are affected, other traffic is not affected

Workaround:
None

Further Problem Description:

Last Modified:
22-APR-2016
Known Affected Releases:
15.2(3.7.2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy79579
Title:
SMD leak while testing CWA disconnect&reauth
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
SMD memory leak after central webauth clients associated and disconnected

Conditions:
central webauth clients

Workaround:
NA

Further Problem Description:

Last Modified:
22-APR-2016
Known Affected Releases:
Denali-16.2.1
Known Fixed Releases: *
16.2(0.364), 16.3(0.145)
Alert Type:
New
Bug Id:
CSCul67169
Title:
Fed Crash on NG3K when trying to authenticate a supplicant using 802.1x
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In an environment where downloadable ACLs are used a Cat3850 may report a FED crash.

Conditions:
This crash is triggered due to ACL names longer than 64 characters. Internally, several strings are added to the ACL name, and if the aggregate exceeds 63 characters this crash would be seen.


As an example, consider an ACL configured in an ACS server as "this-acl-is-22-letters".
- ACS adds characters to the beginning and end of this ACL (which can be seen in "show auth sess int detail")
- the switch adds characters to the beginning and end of this ACL

#sh auth sess int gi 2/11 details
Interface: GigabitEthernet2/11
...
Authorized By: Authentication Server
ACS ACL: xACSACLx-IP-this-acl-is-22-letters-520492d0
...
On any port where a device receives an ACL whose name is longer than 64 characters, the name is truncated, and this same truncated string shares the ACL programming with other ports in the same state, which triggers the issue.

Workaround:
Shorten ACL names to less than 64 characters. As additional characters are padded towards the beginning/end of the ACL name, those characters should be factored in when renaming the ACLs.

Further Problem Description:

Last Modified:
18-APR-2016
Known Affected Releases:
15.0(1)EZ
Known Fixed Releases:
15.2(2)E
Alert Type:
Updated *
Bug Id:
CSCuy24630
Title:
Not able to open webauth page in client with ipv6 address.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Webauth redirection does not happen for IPv6-only wireless clients attempting web authentication.

Conditions:
3850 configured with IPv6 virtual-ip address in web-auth parameter-map.
1. Wireless client with only IPv6 address
2. Open IPv6 web page or domain in browser

Workaround:
NA

Further Problem Description:

Last Modified:
14-APR-2016
Known Affected Releases:
Denali-16.2.1
Known Fixed Releases: *
16.2(0.355), 16.3(0.156)
Alert Type:
New
Bug Id:
CSCuy34177
Title:
Need 5508 to support sleeping client as single Anchor with NGWC
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
Sleeping Clients will not be seen in sleeping Client list on Guest Anchor (5508). When the clients wake up, they will have to re-authenticate.

Conditions:
When Clients are joined in Foreign Anchor (NGWC) <--> Guest Anchor (5508) Scenario.

Workaround:
No Workarounds for now.

Further Problem Description:

Last Modified:
06-APR-2016
Known Affected Releases:
16.2.0
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuy79465
Title:
Prime - Unable to modify Transmitted Power Threshold for TPC
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
Unable to make configuration changes on Prime to the Transmit Power Threshold for TPC.

Conditions:
Attempting to modify the Transmit Power Threshold via Prime.

Workaround:
Make changes on Polaris controller web interface (webui).

Further Problem Description:

Last Modified:
06-APR-2016
Known Affected Releases:
Denali-16.2.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv03683
Title:
%Failed to determine package type when sw install from non-Active flash
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When a user attempts to do a software install where you specify the source image from a non-Active flash switch, it will fail with a "% Failed to determine package type for flash-X:image.bin"

Conditions:
Customer has to be trying to install an image from a non-Active flash in order to see the issue.

Workaround:
The workaround would be to copy the image to the Active flash and then issue the software install from that flash instead of a non-Active flash - software install file flash:image.bin.

Further Problem Description:

Last Modified:
05-APR-2016
Known Affected Releases:
15.2(3.7.1E)
Known Fixed Releases: *
15.2(2)E4, 15.2(3)E3, 3.6(4)E, 3.7(3)E
Alert Type:
New
Bug Id:
CSCuz47111
Title:
Disabling Option 66&67Stack 3850Suddenly a member reload config mismatch
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
The standby switch suddenly reloads after disabling the "option 66" and "option 67" commands and writing the config.

Conditions:
w-3850-2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
w-3850-2(config)#ip dhcp pool Vlan_16
w-3850-2(dhcp-config)#no option 66
w-3850-2(dhcp-config)#no option 67
w-3850-2(dhcp-config)#
w-3850-2(dhcp-config)
