| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw14948 | Title: | HSRP vip ping failure after power off one side Router with SM module |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: HSRP vip ping failure after power off one side Router with SM module
Conditions: After the router with the SM module on one side is powered off, pinging the router's physical IP from the SM module on the other side works without problems, but pinging the VIP on the router fails.
Workaround: Reconfigure HSRP on the router with the ping issue.
Further Problem Description:
|
|
Last Modified: | 20-MAY-2016 |
|
Known Affected Releases: | 15.3(3)M4 |
|
Known Fixed Releases: * | 15.3(3)M6.2, 15.3(3)M7, 15.4(3)M4.1, 15.4(3)M5, 15.5(3)M1.1, 15.5(3)M2, 15.6(1)T1.1, 15.6(1.6)T, 15.6(1.9)T0.1, 15.6(1.9)T0.2 |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuz63038 | Title: | Trunk group race condition generates CCAPI IEC software error |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom: gateway generates IEC=1.1.180.1.13.114 system message when trunk group configuration is used
Conditions: appears when trunk group commands are used
Workaround: remove trunk group and configure using dial-peer & port configuration
Further Problem Description:
|
|
Last Modified: | 12-MAY-2016 |
|
Known Affected Releases: | 15.4(3)M4.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCul58283 | Title: | GM crashes while registering to key server with GDOI MIB poll |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Cisco 3945-E running 15.3(2)T crashes while registering to the key server.
Conditions: The symptom is observed using GETVPN on Cisco IOS release 15.3(2)T.
Workaround: There is no workaround.
Further Problem Description:
|
|
Last Modified: | 04-MAY-2016 |
|
Known Affected Releases: | 15.3(2)T1.2 |
|
Known Fixed Releases: * | 15.1(2)IC66.3, 15.2(1)IC273.70, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(2)E, 15.2(2.2.70)ST, 15.2(2b)E, 15.2(4.0)ST, 15.2(4.0.64a)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuy33804 | Title: | Traceback seen @resolve_sig_ip_address_to_bind during SRTP calls |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Traceback on T train and crash on S train
Conditions: SRTP calls
Workaround: None
Further Problem Description:
|
|
Last Modified: | 24-MAY-2016 |
|
Known Affected Releases: | 15.6(1.22)T |
|
Known Fixed Releases: * | 15.3(3)S7.3, 15.6(1.22)T0.3, 15.6(2)T, 15.6(2.1)T, 15.6(2.12.1a)T0, 16.2(0.308), 16.3(0.112) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv49227 | Title: | 'bfd interval' values only 999-999 in Port-channel sub-interface mode |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: 1) BFD interval command missing after IOS upgrade.
2) The range of values available for the command 'bfd interval' under Port-channel sub-interface configuration is different between 15.1 and 15.3 IOS versions.
On Version 15.1(4)M6
!
interface Port-channel1.999
Router(config-subif)#bfd interval <50-999> Milliseconds min_rx <50-999> Milliseconds multiplier <3-50> value used to multiply the interval
On Version 15.4(3)M3
!
interface Port-channel1.999
Router(config-subif)#bfd interval <999-999> Milliseconds min_rx <999-999> Milliseconds multiplier <3-50> value used to multiply the interval
Conditions: 'bfd interval' configuration under Port-Channel sub-interface.
Workaround: Use BFD-template instead.
For example:
R1 and R2 are directly connected via Port-Channel 1.2. The configuration for both devices and the 'show bfd neighbor' output are the following:
On R1
bfd fast-timers-on-slow-interface
!
bfd-template single-hop TEST
 interval min-tx 150 min-rx 50 multiplier 3
!
interface Port-channel1.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 bfd template TEST
end
R1#show bfd neighbors
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
192.168.2.2 1/1 Up Up Po1.2
R1#
*********************************************************************************************
On R2
bfd-template single-hop TEST
 interval min-tx 150 min-rx 50 multiplier 3
!
interface Port-channel1.2
 encapsulation dot1Q 2
 ip address 192.168.2.2 255.255.255.0
 bfd template TEST
!
R2#show bfd neighbor
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
192.168.2.1 1/1 Up Up Po1.2
R2#
More information via: www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-s/irb-15-s-book/irb-bfd-shop-auth.html
Further Problem Description: On version 15.1(4)M6, the available configuration values for the command 'bfd interval', under interface Port-channel1.123 were <50-999>
Router(config-subif)#bfd interval <50-999> Milliseconds min_rx <50-999> Milliseconds multiplier <3-50> value used to multiply the interval
After upgrading to 15.4(3)M3, the range of available values was changed to <999-999>
On Version 15.4(3)M3
!
interface Port-channel1.123
Router(config-subif)#bfd interval <999-999> Milliseconds min_rx <999-999> Milliseconds multiplier <3-50> value used to multiply the interval
The consequence is that the command is ignored at boot-time when the Router is upgraded, which is not expected by customers.
At boot time, we can see the command previously available in 15.1 is no longer accepted and then ignored in 15.3 when the configuration is being loaded
bfd interval 50 min_rx 150 multiplier 3
^.
% Invalid input detected at '^' marker.
%Interface MTU set to channel-group MTU 1500.
%Interface MTU set to channel-group MTU 1500.
|
|
Last Modified: | 05-MAY-2016 |
|
Known Affected Releases: | 15.4(3)M2.2 |
|
Known Fixed Releases: * | 15.4(3)M4.1, 15.4(3)M5, 15.5(3)M2.1, 15.6(0.17)PI30e, 15.6(0.19)T, 15.6(1.9)T0.1, 15.6(1.9)T0.2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuy32360 | Title: | Crash after Quiet mode is triggered with login block-for configured |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: A crash is seen on a router that has login block-for configured. The crash occurs after Quiet mode is triggered:
C3900#
*Feb 13 03:37:06.767: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cats] [Source: xx.xx.xx.xx [localport: 22] [Reason: Login Authentication Failed] at 03:37:06 UTC Sat Feb 13 2016
*Feb 13 03:37:06.767: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 52 secs, [user: cats] [Source: xx.xx.xx.xx] [localport: 22] [Reason: Login Authentication Failed] [ACL: login] at 03:37:06 UTC Sat Feb 13 2016
*Feb 13 03:37:12.791: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cats] [Source: xx.xx.xx.xx] [localport: 22] [Reason: Login Authentication Failed] at 03:37:12 UTC Sat Feb 13 2016
*Feb 13 03:37:12.791: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: cats] [Source: 10.24.1.190] [localport: 22] [Reason: Login Authentication Failed] [ACL: 8"d
#G ] at 03:37:12 UTC Sat Feb 13 2016
chunk_diagnose, code = 3
chunk name is MallocLite
Conditions: SSH authentication failures occur after either using the wrong username or password. If another attempt is made quickly enough (around the same time as quiet mode should be triggered) a crash could occur. The issue only seems to occur if the device has not been reloaded since the login block-for configuration has been added.
Workaround: 1) Remove login block-for configurations 2) Save the configs and reload. The issue doesn't seem to occur again after a reload/crash.
Further Problem Description: When the configs are saved and device is reloaded, the configs are added in a specific order that prevents the issue. We have found that the order of the configs added is what is allowing the issue to occur. As long as the configs are in the following order, the issue will not happen:
ip access-list extended login
 deny ip any any
login block-for <#> attempts <#> within <#>
login delay <#>
login quiet-mode access-class login
login on-failure log
login on-success log
|
|
Last Modified: | 24-MAY-2016 |
|
Known Affected Releases: | 15.6(1.22)T |
|
Known Fixed Releases: * | 15.5(3)M2.1, 15.6(2.12.1a)T0, 15.6(2.3)T |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCui79745 | Title: | Crash @ crypto_engine_packet_callback in IPSEC on ISR Codenomicon |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: A vulnerability in IPSec processing of Cisco IOS Software could allow an authenticated, remote attacker to cause a reload of the affected device. The vulnerability is due to improper processing of malformed IPSec packets. An attacker could exploit this vulnerability by sending malformed IPSec packets to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.
Conditions: Cisco IOS device receiving malformed IPSec packets over an established IPSec SA may crash.
Workaround: None
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID CVE-2014-3299 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3299
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 09-MAY-2016 |
|
Known Affected Releases: | 15.4(0.12)T |
|
Known Fixed Releases: * | 15.2(1)SY1.13, 15.2(1)SY2, 15.2(2)E, 15.2(2.2.73)ST, 15.2(2.2.93)EA, 15.2(2.3)PSR, 15.2(2.39)PSR, 15.2(2b)E, 15.2(3)E, 15.2(4.0)ST |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux16650 | Title: | SHA-2 support on ISR G2 |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: SHA-2 support needed for CVP - IOS browser integration.
Conditions: CVP with IOS VXML browsers.
Workaround:
Further Problem Description:
|
|
Last Modified: | 24-MAY-2016 |
|
Known Affected Releases: | 15.3(3.3)S3 |
|
Known Fixed Releases: * | 15.6(2.12.1a)T0, 15.6(2.3)T, 16.3(0.128) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuz52960 | Title: | ifHCInBroadcastPkts Decreasing |
|
Status: * | Fixed |
|
Severity: * | 3 Moderate |
Description: * | Symptom: Issues with 3945 running 15.3(3)M4: OID ifHCInBroadcastPkts is not incrementing but decreasing, as are other ifXEntry OIDs.
Conditions:
C:\usr\bin>snmpwalk -v2c -c test 192.168.10.1 1.3.6.1.2.1.31.1.1.1.13.6
IF-MIB::ifHCOutBroadcastPkts.6 = Counter64: 18446744073709518887
C:\usr\bin>snmpwalk -v2c -c test 192.168.10.1 1.3.6.1.2.1.31.1.1.1.13.6
IF-MIB::ifHCOutBroadcastPkts.6 = Counter64: 18446744073709518884
C:\usr\bin>snmpwalk -v2c -c test 192.168.10.1 1.3.6.1.2.1.31.1.1.1.13.6
IF-MIB::ifHCOutBroadcastPkts.6 = Counter64: 18446744073709518883
C:\usr\bin>snmpwalk -v2c -c test 192.168.10.1 1.3.6.1.2.1.31.1.1.1.13.6
IF-MIB::ifHCOutBroadcastPkts.6 = Counter64: 18446744073709518879
C:\usr\bin>snmpwalk -v2c -c test 192.168.10.1 1.3.6.1.2.1.31.1.1.1.13.6
IF-MIB::ifHCOutBroadcastPkts.6 = Counter64: 18446744073709518876
C:\usr\bin>snmpwalk -v2c -c test 192.168.10.1 1.3.6.1.2.1.31.1.1.1.13.6
IF-MIB::ifHCOutBroadcastPkts.6 = Counter64: 18446744073709518873
ifHCInUcastPkts
C:\usr\bin>snmpwalk -v2c -c test 192.168.20.2 1.3.6.1.2.1.31.1.1.1.7.13
IF-MIB::ifHCInUcastPkts.13 = Counter64: 18446744073640573803
C:\usr\bin>snmpwalk -v2c -c test 192.168.20.2 1.3.6.1.2.1.31.1.1.1.7.13
IF-MIB::ifHCInUcastPkts.13 = Counter64: 18446744073640569584
C:\usr\bin>snmpwalk -v2c -c test 192.168.20.2 1.3.6.1.2.1.31.1.1.1.7.13
IF-MIB::ifHCInUcastPkts.13 = Counter64: 18446744073640563215
C:\usr\bin>snmpwalk -v2c -c test 192.168.20.2 1.3.6.1.2.1.31.1.1.1.7.13
IF-MIB::ifHCInUcastPkts.13 = Counter64: 18446744073640561101
Workaround:
Further Problem Description:
|
|
Last Modified: | 31-MAY-2016 |
|
Known Affected Releases: | 15.3(3)M4, 15.5(3)M0.2 |
|
Known Fixed Releases: * | 15.6(2.17)T |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuy43787 | Title: | EHWIC-1GE-SFP auto media type is not working properly |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: An EHWIC-1GE-SFP containing a 1000baseT SFP may result in the link staying down/down and the configured speed/duplex being automatically changed.
Conditions: The EHWIC-1GE-SFP must not have a media type manually configured and the card must have a 1000baseT SFP installed along with a working ethernet connection on the builtin RJ45 port. The interface must be manually configured for 100/Full duplex. When the problem occurs (normally after a reboot) the running configuration will automatically change to 1000/Full and the link will stay down/down.
Workaround: Manually set the preferred media type using the command "media-type sfp" or "media-type RJ45".
Further Problem Description:
|
|
Last Modified: | 24-MAY-2016 |
|
Known Affected Releases: | 15.4(3)M |
|
Known Fixed Releases: * | 15.5(3)M2.1, 15.6(1)T1.1, 15.6(2.12.1a)T0, 15.6(2.3)T |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw10370 | Title: | Router with ISM module crash when crypto enabled interface goes down |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Router with ISM module crashes when crypto enabled interface goes down
Conditions: Routers with ISM modules installed
Workaround: No Workaround Available
Further Problem Description:
|
|
Last Modified: | 05-MAY-2016 |
|
Known Affected Releases: | 15.2(4)M |
|
Known Fixed Releases: * | 15.5(3)M2.1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus52771 | Title: | ISR G2:PA-3-PA_INIT_FAILED appears when bootup if securityk9 intsalled |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: * | Symptom: The message below appears when the box boots up:
%PA-3-PA_INIT_FAILED: Performance Agent failed to initialize (Missing Data and APPX License)
Conditions:
1. securityk9 license is installed, AND
2. 15.4T/M is used.
3. Also seen on 15.5(3)M.
If 15.3T/M or older is used, this doesn't happen.
Workaround: Activate the datak9 license (it need not be permanent; an evaluation license works):
license boot module technology-package datak9
Further Problem Description: This is just a cosmetic issue with no impact on the system.
|
|
Last Modified: | 12-MAY-2016 |
|
Known Affected Releases: | 15.4(1)T1, 15.4(3)M, 15.5(1)T |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuz49319 | Title: | Re-visit the CERM algorithm for micro-burst traffic on ISR-G2 |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Short-term bursts resulting in %CERM-4-RX_BW_LIMIT: Errors
Customers are seeking better ways of preventing these errors from being logged due to short-term bursts, especially in GETVPN environments (collective inbound IPSec/ESP traffic on WAN from different GMs).
Conditions: NA
Workaround: HSEC-k9 license
Further Problem Description:
|
|
Last Modified: | 03-MAY-2016 |
|
Known Affected Releases: | n/a |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtq76509 | Title: | Dynamic perf mon should be supported on crypto enabled interfaces |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom: Dynamic perf mon should be supported in crypto enabled interfaces like GETVPN deployments
Conditions: Mediatrace stats do not traverse from end to end in GETVPN deployments
Workaround: None in GETVPN deployments |
|
Last Modified: | 03-MAY-2016 |
|
Known Affected Releases: * | 15.1(4)M |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo30300 | Title: | 3945E: Cos-inner marking is not implied on egress in 3945e for QinQ tags |
|
Status: | Other |
|
Severity: | 6 Enhancement |
Description: * | Symptom: All the traffic towards the network is marked as best effort, so none of the queues are used, causing severe damage to priority traffic.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 05-MAY-2016 |
|
Known Affected Releases: | 15.4(1)T1 |
|
Known Fixed Releases: | |
|
|
| |