| |
|
Alert Type: | Updated * |
Bug Id: | CSCtc59429 | Title: | Crafted GRE packet may cause FP of ASR1K series to crash. |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Description: * | Symptom: Crash of the Forwarding Processor in Cisco ASR 1000 Series Aggregation Services Routers.
Conditions: Device is configured with at least one GRE Tunnel, and receives a specially crafted GRE packet matching the source and destination addresses of the tunnel interface.
Workaround: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score.
The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: http://tools.cisco.com/security/center/cvssCalculator.x?vector=&version=2.0 dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
CVE ID CVE-2011-1633 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XNC, 12.2(33)XND, 12.2(33)XNE |
|
Known Fixed Releases: | 12.2(33)XND2, 12.2(33)XNE |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup30335 | Title: | ASR1K CPP crash due to oversized egress packet with OTV |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Description: * | Symptoms:
A vulnerability in OTV processing code of Cisco IOS XE could allow an unauthenticated, adjacent attacker to cause a reload of the affected device.
The vulnerability is due to improper processing of oversized OTV frames passing through an affected device. An attacker could exploit this vulnerability by sending a number of packets that are processed as oversized OTV frames that may require fragmentation and reassembly by an affected device. An exploit could allow the attacker to cause a reload of the affected device.
Conditions: This has been seen on two ASR1002-X's running IOS-XE 03.10.01.S. Crash was seen when passing large packets across an OTV topology.
Workaround: Limit oversize packets across overlay topology.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID CVE-2015-0710 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S1 |
|
Known Fixed Releases: | 15.3(3)S4, 15.4(1)S3, 15.4(2)S1, 15.4(3)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup37676 | Title: | OTV jumbo packet fragmentation and reassembly causes ASR1K CPP crash |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Description: * | Symptoms:
A vulnerability in OTV processing code of Cisco IOS XE could allow an unauthenticated, adjacent attacker to cause a reload of the affected device.
The vulnerability is due to improper processing of oversized OTV frames passing through an affected device. An attacker could exploit this vulnerability by sending a number of packets that are processed as oversized OTV frames that may require fragmentation and reassembly by an affected device. An exploit could allow the attacker to cause a reload of the affected device.
Conditions: This has been seen on two ASR1002-X's running IOS-XE 03.10.01.S. Crash was seen when passing large packets across an OTV topology.
Workaround: Limit oversize packets across overlay topology.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID CVE-2015-0710 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S1 |
|
Known Fixed Releases: | 15.3(3)S4, 15.4(1)S3, 15.4(2)S2, 15.4(3)S |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv66011 | Title: | ESP100: cpp_cp_svr crashed in function cpp_ess_ea_is_vsi_valid |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: ESP100 crashed in process cpp_cp_svr.
Conditions: Subscriber accounting accurate feature is enabled for IPoE session on ESP100. Clear IPoE session.
Workaround: Disable subscriber accounting accurate feature.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.5(1)S, 15.5(2)S, 15.5(3)S, 15.6(1)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu98660 | Title: | 4331: MMA record timestamp mismatch btw PI/PD, TC missing after 48 hours |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Some performance monitor records might be dropped silently on IOS during a longevity run.
Conditions: This happens on software platforms such as CSR1000v and USD during longevity testing, when the clock gets out of sync within a short interval between the control plane and the forwarding plane.
Workaround: No workaround
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S2.3, 15.5(2)S0.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj85993 | Title: | SBC RP2 crash when a preserved call is hold resume after a HA fail over |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: A Cisco ASR1006 (RP2) running Cisco IOS-XE Version: 03.07.04.S (asr1000rp2-adventerprisek9.03.07.04.S.152-4.S4) will crash after a recent High Availability (HA) fail-over event.
Conditions: High Availability (HA) fail-over is implemented with RP2 on the Cisco ASR. When a fail-over is initiated to the active RP2 module (for example by removing the active RP2 module), the ASR fails over fine, but once a hold resume is initiated on an existing call (that was preserved from the fail-over), the ASR reboots.
Workaround: The crash is not observed on IOS-XE version 03.07.03.S
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S4.5 |
|
Known Fixed Releases: * | 15.2(4)S4.8, 15.2(4)S5, 15.2(4)S6, 15.3(3)S2.9, 15.3(3)S3, 15.3(3)S4, 15.4(1)S0.1, 15.4(1)S0.2, 15.4(1)S0e, 15.4(1)S1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj50396 | Title: | Flow Exporter status goes inactive after RP switchover |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: The flow exporter status becomes inactive.
Conditions: This symptom occurs after an RP switchover while checking flow monitor information.
Workaround: There is no workaround.
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: * | 15.3(3)S, 15.4(1)S, 15.4(2)S |
|
Known Fixed Releases: * | 15.1(1)SY, 15.1(1)SY1, 15.1(1)SY2, 15.1(1)SY3, 15.1(1)SY4, 15.1(2)SY, 15.1(2)SY1, 15.1(2)SY2, 15.1(2)SY3, 15.1(2)SY4 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu54317 | Title: | Backout CSCur48133/CSCuu21225/CSCuu33633 from XE316 & mcp_dev |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: This DDTS is the backout of CSCur48133 and related commits from XE316.
Conditions: Due to timing issues introduced by CSCur48133 and related commits, the DDTS is backed out from XE316.
Workaround: None
Further Problem Description: The related issues will be fixed in mcp-dev, soaked, and then committed to throttles.
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S, 15.6(0.3)S, 15.6(1)S |
|
Known Fixed Releases: * | 15.5(2.21)S0.12, 15.5(2.21)S0.6, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN, 15.6(0.12)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu03930 | Title: | RPcrash while booting with 3.13.2IOSXE after SPA-4XCT3/DS0-V2 insertion |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: RP crash and core dump.
Conditions: Post SPA-4XCT3/DS0-V2 insertion with 3.13.2IOSXE image.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: * | 15.4(3)S3.2, 15.5(2)S0.9, 15.5(2)S1, 15.5(2)SN, 15.5(2.21)S0.12, 15.5(2.21)S0.5, 15.5(2.24)S, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCul35389 | Title: | 1RU: %SERVICES-3-NORESOLVE_ACTIVE causing occasional mcpcc-lc-ms crash |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The following error messages are observed with SPA reload:
Nov 26 2013 15:14:31.496 EST: %SERVICES-3-NORESOLVE_ACTIVE: SIP0: mcpcc-lc-ms: Error resolving active FRU: BINOS_FRU_RP
Nov 27 2013 17:31:42.464 EST: %SERVICES-3-NORESOLVE_ACTIVE: SIP0: mcpcc-lc-ms: Error resolving active FRU: BINOS_FRU_RP
The process mcpcc-lc-ms is held down and the SIP is reloaded.
Logs may also be flooded with these errors:
12/09 08:05:49.021 [bipc]: (note): Pending connection to server 10.0.1.0
12/09 08:05:49.488 [bipc]: (note): Pending connection to server 10.0.1.0
12/09 08:05:49.021 [bipc]: (note): Pending connection to server 10.0.1.0
12/09 08:05:49.488 [bipc]: (note): Pending connection to server 10.0.1.0
Conditions: Errors are observed when the SPA is reloaded.
Workaround: NA
Further Problem Description: The error messages are caused by IOS trying to establish a connection with a non-existing process on ASR1001. As a result of these error messages, a SIP reload (mcpcc) is observed. The issue is observed in XE311 (ASR1001 and possibly ASR1002-X).
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S, 15.4(2)S, 15.4(3)S, 16.0(0) |
|
Known Fixed Releases: * | 15.3(1)S1, 15.3(1)S1e, 15.3(1)S2, 15.4(1)S0.3, 15.4(1)S0e, 15.4(1)S1, 15.4(1)S2, 15.4(1)S3, 15.4(1.16)S, 15.4(2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur10311 | Title: | MAG does not accept PBA without GRE key during de-registration |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Cisco MAG (ASR1K & WLC) fails to delete the PMIPv6 user during De-registration. Cisco MAG includes GRE key Option in the PMIPv6 De-registration PBU message & also expects GRE key option to be present in PBA. When an LMA responds with PBA De-registration without GRE key, the user was not deleted at the MAG.
Conditions: This issue is seen only during User De-Registration.
Workaround: No Workaround
Further Problem Description: As per RFC 5845, section 4.2: If the mobile access gateway has successfully negotiated GRE encapsulation and exchanged the GRE keys with the local mobility anchor for a specific mobility session, the mobile access gateway SHOULD NOT include the GRE Key option in the de-registration Proxy Binding Update.
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.3(1)S, 15.5(2)T |
|
Known Fixed Releases: * | 15.5(1.14)S, 15.5(1.8)T, 15.5(2)S, 7.6(130.204), 8.0(106.1), 8.0(110.0), 8.0(110.10), 8.0(120.0), 8.1(10.203) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv91545 | Title: | ESP continuous crash on ASR1013 using 03.13.03.S.154-3.S3-ext.bin |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom: Crash
Conditions: when customer upgraded from asr1000rp2-adventerprisek9.03.11.02.S.154-1.S2-std to asr1000rp2-adventerprisek9.03.13.03.S.154-3.S3-ext.bi
Workaround: Removing the deny entries from the ACL used in ZBFW policy-map stops the ESP crash
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: * | 15.4(3)S, 15.4(3)S3.1 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur48133 | Title: | ATM 3xOC3 SPA failed to program with IFCFG_CMD_TIMEOUT error |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: IFCFGTIMEOUT and ProcClient hog messages are seen after 8-10 hours of router up time.
Conditions: The router is loaded with a large number of ATM SPAs (8 or more), a very high number of VCs is configured (~30K per slot), and continuous session churn is performed. After 8 - 10 hours, continuous IFCFGTIMEOUT messages are seen, which brings the card down.
Workaround: A shut followed by a no shut on a few interfaces brings the ATM card back up.
Another option is to configure a lesser scale (a lesser number of VCs) to avoid getting into this problem.
Further Problem Description: This problem is seen when a large number of VCs are configured on the router and there is continuous session churn (sessions are continuously brought down and up).
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S |
|
Known Fixed Releases: * | 15.5(2.21)S0.12, 15.5(2.21)S0.2, 15.5(2.23)S, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCta77008 | Title: | Crafted SIP packet causes Cisco IOS XE with NAT configured to crash. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Cisco ASR1000 may crash when configured with NAT.
Conditions: Device is configured with NAT. Receives a specially crafted SIP packet.
Workaround: None.
More Info: PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6271 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XND |
|
Known Fixed Releases: | 12.2(33)XND3, 12.2(33)XNE |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCtf87624 | Title: | ESP crash with VFR enabled |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Crash of the ASR1K ESP.
Conditions: Affects versions 2.x.x.
First complete fix in 3.1.2S-15.0(1)S2. (Related bugs: CSCtf87624, CSCte93229, CSCtd19103 and CSCti63623)
The device is vulnerable if running an affected version of Cisco IOS XE Software and is configured either with Cisco IOS Firewall or NAT for IP Address Conservation, and Virtual Fragment Reassembly (VFR) is enabled. Both these features automatically enable VFR.
Cisco IOS Firewall in Cisco IOS XE Software release 2.4 - 12.2(33)XND and earlier did not automatically enable VFR.
To determine if the Cisco IOS Firewall feature is configured, log into the device and issue the "show zone security" CLI command. If the output contains at least one interface under the "Member Interfaces" sections, then the device is configured with the Cisco IOS Firewall feature and has a zone member active on an interface. The following example shows a device configured with the Cisco IOS Firewall feature:
ASR1KRouter#show zone security
zone self
  Description: System defined zone
zone inside
  Description: ** Inside Network **
  Member Interfaces:
    FastEthernet1/0/0
zone outside
  Description: ** Outside Network **
  Member Interfaces:
    FastEthernet1/0/1
ASR1KRouter#
To determine if the NAT for IP Address Conservation feature is configured, log into the device and issue the "show running-config | include ip nat inside|ip nat outside" CLI command. If the output contains one or more ip nat configuration lines, then the device is configured with the NAT for IP Address Conservation feature. The following example shows a device configured with the NAT for IP Address Conservation feature:
ASR1KRouter#sh run | include ip nat inside|ip nat outside
 ip nat inside
 ip nat outside
ASR1KRouter#
To determine if the Cisco IOS XE Software device is configured with the VFR feature, log into the device and issue the "show ip virtual-reassembly" CLI command. If the output contains "Virtual Fragment Reassembly (VFR) is ENABLED" and the device is configured for either Cisco IOS Firewall feature or NAT for IP Address Conservation feature, then the device is vulnerable.
The following shows a device configured with VFR:
ASR1KRouter#show ip virtual-reassembly
GigabitEthernet0/2:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: OFF
   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:0
   Total reassembly timeout count:0
ASR1KRouter#
For more information on the VFR feature, consult the Security Configuration Guide: Securing the Data Plane, Cisco IOS XE Release 3S - Virtual Fragmentation Reassembly document at the following location: http://www.cisco.com/en/US/docs/ios/ios_xe/sec_data_plane/configuration/guide/sec_virt_frag_reassm_xe_ps11174_TSD_Products_Configuration_Guide_Chapter.html#wp1054311
Workaround: If the device is configured with either "Cisco IOS Firewall" or "NAT for IP Address Conservation" features, whilst VFR can be disabled it is not recommended as a workaround. Disabling VFR when configured with these features would only be recommended if seeing active exploitation to provide the means to upgrade the Cisco IOS XE Software.
Note: If VFR is disabled the device cannot identify the contents of the IP fragments nor can it gather port information from the
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XND2 |
|
Known Fixed Releases: | 15.1(1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup13502 | Title: | OTV FC: All FF MAC entry not downloaded to PD |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Intermittent connectivity loss between hosts at different OTV sites. Pinging from one host to the other more than 8 times restores connectivity for about 8-10 minutes. Packet captures show ARP request broadcasts from a host at one site not being received by the host at the other site for about 7-8s, and then suddenly starting to work.
This problem has a tendency to get worse over time, with more and more hosts being affected over the course of a week or two until connectivity between sites is essentially gone.
Additionally ARP requests both arriving from an Overlay interface or from the inside interface could be lost.
Conditions: ASR1K running 15.4 or 15.3 code, possibly earlier code, with OTV configured.
Workaround: Remove the EVC's involved from all interfaces and overlay interface. Wait for a minute. Then it is OK to reconfigure them back.
Statically configuring ARP entries on the hosts will work also.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.5(2)S |
|
Known Fixed Releases: * | 15.2(1)S, 15.2(1)S1, 15.2(2)SA, 15.2(2)SA1, 15.2(2)SA2, 15.2(2)SNI, 15.2(4)S1c, 15.2(4)S2, 15.2(4)S3, 15.2(4)S3a |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv94186 | Title: | SNMPWALK crash at ipsmIPSec_policyOfTunnel |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: * | Symptom: SNMPWALK crash at ipsmIPSec_policyOfTunnel
Conditions: SNMPWALK crash at ipsmIPSec_policyOfTunnel
Workaround: Configure SNMP view to exclude
snmp-server view iso included
snmp-server view ipSecPolMapTable excluded
snmp-server community view RO
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S4 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCta74749 | Title: | Crafted SIP packet causes Cisco IOS XE with NAT configured to crash. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Cisco ASR1000 may crash when configured with NAT.
Conditions: Device is configured with NAT. Receives a specially crafted SIP packet.
Workaround: None.
More Info: PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6271 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XND |
|
Known Fixed Releases: | 12.2(33)XND1, 12.2(33)XNE |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu76585 | Title: | ArgusX- Error with 32K VLAN - TDL msges not sent |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: With 32K VLANs configured on a single EPA - 10x10GE, TDL message failures are seen. This results in VLAN STATS failure.
Conditions: Without VLAN unlimited and with 32K VLANs (dot1q or QinQ) on a single subslot, some of the TDL messages related to VLAN stats are not exchanged between EZMAN and IOSCC. Hence some stats will not get updated for the VLANs.
Workaround: 1. Configure VLAN UNLIMITED on the subslot and then the 32K VLANs. 2. Configure the VLANs split across 2 slots, with 16K in bay 0 and 16K in bay 1.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu97977 | Title: | Pfrv2 load-balance not working with passive mode. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Traffic is not load-balancing in Outbound /Inbound direction while running PFRv2 with Internet Edge Solution.
Conditions: While running PFRv2 with Internet Edge Solution and load-balance with passive mode.
Workaround:
Further Problem Description: Customer is running Pfrv2 Internet Edge solution to load-balance Outbound and Inbound Traffic.
It seems that the new link-group algorithms do not work well for load-balance with passive mode.
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S2.2 |
|
Known Fixed Releases: * | 15.4(3)S3.10, 15.5(1)S2.12, 15.6(0.14)S |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCte93229 | Title: | ESP crash with VFR enabled |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Crash of the ASR1K ESP.
Conditions: Affects versions 2.x.x.
First complete fix in 3.1.2S-15.0(1)S2. (Related bugs: CSCtf87624, CSCte93229, CSCtd19103 and CSCti63623)
The device is vulnerable if running an affected version of Cisco IOS XE Software and is configured either with Cisco IOS Firewall or NAT for IP Address Conservation, and Virtual Fragment Reassembly (VFR) is enabled. Both these features automatically enable VFR.
Cisco IOS Firewall in Cisco IOS XE Software release 2.4 - 12.2(33)XND and earlier did not automatically enable VFR.
To determine if the Cisco IOS Firewall feature is configured, log into the device and issue the "show zone security" CLI command. If the output contains at least one interface under the "Member Interfaces" sections, then the device is configured with the Cisco IOS Firewall feature and has a zone member active on an interface. The following example shows a device configured with the Cisco IOS Firewall feature:
ASR1KRouter#show zone security
zone self
  Description: System defined zone
zone inside
  Description: ** Inside Network **
  Member Interfaces:
    FastEthernet1/0/0
zone outside
  Description: ** Outside Network **
  Member Interfaces:
    FastEthernet1/0/1
ASR1KRouter#
To determine if the NAT for IP Address Conservation feature is configured, log into the device and issue the "show running-config | include ip nat inside|ip nat outside" CLI command. If the output contains one or more ip nat configuration lines, then the device is configured with the NAT for IP Address Conservation feature. The following example shows a device configured with the NAT for IP Address Conservation feature:
ASR1KRouter#sh run | include ip nat inside|ip nat outside
 ip nat inside
 ip nat outside
ASR1KRouter#
To determine if the Cisco IOS XE Software device is configured with the VFR feature, log into the device and issue the "show ip virtual-reassembly" CLI command. If the output contains "Virtual Fragment Reassembly (VFR) is ENABLED" and the device is configured for either Cisco IOS Firewall feature or NAT for IP Address Conservation feature, then the device is vulnerable.
The following shows a device configured with VFR:
ASR1KRouter#show ip virtual-reassembly
GigabitEthernet0/2:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: OFF
   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:0
   Total reassembly timeout count:0
ASR1KRouter#
For more information on the VFR feature, consult the Security Configuration Guide: Securing the Data Plane, Cisco IOS XE Release 3S - Virtual Fragmentation Reassembly document at the following location: http://www.cisco.com/en/US/docs/ios/ios_xe/sec_data_plane/configuration/guide/sec_virt_frag_reassm_xe_ps11174_TSD_Products_Configuration_Guide_Chapter.html#wp1054311
Workaround: If the device is configured with either "Cisco IOS Firewall" or "NAT for IP Address Conservation" features, whilst VFR can be disabled it is not recommended as a workaround. Disabling VFR when configured with these features would only be recommended if seeing active exploitation to provide the means to upgrade the Cisco IOS XE Software.
Note: If VFR is disabled the device cannot identify the contents of the IP fragments nor can it gather port information from the
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.0(1)S |
|
Known Fixed Releases: | 12.2(33)XND4, 12.2(33)XNF1, 15.0(1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut52677 | Title: | %SERVICES-3-NORESOLVE_ACTIVE: SIP0: linux_iosd-image after RP switchover |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: %SERVICES-3-NORESOLVE_ACTIVE: SIP0: linux_iosd-image: Error resolving active FRU: BINOS_FRU_RP. This error message is seen.
Conditions: This issue is seen while doing sweep ping after doing RP switchover with latest MCP_DEV image.
Workaround:
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.5(2)S, 15.5(3)S |
|
Known Fixed Releases: * | 15.5(1)S2.12, 15.5(2)S0.4, 15.5(2)S1, 15.5(2)SN, 15.5(2.18)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsw95496 | Title: | Crafted L2TP packet causes Cisco IOS XE to crash |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Cisco ASR1000 may crash when processing a crafted L2TP packet.
Conditions: Device is configured to process L2TP packets.
Workaround: None.
More Info: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6267 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 12.2XN |
|
Known Fixed Releases: | 12.2(33)XNB3, 12.2(33)XNC, 3.9.0.6i.LC |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtd19103 | Title: | ESP crash with VFR enabled |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Crash of the ASR1K ESP.
Conditions: Affects versions 2.x.x.
First complete fix in 3.1.2S-15.0(1)S2. (Related bugs: CSCtf87624, CSCte93229, CSCtd19103 and CSCti63623)
The device is vulnerable if running an affected version of Cisco IOS XE Software and is configured either with Cisco IOS Firewall or NAT for IP Address Conservation, and Virtual Fragment Reassembly (VFR) is enabled. Both these features automatically enable VFR.
Cisco IOS Firewall in Cisco IOS XE Software release 2.4 - 12.2(33)XND and earlier did not automatically enable VFR.
To determine if the Cisco IOS Firewall feature is configured, log into the device and issue the "show zone security" CLI command. If the output contains at least one interface under the "Member Interfaces" sections, then the device is configured with the Cisco IOS Firewall feature and has a zone member active on an interface. The following example shows a device configured with the Cisco IOS Firewall feature:
ASR1KRouter#show zone security
zone self
  Description: System defined zone
zone inside
  Description: ** Inside Network **
  Member Interfaces:
    FastEthernet1/0/0
zone outside
  Description: ** Outside Network **
  Member Interfaces:
    FastEthernet1/0/1
ASR1KRouter#
To determine if the NAT for IP Address Conservation feature is configured, log into the device and issue the "show running-config | include ip nat inside|ip nat outside" CLI command. If the output contains one or more ip nat configuration lines, then the device is configured with the NAT for IP Address Conservation feature. The following example shows a device configured with the NAT for IP Address Conservation feature:
ASR1KRouter#sh run | include ip nat inside|ip nat outside
 ip nat inside
 ip nat outside
ASR1KRouter#
To determine if the Cisco IOS XE Software device is configured with the VFR feature, log into the device and issue the "show ip virtual-reassembly" CLI command. If the output contains "Virtual Fragment Reassembly (VFR) is ENABLED" and the device is configured for either Cisco IOS Firewall feature or NAT for IP Address Conservation feature, then the device is vulnerable.
The following shows a device configured with VFR:
ASR1KRouter#show ip virtual-reassembly
GigabitEthernet0/2:
   Virtual Fragment Reassembly (VFR) is ENABLED...
   Concurrent reassemblies (max-reassemblies): 16
   Fragments per reassembly (max-fragments): 32
   Reassembly timeout (timeout): 3 seconds
   Drop fragments: OFF
   Current reassembly count:0
   Current fragment count:0
   Total reassembly count:0
   Total reassembly timeout count:0
ASR1KRouter#
For more information on the VFR feature, consult the Security Configuration Guide: Securing the Data Plane, Cisco IOS XE Release 3S - Virtual Fragmentation Reassembly document at the following location: http://www.cisco.com/en/US/docs/ios/ios_xe/sec_data_plane/configuration/guide/sec_virt_frag_reassm_xe_ps11174_TSD_Products_Configuration_Guide_Chapter.html#wp1054311
Workaround: If the device is configured with either "Cisco IOS Firewall" or "NAT for IP Address Conservation" features, whilst VFR can be disabled it is not recommended as a workaround. Disabling VFR when configured with these features would only be recommended if seeing active exploitation to provide the means to upgrade the Cisco IOS XE Software.
Note: If VFR is disabled the device cannot identify the contents of the IP fragments nor can it gather port information from the
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XN |
|
Known Fixed Releases: | 12.2(33)XND3, 12.2(33)XNE, 12.2(33)XNE1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsv98555 | Title: | Crafted IPv6 packet can cause Cisco IOS XE to crash. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Cisco ASR1000 may crash when processing a crafted IPv6 packet.
Conditions: Device receives a specially crafted IPv6 packet. Device must have a configured IPv6 address.
Workaround: None.
More Info: PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6270 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XNC, 12.2XN |
|
Known Fixed Releases: | 12.2(33)XNB3, 12.2(33)XNC, 3.9.0.6i.LC |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv21984 | Title: | Fair-queue queue-limit force adjust after change queue-limit. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The fair-queue queue-limit is forcibly adjusted after the queue-limit is changed.
Conditions: When the queue-limit is changed, the fair-queue queue-limit is adjusted automatically even though the fair-queue queue-limit was configured manually.
2nd, apply a policy-map which has bandwidth remaining ratio at the last line.
policy-map test10
 class class-default
  fair-queue
  fair-queue queue-limit 64
  bandwidth remaining ratio 1
The fair-queue queue-limit becomes 16.
Workaround: Reconfigure the fair-queue queue-limit after changing the queue-limit.
Further Problem Description: none
|
|
Last Modified: | 30-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S |
|
Known Fixed Releases: * | 15.3(3)S6.4, 15.6(0.13)S |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv14195 | Title: | Chassis-X Need to have CPLD upgrade support in IOS for RP2 support |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: ASR1009-X and ASR1006-X will not work without the RP2 CPLD being upgraded. Only the RP2 CPLD is required to be upgraded despite messaging in other slots. The following failure error messages are a good example of what will be experienced:
%CMRP-3-FRU_CPLD_INCOMPATIBLE: R0/0: cmand: ASR1000-6TGE in slot 0 has been held in reset as its CPLD firmware version is incompatible with ASR1009-X changed state to up
mcp-6ru-25>
mcp-6ru-25>en
mcp-6ru-25#show plat
Chassis type: ASR1009-X
Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         ASR1000-6TGE        act_rp_cpld_incompatib00:04:32
1         ASR1000-SIP40       act_rp_cpld_incompatib00:04:32
2         ASR1000-SIP40       act_rp_cpld_incompatib00:04:32
R0        ASR1000-RP2         act_rp_cpld_incompatib00:04:32
F0        ASR1000-ESP160      act_rp_cpld_incompatib00:04:32
F1                            unknown               00:04:32
Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         N/A                 N/A
1         N/A                 N/A
2         N/A                 N/A
R0        10021901            15.4(2r)S
Conditions: The failure is specific to customer environments where an existing RP2 has not been upgraded to the latest CPLD to support the ASR1009-X or ASR1006-X. If the customer installs said RP2(s) into these chassis types, the symptoms indicated will occur. The new chassis will come with upgraded RP2s if ordered as part of a bundle.
Workaround: none
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv46022 | Title: | ArgusX:10G and 100G EPA show slow CRC |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
1. CRC errors are seen intermittently at a very slow rate on EPA-10x10GE and EPA-1x100GE.
2. EPA-10x10GE sends unknown type/Malformed packets.
Conditions:
1. On ASR1000-MIP100 with EPA-10x10GE and EPA-1x100GE running IOS-XE version 15.3(3)S.
2. The CRC issue is seen with extreme voltage variations combined with cold and hot temperatures. The issue is not seen with normal temperature/Voltage/Frequency.
3. Unknown / Malformed packets are seen on the 10G interface with multiple soft (via CLI) or multiple hard (Physical) EPA OIRs (online insertion and removal).
Workaround: None.
Further Problem Description: This issue will be fixed in IOS-XE version 15.3(3)S1
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: * | 15.6(0.15)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj44237 | Title: | GETVPN Suite-B OVERLAPPING IV RANGES: ACL changed back to initial ACL |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: With Suite-B configured, that is, esp-gcm / esp-gmac transform on a GETVPN Key Server (KS), Group Members (GM) will see the "*** SERIOUS ERROR: OVERLAPPING IV RANGES DETECTED ***" un-gated error message on the console when the following is done:
(1) GM registers to KS and downloads ACL1
(2) KS configures ACL2 which is a subset of ACL1
(3) KS issues "crypto gdoi ks rekey" & GM receives rekey successfully, downloading ACL2
(4) KS configures the original ACL1 again
(5) KS issues "crypto gdoi ks rekey" & the error message is seen on the GM
After this, the GM begins to re-register.
Conditions: Suite-B is configured, that is, esp-gcm / esp-gmac transform on a GETVPN Key Server (KS) with GMs registered.
The KS policy ACL is changed from ACL1 to ACL2 (where ACL2 is a subset of ACL1) & a rekey is sent from the KS using "crypto gdoi ks rekey".
The KS policy ACL is reset back from ACL2 to ACL1 & a rekey is sent from the KS using "crypto gdoi ks rekey".
Workaround: If a Key Server (KS) policy ACL1 must be changed to ACL2 & then changed back to the original ACL1 while Group Members (GM) have already registered and downloaded GETVPN Suite-B policy, that is, esp-gcm / esp-gmac transform, do one of the following:
1.) Wait for the TEKs of the original ACL1 to expire after the first rekey before changing back to the original ACL1.
2.) Issue "crypto gdoi ks rekey replace-now" instead of "crypto gdoi ks rekey" after changing back to the original ACL1.
3.) If the above two workarounds do not work, issue "clear crypto gdoi" on the GMs with the error or "clear crypto gdoi ks members now" on the KS to reset the entire group.
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.3(3)M, 15.3(3)S, 15.4(0.26)T0.1, 15.4(1)S, 15.4(1.4)T |
|
Known Fixed Releases: * | 15.1(2)IC66.3, 15.2(1)IC273.70, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(2)E, 15.2(2)E1, 15.2(2.2.70)ST, 15.2(2a)E1, 15.2(2b)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj66067 | Title: | ASR1001 - BGP Route-Server scale config causing low memory |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Router running out of memory after an upgrade to Cisco IOS Releases 15.3(1)S, 15.3(3)S, and 15.4(1)S.
Conditions: This symptom is observed when a huge number of route server contexts (approximately more than 700) are configured in the router.
Workaround: Perform the following workaround:
1.) Reduce the number of Route server contexts
2.) Downgrade the IOS version to 15.2(4)S or a lower release
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.3(1)S1, 15.3(3)S |
|
Known Fixed Releases: * | 15.2(1)IC273.12, 15.2(1)IC273.142, 15.2(1.1)PSR, 15.2(1.24)PSR, 15.2(2)E, 15.2(2)E1, 15.2(2)E2, 15.2(2.2.70)ST, 15.2(2a)E1, 15.2(2b)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut77070 | Title: | SPA-1xCHOC12/DS0 not supporting Framed E1 connections. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Framed E1 on SPA-1xCHOC12/DS0 is not coming up. The device is sending AIS to the remote node.
Conditions: The issue is with framed E1s. When unframed E1 is configured, the link comes up.
Workaround: No workaround
Further Problem Description: NA
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.1(3)S |
|
Known Fixed Releases: * | 15.4(3)S3.3, 15.5(1)S2.2, 15.5(2)S0.8, 15.5(2)S1, 15.5(2)SN, 15.5(2.21)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup75310 | Title: | XE3.13: CENT Color pending on datapath for DMVPN Tunnels after recreate |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The PfRv3 path Color gets stuck pending on the datapath after DMVPN tunnels are recreated; this causes all channels for this Path to be unable to activate at all.
Conditions: Remove DMVPN tunnels with PfRv3 configured, and configure them again.
Workaround: Power cycle of the border router to recover from this failure
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: * | 15.4(3)M1.1, 15.4(3)M2, 15.4(3)S1.8, 15.4(3)S2, 15.5(1)S0.7, 15.5(1)S1, 15.5(1)SN1, 15.5(1)T0.2, 15.5(1.18)S0.6, 15.5(1.18)T |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus86120 | Title: | RP1: CLI run slow in new XE313/XE314 image |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: A Cisco router that is rebooted may display the following logs repeatedly:
%PNP-6-HTTP_CONNECTING: PnP Discovery trying to connect to PnP server https://devicehelper.cisco.com/pnp/HELLO
%SYS-3-HARIKARI: Process Wait on Autoinstall top-level routine exited
Conditions: This happens at bootup under some conditions incorrectly.
Workaround: There is no workaround for the problem.
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.2(1)IC273.283, 15.4(3)S, 15.5(2)S |
|
Known Fixed Releases: * | 15.2(1)IC273.310, 15.2(1)SY0.4, 15.2(1)SY1, 15.2(2)ID101.131, 15.2(2)IE101.142, 15.2(3)E1, 15.2(4.0)ST, 15.4(3)M2.2, 15.4(3)M3, 15.4(3)M3.1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun62047 | Title: | ASR1k: Cleanup tracebacks seen while testing CEoP SPA-24CHT1-CE-ATM |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: '%IDBINDEX_SYNC-4-RESERVE' error message seen during subinterface creation with CEoP SPA-24CHT1-CE-ATM. Traceback also seen in Standby router.
%IOSXE_RP_DPIDB-3-IDXLOOKUPFAILED: Lookup of datapath IDB index from the database failed (swidb 74 + sub-number 1746602118)
Conditions: This happens only on HA router with sub-interface creation and after OIR of the CEoP SPA-24CHT1-CE-ATM.
Workaround: none.
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S, 15.5(1)S |
|
Known Fixed Releases: * | 15.3(3)S4.15, 15.3(3)S5, 15.4(2)S2.9, 15.4(2)S3, 15.4(3)S1.7, 15.4(3)S2, 15.5(1)S0.5, 15.5(1)S1, 15.5(1)SN1, 15.5(1.18)S0.2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus28745 | Title: | POS FRR issue with traffic loss around 1 sec instead of 50ms |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Traffic loss of around 1 sec.
Conditions: 1) "pos action b3-ber prdi" must be configured on one of the interfaces and path level B3 errors are introduced on that interface to such an extent that B3 TCA alarm is asserted. 2) POS FRR should be configured.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S3.1, 15.3(3)S3.10 |
|
Known Fixed Releases: * | 15.3(3)S5.1, 15.3(3)S6, 15.4(2)S2.15, 15.4(2)S3, 15.4(3)S2.1, 15.4(3)S3, 15.5(1)S0.10, 15.5(1)S1, 15.5(1)SN1, 15.5(1.18)S0.8 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur78381 | Title: | After a reboot of SPA-4XCT3/DS0, first 4 packet loss in channelized mode |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: This problem has two parts:
1. Either after a reboot of the chassis or a reset (soft-OIR) of the module/SPA, individual DS1s de-multiplexed out of SPA-4XCT3/DS0 stop passing traffic for 5-6 seconds immediately after the DS1 line protocol comes up.
2. After condition #1, traffic passes for a while (~half a minute), then traffic freezes again for 4-5 seconds on DS1 Serial interfaces, and then module operation normalizes and continues to work fine.
During the above problematic window, control-plane & PUNT traffic seems to be working fine, as we could see that:
1. Layer-2 connectivity is established and we did not observe any missed keepalives.
2. EIGRP adjacency comes up immediately as soon as the line protocol comes up.
Conditions: When SPA-4XCT3/DS0 is configured in channelized mode for de-multiplexing DS3 into multiple DS1s.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: * | 15.3(3)S4.16, 15.3(3)S5, 15.4(3)S1.12, 15.4(3)S2, 15.5(1)S0.7, 15.5(1)S1, 15.5(1)SN1, 15.5(1.18)S0.6, 15.5(2)S, 15.5(2)SN |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq66004 | Title: | Peer removed from mka's live peer list but macsec's Rx SC is not updated |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Number of MKA's live peers and macsec installed RX SC do not match.
Conditions: When a peer is offline, MKA's live peer list is updated but the macsec installed RX SC is not.
Workaround: No work-around
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: * | 15.5(1.18)S0.11, 15.5(2)S, 15.5(2)SN, 15.5(2.10)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut50228 | Title: | ASR1001-X ping loss with peer ASR1k at fixed speed 10M |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: ASR1001-X ping loss with peer ASR1k at fixed speed 10M and half-duplex
This issue is specific to ASR1001-X and will not be seen in ASR1001
Conditions: Only half-duplex can trigger this issue, when pinging with a big packet such as 1280, and it can be seen in the setups below:
1) ASR1001-X (0/0) <---> other ASR1k
2) ASR1002-X (0/0) <---> ASR1002-X (0/0)
3) ASR1002-X (0/0) <---> other ASR1k
For 1), this bug will fix it. For 2), the ASR1002-X 0/0 MAC does not support half-duplex in 10/100M. 3) is the same as 2).
Workaround: None
Further Problem Description: This issue is specific to ASR1001-X box with half-duplex in any other 1G ports of 0/0 "only"
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(2)S, 15.4(3)S2.1 |
|
Known Fixed Releases: * | 15.4(3)S2.16, 15.4(3)S3, 15.5(1)S1.1, 15.5(1)S2, 15.5(1)S2.1, 15.5(2)S0.8, 15.5(2)S1, 15.5(2)SN |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus46259 | Title: | ASR1k (ISG Radius-Proxy): Memory Leak after excessive client roaming |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The memory leak increases slowly during client roaming. That is, a client roams on a hotspot from Subnet A to B and receives a new IP address, the ISG (ASR1k with the radius-proxy feature enabled) creates a new session for the client, and the old session is deleted due to accounting stop.
Conditions: The Radius-Proxy feature is enabled on the ISG and clients are using EAP-SIM.
Workaround: None. Reboot the ASR1k once it has used up 3.5GB of memory; otherwise the box won't accept any further new sessions.
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S3, 15.4(3)S |
|
Known Fixed Releases: * | 15.4(3)S2.3, 15.4(3)S3, 15.5(1)S1.3, 15.5(1)S2, 15.5(1)S2.1, 15.5(1.18)S0.12, 15.5(2)S, 15.5(2)SN, 15.5(2.12)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur57035 | Title: | ASR 1k crash on __be_bfd_fib_nh_change_cb |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: IOS crash
Conditions: ASR running 15.3(1)S1 with bfd
Workaround: none at this time
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.3(1)S1 |
|
Known Fixed Releases: * | 15.3(3)S4.16, 15.3(3)S5, 15.4(3)M2.2, 15.4(3)M3, 15.4(3)M3.1, 15.4(3)S2.14, 15.4(3)S3, 15.5(1)S1.1, 15.5(1)S2, 15.5(1)S2.1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCul38081 | Title: | Pseudowire goes down when preffered path is removed and RP switchover |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: In a scaled environment, when a preferred path configuration is removed and this is followed by an RP switchover, the pseudowire interfaces go down. The pseudowire interface comes up if we add the preferred path or just remove and add the neighbor statement.
Conditions: This symptom is not observed under any specific conditions.
Workaround: There is no workaround.
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S |
|
Known Fixed Releases: * | 15.1(1)IC66.61, 15.1(1)ICB29.36, 15.2(1.24)PSR, 15.2(2)E, 15.2(2)E1, 15.2(2.2.70)ST, 15.2(2a)E1, 15.2(2b)E, 15.2(3)E, 15.2(4.0)ST |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut68925 | Title: | Crash seen in QOS when policy-map without child or turbo svc is used |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Issue happens when there is no child policy attached to the parent policy and the get_bw api is called.
Conditions: same as symptoms
Workaround: no work around
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: * | 15.5(2.19)T, 15.5(2.21)S0.12, 15.5(2.21)S0.4, 15.5(2.22)S, 15.5(3)S, 15.5(3)S0a, 16.1(0.237) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq86382 | Title: | FLEXVPN IKEv2 auto reconnect | virtual-access | VRF lost | anyconnect |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: ASR/FLEXVPN ANYCONNECT
Conditions: On client side, AnyConnect is used. Pings are sent in the VPN during all the tests.
The reconnect feature is activated with timeout = 600
An outage is simulated by blackholing the traffic on an intermediate router: the source IP and the destination IP are sent to null 0. When doing this, the client starts the reconnect process and the PE brings the Virtual-Access interface after a short period.
If the connectivity is restored before the Vi interface goes down, the reconnect feature works fine. If the connectivity is restored after the Vi interface goes down, the client reconnects but something is broken in the installation of the route into the VRF. As a result, the VPN is up but the client connectivity is still down.
Workaround: NONE
Further Problem Description: NONE
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: * | 15.2(1)SY1.13, 15.2(4.0)ST, 15.2(4.0.21)E, 15.2(5.0)ST, 15.4(3)M0.3, 15.4(3)M1, 15.4(3)S0.8, 15.4(3)S1, 15.4(3)S2, 15.4(3)SN1a |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut14502 | Title: | Address pool leak upon Anyconnect reconnect and subsequent disconnect |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: ASR1K acting as an IKEv2 VPN server experiences an address pool leak when we have local address pools configured with the group parameter. The issue is seen upon AnyConnect auto-reconnect and subsequent disconnect (the disconnect being a graceful one).
Conditions: Issue first found on ASR1K running 3.13 and 3.14 codes. The important thing is the group parameter in the address pool being used. The format of this is:
ip local pool pool1 x.x.x.x y.y.y.y group V1
Workaround: Reload the router
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S1.1 |
|
Known Fixed Releases: * | 15.2(4.0)ST, 15.2(4.0.21)E, 15.4(3)M3.1, 15.4(3)S3.5, 15.5(1.18)S0.16, 15.5(2)S, 15.5(2)SN, 15.5(2)T1, 15.5(2.15)S, 15.5(2.23)T |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun13772 | Title: | NHRP: CPUHOGs seen when many child entries expire simultaneously |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: CPUHOG messages and watchdog timeout crashes are observed on an ASR1000 series router running DMVPN.
Conditions: This has been observed on a router with a very large NHRP table (10-20k individual entries) with a very high number (thousands) of child entries per parent entry.
Workaround: Reduce the number of child entries per parent entry through the use of supernetting.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S1 |
|
Known Fixed Releases: * | 15.2(1)SY1.13, 15.2(4.0)ST, 15.2(4.0.21)E, 15.2(5.0)ST, 15.3(3)M4.1, 15.3(3)M5, 15.3(3)S4.10, 15.3(3)S5, 15.4(2.17)S0.7, 15.4(3)M0.3 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtl92036 | Title: | FP crash observed @ ipv4_tunnel_compare_hash_bucket |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom:
FP crash observed on ASR1K when enabling tunnel checksum cli under the dmvpn tunnel interface.
Conditions:
DMVPN phase 3 network protected with gdoi with hub or spoke as ASR1K
Traffic (unicast and multicast flowing)
Tunnel checksum configuration under the dmvpn tunnel interface.
Workaround:
Removing the Tunnel checksum command avoids the fp crashes.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 12.2(33.1), 15.1(2)S |
|
Known Fixed Releases: | 15.0(1)S4, 15.1(2)S1, 15.1(3)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtr56576 | Title: | QFP crash w *GTRMP_GTR_OTHER_LEAF_INT_INT_SDMA_REGULAR_SW_ERR* du to QOS |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptoms: Cisco ASR 1000 may experience a QFP crash pointing to fragmentation/reassembly of packets if a QOS input or output service policy is configured.
Conditions: QOS (service-policy), a service-policy configured with "class-default" only, or only 1 of the following match filters: "match ip precedence", "match ip dscp", "match vlan", or "match mpls exp"
Workaround: Remove service-policy applied to interface, or add an additional "dummy" class-map to the policy-map using a different match filter type. Example, if the policy-map has configured only "match ip prec", then add an extra "dummy" class-map that will match on an unused vlan id, or an unused qos-group.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-4007 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 15.1(2)S |
|
Known Fixed Releases: | 15.1(2)S2, 15.1(3)S1, 15.2(1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsv87997 | Title: | DHCPv6 relay: IOSd crash on Active RP |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: DHCPv6 relay process crash on Active RP.
Conditions: Unknown at this time.
Workaround: Unknown at this time. |
|
Last Modified: | 07-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XNB |
|
Known Fixed Releases: * | 12.2(32.8.11)SR179, 12.2(32.8.6)REC177, 12.2(32.8.6)REE177, 12.2(33)CX, 12.2(33)IRF, 12.2(33)IRG, 12.2(33)MRA, 12.2(33)SB14, 12.2(33)SB15, 12.2(33)SB16 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCte89787 | Title: | Segment Switch manager Error followed by crash at 'sw_mgr_sm_cm_send_msg |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: A Cisco ASR 1000 crashes after the Segment Switch Manager (SSM) reports that an invalid segment has been detected:
%SW_MGR-3-INVALID_SEGMENT: Segment Switch Manager Error - Invalid segment - no segment class.
The crash follows this message.
Conditions: The symptom is observed on a Cisco ASR 1002 that is running Cisco IOS Release 12.2(33)XND1. The crash is caused by a NULL pointer de-reference following the "no segment class" error. The error itself is not fatal and the crash should have been avoided.
Workaround: There is no workaround.
|
|
Last Modified: | 07-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XND |
|
Known Fixed Releases: * | 12.2(32.8.11)SX349, 12.2(33)SXI10, 12.2(33)SXI11, 12.2(33)SXI12, 12.2(33)SXI13, 12.2(33)SXI14, 12.2(33)SXI4, 12.2(33)SXI6, 12.2(33)SXI8a, 12.2(33)SXJ |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtb01505 | Title: | Router crashes with ospf_build_net_lsa |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: A Cisco router may crash when building an OSPF Network LSA.
Conditions: This symptom is observed while unconfiguring ospf configurations.
Workaround: There is no workaround.
|
|
Last Modified: | 07-AUG-2015 |
|
Known Affected Releases: | 12.2(33)SXH, 12.2(33)XND, 15.0(1)M |
|
Known Fixed Releases: * | 12.2(32.8.11)SX300, 12.2(32.8.11)XJC273.18, 12.2(32.8.29)REC186, 12.2(33.1.6)XNE, 12.2(33.1.8)MCP6, 12.4(24.6)M0.3, 15.0(1)SY, 15.0(2.26)DPB1.47, 15.0(4.4)DPB1, 15.1(0.3)T |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCum88382 | Title: | BFD session not established upon RP Switchover and back |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: BFD session not established upon RP Switchover and back.
Conditions: This symptom is observed during RP switchover and switchback.
Workaround: There is no workaround.
|
|
Last Modified: | 08-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S |
|
Known Fixed Releases: * | 15.2(1.30)PSR, 15.2(2)E, 15.2(2)E1, 15.2(2)EA1.1, 15.2(2.2.32)EA, 15.2(2.2.70)ST, 15.2(2a)E1, 15.2(2b)E, 15.2(3)E, 15.2(4.0)ST |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtu14409 | Title: | Not able to update a policy with priority to pri + police |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: The "Insufficient bandwidth 2015 kbps for bandwidth guarantee" error message is displayed when configuring a policy map with "priority level xxx" and then updating it with "police cir xxx".
Conditions: This symptom occurs when the priority is configured without a specific rate. This issue is only seen with a Cisco ASR 1000 series router.
Workaround: Configure police before priority.
|
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.2(2)S |
|
Known Fixed Releases: * | 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EX0.5, 15.2(1)EY, 15.2(1.18)S0.10, 15.2(2)E, 15.2(2)E1, 15.2(2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtd43841 | Title: | Framed-IPv6-Prefix attribute sent twice in Accounting Stop |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: Two framed-ipv6-prefix attributes are present in accounting stop when the following CLIs are enabled:
- aaa accounting include authprofile framed-ip-address
- aaa accounting include authprofile framed-ipv6-prefix
- aaa accounting include authprofile delegated-ipv6-prefix
Conditions: This symptom occurs when the above-mentioned CLIs are needed when all the following three conditions are met:
1. A dual stack server is present.
2. "aaa accounting delay-start" is configured.
3. Either ipv4 or ipv6 negotiation fails.
These CLIs are needed to include the IPv4 and IPv6 attributes in the accounting record sent. Only in such a scenario, framed-ipv6-prefix may be present twice in accounting records.
Workaround: On a dual stack server with "aaa accounting delay-start" configured, ensure that both IPv4 and IPv6 negotiation are successful for the accounting records to be sent. In such cases, you need not include the above-mentioned CLIs.
|
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 12.2XN |
|
Known Fixed Releases: * | 12.2(33)XNE1, 12.2(33)XNF, 12.2(33.1.1)XNF1, 12.2(33.1.18)XNE, 12.2(33.1.9)XNF, 15.0(2)EA, 15.0(2)EB, 15.0(2)EC, 15.0(2)ED, 15.0(2)EH |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtr59314 | Title: | ASR: DVTI ikev2 headend crashes for clear crypto session |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: A router reloads when the clear crypto session command is issued with 4000 sessions up.
Conditions: This symptom is observed only under load conditions.
Workaround: There is no workaround. |
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S |
|
Known Fixed Releases: * | 15.0(2)EA, 15.0(2)EB, 15.0(2)EC, 15.0(2)ED, 15.0(2)EH, 15.0(2)EK, 15.0(2)EK1, 15.0(2)EY, 15.0(2)EY1, 15.0(2)EY2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtt35936 | Title: | RLS3.4 EIGRP route updates are not sent to DMVPN spokes |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: EIGRP route updates are not sent to DMVPN spokes. The show ip eigrp inter command output shows pending routes in interface Q, which remains constant. The show ip eigrp int deta command output shows that the next sequence number of the interface remains the same (does not advance).
Conditions: This symptom occurs when EIGRP session flapped, resulting in routes being withdrawn and restored.
Workaround: Add a static route on any spoke that kicks out EIGRP learned routes from the RIB table; this will again kick the interface on the HUB.
|
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.1(3)S1 |
|
Known Fixed Releases: * | 15.0(1)IA273.167, 15.1(1)SY, 15.1(1)SY1, 15.1(1)SY2, 15.1(1)SY3, 15.1(1)SY4, 15.1(2)SY, 15.1(2)SY1, 15.1(2)SY2, 15.1(2)SY3 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtu43731 | Title: | Watchdog fires taking down RP on ISSU event with 4000 DVTI sessions |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: On an RP1, RP switchover causes an RP reset.
Conditions: This symptom is observed with RP switchover under the following conditions:
- The router must be an RP1
- The configuration of Flexible NetFlow (FNF) or equivalent must be applied to 4000 or more interfaces. In this case of testing, 4000 DVTI interfaces were in use.
An equivalent of FNF is AVC or passive Video Monitoring. That is, those configured on a comparable number of interfaces will have the same effect.
Workaround 1: Prior to doing a controlled switchover, such as ISSU, deconfigure FNF from some interfaces to take it well under the threshold at which the issue can occur.
Workaround 2: Do not enable FNF monitoring.
|
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S |
|
Known Fixed Releases: * | 12.2(58)EZ, 12.2(58)SE1, 12.2(58)SE2, 12.2(60)EZ, 12.2(60)EZ1, 12.2(60)EZ2, 12.2(60)EZ3, 12.2(60)EZ4, 12.2(60)EZ5, 15.0(1)EY2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtr29831 | Title: | ASR1000-WATCHDOG: Process = SXP CORE when adding 1k sxp connection |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: SXP cored.
Conditions: When bringing up 1000 SXP connections.
Workaround: None |
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.1(3)S |
|
Known Fixed Releases: * | 15.0(1)SY1, 15.0(1)SY2, 15.0(1)SY3, 15.0(1)SY4, 15.0(1)SY5, 15.0(1)SY6, 15.0(1)SY7, 15.0(1)SY7a, 15.0(1.9)AWD, 15.0(10.32)EMW |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtt18689 | Title: | SPA goes offline with AVC config on physical interface |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: SPAs with AVC configs do not boot up.
Conditions: AVC config has to be saved to NVRAM and then the router brought up. SPAs with interfaces having AVC config do not boot up.
Workaround: Apply AVC config after the router is up. Do not save the AVC config onto NVRAM and then bring up the router. |
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S |
|
Known Fixed Releases: * | 15.0(1.1)AWD, 15.0(10.32)EMW, 15.2(0.18)S0.8, 15.2(1)S, 15.2(1)S1, 15.2(1.1)PSR, 15.2(1.14)T0.4, 15.2(1.18)S0.9, 15.2(2)GC, 15.2(2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCts42154 | Title: | ASR Fails to Register after the Initial Attempt Failing |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: After the Cisco IOS ASR 1006 router is reloaded, it fails to reregister to the key server. From the debugs, it is observed that the attempt to register is generated too early before the GDOI is ON. This registration attempt is made before the interface, through which GDOI registration traffic with the key server passes, goes to the UP state.
Conditions: This symptom is observed on a Cisco IOS ASR 1006 router that runs Cisco IOS Release 15.0(1)S2 and Cisco IOS Release 15.0(1)S3.
Workaround: Use the clear crypto gdoi command to fix this issue. |
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.0(1)S2, 15.0(1)S3 |
|
Known Fixed Releases: * | 15.0(2)EA, 15.0(2)EB, 15.0(2)EC, 15.0(2)ED, 15.0(2)EH, 15.0(2)EJ, 15.0(2)EJ1, 15.0(2)EK, 15.0(2)EK1, 15.0(2)EX |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtx41296 | Title: | xe35:memory leak @ be_variable_chunk_malloc_internal |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: When you do a clear crypto session in 4k flexVPN cases, the memory of crypto IKEv2 shows that it is increasing.
Conditions: The symptom is observed with session flapping.
Workaround: There is no workaround.
|
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S |
|
Known Fixed Releases: * | 15.0(2)EA, 15.0(2)EB, 15.0(2)EC, 15.0(2)ED, 15.0(2)EH, 15.0(2)EJ, 15.0(2)EJ1, 15.0(2)EK, 15.0(2)EK1, 15.0(2)EX |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtz77171 | Title: | Subscriber drops not reported in mod4 accounting |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: Subscriber drops are not reported in mod4 accounting.
Conditions: This symptom is observed on checking policy-map interface for account QoS statistics on a port-channel subinterface.
Workaround: There is no workaround.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(3)S |
|
Known Fixed Releases: * | 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EX0.5, 15.2(1)EY, 15.2(2)E, 15.2(2)S1.5, 15.2(2)S2, 15.2(2.19)S0.7 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtw50952 | Title: | ASR crashes due to memory exhaustion after issuing "clear ip ospf" |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: A Cisco ASR series router crashes due to memory exhaustion after issuing the clear ip ospf command. This symptom was not observed before issuing this command.
ACC-CDC-NET-Pri#sh mem stat
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   30097008  1740862372   279628560  1461233812  1460477804  1453167736
lsmpi_io    97DD61D0     6295088     6294120         968         968         968
Conditions: This symptom is observed upon executing the clear ip ospf command, which causes tunnel interfaces to flap.
Workaround: There is no workaround.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.1(3)S |
|
Known Fixed Releases: * | 15.1(1)SY, 15.1(1)SY1, 15.1(1)SY2, 15.1(1)SY3, 15.1(1)SY4, 15.1(2)SY, 15.1(2)SY1, 15.1(2)SY2, 15.1(2)SY3, 15.1(2)SY4 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtz90154 | Title: | GETVPN rapid re-registration after ipsec failure during registration |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: Rapid getVPN re-registration by GM when IPsec failure occurs during initial registration. Multiple ISAKMP SAs created and deleted per second.
Conditions: The symptom is observed on a Cisco ASR 1000 that is running Cisco IOS Release 15.2(1)S or Release 15.2(1)S2 as a GM.
Workaround: There is no workaround.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S, 15.2(1)S2 |
|
Known Fixed Releases: * | 15.1(1)SY, 15.1(1)SY1, 15.1(1)SY2, 15.1(2)SY, 15.2(2)S1.4, 15.2(2)S2, 15.2(2.19)S0.6, 15.2(2.19)S0.7, 15.2(2.2.70)ST, 15.2(3)GC1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua06476 | Title: | clear crypto sa vrf re-registers GM irrespective of their data plane VRF |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: When "clear crypto sa vrf" is executed to clear a non-GETVPN SA, there is an attempt to reregister the GETVPN group members irrespective of their data plane VRF.
Conditions: This symptom occurs when "clear crypto sa vrf" is executed to clear a non-GETVPN SA, and there is an attempt to reregister the GETVPN group members irrespective of their data plane VRF.
Workaround: There is no workaround. |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(3.13)T |
|
Known Fixed Releases: * | 15.1(2)IC66.3, 15.2(1)IC273.70, 15.2(1)ICA4.30, 15.2(1.2.3)PI22, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(2)E, 15.2(2.2.70)ST, 15.2(2b)E, 15.2(4.0)ST |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtt45654 | Title: | Virtual-Access is not deleted when tear down ipsec session |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: In a DVTI IPSec + NAT-t scaling case, when doing session flapping continually, several Virtual-Access interfaces are "protocol down" and are not deleted.
Conditions: This symptom can be observed in a DVTI IPSec + NAT-t scenario when session flapping is done in the spoke side.
Workaround: There is no workaround.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S |
|
Known Fixed Releases: * | 15.0(5.2)DPB35, 15.0(5.28)SID, 15.1(1)SG5.222, 15.1(1)SG5.223, 15.1(1)SG5.224, 15.1(1)SY, 15.1(2)SG1.90, 15.1(2)SIV11.1, 15.1(2)STV11.1, 15.1(2)SY |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub04345 | Title: | Memory leak after applying ip sla path-echo and path-jitter config |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: ASR-1002-X freezes after four hours with a scaled "path-jitter" sla probe configuration.
Conditions: The symptom is observed with scaled "path-jitter" sla probe configuration.
Workaround: There is no workaround.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(4)M, 15.3(1)S, 15.3(1)T |
|
Known Fixed Releases: * | 12.2(58)EZ, 12.2(60)EZ, 12.2(60)EZ1, 12.2(60)EZ2, 12.2(60)EZ3, 12.2(60)EZ4, 12.2(60)EZ5, 12.2(60)EZ6, 15.0(5.0)SG1, 15.0(5.0.26)SG |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCud13768 | Title: | RP crashed while trying to verify UDP-JITTER in IP SLAs vrf-lite |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: RP crashes while trying to verify UDP-JITTER in IP SLAs VRF-lite.
Conditions: This symptom occurs while trying to verify IP SLAs UDP Jitter operation.
Workaround: There is no workaround.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.3(2)S |
|
Known Fixed Releases: * | 12.2(60)EZ4, 12.2(60)EZ5, 12.2(60)EZ6, 15.1(1)ICA4.122, 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EY, 15.2(1)IC273.5 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub99778 | Title: | ASR1K GETVPN GM does not attempt registration after reload interface up |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: The Cisco ASR 1000 router being GM in a Get VPN deployment fails to start GDOI registration after a reload.
Conditions: This symptom occurs when running Cisco IOS Release 15.2(4)S. The following error is displayed in the show crypto gdoi command output after reload.
Registration status : Not initialized
Workaround: Use an EEM script to issue "clear crypto gdoi" some time after boot time or issue this manually.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S |
|
Known Fixed Releases: * | 15.1(1)SY0.1, 15.1(1)SY1, 15.1(1)SY1.32, 15.1(1)SY1.55, 15.1(1)SY1.57, 15.1(1)SY2, 15.1(1)SY3, 15.1(1)SY4, 15.1(2)SY, 15.1(2)SY1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc47399 | Title: | IKEv2-Accounting Wrong values in STOP Records when locally cleared |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: IKEv2 STOP Accounting records show wrong counters for packets/octets, when the sessions are locally cleared using "clear crypto sa" or "clear crypto session" on ASR1K.
Conditions: This symptom is observed with latest Cisco IOS XE Release 3.8S images when IKEV2-Accounting is enabled. This issue is easily reproducible with a single session, and may be service impacting as STOP Accounting records are usually used for billing purposes.
Workaround: The STOP records reflect the right counters when the disconnect is through the remote-end. |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S, 15.3(2)S |
|
Known Fixed Releases: * | 15.1(1)SY0.1, 15.1(1)SY1, 15.1(1)SY1.32, 15.1(1)SY1.55, 15.1(1)SY1.57, 15.1(1)SY2, 15.1(1)SY3, 15.1(1)SY4, 15.1(2)SY, 15.1(2)SY1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc46827 | Title: | RP crash at __be_NetworkInterface_setAddressIDL on unsetting IP address |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: There is an RP crash at __be_NetworkInterface_setAddressIDL.
Conditions: This symptom occurs when an interface IP address is removed through OnePk API.
Workaround: Use CLI to resolve the issue. |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.3(1)S |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)IC273.5, 15.2(2.4.11)EA, 15.2(2.6.89)EA, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(1.10)T, 15.3(1.13.1)PIH21, 15.3(2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua56184 | Title: | RP crashes during flexvpn longevity after multiple RP switchovers |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: Multiple RP switchovers occur within a very short span of time.
Conditions: The symptom is observed with multiple RP switchovers on a Cisco ASR 1000 router and it fails to allocate an IPsec SPI.
Workaround: There is no workaround.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S |
|
Known Fixed Releases: * | 15.1(1)SY, 15.1(1)SY1, 15.1(1)SY2, 15.1(1)SY3, 15.1(1)SY4, 15.1(2)SY, 15.1(2)SY1, 15.1(2)SY2, 15.1(2)SY3, 15.1(2)SY4 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj71234 | Title: | FP100: %QFPOOR-4-LOWRSRC_PERCENT error observed on XE-311 (10/08). |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Tracebacks with the following signature "%QFPOOR-4-LOWRSRC_PERCENT" are seen on the console with negative percentage complaining of resource depletion.
Conditions: These tracebacks are usually seen on a clean-up operation performed on a router, i.e., manual removal of all configs. But it is not limited to this operation and could be seen with router configuration as well.
Workaround: None.
Further Problem Description: Error messages with "-ve" percentage values of resource depletion are incorrectly being printed on the console. It's safe to ignore them as the router is not under any duress. Moreover these traces don't cause any operational impact.
It should be noted, however, that if such tracebacks are reported with "+ve" percentage values of resource depletion, then it's an altogether different issue. In such a case, the system may be under duress, and inspection of the router configs and its operational state is required.
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S, 15.4(1)S, 15.4(2)S |
|
Known Fixed Releases: * | 15.3(3)S2, 15.3(3)S2a, 15.3(3)S2t, 15.4(1)S1, 15.4(3)S, 15.5(1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo36917 | Title: | XE3.12 DPSS : CFT returns out of memory error under load |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: When handling greater than 50000 concurrent flows, the following error is seen by dpss_mp:
src/main/onep_dpss_engine.c:1482: cft_handle_packet() returned error [2]:out of memory
Packets associated with flows greater than 50000 do not have the flow action applied and are returned to the router without being sent to the onePK application.
Conditions:
- ASR 1000 platform running IOS XE
- More than 50000 uni-directional flows established
Workaround: None
Further Problem Description:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.4(2)S, 15.4(3)S |
|
Known Fixed Releases: * | 15.2(1)IC273.212, 15.2(3)E1, 15.2(4.0)ST, 15.2(5.0)ST, 15.5(1)S0.7, 15.5(1)S1, 15.5(1)SN1, 15.5(1.18)S0.5, 15.5(1.8)T, 15.5(2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCue69214 | Title: | Memory leak @__be_fmd_get_if_fn_buffer on removing MLPPP |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Memory leaks are seen in the metadata after removing a virtual interface.
Conditions: This symptom occurs after removing a virtual interface, if metadata is enabled.
Workaround: There is no workaround.
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.3(2)S |
|
Known Fixed Releases: * | 15.1(1)IB273.63, 15.1(1)SY1.21, 15.1(1)SY1.32, 15.1(1)SY1.55, 15.1(1)SY1.57, 15.1(1)SY2, 15.1(1)SY3, 15.1(1)SY4, 15.1(2)SY, 15.1(2)SY1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus43594 | Title: | rp crash when cleanup vpls scale configuration |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | RP crashed when doing config replace with a cleanup config.
Symptom:
Conditions: Scale vpls bgp signaling config.
Workaround: No.
Further Problem Description:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: * | 15.3(3)S5.1, 15.3(3)S6, 15.4(3)M2.1, 15.4(3)M3, 15.4(3)M3.1, 15.4(3)S2.1, 15.4(3)S3, 15.5(1)S0.10, 15.5(1)S1, 15.5(1)SN1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCug37196 | Title: | BFD: Crash observed @__be_bfd_interface_command during basic test |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Execution of "no bfd interval" under an interface results in a router crash.
Conditions: Basic usage of the BFD template on an interface followed by the execution of the "no bfd interval" results in a router crash.
Workaround: There is no workaround.
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S |
|
Known Fixed Releases: * | 12.2(33)SCI, 15.1(1)IC66.49, 15.1(1)ICB29.21, 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EY, 15.2(1.1)EY, 15.2(2)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCug63564 | Title: | IKEv2: Crafted IKE_SA_INIT packet causes traceback |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: Under certain conditions, malformed IKEv2 packets may cause a traceback in the "Crypto IKEv2" process:
*Feb 13 21:07:15.812: %SYS-2-MALLOCFAIL: Memory allocation of 4294967078 bytes failed from 0x16A15FF8, alignment 0
Conditions: The condition only causes a traceback message to be printed. No actual crash happens.
Workaround: None |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.3(2)S |
|
Known Fixed Releases: * | 15.2(1)SY1.13, 15.2(4.0)ST, 15.2(4.0.21)E, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.4(0.1)T, 15.4(0.6)S, 15.4(1)CG, 15.4(1)CG1, 15.4(1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCug64957 | Title: | ASR1K: Unable to alter class map after configuring 1k class maps |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: An error occurs on changing the grandchild class rate.
Conditions: This symptom occurs when 1x1000x8 policy maps are configured.
Workaround: There is no workaround.
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.1(1)XO0.1, 15.3(1)S, 15.3(2)S, 15.3(3)S |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)IC273.5, 15.2(1.2.43)PI22, 15.2(2)E, 15.2(2)E1, 15.2(2)SA, 15.2(2)SA1, 15.2(2)SA2, 15.2(2)SNI, 15.2(2b)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCue14596 | Title: | mib cfmFlowMetadataAppName truncated |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The mib cfmFlowMetadataAppName value in the SNMP query should not include vendor information.
Conditions: This symptom occurs when the SNMP query is run for mib cfmFlowMetadataAppName and the following value is obtained:
cfmFlowMetadataAppName.2.1 = cisco telepresence-control
The vendor information "cisco" should be removed. The expected mib value should be as follows:
cfmFlowMetadataAppName.2.1 = telepresence-control
Workaround: There is no workaround.
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.3(1)S0.7, 15.3(1)S1.6, 15.3(1.17)S0.13, 15.3(1.17)S0.4, 15.3(2)S0.13, 15.3(2)S0.5, 15.3(3)S, 15.4(0.5)S |
|
Known Fixed Releases: * | 15.1(1)XO2, 15.2(2)E, 15.2(2b)E, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(2.12)S, 15.3(2.15.1)XEB, 15.3(2.21)PI23a, 15.3(3)M0.2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuh62266 | Title: | Unexpected reloads due to SNMP Engine CPU HOGs |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: During normal operation, a Cisco IOS or IOS-XE running device may crash after repeated SNMP CPU HOG messages.
IOS
%SYS-3-CPUHOG: Task is running for (YYYYYY)msecs, more than (2000)msecs (YYY/ZZ),process = SNMP ENGINE.
-Traceback= 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz
%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = SNMP ENGINE.
-Traceback= 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz 0xXXXXXXXz
Unexpected exception to CPU: vector 1500, PC = 0xXXXXXXX , LR = 0xXXXXXXX
IOS-XE
%SCHED-0-WATCHDOG: Scheduler running for a long time, more than the maximum configured (120) secs. -Traceback= 1#YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX :10000000+XXXXXXX
Upon reloading unexpectedly, the "show version" command may show:
System returned to ROM by error - a Software forced crash, PC 0xXXXXXXX at
OR
Last reload reason: Critical software exception, check bootflash:crashinfo_RP_00_01_
OR
System returned to ROM by s/w reset at (SP by error - a Software forced crash, PC 0xXXXXXXX)
Conditions: This symptom occurs while trying to obtain data from IP SLAs Path-Echo (ciscoRttMonMIB) by SNMP polling operation.
Workaround: Polling ciscoRttMonMIB can be restricted by configuring an SNMP view.
Create a cutdown view.
snmp-server view cutdown iso included
snmp-server view cutdown 1.3.6.1.4.1.9.9.42 excluded
Remove the existing SNMP community strings.
no snmp-server community [snmp_community_string]
Configure the community string with the cutdown view.
snmp-server community [snmp_community_string] view cutdown RO
snmp-server community [snmp_community_string] view cutdown RW
Further Problem Description:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.1(2)S2 |
|
Known Fixed Releases: * | 12.2(60)EZ4, 12.2(60)EZ5, 12.2(60)EZ6, 15.1(1)ICA4.122, 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EX0.2, 15.2(1)EY |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCug15952 | Title: | Stby RP crash: %QOS-3-INDEX_EXISTS, HA bulk sync and self Reload |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: %QOS-3-INDEX_EXISTS error message is shown and router crashes.
Conditions: The symptom is observed when sessions are brought up and the collision IDs with dynamic policy names are synced to standby from active. When the sessions time out and restart, the same dynamic policy names are synced to HA tree on standby again without cleaning up the tree earlier and the crash will happen.
Workaround: Avoid the same session reestablishment before rebooting the router.
More Info:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S, 15.3(2.19)S0.8, 15.3(3)S |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)IC273.5, 15.2(4)GC1, 15.2(4)M5.4, 15.2(4)M6, 15.2(4)S3.8, 15.2(4)S4, 15.2(4)S4a, 15.2(4)S5, 15.2(4)S6 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun25912 | Title: | IKEv2 auto-reconnect: some virtual-access dynamic configs are lost |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Configurations dynamically applied to the virtual-access interface might be lost over the reconnection while using the autoreconnect feature on Cisco Anyconnect on the ASR platform.
For example, the interface after initial connection establishment would have a QOS service policy applied:
ROUTER#sh derived-config int virtual-access 1
!
interface Virtual-Access1
 ip unnumbered GigabitEthernet0/0/1
 tunnel source 10.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 10.10.1.100
 tunnel protection ipsec profile ipsec-profile
 no tunnel protection ipsec initiate
 service-policy input INPUT-POLICY
end
After reconnection the INPUT-POLICY is missing:
ROUTER#sh derived-config int virtual-access 1
!
interface Virtual-Access1
 ip unnumbered GigabitEthernet0/0/1
 tunnel source 10.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 10.10.1.100
 tunnel protection ipsec profile ipsec-profile
 no tunnel protection ipsec initiate
end
Conditions: This symptom is observed with configurations being applied from the user AAA profile over radius authentication. Affected parameters observed are QOS service policies and access-group.
Workaround:
1. Do not use the reconnect feature.
or
2. Apply the configurations directly to the virtual-template (if this is an option).
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S |
|
Known Fixed Releases: * | 15.2(1)SY1.13, 15.2(4.0)ST, 15.2(4.0.21)E, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.4(1)S1.8, 15.4(1)S2, 15.4(1)S3, 15.4(1)T1.2, 15.4(1)T2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCum22612 | Title: | ASR1k IKE SA Stuck in MM_KEY_EXCH with RSA-SIG blocking new SAs with CAC |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Since the ASR fails to send MM6 [being a responder] in the absence of a valid certificate, IKE SAs start leaking and hence get stuck in MM_KEY_EXCH state. Multiple MM_KEY_EXCH exist for a single Peer on the ASR, however the Peer does not retain any SAs for ASR in this case. Along with CAC for in-negotiation IKE SAs, these stuck SAs block any new SAs or IKE rekeys even after renewing the certificates on the ASR.
Conditions: This symptom is observed under the following conditions:
- ASR acting as IKEv1 termination point [sVTI for example] and is a responder.
- IKE authentication mode is RSA-SIG [Certificates].
- On the ASR, the ID-Certificate is either Expired or Not-present for a given sVTI tunnel.
- The ASR also has an IKE in-negotiation CAC of a certain value. Example:
crypto call admission limit ike in-negotiation-sa 30
Workaround: Perform the following workarounds:
a) Manually delete stuck SAs by using:
clear crypto isakmp 12345
.. where 12345 is conn_id of a stuck SA. Repeat this for each stuck SA.
b) Temporarily increase CAC to accommodate new SA requests:
crypto call admission limit ike in-negotiation-sa 60
Further Problem Description: Found and Tested in Cisco Release XE 3.7.4/Cisco IOS Release 15.2(4)S4.
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S |
|
Known Fixed Releases: * | 15.2(1)IC273.175, 15.2(1)IC273.8, 15.2(2)EA1, 15.2(2.0)EA, 15.2(2.1)EB, 15.2(2.2.75)ST, 15.2(2.6.68)EA, 15.2(2.7.9)EA, 15.2(2.8.1)EA1, 15.2(4)GC1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo72961 | Title: | ASR1K:%FMFP-3-OBJ_DWNLD_TO_CPP_FAILED: F1: fman_fp_image: Batch type |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: An error message is logged during QoS configuration during an FPM test.
Conditions: This symptom occurs due to a policy with FPM class.
Workaround: There is no workaround.
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 15.3(2)S, 15.3(3)S, 15.4(1)S |
|
Known Fixed Releases: * | 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EY, 15.2(1)IC273.77, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(2)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo44562 | Title: | ASR1K crash @policymap_inform_child_policymaps |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The Cisco ASR 1000 Series Router crashes.
Conditions: This symptom occurs with duty cycle testing with a lot of negative events.
Workaround: There is no workaround.
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 15.3(3.3)S3 |
|
Known Fixed Releases: * | 15.2(1)IC273.77, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(2.2.32)EA, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(3)M4, 15.3(3)S2.14 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo95313 | Title: | Duplicate Lcookies in every Access-Request |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Duplicate cookies are observed in every access request.
Conditions: This symptom occurs when multilogon or logoff is performed on the same session.
Workaround: Tear down the session during the logoff event. Do not configure any delay on the account logoff event.
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S2.9 |
|
Known Fixed Releases: * | 15.0(1)EZ4, 15.0(1.77)ZSR, 15.0(13.95)EZD, 15.0(14.1)TSR, 15.0(14.18)TTT, 15.0(14.57)EZD, 15.0(2.29)ZSR, 15.2(1)IC273.113, 15.2(2)DB101.101, 15.2(2)DB101.112 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtg84649 | Title: | asr1k eigrp not forming adjacencies in dvti environment |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: EIGRP is not forming adjacencies over virtual interfaces in a DVTI environment.
Conditions: This symptom is observed on a Cisco ASR 1000 platform with Cisco IOS Release 12.2(33)XNE or Release 12.2(33)XNF1.
Workaround: Remove the passive-interface configurations for Virtual-Template and then re-configure the passive-interface designation. For example,
Router#sh run | b router
router eigrp 100
 network 10.1.0.0 0.0.31.255
 passive-interface default
 no passive-interface Virtual-Template1
Router(config)#router eigrp 100
Router(config-router)#no passive-interface default
Router(config-router)#passive-interface default
Router(config-router)#no passive Virtual-Template 1
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XNE, 15.1(1.1) |
|
Known Fixed Releases: * | 12.2(58)EZ, 12.2(58)SE1, 12.2(58)SE2, 12.2(60)EZ, 12.2(60)EZ1, 12.2(60)EZ2, 12.2(60)EZ3, 12.2(60)EZ4, 12.2(60)EZ5, 12.2(60)EZ6 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtb32892 | Title: | %MFIB-3-DECAP_OCE_CREATION_FAILED: Decap OCE creation failed Tracebacks |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: Tracebacks such as:
%MFIB-3-DECAP_OCE_CREATION_FAILED: Decap OCE creation failed
may be seen on a router console when loading an image or during an RP SSO.
Conditions: The symptom is observed upon reloading a Provider Edge (PE) router with an mVPN configuration or during a simple SSO. It is observed on the standby RP.
Workaround: There is no workaround.
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 12.2(32.8.1)YCA273.10, 12.2(33)XNE, 12.2XN, 12.2XNE |
|
Known Fixed Releases: * | 12.2(32.8.2)YCA273.10, 12.2(33)SRE3, 12.2(33)XNF, 12.2(33.1.11)MCP7, 12.2(33.1.23)XNE, 12.2(33.1.9)XNF, 12.2(58)EZ, 12.2(58)SE1, 12.2(58)SE2, 12.2(60)EZ |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsz42939 | Title: | IOS crash pointing @mcprp_spa_ct3_pat_remove_interface |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: Router crashes and reloads when multiple interfaces are configured with SPA-4XCT3/DS0/SPA-2XCT3/DS0 SPA.
Conditions: The symptom is observed when multiple channel groups are configured on SPA-4XCT3/DS0 SPA and then a soft/hard OIR is performed.
Workaround: There is no workaround.
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 12.2REC, 12.2SRD, 12.2XN |
|
Known Fixed Releases: * | 12.2(32.8.2)YCA273.15, 12.2(32.8.31)REC186, 12.2(32.8.5)YCA273.15, 12.2(33)SRE, 12.2(33)SRE10, 12.2(33)SRE11, 12.2(33)SRE5, 12.2(33)SRE8, 12.2(33)SRE9, 12.2(33)SRE9a |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsu38228 | Title: | QoS:Exponential Weighting Constant propagates wrong bit - WRED |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
With WRED enabled, when exponential weighting constant is tweaked with values (1-6...default is 4) and removed from the policy-map applied, Random detect Exp weighting constant is set to 9.
Conditions:
N/A.
Workaround:
Reconfigure random-detect Exp weight constant to the correct value.
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XN2 |
|
Known Fixed Releases: * | 12.2(32.8.1)REC169, 12.2(32.8.1)REE169, 12.2(32.8.1)REE177, 12.2(32.8.11)SR167, 12.2(33)SRE, 12.2(33)SRE10, 12.2(33)SRE11, 12.2(33)SRE5, 12.2(33)SRE8, 12.2(33)SRE9 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun73043 | Title: | Nightster: Native copper GE port not up with 100mbps forced speed |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Copper SFP (SFP-GE-T) interface in subslot 0/0 of nightster doesn't come up/up with 10/100mbps forced speed.
Conditions: The copper SFP (SFP-GE-T) interface hits this condition after a router power cycle is issued.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 15.4(2)S |
|
Known Fixed Releases: * | 15.4(2)S0.5, 15.4(2)S0a, 15.4(2)S1, 15.4(2)S2, 15.4(2.17)S0.2, 15.4(3)S, 15.4(3)S0d, 15.4(3)S1, 15.4(3)SN1, 15.5(0.1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCul40478 | Title: | ASR1k: Crash periodic acc. process due to stale attr. list w/ AAA |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: A crash was seen in the periodic accounting process due to the stale reference of the attribute list with AAA accounting DB (this specific attribute list is used by the periodic accounting process for sending the interim accounting records).
Conditions: This symptom occurs when the Policy Component allocates an AAA attribute list handle. This handle reference is shared among multiple components for processing. A component can free the attribute list using this handle. AAA does not validate the handle before usage. The policy will not share the same attribute handle reference with other components. The policy will share a copy of the attribute list to other components so that the component does not refer to the same handle.
Workaround: There is no workaround.
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 15.2(2)S1 |
|
Known Fixed Releases: * | 15.3(3)S2.9, 15.3(3)S3, 15.4(2)S0.8, 15.4(2)S1, 15.4(2)S2, 15.4(2.17)S0.2, 15.4(3)S, 15.4(3)S0d, 15.5(0.1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuh03933 | Title: | IPv6 ping over IPv4 core to ASR1k LISP xTR connected EID address fails |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: IPv6 echo replies are not sent back from ASR1k for IPv6 echo requests to a directly connected LISP EID address.
Conditions: IPv6 ping over LISP IPv4 core to an IPv6 EID address that is directly connected to the ASR1k is dropped. The problem is present only for IPv6 ping over LISP IPv4 core to an IPv6 EID address that is directly connected to ASR1k.
Workaround: To check reachability, either ping the remote LISP xTR's RLOC address or an IPv6 EID address that is not directly connected to the LISP xTR.
More Info:
|
|
Last Modified: | 01-AUG-2015 |
|
Known Affected Releases: | 15.3(2)S |
|
Known Fixed Releases: * | 15.1(1)IC66.14, 15.1(1)ICA4.16, 15.1(1)ICB40.1, 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EY, 15.2(1.1)EY, 15.2(2)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCul38819 | Title: | ASR1K crash due to PfR |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A Cisco router acting as a PfR master or border may unexpectedly reload when the TCP connection between PfR master and border is broken or shut down during sending or receiving many packets.
Conditions: The problem occurs when a PfR master is controlling a large number of Traffic Classes (TC), and, while a master router or a border router is sending a large number of packets to another router, the "shut down" command is executed or a link between them is down.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 01-AUG-2015 |
|
Known Affected Releases: | 15.3(2)S1 |
|
Known Fixed Releases: * | 15.3(3)M2.4, 15.3(3)M3, 15.3(3)M4, 15.3(3)S3.4, 15.3(3)S4, 15.4(1)T1.2, 15.4(1)T2, 15.4(1)T3, 15.4(1.16)S0.12, 15.4(2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtn63216 | Title: | ASR - NHRP registrations shouldn't do a routing table lookup |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | This is an internal defect
Symptom: CSCef67010 should have changed NHRP behavior in ASR but it didn't.
Conditions: ASR configured as Hub in a double Hub and Spoke setup for DMVPN. Using OSPF in point-to-multipoint DMVPN Phase 3
Workaround: OSPF host routes must be suppressed either with 'prefix-suppression' or using distribute-list with prefix-list to block them from going into the routing table.
To suppress the host routes you do need to make changes on all DMVPN routers.
Further Problem Description:
|
|
Last Modified: | 01-AUG-2015 |
|
Known Affected Releases: | 15.1(1)S1 |
|
Known Fixed Releases: | 15.0(2)EA, 15.0(2)EB, 15.0(2)EC, 15.0(2)ED, 15.0(2)EH, 15.0(2)EJ, 15.0(2)EJ1, 15.0(2)EK, 15.0(2)EK1, 15.0(2)EX |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuh23859 | Title: | GETVPN Suite-B: "SERIOUS ERROR: OVERLAPPING IV "with KS-ACL change |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: With Suite-B configured (i.e. esp-gcm / esp-gmac transform) on a GETVPN Key Server (KS), Group Members (GM) will see the following un-gated error message on the console when the KS policy ACL is changed or edited and a rekey is sent from the KS using "crypto gdoi ks rekey"...
May 31 09:56:49.906 IST: *** SERIOUS ERROR: OVERLAPPING IV RANGES DETECTED ***
When the GM receives the rekey, the policy is installed successfully. However, after this the GM re-registers twice and then these errors are displayed.
Conditions: Suite-B is configured (i.e. esp-gcm / esp-gmac transform) on a GETVPN Key Server (KS), the KS policy ACL is changed or edited and a rekey is sent from the KS using "crypto gdoi ks rekey"
This issue was seen with at least 50 Group Member (GM) instances using VRF-Lite on an ASR1K GM box and no more than 30 ACEs in the KS policy ACL; however, this issue should also be seen on an ISRG2 GM box with fewer GM instances and fewer ACEs as well.
Workaround: If a Key Server (KS) policy ACL must be changed or edited while Group Members (GM) have already registered and downloaded GETVPN Suite-B policy (i.e. esp-gcm / esp-gmac transform), issue "crypto gdoi ks rekey replace-now" instead of "crypto gdoi ks rekey" after changing the KS policy ACL. (NOTE: a very small amount of traffic loss may be expected)
If possible, do not change the KS policy ACL after a GETVPN network using Suite-B is up and running.
NOTE: The fix requires both an upgrade of the KS and GM to properly work.
Further Problem Description:
|
|
Last Modified: | 02-AUG-2015 |
|
Known Affected Releases: | 15.3(1)T1.1, 15.3(3)S, 15.4(0.26)T0.1, 15.4(0.4)T |
|
Known Fixed Releases: * | 15.1(2)IC66.3, 15.2(1)IC273.70, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(2)E, 15.2(2)E1, 15.2(2.2.70)ST, 15.2(2a)E1, 15.2(2b)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur04399 | Title: | XE314: CPU hog and Tracebacks on Primary and COOP with clear ks members |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: CPU-HOG and Tracebacks may be observed on the Primary and Secondary Key-Servers when "clear crypto gkm group grp_name ks members now" is executed on the Primary, with close to 3000 Gikev2 GM's registered
Conditions: Seen on ASR1001 and ASR1002 acting as Primary and COOP-KS running latest XE3.14 throttle code base
Workaround: None at the moment
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.5(1)S, 15.5(2)S |
|
Known Fixed Releases: * | 15.2(4.0)ST, 15.2(4.0.21)E, 15.5(1.18)S0.9, 15.5(1.21)PI28e, 15.5(2)S, 15.5(2)SN, 15.5(2)T1, 15.5(2.14)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus25255 | Title: | ASR1K IPSEC - Traffic sent in cleartext after clearing IPv6 neighbors |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ASR1K sends out all IPv6 traffic in cleartext for a short time, even the traffic that should be encrypted.
Conditions: Clear IPv6 neighbors on the ASR1K. This is not seen on ISRs
Workaround: n/a
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: * | 15.4(3)S2.6, 15.4(3)S3, 15.5(1)S1.1, 15.5(1)S2, 15.5(1)S2.1, 15.5(1)SN1, 15.5(2)S0.5, 15.5(2)S1, 15.5(2)SN, 15.5(2.15)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur56087 | Title: | ASR1001X: XE315 built-in interfaces are down after local switch is used |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The local switching function fails on the 1001X.
Conditions: The "connect xxx gi 0/0/0 gi 0/0/1 " command is run on optical modules.
Workaround: 1. Use copper SFPs instead of optical modules. The feature works fine with copper SFPs.
2. After the connect config, shut/no shut the interface of the optical modules.
3. Operate the interfaces in no autoneg mode. This will ensure the interface protocol state will not go down after connect is used.
4. If using optical modules, after executing the connect command, reload the router. This will bring the interfaces up.
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(2)S |
|
Known Fixed Releases: * | 15.4(3)S2.12, 15.4(3)S3, 15.5(1)S1.1, 15.5(1)S2, 15.5(1)S2.1, 15.5(2)S0.5, 15.5(2)S1, 15.5(2)SN |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus21426 | Title: | ASR1001-X//SFP-10G-LR transceiver data incorrect |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ASR1001-X// SFP-10G-LR transceiver data incorrect
Conditions: ASR1001-X installed with SFP-10G-LR transceiver.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S1.1 |
|
Known Fixed Releases: * | 15.4(3)S2.1, 15.4(3)S3, 15.5(1)S0.8, 15.5(1)S1, 15.5(1)SN1, 15.5(1.18)S0.5, 15.5(2)S, 15.5(2)SN, 15.5(2.2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus76835 | Title: | ISG: v-cookie value cannot be altered |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When the value for v-cookie is set in the ISG it cannot be altered anymore.
Conditions: V-cookie is set
Workaround: none known.
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S3 |
|
Known Fixed Releases: * | 15.4(3)S2.11, 15.4(3)S3, 15.5(1)S1.2, 15.5(1)S2, 15.5(1)S2.1, 15.5(2)S0.4, 15.5(2)S1, 15.5(2)SN, 15.5(2.20)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCui90913 | Title: | XE311 cthrift error: -65553 'required parameter missing' |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: cthrift error: -65553 'required parameter missing'
Conditions: Error is seen in some instances of running a Java onePK application against Location Service Set
Workaround: No known workaround
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S |
|
Known Fixed Releases: * | 15.1(1)ICB29.9, 15.2(1)IC273.5, 15.2(3)E, 15.2(4.0)ST, 15.2(5.0)ST, 15.4(1.16)S0.6, 15.4(1.16)S0.7, 15.4(1.19)T, 15.4(1.20)PI25, 15.4(2)CG |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq10142 | Title: | Aggr. GEC QoS service-policy in suspended after reload |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The QoS service-policy is in suspended mode after a router reload. Hence QoS features fail.
Conditions: When aggregate port-channel QoS is configured, it works fine. However, after a router reload, the QoS service-policy is put into suspended mode.
Workaround: Removing and re-applying the same service-policy command on the port-channel interface will activate QoS features.
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S, 15.5(1)S |
|
Known Fixed Releases: * | 15.4(3)S1.8, 15.4(3)S2, 15.5(1)S0.5, 15.5(1)S1, 15.5(1)SN1, 15.5(1.18)S0.2, 15.5(2)S, 15.5(2)SN, 15.5(2.2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus51303 | Title: | Combi card ASR1000-2T+20X1GE Standby RP doesn't accept configuration |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Standby RP console not accepting any commands for combi card interfaces on 1Gig and 10 Gig
Conditions: This issue surfaced on removing SPA from subslot 2/2
Workaround: No workaround has been identified as yet
Further Problem Description:
1. Customer removed SPA from subslot 2/2.
2. Active RP informs standby RP that SPA is plugged out from subslot 2/2.
3. Standby RP misinterprets this as both subslot 0/0 and 5/0 [where combi card line card is present] and subslot 2/2 [This is the real issue where we need to identify the cause of misinterpretation].
4. Standby RP de-installs subslot 0/0 and subslot 2/2. However 0/0 on active RP remains intact.
5. Any further config related to subslot 0/0 on active is failed as standby rejects the configuration due to absence of line card.
The issue is not there anymore after standby RP was reloaded.
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S |
|
Known Fixed Releases: * | 15.3(3)S5.17, 15.3(3)S6, 15.4(3)S2.10, 15.4(3)S3, 15.5(1)S1.1, 15.5(1)S2, 15.5(1)S2.1, 15.5(2)S0.3, 15.5(2)S1, 15.5(2)SN |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur44217 | Title: | Receive SA Next PN counter is not increment |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When "show macsec status interface <>" is issued, the Receive SA Next PN counter is not incremented.
Conditions: MACsec is enabled and there is bidirectional traffic.
Workaround: No work-around
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.5(1)S |
|
Known Fixed Releases: * | 15.5(1.18)S0.8, 15.5(2)S, 15.5(2)SN, 15.5(2.2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur53721 | Title: | ASR1000-2T+20X1GE:LED status flaps to green then to amber with RJ45 SFP |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Insertion of an RJ45-SFP into a port placed in 'no shutdown' state makes the port LED change its status to green and then back to amber
Conditions: On ASR1000-2T+20X1GE, if an RJ45-SFP is inserted into a port that is in 'no shutdown' state, its LED status blinks to green and then back to amber
Workaround: There is no workaround to this issue
Further Problem Description: This problem is functionally non impacting
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.5(1)S |
|
Known Fixed Releases: * | 15.5(1.18)S0.5, 15.5(2)S, 15.5(2)SN, 15.5(2.4)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq79817 | Title: | xe312/xe313_throttle: Unable to modify actions for an entry |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Modify Entry operation fails.
Conditions:
Create pmap p1
Create cmap c1
Create cmap c2
Add entry at seq. 10 to pmap with match c1 action a1
Add entry at seq. 11 to pmap with match c2 action a2
submit operation
Now try to modify pmap, modify entry seq 10 -- change a1 to a3 --- > operation fails.
Workaround: In order to replace a previously configured action from a given policy flow (entry), entry needs to be first deleted and then recreated with same class-map and new set of actions.
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(2)S |
|
Known Fixed Releases: * | 15.4(3)M0.3, 15.4(3)M1, 15.4(3)S0.8, 15.4(3)S1, 15.4(3)S2, 15.4(3)SN1a, 15.5(0.18)S0.8, 15.5(1.18)S0.5, 15.5(1.8)T, 15.5(2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus33647 | Title: | Smart License: traceback prints in console when show version |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A traceback is printed when "show version" is run from console/vty
Conditions: Run "show version" on 1001X
Workaround: No
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.5(2.2)S |
|
Known Fixed Releases: * | 15.5(1)S0.8, 15.5(1)S1, 15.5(1)SN1, 15.5(1.18)S0.8, 15.5(2)S, 15.5(2)SN, 15.5(2.5)S |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv04767 | Title: | SMP Fragment bit should set to "Flags: 0x02 (Don't Fragment)" on ASR1K |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: In the smart probe's IP header, the fragment flag is set to "More fragment" and the id field isn't set, so the smart probe will be dropped if the MTU is set to less than the smart probe packet size.
Conditions: The MTU is set less than smart probe packet's size.
Workaround: Set the MTU larger than smart probe's size.
Further Problem Description: Generally, the smart probe is 94 Bytes and the MTU is 1500 Bytes, so this problem will not appear under normal conditions. With this fix, ASR has the same behavior as ISR.
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut62751 | Title: | ASR1K-Chimera - Some fileds missing in SFP+ idprom command o/p |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Some fields missing in IDPROM details of SFP+ transceiver on 10GE EPA
Conditions: Insert an SFP+ on Chimera EPA and issue command "sh hw-mod subslot transceiver idprom"
Workaround:
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: * | 15.4(3)S2.11, 15.4(3)S3, 15.5(1)S1.1, 15.5(1)S2, 15.5(1)S2.1, 15.5(2)S0.4, 15.5(2)S1, 15.5(2)SN, 15.5(2.20)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc54838 | Title: | PTP Tracebacks while removing the ptp clock configurations |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: 1. When PTP configuration is removed using the command "NO PTP CLOCK ORDINARY DOMAIN 0" for ordinary Master/Slave configuration or "NO PTP CLOCK BOUNDARY DOMAIN 0" for Boundary Clock configuration, then TRACEBACK showing RUNHOG is seen on IOS-RP console of the router.
2. When PTP port (MASTER/SLAVE) is removed using the command "NO CLOCK-PORT ", then TRACEBACK showing RUNHOG is seen on IOS-RP console of the router.
Please refer to the logs below for the TRACEBACK during PTP un-configuration:
ASR1K(config)#no ptp clock boundary domain 0
*Apr 14 13:02:55.029: %EVENTLIB-3-RUNHOG: SIP0: ptpd_mcp_rp: undefined: 27584ms, Traceback=1#f91da4d96e9c6265654bb5f193ced604 evlib:7FCF21F78000+B242 evlib:7FCF21F78000+93B4 :400000+222C3 :400000+21FE4 :400000+223C7 :400000+3087A evlib:7FCF21F78000+BAD0 evlib:7FCF21F78000+E200 :400000+2521F :400000+25188 c:7FCF19B4F000+1E514 :400000+14979
*Apr 14 13:02:55.029: %EVENTLIB-3-HISTSUMM: SIP0: ptpd_mcp_rp: dispatch start: 8947859ms elapsed time: 2137ms detected hog: 0 set count: 0
ASR1K(config)#no ptp clock ordinary domain 0
ASR1K(config)#
*Apr 14 13:42:53.400: %EVENTLIB-3-RUNHOG: SIP0: ptpd_mcp_rp: undefined: 9723ms, Traceback=1#f91da4d96e9c6265654bb5f193ced604 evlib:7F8D2E134000+B242 evlib:7F8D2E134000+93B4 :400000+222C3 :400000+22314 evlib:7F8D2E134000+BB8F evlib:7F8D2E134000+E200 :400000+2521F :400000+25188 c:7F8D25D0B000+1E514 :400000+14979
*Apr 14 13:42:53.400: %EVENTLIB-3-HISTSUMM: SIP0: ptpd_mcp_rp: dispatch start: 11449286ms elapsed time: 2136ms detected hog: 0 set count: 0
ASR1K(config)#ptp clock ordinary domain 0
KP5(config-ptp-clk)#no clock-port slave
KP5(config-ptp-clk)#
*Apr 15 08:37:13.891: %EVENTLIB-3-RUNHOG: SIP0: ptpd_mcp_rp: undefined: 27369ms, Traceback=1#f91da4d96e9c6265654bb5f193ced604 evlib:7F8D2E134000+B242 evlib:7F8D2E134000+93B4 :400000+222C3 :400000+22314 evlib:7F8D2E134000+BB8F evlib:7F8D2E134000+E200 :400000+2521F :400000+25188 c:7F8D25D0B000+1E514 :400000+14979
*Apr 15 08:37:13.891: %EVENTLIB-3-HISTSUMM: SIP0: ptpd_mcp_rp: dispatch start: 79514113ms elapsed time: 2136ms detected hog: 0 set count: 0
KP5(config-ptp-clk)#
Conditions: The execution of the following commands results in the TRACEBACK:
1. "NO PTP CLOCK ORDINARY DOMAIN 0" : To remove the ordinary clock PTP configuration.
2. "NO PTP CLOCK BOUNDARY DOMAIN 0" : To remove the boundary clock PTP configuration.
3. "NO CLOCK-PORT " : To remove MASTER PORT or SLAVE PORT
Workaround:
1. There is no workaround to avoid this TRACEBACK.
2. This is not a real HOG as the actual deletion of the PTP clock takes very little time (approx 150 ms).
3. There is no functional impact of this bug. It is just a harmless HOG reported wrongly by IOS-XE infra.
4. There is a bug filed in Polaris-dev to fix this issue.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: * | 15.4(3)S, 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup01088 | Title: | CPUHOG and crash on 'clear dmvpn session' with large NHRP cache |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: On an ASR 1000 Series Aggregation Services Router configured with DMVPN, CPUHOG messages may be observed after 'clear dmvpn session' is invoked.
In certain cases, this may lead to a watchdog timeout and an unexpected reboot of the router.
Conditions: This issue is observed when a router has a very large NHRP table (10-20k entries or more) with a large number (thousands) of child entries per parent entry.
Workaround: Reduce the size of the NHRP database through supernetting or similar.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S1 |
|
Known Fixed Releases: * | 15.2(1)SY1.13, 15.2(4.0)ST, 15.2(4.0.21)E, 15.2(5.0)ST, 15.3(3)M4.1, 15.3(3)M5, 15.3(3)S4.10, 15.3(3)S5, 15.4(3)M2.1, 15.4(3)M3 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq55377 | Title: | xe312/xe313_throttle: Unable to insert entry at a specified position |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: User is unable to insert an entry at a specified position using onePK Policy service set API. Instead the new entry is always inserted at the end.
Conditions: When the API onep_policy_pmap_op_entry_insert_sequence() is called to insert an entry at a specified position.
Workaround: There are no workarounds
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 15.4(2)S |
|
Known Fixed Releases: * | 15.2(1)IC273.182, 15.2(3)E, 15.2(4.0)ST, 15.2(5.0)ST, 15.4(3)S0.6, 15.4(3)S1, 15.4(3)S2, 15.4(3)SN1a, 15.5(0.18)S0.8, 15.5(1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub68073 | Title: | IOS XE Crafted IPv6 Packet Denial of Service Vulnerability |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers (ASR), Cisco 4400 Series Integrated Services Routers (ISR), and Cisco Cloud Services Routers (CSR) 1000v Series contains the following vulnerabilities:
* Cisco IOS XE Software Fragmented Packet Denial of Service Vulnerability
* Cisco IOS XE Software Crafted TCP Packet Remote Code Execution Vulnerability
* Cisco IOS XE Software Crafted IPv6 Packet Denial of Service Vulnerability
* Cisco IOS XE Software Layer 4 Redirect Crafted Packet Denial of Service Vulnerability
* Cisco IOS XE Software Common Flow Table Crafted Packet Denial of Service Vulnerability
Conditions: These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of any of these vulnerabilities could allow an unauthenticated, remote attacker to trigger a reload of the forwarding plane, causing an interruption of services. Repeated exploitation could result in a sustained denial of service (DoS) condition.
Successful exploitation of Cisco IOS XE Software Crafted TCP Packet Remote Code Execution Vulnerability could allow an unauthenticated remote attacker to execute malicious code on the affected device. Cisco has released free software updates that address these vulnerabilities.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-iosxe
Workaround: See http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-iosxe Mitigation and Workarounds section.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID CVE-2015-0641 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 15.3(2)S |
|
Known Fixed Releases: | 15.2(4)S7, 15.3(2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsz23139 | Title: | NBAR PD mib is not able to collect details from the Gigi sub-interface |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: NBAR PD mib is not able to collect details from the Gigi sub-interface
Conditions: While doing getmany on cnpdStatusPdEnable, the SNMP manager is not able to collect the PD information from the sub-interface
Workaround:
Further Problem Description:
|
|
Last Modified: | 07-AUG-2015 |
|
Known Affected Releases: | 12.2(33)SRD2, 12.2XN |
|
Known Fixed Releases: * | 12.2(32.8.11)REC186, 12.2(33)SRD4, 12.2(33)SRE, 12.2(33)SRE10, 12.2(33)SRE11, 12.2(33)SRE5, 12.2(33)SRE8, 12.2(33)SRE9, 12.2(33)SRE9a, 12.2(33)XNE |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsv61458 | Title: | [no] mpls ip propagate-ttl needs no mpls ip - mpls ip to take effect. |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
On an ASR 1000 router running IOS version 12.2(33)XN2, changes to "mpls ip propagate-ttl" don't take effect until "mpls ip" is removed and replaced on the interface.
Conditions:
The router is acting as a PE router.
Workaround: None
|
|
Last Modified: | 07-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XN2 |
|
Known Fixed Releases: * | 12.2(32.8.1)REC186, 12.2(32.8.11)SX259, 12.2(32.8.4)REE177, 12.2(33)SRE, 12.2(33)SRE10, 12.2(33)SRE11, 12.2(33)SRE5, 12.2(33)SRE8, 12.2(33)SRE9, 12.2(33)SRE9a |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsv15129 | Title: | Console logs warning of LNS vpdn-group source-ip address during bootup. |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom(s): A message "% Warning, source-ip a.b.c.d is not our ip address" may show up on the console during system bootup even though this IP is a valid address configured on the router.
Condition(s): During system boot up.
Workaround(s): None |
|
Last Modified: | 07-AUG-2015 |
|
Known Affected Releases: | 12.2XN |
|
Known Fixed Releases: * | 12.2(32.8.11)XJC206.27, 12.2(32.8.4)REC169, 12.2(33)XNC, 12.2(52)EY, 12.2(52.23)SIN, 12.2(58)EZ, 12.2(58)SE1, 12.2(58)SE2, 12.2(60)EZ, 12.2(60)EZ1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsu73842 | Title: | RP2: Traceback @ _be_l2tp_errmsg_internal |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | This bug occurs on RP2 only and not on RP1. Also, this happens when the vpdn-group is not configured on the box and it is obtained from radius. It doesn't have a workaround. |
|
Last Modified: | 07-AUG-2015 |
|
Known Affected Releases: | 12.2XN |
|
Known Fixed Releases: * | 12.2(32.8.11)SR179, 12.2(32.8.11)XJC206.30, 12.2(32.8.11)YST206.20.4, 12.2(32.8.5)REC169, 12.2(52)EY, 12.2(52.23)SIN, 12.4(23.5.14)PIC1, 12.4(24.4)T, 15.0(1)SY, 15.0(2.26)DPB1.47 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtg37296 | Title: | PIM J/P timer stuck after RPSO |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: MC (zenkoku stream) Packet losses 800sec or more after RPSO. The reproducibility of this issue is very low.
Conditions:
Workaround:
|
|
Last Modified: | 07-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XN |
|
Known Fixed Releases: * | 12.2(32.0.36)SRE, 12.2(33)SRE10, 12.2(33)SRE11, 12.2(33)SRE2, 12.2(33)SRE5, 12.2(33)SRE8, 12.2(33)SRE9, 12.2(33)SRE9a, 12.2(33)XNF2, 12.2(58)EZ |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCts02779 | Title: | Local PBR broken on ASR |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: tcp packets that match the acl in the route-map are not routed to next hop defined in the route-map
Conditions: configuring local policy based routing on an ASR
Workaround:
add a static route to the ASR for the source of the tcp session and point it to a next hop connected to the ASR
|
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.1(1)S |
|
Known Fixed Releases: * | 12.4(24)T4f, 15.0(5.2)DPB20, 15.1(1)SY, 15.1(3)MR, 15.1(3)S2.2, 15.1(3)S3, 15.1(4)XB7, 15.2(0.18)S0.4, 15.2(1)S, 15.2(1.0.0)IPI2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtx01415 | Title: | Negative value can be used to index into idb table |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A NULL HWIDB or SWIDB is passed.
Conditions: When an IDB is created and a NULL argument (SWIDB or HWIDB) is passed to network-infra APIs. This issue happens in some rare cases.
Workaround: There is no workaround for this defect. |
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.2(2)S |
|
Known Fixed Releases: * | 15.0(1.33)EZD, 15.0(10.16)EMW, 15.0(9.1)PCD, 15.0(9.50)EMW, 15.1(1)ICB40.1, 15.1(1.23)SID, 15.1(2)SG, 15.1(2)SG1, 15.1(2)SG1.170, 15.1(2)SG2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtr86950 | Title: | CPU HOG with FP reload for FNF |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: CPU HOG with FNF for 4k DVTI sessions
Conditions: Active ESP reload causes CPU hog for 4k DVTI sessions
Workaround: None |
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S |
|
Known Fixed Releases: * | 15.1(1)SY, 15.2(0.18)S0.11, 15.2(1)S, 15.2(1)S1, 15.2(1.0.0)IPI2, 15.2(1.17)S, 15.2(2)GC, 15.2(2)SA, 15.2(2)SA1, 15.2(2)SA2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq88060 | Title: | "no transport udp" is getting removed from "sip-ua" after reloading ASR |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: If we configure any listening ports under 'voice service voip', sip as below
voice service voip
 sip
  no listen-port non-secure 5561
Now if we disable transport of udp from sip-ua as below
sip-ua
 no transport udp
then 'show sip-ua register status' shows udp as disabled; however, once we reboot the device (ASR1K), command 'no transport udp' gets enabled and 'show sip-ua register status' shows udp as enabled.
Conditions: As soon as the router is reloaded, the command is removed
Workaround: No workaround
Further Problem Description:
|
|
Last Modified: | 09-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S3.1, 15.4(3)S0.5 |
|
Known Fixed Releases: * | 15.3(3)M5.2, 15.3(3)M6, 15.3(3)S5.10, 15.3(3)S6, 15.4(3)M1.1, 15.4(3)M2, 15.4(3)S1.7, 15.4(3)S2, 15.5(0.18)S0.11, 15.5(0.25)T0.3 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua06804 | Title: | ipv6 Trace route showed 2nd hop ip address incorrectly |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ipv6 Trace route showed 2nd hop ip address incorrectly
Conditions: over the interAS network
Workaround: NO
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S |
|
Known Fixed Releases: * | 15.1(1)IC66.14, 15.1(1)ICA4.16, 15.1(1)ICB29.1, 15.1(1)ICB40.1, 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EX0.5, 15.2(1)EY |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtz32627 | Title: | Phase II does not come up on ASR for DVTI w/VRF and ASA endpoint |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: dVTI tunnel does not come up with ASA
Conditions: Set up an ASR(running either 3.5.1S or 3.6.0S) with dVTI configuration with multiple VRFs. When an ASA tries to bring up the tunnel, it fails on phase II
Workaround: use ASR version 3.4.0S, 3.4.3S, 3.5.0S |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S1 |
|
Known Fixed Releases: * | 15.1(1)SY, 15.1(2)SY, 15.2(2)S1.4, 15.2(2)S2, 15.2(2.19)S0.6, 15.2(2.2.70)ST, 15.2(3)GC1, 15.2(3)GCA1, 15.2(3)T2.1, 15.2(3)T3 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtz28544 | Title: | RP Crash due to ASR1000-EXT-SIGNAL: U_SIGSEGV(11), Process = MLD |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptoms: Cisco ASR 1000 Series Aggregation Services Routers configured for Multicast Listener Discovery (MLD) tracking for IPv6 may reload after receiving certain MLD packets. The following traceback will be shown in the logs.
Exception to IOS Thread: Frame pointer 4081B7D8, PC = 1446A878
ASR1000-EXT-SIGNAL: U_SIGSEGV(11), Process = MLD
Conditions: Cisco ASR 1000 Series Aggregation Services Routers configured for Multicast Listener Discovery (MLD) tracking for IPv6.
Workaround: The only workaround is to disable MLD tracking.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-1366 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XNF |
|
Known Fixed Releases: * | 15.1(1)SY, 15.1(1)SY1, 15.1(1)SY2, 15.1(1)SY3, 15.1(1)SY4, 15.1(1.23)SID, 15.1(2)SG, 15.1(2)SG1, 15.1(2)SG1.156, 15.1(2)SG2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtz19080 | Title: | rttMonNotificationsPrefix trap incorrect in latest 15.1 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
"rttMonCtrlOperTimeoutOccurred" is sent on 12.2(33)XNF and 12.4(15)T, but "rttMonCtrlOperOverThresholdOccurred" is sent in the latest 15.1.
Also, regarding the RTT falling threshold,
"rttMonCtrlOperOverThresholdOccurred" is sent on 12.2(33)XNF, but "rttMonCtrlOperVerifyErrorOccurred" is sent in the latest 15.1.
Conditions:
Workaround: |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.1(3)S2.1 |
|
Known Fixed Releases: * | 12.2(58)EZ, 12.2(60)EZ, 12.2(60)EZ1, 12.2(60)EZ2, 12.2(60)EZ3, 12.2(60)EZ4, 12.2(60)EZ5, 12.2(60)EZ6, 15.0(0.54)EY, 15.1(1)ICA4.122 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtw93437 | Title: | eToken generated RSA keys should not be "redundancy enabled" |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: On ASR1K, keys on etoken should not be marked as "redundancy enabled", but they are. This can cause key sync error message on standby.
Conditions: ASR1K with RP/FP redundancy with key on etoken.
Workaround: none. |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(2)S, 15.2(4)S |
|
Known Fixed Releases: * | 15.1(2)IC66.3, 15.2(1)IC273.70, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(2)E, 15.2(2)E1, 15.2(2.2.70)ST, 15.2(2b)E, 15.2(4.0)ST |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub37266 | Title: | Stby RP reload: %QOS-3-HA_BULK_SYNC bulk sync failure, cg id collisions. |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: HA Collision ID sync failed and router will be reloaded.
Conditions: For PAC3 HA operation, there are two databases storing CCE ID and HA collision. One is PAC3 HA tree and the other is regular CCE HA/HA collision tree. The issue here is that the collision ID is only consumed from PAC3 HA tree but not CCE HA collision tree so if the script for syncing collision ID is run twice, the collision ID will be added to CCE HA collision tree again before it is actually consumed and therefore the crash will happen. The solution is to change the logic so the collision ID in CCE HA collision tree will need to be found and consumed before consuming the ID stored in PAC3 HA tree. If the collision ID found from CCE HA collision tree is UNASSIGNED ID or 0, it means that the collision ID is not residing in CCE HA collision tree so we set the ID to be the CCE ID inside policymap.
Workaround: N/A
More Info:
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.3(1)S |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EY, 15.2(1)IC273.5, 15.2(2)E, 15.2(2b)E, 15.2(4)GC1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub97881 | Title: | Mem leak seen in HSRP-CLB notification |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A few memory leaks seen in HSRP-CLB notification in a scaled IKEv2 load-balancing cluster scenario.
Conditions: Scaled IKEv2 load-balancing cluster scenario. Crypto Load Balancer HSRP state change [Master->Slave] or [Slave->Master]. IOS TCP process cleaning up an internal message which has a pointer to memory which CLB has allocated.
Workaround: None.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.3(0.18)T0.1, 15.3(1)S |
|
Known Fixed Releases: * | 15.1(1)IB273.155, 15.1(1)ICA4.122, 15.1(1)ICB29.21, 15.1(1)SY2.45, 15.1(1)SY3, 15.1(1)SY4, 15.1(2)SY0.1, 15.1(2)SY1, 15.1(2)SY2, 15.1(2)SY3 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub02743 | Title: | FP100#lfd_install_local_label_for_key: installation failed Error-stbyRP |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: lfd_install_local_label_for_key: installation failed Error on Stby RP
Conditions: remove the MCPT timer or flapping the ATM cell packed interface
Workaround: none |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S |
|
Known Fixed Releases: * | 15.1(1)IC66.14, 15.1(1)ICA4.16, 15.1(1)ICB29.1, 15.1(1)ICB40.1, 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EY, 15.2(1)IC273.1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtt70417 | Title: | MT 2.0 : Mediatrace requests are not sent at the frequency configured |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Mediatrace initiator sends requests at double the configured frequency.
Conditions: When a mediatrace session is scheduled on ASR RP1 router.
Workaround: None.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(2)S |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EY, 15.2(1)IC273.5, 15.2(1.2.3)PI22, 15.2(2)E, 15.2(2)E1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub06288 | Title: | Transport mode NAT-T:No TSi substitution in CREATE_CHILD_SA exchange |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: TSi Source address is not substituted with IKE local address at the responder during CREATE_CHILD_SA exchange to establish new IPsec SA's
Conditions: The initiator should be behind a NAT device and NAT-Traversal should occur in transport mode.
Workaround: Establish IPsec SA's with IKE_AUTH exchange itself.
Further Problem Description:
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S, 15.3(1)T1.1 |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)IC273.8, 15.2(1.2.3)PI22, 15.2(2)E, 15.2(2)E1, 15.2(2.2.70)ST, 15.2(2b)E, 15.2(4)GC1, 15.2(4)GC2, 15.2(4)GC3 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua73416 | Title: | Capabilities flag for IKEv2 SA is not set for on-demand DPD |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Capabilities flag under 'Show crypto session detail' output is not set with a value of 'D' when on-demand DPD is enabled for an IKEv2 SA
Conditions: On-demand DPD should have been configured either under the relevant IKEv2 profile or globally
Workaround: Use 'show crypto ikev2 sa detailed' CLI to check if DPD is configured for the IKEv2 SA's |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S |
|
Known Fixed Releases: * | 15.1(2)IC66.3, 15.2(1)IC273.70, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(2)E, 15.2(2.2.70)ST, 15.2(2b)E, 15.2(4.0)ST, 15.2(4.0.64a)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub16463 | Title: | atm overhead keyword not available with bandwidth remaining ratio |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
bandwidth remaining ratio command does not accept atm keyword for atm cell tax compensation.
Conditions:
This problem is apparent during basic command line configuration.
Workaround:
Use bandwidth remaining percent configuration instead of bandwidth remaining ratio. When converting from ratio to percent, take into account that percent configurations are based on a total of 100% and not the sum of the ratios. |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(2)S1 |
|
Known Fixed Releases: * | 15.2(1)E, 15.2(1)E1, 15.2(1)E2, 15.2(1)E3, 15.2(1)EY, 15.2(1.2.3)PI22, 15.2(2)E, 15.2(2)E1, 15.2(2b)E, 15.2(4)GC |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc43337 | Title: | vrf name missing in sh run for path-jitter operation |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: vrf name not present in sh run
Conditions: for vrf path-jitter probe
Workaround: None |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S, 15.3(1)S |
|
Known Fixed Releases: * | 12.2(58)EZ, 12.2(60)EZ, 12.2(60)EZ1, 12.2(60)EZ2, 12.2(60)EZ3, 12.2(60)EZ4, 12.2(60)EZ5, 12.2(60)EZ6, 15.1(1)ICA4.122, 15.2(1)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub91677 | Title: | Accounting interim update gets delayed after RP switchover |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Radius accounting interim update gets delayed after RP switchover happened.
Conditions: This symptom is observed when aaa accounting update command with periodic option is configured, and after RP switchover happened.
Workaround: None |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.1(2)S2, 15.2(2)S1 |
|
Known Fixed Releases: * | 15.0(1)EX3, 15.0(1)EZ, 15.0(1.1)AWD, 15.0(1.43)EZD, 15.0(1.44)XSR, 15.0(1.50)XRD, 15.0(1.54)XSR, 15.0(1.66)XSP, 15.0(10.16)EMW, 15.0(10.20)EXD |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCue99331 | Title: | XE37, GTPV1: match mcc/mnc is not working if mnc is 00X/0XX |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: If the mnc code is 001, aic cannot match it. If the mnc code is 011, aic cannot match it.
Conditions: match mcc or mnc
Workaround: No.
More Info:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)IC273.5, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.4(0.12)T, 15.4(1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup21070 | Title: | ASR1k / Denial of service vulnerability, ESP crash in NAT ALG |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptoms: The ESP module of an ASR1000 Series Router may crash in NAT ALG due to RBUF handle exhaustion.
Conditions: Running versions prior to this bugfix, with a NAT configuration and h323 traffic being fixed-up by the ALG.
Workaround: None.
Further Problem Description: The issue occurs in a specific scenario where NAT is in use and specifically malformed h323 packets are being NATed. Processing those packets leaks an internal structure, and when that structure is exhausted the ESP crashes.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.4/4.5: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-0688 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S2 |
|
Known Fixed Releases: | 15.3(3)S4, 15.4(2)S2, 15.4(3)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuh66373 | Title: | KS not sending rekey to the registered GM |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: KS not sending rekey to the registered GM
Conditions: KS not sending rekey to the registered GM
Workaround: If retransmission is enabled on the KS, rekeys are received by the GMs.
Further Problem Description:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.3(2)T1.2, 15.3(2)T1.3, 15.3(2)T3.1, 15.3(2.19)S0.12, 15.3(2.19)S0.8, 15.4(0.4)T |
|
Known Fixed Releases: * | 15.1(2)IC66.3, 15.2(1)IC273.70, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(2)E, 15.2(2)E1, 15.2(2.2.70)ST, 15.2(2a)E1, 15.2(2b)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCug89662 | Title: | ASR1k:Traceback@cfc_lisp_ios_adj_mgr_reevaluate_src_addr_and_mtu |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Traceback@cfc_lisp_ios_adj_mgr_reevaluate_src_addr_and_mtu
Conditions: LISP+OTV for ISSU and ISSD
Workaround: none |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S |
|
Known Fixed Releases: * | 15.1(1)IC66.14, 15.1(1)ICA4.16, 15.1(1)ICB40.1, 15.2(2)E, 15.2(2)E1, 15.2(2a)E1, 15.2(2b)E, 15.2(3)E, 15.2(4.0)ST, 15.2(4.0.64a)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuf82417 | Title: | XE310:Getvpn: V6-ACL with remark statement breaks the v6-dataplane |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When an IPv6 ACL is defined with 'remark' on the Key-server, the Key-server translates this entry as "deny ipv6 any any" before pushing it in the TEK to the GM. As a result, the GM installs it as the first sequence in its temporary downloaded ACL, and any v6 dataplane traffic that should have been encrypted goes out as clear-text, bypassing the crypto.
Conditions: Seen on ASR1K (ASR1002x) acting as Keyserver where the IPv6 ACL is defined, running the latest MCP_DEV code. This can be service impacting, as customers usually have remarks in their ACLs, which help them identify the ACL per group/customer, etc., and improve readability.
Workaround: Do not configure the IPv6 ACL with the 'remark' statement.
Further Problem Description:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.2(4)M, 15.3(3)S |
|
Known Fixed Releases: * | 15.2(1)IC273.8, 15.2(1.2.42)PI22, 15.2(2)E, 15.2(2)E1, 15.2(2.2.70)ST, 15.2(2b)E, 15.2(4)GC1, 15.2(4)GC2, 15.2(4)GC3, 15.2(4)M5.4 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCud17476 | Title: | traceback @ __be_bfd_allocate_adj_resources when BFD session flapping |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: traceback is seen in bfd flapping case
Conditions: 4k bfd session, flapping bgp
Workaround: |
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 15.3(1)S, 15.4(3)S |
|
Known Fixed Releases: * | 15.2(2)E, 15.2(2)EA1.1, 15.2(2.2.32)EA, 15.2(2.2.70)ST, 15.2(2b)E, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.4(2.1)T, 15.4(2.1.1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun43663 | Title: | HA: Multiple switchovers causes onePK process to hang |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: After HA switchover, before the application session transitions to Connected state (that is, no reconnect yet), if user does "no onep", then it takes 5 minutes for the onep network element thread to exit. During this 5 minutes period, no new onep sessions can be established.
After this 5 minutes period, new onep sessions can be established again.
Conditions: After HA switchover, before the application session transitions to Connected state (that is, no reconnect yet), and user does "no onep".
Workaround: Avoid doing "no onep" in the above condition.
One workaround is to do "onep stop session all" first, and then do "no onep".
Further Problem Description:
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: * | 15.2(1)IC273.37, 15.2(3)E, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.4(2)S0.6, 15.4(2)S1, 15.4(2)T1, 15.4(2)T1.1, 15.4(2.1.2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun85284 | Title: | XE3.12 DPSS issues with incompatible actions |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Some ONEP datapath flow action combinations that do not make logical sense are not blocked.
Conditions: Using the Datapath service set for ONEP and applying flow action combinations (like QoS and drop flow) are not blocked.
Workaround: Flow actions are applied to the flow in the order that the APIs are called.
Further Problem Description:
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 15.4(2)S |
|
Known Fixed Releases: * | 15.2(1)IC273.41, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.4(2)S0.6, 15.4(2)S1, 15.4(2)T1 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur45401 | Title: | Wrong Priority setting in NAT interchassis redundancy |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Wrong Priority setting in NAT interchassis redundancy
Conditions: devices configured with stateful interchassis redundancy for NAT
Workaround: none
Further Problem Description:
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 15.1(2.0) |
|
Known Fixed Releases: * | 15.4(3)S3.10, 15.5(1.10.1)GB, 15.5(1.15)S, 15.5(1.9)T, 15.5(2)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsz94201 | Title: | mcp_dev: PBR set interface null0 issues warning message |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: |
Symptom: When "set interface null0" is configured under route-map (PBR) configuration, IOS issues a warning message %Warning:Use P2P interface for routemap set^M interface clause^M This is just a warning message but the set interface itself takes effect. There is no operational impact.
Conditions:
When "set interface null0" is configured under route-map (PBR) configuration, IOS issues a warning message %Warning:Use P2P interface for routemap set^M interface clause^M This is just a warning message but the set interface itself takes effect.
Workaround:
There is no workaround. Since it does not affect the router operation, workaround is not needed.
Further Problem Description:
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 12.2(33)XNE, 12.2(33.1.5)REI, 12.2XN |
|
Known Fixed Releases: * | 12.2(32.8.10)YCA273.15, 12.2(33.1.9)MCP7, 12.2(58)EZ, 12.2(58)SE1, 12.2(58)SE2, 12.2(60)EZ, 12.2(60)EZ1, 12.2(60)EZ2, 12.2(60)EZ3, 12.2(60)EZ4 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtc80502 | Title: | ISSU(RLS4.2->5):%FRR_OCE-3-GENERAL: un-matched frr_cutover_cnt |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: |
Symptom:
FRR_OCE-3-GENERAL: un-matched frr_cutover_cnt message seen with tracebacks
Conditions: Observed during ISSU upgrade from RLS4.2 to RLS5
Workaround: There is no workaround
Further Problem Description:
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 12.2XNE |
|
Known Fixed Releases: * | 12.2(32.8.3)YCA273.35, 12.2(33)SRE10, 12.2(33)SRE11, 12.2(33)SRE5, 12.2(33)SRE8, 12.2(33)SRE9, 12.2(33)SRE9a, 12.2(33)XNE1, 12.2(33.1.16)XNE, 12.2(33.1.7)MCP7 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup14212 | Title: | IOS-XE: IPv6 GETVPN dropped after un-configure then re-configure VRF |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: GETVPN IPv6 packets are dropped.
Conditions: When GETVPN VRF-lite is enabled at an interface, this problem could happen if the VRF definition is de-configured.
Workaround: When VRF of the GETVPN VRF-lite protected interface has to be modified, please follow these steps:
1. Remove the GDOI-ipv6 crypto-map
2. Change the VRF of the interface from old-VRF to new-VRF
3. Re-apply GDOI-ipv6 crypto map to interface
After step 3, the unused "old-VRF" can now be de-configured accordingly.
Further Problem Description: Only GETVPN IPv6 data path is having this issue. This DDTS is to track IOS-XE side fix.
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv79776 | Title: | Router with Pfr feature crashed at cpp_free_exmem |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: A Cisco router may crash and generated a
Conditions: Issue is now seen on an ISR4331 with Pfr feature running 15.5(3)S code
Workaround:
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut66894 | Title: | evsi session fail to come up using multicast on all the virtual-access |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Fail to bring sessions up when multicast is used
Conditions: Using multicast
Workaround: Reduce the number of multicast interfaces, i.e., segregate at the vtemplate or via radius.
Further Problem Description: This issue has only been seen at one customer so far and is not reproducible in the lab. The current path is the EVSI installation that we saw in the log, but this description might change.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: * | 15.4(3)S3.8, 15.5(2)S1.2, 15.5(3)S0.3, 15.6(0.8)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj95903 | Title: | On-demand perf-mon MT Aborts Poll on self without displaying stats |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When executing Mediatrace poll from CLI, the following message is displayed:
Escape sequence received. Aborting poll...
However, no escape sequence has been sent.
Conditions: On the Mediatrace poll command, no timeout parameter is specified.
Workaround: Specify a timeout on the Mediatrace poll CLI:
mediatrace poll timeout 60 path-specifier name perf-monitor profile
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.4(0.19)S0.11, 15.4(1)S, 15.4(1.15)S, 15.4(1.6)T |
|
Known Fixed Releases: * | 15.2(1)IC273.6, 15.2(1.24)PSR, 15.2(2.2.70)ST, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.4(1)CG1, 15.4(1)S0e, 15.4(1)S1, 15.4(1)T1 |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv51619 | Title: | Memory consumption reaching 94% in asr1002x |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: Output Error message from console like "RP/0: Used Memory value 94% exceeds critical level 93% "
Conditions: Image version: XE315-15.2(2)S Per VRF label, 2.5M IPv4 VRF Routes (MPLS VPN) configured or learned
Workaround: Decrease the number of the routes
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.5(2.22)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCui77191 | Title: | ASR crashes with pfr configuration |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Happened at Customer site
Symptom: With Pfr Config.
Conditions: Will be updated as more investigation is done
Workaround: none at this time
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.3(2)S, 15.3(3)M |
|
Known Fixed Releases: * | 15.2(4)M6.2, 15.2(4)M7, 15.2(4)S4.14, 15.2(4)S5, 15.2(4)S6, 15.3(3)M1.8, 15.3(3)M2, 15.3(3)M3, 15.3(3)M4, 15.3(3)S1.9 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj04086 | Title: | asrk1:ikev2-ondemand DPD fails |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: On-demand dpd triggered
Conditions: Configure on-demand dpd on peer3. Keep receiving the traffic from peer1
Workaround: n/a
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.4(0.19)S0.4, 15.4(0.26)T, 15.4(1)S, 15.4(1.11)S, 15.4(1.4)T, 15.4(1.5)T, 15.4(1.6)S |
|
Known Fixed Releases: * | 15.2(1)SY1.13, 15.2(4.0)ST, 15.2(4.0.21)E, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.4(0.19)S0.8, 15.4(1)S, 15.4(1)S0.2, 15.4(1)S0e, 15.4(1)T1.2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj96123 | Title: | Standby ASR1001 router crashed due to SBC related issue |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: ASR1000 crashed with following log in crashinfo file:
UNIX-EXT-SIGNAL: Segmentation fault(11), Process = SBC main process
Conditions: the ASR1000 router is the standby router in CUBE-SP setup.
Workaround: None
Further Problem Description: None
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S3 |
|
Known Fixed Releases: * | 15.2(4)S4.8, 15.2(4)S5, 15.2(4)S6, 15.3(3)S2.9, 15.3(3)S3, 15.3(3)S4, 15.4(1)S0.1, 15.4(1)S0.2, 15.4(1)S0e, 15.4(1)S1 |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu92372 | Title: | X-chassis MIB descriptions for power supplies are incorrect |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: X-chassis MIB descriptions for power supplies are incorrect
Conditions: While testing Entity-MIB on x-chassis
Workaround: none
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | 15.5(3)S0.3, 15.6(0.6)S |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCus64035 | Title: | EPC: mac-acl was written to running-config incorrectly in inline filter |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: When EPC is enabled with an inline filter on a MAC address, the dynamic MAC ACL is written to the running-config, which prevents EPC from being re-enabled if the router is reloaded.
Conditions: enable epc and reload
Workaround: no epc and then reload
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCut84097 | Title: | Kernel crash on doing hw-module slot <> shut |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: RP1 crashes on "hw-module slot <> shut" command.
This issue is specific to RP1 and will not be seen in RP2
Conditions: Router reloads every time the "hw-module slot <> shut" command is executed. Happens only on RP1
Workaround: None
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv02495 | Title: | XE316 ASR crash @cts_sgt_send_msg on reload |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: ASR1K router may crash in an iWAN + Trustsec setup during router reload or tunnel flap.
Conditions: Stateful traffic is flowing.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv52997 | Title: | /32 static route added without add-route enabled for outside dynamic nat |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: Static route incorrectly added by NAT into the RIB.
Conditions: Outside dynamic NAT configured without add-route option & inbound connection initiated from an outside host.
Workaround:None
More Info:When using Outside dynamic NAT we are seeing /32 route added for outside local ip address. This should be injected into the RIB only when we have add-route option enabled in the nat statement. Issue is observed in 15.4(3)S3.
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv80911 | Title: | change BFD timer granularity to 3ms for USD |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: BFD may flap on USD
Conditions: Configure BFD
Workaround: none
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj88292 | Title: | BFD session are not coming up with XE3.11 mcp dev image |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Once you reboot router with XE3.11 BFD is getting disabled.
Conditions: BFD session showing down
Workaround: Remove interface BFD config and reapply it
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.4(2)S |
|
Known Fixed Releases: * | 12.2(33)SCI, 15.2(2)E, 15.2(2)E1, 15.2(2)EA1.1, 15.2(2.2.32)EA, 15.2(2.2.70)ST, 15.2(2a)E1, 15.2(2b)E, 15.2(3)E, 15.2(4.0)ST |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu30999 | Title: | Asset ID write not working on pluggable spa of Nightster |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The Asset ID is not working on the pluggable spa of nightster.
Conditions: The asset id write for nightster uses the common call of the eeprom write function, which has a different callout for bus retrieval.
- 1ru, 2kh, argus-x and speedracer eeprom write uses the I2c driver.
- Platforms like nightster and kingpin (spa) use the c2w.
Workaround: The c2w write function is used for writing asset id on pluggable spa of nightster platform.
Further Problem Description: The functions (eeprom write using the I2c driver and eeprom write using c2w) cannot be used interchangeably between these 2 (nightster and kingpin) mentioned categories.
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S3.16 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCug73485 | Title: | ASR1k: XE3.10 LISP ISSU traceback for Invalid input IPv6 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: LISP assert error and associated traceback displayed in the log. No other side effects.
Conditions: ISSU ISSD on a router configured with the Locator ID Separation Protocol (LISP).
Workaround: none
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)IC273.13, 15.3(3)XB12, 15.4(0.19)S0.8, 15.4(1)CG1, 15.4(1)S, 15.4(1)S0.2, 15.4(1)S0e, 15.4(1)T1, 15.4(1.0)CG1 |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv64324 | Title: | Memory leak @crypto_ssl_policy_add_addr upon config-replace on SSL-GW |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Config-replace on a SSLVPN-GW results in a memory leak @crypto_ssl_policy_add_addr
Conditions: On a SSLVPN-GW if we happen to perform a config-replace, we happen to observe a memory leak @crypto_ssl_policy_add_addr
Workaround: none
Further Problem Description: |
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.6(1)S |
|
Known Fixed Releases: | 15.6(0.14)S |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuh83537 | Title: | Overlord: BFD not working properly when interworking with egress ACL |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: On Overlord, BFD will not work properly when interworking with ACL. For example, when an out ACL is configured to permit BFD packets, BFD packets still cannot be sent out, which will cause service impact in the customer's network.
Conditions: Hardware mode BFD session interworks with ACL.
Workaround: Change the BFD session to software mode
More Info: |
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S, 15.4(1)S |
|
Known Fixed Releases: | 15.3(3)S1, 15.4(1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut29170 | Title: | ISG sends only encoded name when service is applied through shell map |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Policy name is seen as "ISG-X" in accounting packets and in 'show subscriber session detail' output rather than actual policy name
Conditions: when sending policy from radius with VSA to add classes
Workaround: none
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.4(3), 15.4(3)S1.9 |
|
Known Fixed Releases: * | 15.5(2.20)S, 15.5(2.21)S0.12, 15.5(2.21)S0.6, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN, 15.6(0.1)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus95303 | Title: | Collect application http URL is missing after loading/ unloading ppack |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Collect application http url is missing
Conditions: Load/ unload protocol pack with missing collect http url twice
Workaround: the only way to get url cli again is to reload the router
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.5(2)S, 15.5(2)T, 15.5(2.14)T, 15.5(2.6)T, 15.5(3)S |
|
Known Fixed Releases: * | 15.5(2.15)T, 15.5(2.18)PI29a, 15.5(2.21)S0.12, 15.5(2.21)S0.3, 15.5(2.22)S, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu02084 | Title: | ISG behavior 3.10->3.13 changed: service-name is sent in session account |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: With RLS 3.10 we haven't sent service-name in session accounting-request from ISG to AAA Server.
Conditions: Establishing a WebAuth session on ISG and sending session accounting-request
Workaround: NA
Further Problem Description: It depends on the Radius and Backend-System config if this will have an impact for customers.
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: * | 15.4(3)S3.3, 15.5(2.21)S0.12, 15.5(2.21)S0.9, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN, 15.6(0.5)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu50189 | Title: | ASR1K reported %LSMPI-4-INJECT_FEATURE_ESCAPE for PPPoE data packet |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Error on ASR1000: %LSMPI-4-INJECT_FEATURE_ESCAPE: Egress IP packet delivered via legacy inject path
Conditions: PPPoE session hasn't been provisioned on data plane yet, but the peer side already sends PPPoE data traffic to that PPPoE session.
Workaround:
Further Problem Description: This is a cosmetic error.
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S |
|
Known Fixed Releases: * | 15.4(3)S2.18, 15.5(2)S1.2, 15.5(2.21)S0.12, 15.5(2.21)S0.6, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN, 15.6(0.3)S |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv90904 | Title: | ASR1K B2B CGN NAT lost sync in standby IP NAT allocated addresses |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: In a Back-to-Back Carrier Grade NAT configuration using ASR1013 chassis and PAP+BPA configured, ESP200 lost sync in standby in NAT entries & IP NAT allocated addresses.
Conditions: PAP+BPA configured ASR1013 with ESP200 B2B CGN NAT
Workaround: Redundancy failover corrected the issue. Once the standby CGN became active, the IP allocated addresses would be corrected.
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut41815 | Title: | Unable linkup on opposing unit of ASR1k built in port after "no shut" |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The opposing unit's ports sometimes do not link up after entering "shut" "no shut" on ASR1001X built in ports.
Conditions: ASR1001X running with 3.13.2S or 3.14.1S.
Workaround: Sometimes the issue is improved by entering "shut" "no shut" again on the ASR1001X built in ports. The issue is always improved by an ASR1001X reload.
Further Problem Description: none
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S, 15.5(1)S |
|
Known Fixed Releases: * | 15.4(3)S2.15, 15.4(3)S3, 15.5(2)S0.6, 15.5(2)S1, 15.5(2)SN, 15.5(2.21)S0.12, 15.5(2.21)S0.6, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu42183 | Title: | ASR1K SSL: AnyConnect 4.x Connection fails |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ASR1K SSL connection from AnyConnect 4.x client is failing with error "The AnyConnect package on the secure gateway could not be located"
Conditions: AnyConnect Version installed on headend should be 4.x
Workaround: 1) Bypass downloader from AnyConnect Client if you want to continue using 2) Use 3.x AnyConnect Client
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: * | 15.5(2.21)S0.12, 15.5(2.21)S0.6, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN, 15.6(0.3)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuh09580 | Title: | crypto ikev2 dpd configuration lost after RP Switch-Over on ASR1K |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: With IOS-XE 3.7.3S on ASR1K and a global crypto ikev2 dpd configuration, all crypto sessions have DPD enabled as expected. After an RP Switch-Over, the crypto ikev2 dpd configuration is missing and all crypto sessions are re-established with DPD disabled.
Conditions: DPD and RP Switch Over
Workaround: None
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S |
|
Known Fixed Releases: * | 15.2(1)IC273.175, 15.2(2)EA1, 15.2(2.0)EA, 15.2(2.1)EB, 15.2(2.2.75)ST, 15.2(2.6.68)EA, 15.2(2.7.9)EA, 15.2(2.8.1)EA1, 15.2(4.0)ST, 15.2(4.0.21)E |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu14809 | Title: | Byte counters display incorrect value for multicast traffic over sub-int |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The "show vlans" output does not show the correct byte stats
Conditions: This was observed for multicast traffic
Workaround: none
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 15.2(4)S4.1 |
|
Known Fixed Releases: * | 15.3(3)S5.16, 15.3(3)S6, 15.4(3)S3.3, 15.5(2)S0.9, 15.5(2)S1, 15.5(2)SN, 15.5(2.21)S0.12, 15.5(2.21)S0.4, 15.5(2.24)S, 15.5(3)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc43160 | Title: | fhs-ask1k dynamic Binding Table number not include dhcp prefix entry |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The dynamic binding table number is wrong; the DHCP IA_PD prefix entry is not counted in the dynamic number, but in the total number.
Conditions: Enable prefix-glean from dhcpv6-pd.
Workaround: None |
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 15.3(2)S |
|
Known Fixed Releases: * | 15.1(1)IC66.63, 15.1(1)ICA4.122, 15.1(1)ICB29.36, 15.2(2)E, 15.2(2b)E, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(2.13)S, 15.3(2.15.1)XEB |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCue74708 | Title: | destination-glean recovery not shown in show snoop policy command |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: In an ipv6 snooping policy, destination-glean recovery is not shown in the show ipv6 snooping policy command, while data-glean recovery is shown in the show ipv6 snooping policy command.
Conditions: In an ipv6 snooping policy, destination-glean recovery is not shown in the show ipv6 snooping policy command.
Workaround: The user can check the destination-glean recovery using the show running command. |
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 15.2(1)E, 15.3(2)S |
|
Known Fixed Releases: * | 15.1(1)IC66.63, 15.1(1)ICA4.122, 15.1(1)ICB29.36, 15.2(2)E, 15.2(2)E1, 15.2(2b)E, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(2.13)S |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv92978 | Title: | ESP 100 crash due to many "deny" entries in access-groups used in ZBFW |
|
Status: | Other |
|
Severity: | 3 Moderate |
Description: | Symptom: a/ ESP crash b/ log alarm:
Jul 2 00:43:51: %CPPHA-3-FAULT: F0: cpp_ha: CPP:0.0 desc:CPP Client process failed: cpp_cp det:HA class:CLIENT_SW sev:FATAL id:1 cppstate:RUNNING res:UNKNOWN flags:0x0 cdmflags:0x0
Jul 2 00:43:51: %CPPOSLIB-3-ERROR_NOTIFY: F0: cpp_ha: cpp_ha encountered an error -Traceback= 1#2a465b0cda95a06af9bbe1ac2edcba01 errmsg:7FE38B17A000+121D cpp_common_os:7FE38EBD9000+DC08 cpp_common_os:7FE38EBD9000+1B77E cpp_drv_cmn:7FE38E4A1000+29C97 :400000+238B8 :400000+230A0 :400000+144D7 :400000+BFBE :400000+1285D :400000+F8C6 :400000+13A12 cpp_common_os:7FE38EBD9000+1274F evlib:7FE38A331000+B937 evlib:7FE38A331000+E200 cpp_common_os:7FE38EBD9000+14012 :400000+D93D c:7FE382E49000+1E514 :400000+82C
Jul 2 00:43:51: %CPPDRV-3-LOCKDOWN_INITIATED: F0: cpp_ha: QFP0.0 CPP Driver LOCKDOWN being triggered due to fatal error.
Jul 2 00:43:51: %CPPOSLIB-3-ERROR_NOTIFY: F0: fman_fp_image: fman-fp encountered an error -Traceback= 1#a1e7faeab809d86e183bf14d676c0b56 errmsg:7F01E54D3000+121D cpp_common_os:7F01CB547000+DC08 cpp_common_os:7F01CB547000+1B77E cpp_common_os:7F01CB547000+1276A evlib:7F01CFAB3000+B937 evlib:7F01CFAB3000+E200 :400000+51F8F3 c:7F01BBE85000+1E514 :400000+18F849
Jul 2 00:43:51: %RG_PROTOCOL-5-ROLECHANGE: RG id 1 role change from Active to Init
Jul 2 00:43:51: %CPPDRV-3-LOCKDOWN: F0: fman_fp_image: QFP0.0 CPP Driver LOCKDOWN encountered due to previous fatal error (SW: Userspace fault).
Jul 2 00:43:51: %IOSXE-6-PLATFORM: F0: cpp_ha: Shutting down CPP MDM while client(s) still connected
Jul 2 00:43:52: %PMAN-3-PROCHOLDDOWN: F0: pman.sh: The process cpp_cp_svr has been helddown (rc 139)
Jul 2 00:43:52: %PMAN-0-PROCFAILCRIT: F0: pvp.sh: A critical process cpp_cp_svr has failed (rc 139)
Jul 2 00:43:52: %PMAN-3-PROCHOLDDOWN: F0: pman.sh: The process cpp_ha_top_level_server has been helddown (rc 69)
Conditions: "deny" entries are configured in an access-group and the access lists are used in the ZBFW policies.
Workaround: use default deny
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 15.4(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu49706 | Title: | Consider reading power SPA power consumption from Inventory |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Display of some SPA power allocation (or power consumption) is 0 using the CLI command show platform power.
Conditions: ASR1000-RP2 is running IOS-XE version 3.16.0 on ASR1009-X and ASR1006-X chassis. The behavior is observed when SPA-1X10GE-L-V2 is installed.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv18079 | Title: | Chassis-X RP2 downrev CPLD indicate FRU's incompatible-misleading msgs |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The following output (sample) is a representation of the incorrect messaging that will occur if the RP2 CPLD is not upgraded. The only FRU that actually requires upgrade when moved to ASR1009-X or 1006-X is the RP2. All log and "show platform" state messages are irrelevant except for RP2 and when upgraded, all other FRU messaging should clear to correct output.
Router#sh plat
Chassis type: ASR1006-X
Slot Type State Insert time (ago)
--------- ------------------- --------------------- -----------------
0 ASR1000-SIP40 act_rp_cpld_incompatib00:07:53
R0 ASR1000-RP2 act_rp_cpld_incompatib00:07:53
R1 ASR1000-RP2 act_rp_cpld_incompatib00:03:58
F0 ASR1000-ESP40 act_rp_cpld_incompatib00:07:53
P0 Unknown ps, fail never
P1 Unknown ps, fail never
P2 Unknown ps, fail never
snip--
Slot CPLD Version Firmware Version
--------- ------------------- ---------------------------------------
0 N/A N/A
1 N/A N/A
R0 08103002 15.4(2r)S
R1 10021901 15.2(1r)S
F0 N/A N/A
F1 N/A N/A
*Jul 2 19:35:09.210: %CMRP-3-FRU_CPLD_INCOMPATIBLE: R0/0: cmand: ASR1000-ESP40 in slot F1 has been held in reset as its CPLD firmware version is incompatible with ASR1006-X
*Jul 2 19:37:01.896: %CMRP-3-FRU_CPLD_INCOMPATIBLE: R0/0: cmand: ASR1000-SIP40 in slot 0 has been held in reset as its CPLD firmware version is incompatible with ASR1006-X
*Jul 2 19:37:12.731: %IOSXE_OIR-6-ONLINECARD: Card (rp) online in slot R1
*Jul 2 19:37:12.738: %CMRP-3-FRU_CPLD_INCOMPATIBLE: R0/0: cmand: ASR1000-RP2 in slot R1 has been held in reset as its CPLD firmware version is incompatible with ASR1006-X
*Jul 2 19:37:12.951: %IOSXE_OIR-6-OFFLINECARD: Card (rp) offline in slot R1
*Jul 2 19:35:36.440: %CMRP_PFU-4-PWR_MGMT_WARN: R0/0: cmand: WARNING: Insufficient number of power supplies (0) is installed for power redundancy mode none. The system needs 1057 watts additional power.
Conditions: The failure is specific to customer environments where an existing RP2 has not been upgraded to the latest CPLD to support the ASR1009-X or ASR1006-X. If the customer installs such RP2(s) into these chassis types, the symptoms indicated will occur. The new chassis will come with upgraded RP2s if ordered as part of a bundle.
Workaround: None. CPLD must be upgraded
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu66094 | Title: | %INFRA-3-INVALID_GPM_ACCESS_INFO with multiprotocol traffic on IWAN BR |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: %INFRA-3-INVALID_GPM_ACCESS_INFO tracebacks on IWAN Border router
Conditions: Sending stateful multiprotocol traffic (FTP, HTTP1_0, IMAP, POP3, SIP_SU_VOICE)
Workaround: none
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu26397 | Title: | tb @cpp_gic_ea_enable_protocols and fman_fp crash @__intel_sse2_strncpy |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A traceback is observed when configuring service instance ethernet under the interface.
Creating a BDI and defaulting the main interface results in fman_fp crash
Conditions: service instance creation under the interface causes the traceback. fman_fp crash observed when we default the main interface
Workaround: none
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu27478 | Title: | XE316 : Ovd crashes with multiple frequent SGTcaching add/remove cmds |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: ISR 4451 may crash with multiple 'cts role-based sgt-caching' and 'no cts role-based sgt-caching' commands
Conditions:
Workaround: Wait for a minute before either adding or removing SGT caching.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv84600 | Title: | Netflow packets are dropped when EPC is enabled |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When EPC was active, half of the netflow packets were dropped. After EPC was stopped, the drop counters stopped incrementing and data was sent:
Conditions: enable EPC on netflow export interface
Workaround: stop EPC, issue will be gone
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 15.4(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu91116 | Title: | LLDP inject packets to Vxlan NVE interface causing tracebacks |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: It was observed with IOS XE release 3.14.1S that enabling LLDP injects packets into the Vxlan NVE interface, causing tracebacks and packet drops.
Conditions: This issue will be seen if LLDP is enabled with Vxlan configurations.
Workaround: Disable LLDP on Vxlan NVE interface
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: * | 15.6(1)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv74763 | Title: | ASR 1K - SSH Hangs on "Show Logging Count" When SBC Errors Flood Console |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ASR 1K may experience a hang or crash on the SSH process when running "show log count" if SBC is busy printing out a heavy amount of logs to the console.
Conditions: SBC is printing many messages to the console at the time "show log count" is issued.
Workaround: None known.
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 15.3(3)S4 |
|
Known Fixed Releases: * | 15.4(3)S3.13 |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv71273 | Title: | fragmented packet cause high qfp load |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: Cisco ASR 1000 Series Aggregation Service Routers contain a vulnerability within the QFP subsystem when processing fragmented packets that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition.
The vulnerability is due to a deadlock scenario that occurs when processing crafted fragments. When the issue occurs the QFP CPU on the ESP may cause elevated CPU usage which may cause critical processes on the device to be impacted. An attacker could exploit this issue by submitting IP fragments designed to trigger the issue through an affected device in a continuous flow. The affected device will recover once the malicious traffic has stopped.
Conditions: 100k pps or higher fragment traffic destined to the ASR1k router.
Impacted platforms: ESP100 - observed QFP CPU utilization of up to 99% ESP40 - observed QFP CPU utilization of up to 70%. The ASR1001 is not affected.
Impacted Releases: TBD
Workaround: None.
Further Problem Description: None.
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0 CVE ID CVE-2015-6274 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup42922 | Title: | SASR1K1XU-312S does not support command to check ACT2 chip programming |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Failure to validate ACT2 chip is programmed correctly.
Conditions: During Burn-In testing. Not a functionally impacting issue.
Workaround: Validate ACT2 chip with Universal image instead of no-crypto image.
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | n/a |
|
Known Fixed Releases: * | 15.5(2.21)S0.12, 15.5(2.21)S0.4, 15.5(2.24)S, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj91145 | Title: | "Clear counters" not able to clear the elapsed time in controller output |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: "SHOW CONTROLLER SERIAL <>" shows the current status of the controller t1/e1/t3/e3, which includes framing, clock source, bandwidth, etc. Executing the "CLEAR COUNTERS" command should delete all the current information and restart the status from zero. However, after the "CLEAR COUNTERS" command the output of "show controller serial" was not cleared properly: the "Data in current interval (70 seconds elapsed)" was not cleared.
Conditions: It is common in all channelized spa under ASR1k box
Workaround: No workaround
Further Problem Description: -
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S, 15.4(1.2)S |
|
Known Fixed Releases: * | 15.5(1.18)S0.7, 15.5(2)S, 15.5(2)SN, 15.5(2.5)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus11939 | Title: | up mep over vpls scaling will be flapping |
|
Status: | Open |
|
Severity: * | 4 Minor |
Description: | Symptom: With 4k up MEP sessions over VPLS configured at a 10s interval, some sessions flap. With a 1s interval, up MEP sessions over VPLS cannot scale up to 1000; some sessions flap. No session flaps with up MEP over BD.
Conditions: Up MEP over VPLS flaps at a 4k session configuration. With 4k up MEP sessions over VPLS, some sessions flap; no session flaps with up MEP over BD.
Workaround: none
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 15.5(2)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtx41449 | Title: | CPUHOG tracebacks after "clear ip nhrp" on hub scaling up to 3k spokes |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
CPUHOG tracebacks after "clear ip nhrp" or "shut" the tunnel interface
Conditions:
ASR1002
Workaround:
None |
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S |
|
Known Fixed Releases: * | 15.1(2)IC66.3, 15.2(1)IC273.70, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(2.2.70)ST, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(1.2)T |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup77660 | Title: | Port Live Process Dump (LPD) to mcp_dev |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptoms: CiscoFireSIGHT contains a stored XSS vulnerability
Conditions: none
Workaround: Additional mitigation at: http://www.cisco.com/c/en/us/support/docs/cmb/cisco-amb-20060922-understanding-xss.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.3: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:N/I:P/A:N/E:F/RL:U/RC:C&version=2.0 No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtj46368 | Title: | Traceback @frag_info_cp_pkt_to_dram during vulnerability scan test |
|
Status: | Other |
|
Severity: | 6 Enhancement |
Description: * | Symptom:
Request capability to have Memory Tracebacks disabled on CLI by default and ability to re-enable as needed.
Conditions:
Traceback is seen @frag_info_cp_pkt_to_dram during vulnerability scan test
Workaround:
Unknown
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID CVE-2011-0970 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 15.0(1)S, 15.1(0.18)S, 15.1(1)S1 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu75950 | Title: | ATTN_SYNC timeout and FragTail Drop |
|
Status: | Open |
|
Severity: * | 6 Enhancement |
Description: | Symptom: The following console logs may appear when the device is processing a large amount of traffic:
*Jun 8 12:49:29.091: %IOSXE-3-PLATFORM: F1: cpp_cp: QFP:0.0 Thread:016 TS:00000014475131480946 %ATTN-3-SYNC_TIMEOUT: msecs since last timeout 14132482, missing packets 2295
*Jun 8 12:50:32.760: %IOSXE-3-PLATFORM: F1: cpp_cp: QFP:0.0 Thread:063 TS:00000014538638634763 %ATTN-3-SYNC_TIMEOUT: msecs since last timeout 14194559, missing packets 2583
*Jun 8 12:51:35.554: %IOSXE-3-PLATFORM: F1: cpp_cp: QFP:0.0 Thread:012 TS:00000014601272311941 %ATTN-3-SYNC_TIMEOUT: msecs since last timeout 14255618, missing packets 2223
*Jun 8 12:52:38.669: %IOSXE-3-PLATFORM: F1: cpp_cp: QFP:0.0 Thread:061 TS:00000014664226856171 %ATTN-3-SYNC_TIMEOUT: msecs since last timeout 14317043, missing packets 204
This excessive logging may lead to elevated CPU utilization in extreme conditions.
Conditions: NAT configured
Workaround: turn off NAT ALG
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0 No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.5(3)S |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup99736 | Title: | ASR1k-IOSd cli copy command cannot copy multiple files, unlike delete |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom: The IOS XE cli copy command is unable to copy multiple files e.g. using the '*' wildcard construct, unlike the corresponding "delete" command which can work with '*' and expand file names to be deleted.
Conditions: IOS XE, file manipulation using CLI commands
Workaround: The only workaround is to copy files one by one.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 15.2(1)S2, 15.3(3)S3 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv53315 | Title: | "debug ip nat route" not working for dynamic NAT using add-route |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: "debug ip nat route" not working for dynamic NAT using add-route
Conditions:
Workaround: none
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 15.4(3)SS |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv57750 | Title: | Support of DHCP options for ASR1k |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Currently ASR1k does not support DHCP options to be sent to client.
Conditions: ASR1k as LMA and Access Point / Wireless LAN Controller as MAG.
Workaround: Manually configured options on Client
Further Problem Description:
|
|
Last Modified: | 23-AUG-2015 |
|
Known Affected Releases: | 15.5(2.16.5)PIH28 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtn50831 | Title: | Remove and count %MEM_MGR-3-MALLOC_NO_MEM tracebacks |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: * | Symptom:
Request capability to have Memory Tracebacks disabled on CLI by default and ability to re-enable as needed.
Conditions:
Request for ASR1002-F where currently running 12.2(33)XND4 displays various Memory tracebacks that appear with large frames various pin ackets from SNMP stress test.
Workaround:
Unknown
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID CVE-2011-0970 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 12.2(33.1) |
|
Known Fixed Releases: | 15.0(1)S3, 15.1(1)S2, 15.1(2)S, 15.1(3)S |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCui19103 | Title: | No value is returned for an SNMP Query from Hierarchical DMVPN HUB |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: It is observed that no value is returned for an SNMP query (nhrpServerEntry) made by the SNMP server to the UUT (DMVPN Hub) in a Hierarchical DMVPN Scenario, where the HUB is an intermediate device which works as both DMVPN Hub and Spoke.
Conditions: It is observed that no value is returned for an SNMP query (nhrpServerEntry) made by the SNMP server to the UUT (DMVPN Hub) in a Hierarchical DMVPN Scenario, where the HUB is an intermediate device which works as both DMVPN Hub and Spoke.
Workaround: NA
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: * | 15.1(4)M8, 15.1(4)M9, 15.4(2)S, 15.4(2.2)T, 15.4(2.5)S, 15.4(2.9)S, 15.5(0.7)S, 15.5(1.4)T, 15.5(1.7)S, 15.5(2.6)T |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq30260 | Title: | VC flaps on removing disable-fallback option from pseudowire |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Pseudowire flaps on updating config
Conditions: Update disable-fallback option that is part of "preferred-path interface " command.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S |
|
Known Fixed Releases: * | 15.4(3)M2.1, 15.4(3)M3, 15.4(3)M3.1, 15.4(3)S1.8, 15.4(3)S2, 15.5(1)S0.5, 15.5(1)S1, 15.5(1)SN1, 15.5(1)T1.1, 15.5(1)T2 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuf21704 | Title: | GEC QoS: Support HQoS on GEC main interface. |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Enable GEC QoS support for XE platform.
Conditions: Enable GEC QoS support for XE platform.
Workaround: feature commit.
More Info:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 15.4(1)S |
|
Known Fixed Releases: * | 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(2.21)PI23c, 15.4(0.1)T, 15.4(0.5)S, 15.4(1)S |
|
|
| |