| |
|
Alert Type: | Updated * |
Bug Id: | CSCtk34535 | Title: | Nexus reset due to HA policy on multiple CDP process crash |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Description: * | Symptoms: A Cisco Nexus 7000 may reset due to a HA policy if the CDP process crashes multiple times
Conditions: This has been seen when processing a malformed CDP packet
Workaround: Disable the CDP process
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-2469 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.2(6) |
|
Known Fixed Releases: | 5.0(5)E1, 5.1(4)E3, 5.1(5)S1, 5.2(0.149)S0 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtu39708 | Title: | Non-dflt VDC grants access to unauthorized user via SSH |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Description: * | Symptoms: A Cisco Nexus switch may allow unauthorized users SSH access under specific circumstances. However, the user is logged in as a VDC-operator. No escalation is possible from VDC-operator to VDC-admin.
Conditions: Device configured with SSHv2 and logging in to a non-default VDC.
Workaround: Please execute the following command: "no tacacs-server directed-request". This would ensure that the unauthorized user would not be able to login.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-4495 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.2(1) |
|
Known Fixed Releases: | 5.1(6)S2, 5.2(3)S9, 5.2(3.8)S0, 6.0(2)S12, 6.1(0.151)S0 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCti11629 | Title: | Cisco NX-OS VDC SSH Privilege Escalation Vulnerability |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Description: * | Symptom: Advisory ID: cisco-sa-20140521-nxos
Revision 1.0
For Public Release 2014 May 21 16:00 UTC (GMT)
Summary
=======
Cisco Nexus, Cisco Unified Computing System (UCS), Cisco MDS 9000 Series Multilayer Switches, and Cisco 1000 Series Connected Grid Routers (CGR) are all based on the Cisco NX-OS operating system. These products are affected by one or more of the following vulnerabilities:
* Cisco NX-OS Virtual Device Context SSH Privilege Escalation Vulnerability
* Cisco NX-OS Virtual Device Context SSH Key Privilege Escalation Vulnerability
* Cisco NX-OS-Based Products Smart Call Home Buffer Overflow Vulnerability
* Cisco NX-OS Message Transfer Service Denial of Service Vulnerability
Cisco has released free software updates that address these vulnerabilities.
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140521-nxos
Conditions: A device running an affected version of software.
Workaround: None
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/6.2: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:S/C:C/I:C/A:C/E:H/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-2200 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.0(2a) |
|
Known Fixed Releases: | 5.0(3)N1(1), 5.0(5.1)S0 |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCus81915 | Title: | L2FM PSEC memory corruption |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: L2FM crash, possible memory corruption
Conditions: Enable/Disable PS on port channels/shut no shut of port channels with PSEC
Workaround:
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.397) |
|
Known Fixed Releases: | 6.2(13.3)S0, 6.2(14)FB(0.67), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.1(0)SIB(99.92), 7.2(0)BA(0.12), 7.2(0)CF(0.11), 7.2(0)D1(0.415), 7.2(0)D1(1), 7.2(0)FM(0.3) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCul22949 | Title: | Apex6: Crash @ mts_spin_lock_func when OIR spine |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Unexpected system reset during online insertion and removal (OIR) of spines, or during manual reloading of N7Ks.
Conditions: In rare instances, this problem may occur when OIR spines or manually reloading N7Ks.
Workaround: None.
Further Problem Description: MTS sap release triggered by application cleanup needs to wait until it is safe to be released. However in rare circumstances, a deadlock can occur due to a signal interrupting the wait, causing kernel panic and system reset.
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(5.45)S2, 6.2(5.61)S0 |
|
Known Fixed Releases: | 6.2(13.3)S0, 6.2(14)FB(0.47), 7.0(0)BZ(0.46), 7.0(0)HSK(0.317), 7.1(0)AV(0.38), 7.1(0)BF(0.104), 7.1(0)D1(0.171), 7.1(0)D1(0.282), 7.1(0)EV(0.116), 7.1(0)EVN(0.18) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv88508 | Title: | Crash in the pltfm_config process |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom: A Sup failover/crash occurred after a pltfm_config process crash:
2015 Aug 19 10:29:29.045 sw-core2-int.dc6 %SYSMGR-2-SERVICE_CRASHED: Service "pltfm_config" (PID 5792) hasn't caught signal 11 (core will be saved).
2015 Aug 19 10:29:29.952 sw-core2-int.dc6 %SYSMGR-2-LAST_CORE_BASIC_TRACE: : PID 18490 with message pltfm_config(non-sysmgr) crashed, core will be saved .
Conditions: The exact conditions are still being investigated. The only change was related to route-maps, made 15 minutes prior on VDC 2.
Workaround: None Known
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 6.2(8b) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv87645 | Title: | Traffic not classified according to the static SGT |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom: If an IP-SGT mapping overlapping with a VLAN-SGT mapping is first learned over SXP and then deleted, the 7k will not classify the traffic with the static VLAN-SGT configured.
Conditions:
Workaround: force-delete the ARP entry for the source IP
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 6.2(10)E3, 7.2(0)D1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut25162 | Title: | VPLS VC's don't come after delete/add VFI's in EFP scale setup |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Few VPLS PW's remain down
Conditions: With L2VPN VFI's scaled, delete all VFIs and Re-add all VFI's.
Workaround: clear l2vpn service vfi all
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.422), 7.2(0)D1(0.430) |
|
Known Fixed Releases: * | 15.5(1)S0.17, 15.5(1)S1.1, 15.5(1)S2, 15.5(1)S2.1, 7.0(0)FHS(0.23), 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.18) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus97380 | Title: | plcmgr crash during OpenFlow extended sanity |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Crash in plcmgr.
Conditions: Occurs sometimes during addition of OpenFlow matches to end of policy.
Workaround: None known.
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.402) |
|
Known Fixed Releases: * | 7.1(0)ES(0.5), 7.3(0)DHB(0.32) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu89065 | Title: | Activating L2 netflow causes mac flap on F2 |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Activating L2 netflow causes mac flap on F2
Conditions: Activating L2 netflow on F2 card
Workaround:
Further Problem Description:
|
|
Last Modified: | 22-AUG-2015 |
|
Known Affected Releases: | 6.2(8a) |
|
Known Fixed Releases: * | 6.2(14)S0, 6.2(14.1)S0, 7.2(1)D1(0.51), 7.2(1)ZD(0.45) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut17793 | Title: | SSTE:Traffic loss observed after flapp mpls interf with 7.2(0)D1(0.422) |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Few VPLS PWs are down
Conditions: Flap MPLS interface used by PWs
Workaround: clear l2vpn service all
Further Problem Description:
|
|
Last Modified: | 22-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.422), 7.2(0)D1(0.484) |
|
Known Fixed Releases: * | 15.5(1)S1.5, 15.5(1)S2.7, 7.0(0)FHS(0.23), 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut98473 | Title: | PortLoopback test fails following EOBC congestion |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: After seeing EOBC congestion, in some rare circumstances it is possible to start seeing false GOLD port loopback failures.
/* example of EOBC congestion */
2015 Apr 13 18:07:43 iad7-ws-dis-r2 %MODULE-4-MOD_WARNING: Module 18 reported warning due to EOBC heartbeat failure in device DEV_EOBC_MAC (device error 0xc0a09145)
/* example of the false errors */
2015 Apr 13 18:07:43 iad7-ws-dis-r2 %MODULE-4-MOD_WARNING: Module 18 reported warning due to EOBC heartbeat failure in device DEV_EOBC_MAC (device error 0xc0a09145)
Conditions: Problem occurs after heavy EOBC congestion and link flapping
Workaround: To recover from the issue you can reload the affected LC
Further Problem Description:
|
|
Last Modified: | 22-AUG-2015 |
|
Known Affected Releases: | 6.1(4) |
|
Known Fixed Releases: * | 7.3(0)PDB(0.37) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut17447 | Title: | SPAN dest port load balancing doesn't work with M2 as span src |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: If SPAN source is on M2 module in the RX direction, then load balancing on SPAN destination port-channel does not work.
Hostname(config-monitor)# sh port-channel traffic interface po X
NOTE: Clear the port-channel member counters to get accurate statistics
ChanId      Port Rx-Ucst Tx-Ucst Rx-Mcst Tx-Mcst Rx-Bcst Tx-Bcst
------ --------- ------- ------- ------- ------- ------- -------
    19   Eth8/18 100.00%  65.15%  40.00% 100.00%    0.0%    0.0%
    19   Eth8/19    0.0%  34.84%  59.99%    0.0%    0.0%    0.0%
Hostname(config-monitor)#
Conditions: SPAN source is on an M2 module and the SPAN direction is RX only. This problem is seen on 6.2 code when ISSU was performed from 6.1 code.
Workaround: This problem is not seen when the N7K was upgraded to 6.2 code traditionally or the N7K is reloaded after ISSU to 6.2.
Further Problem Description:
|
|
Last Modified: | 23-AUG-2015 |
|
Known Affected Releases: | 6.2(8a) |
|
Known Fixed Releases: * | 7.2(1)D1(0.60), 7.2(1)ZD(0.52) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun16981 | Title: | Snmp mibwalk on mplsL3VpnMIB returns resourceUnavail error. |
|
Status: | Other |
|
Severity: | 2 Severe |
Description: | Symptom: mibwalk on mplsL3VpnMIB abruptly stops in the middle and doesn't continue. Seems like memory resource issue?
Conditions: This issue happens when l3vpn is enabled.
Workaround: no workaround
Further Problem Description:
|
|
Last Modified: | 23-AUG-2015 |
|
Known Affected Releases: * | 6.2(10)FM(0.23), 6.2(12), 6.2(14)S10, 7.1(0)D1(0.34) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus58902 | Title: * | It is possible to install a back door on a fully compromised device |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: * | Symptom: If the admin user is able to reach the underlying OS shell, it might be possible to create a fully functional operating system account that could have unlimited access to the underlying operating system.
Conditions: Requires already full administrative access to the device and the existence of a separate bug that would allow the administrator to access the underlying operating system shell
Workaround: None
Further Problem Description: This is a generic attack type, not a vulnerability in the software. The proper way to prevent the attack is to prevent the conditions that allow an attacker to gain access to the device and to the underlying operating system shell.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. Related issues might be addressed via different Cisco bug IDs.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 7.2(0)ZN(0.36) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu10618 | Title: | Traffic loss on some vlans after line card reload |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: after reload there is 100% packet drop on a few vlans
Conditions: LC reload on scaled setup
Workaround: clear l2vpn service all
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.471), 7.2(0)D1(0.475) |
|
Known Fixed Releases: * | 15.5(1)S1.5, 15.5(1)S2.7, 15.5(2.20)T, 15.5(2.21)S0.12, 15.5(2.21)S0.5, 15.5(3)S, 15.5(3)S0a, 15.5(3)SN, 15.6(0.2)S, 7.0(0)FHS(0.23) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCto16599 | Title: | STP:trunk port error disabled, on receiving vtp msg with rspan vlan info |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: While creating a VLAN, the following error message is shown and the interface will be error disabled:
N7K-VTP2(config-if)# 2011 Mar 24 13:54:23 N7K-VTP2 %$ VDC-1 %$ %STP-2-SET_PORT_STATE_FAIL: Port state change req to PIXM failed, status = 0x40e00003 [The BD value is invalid] vdc 1, tree id 0, num ports 1, ports state BLK, opcode MTS_OPC_PIXM_SET_MULT_CBL_VLAN_BM_FOR_MULT_PORTS, msg id (191285), rr_token 0x2EB35
2011 Mar 24 13:54:23 N7K-VTP2 %$ VDC-1 %$ %ETHPORT-2-IF_DOWN_ERROR_DISABLED: Interface Ethernet1/20 is down (Error disabled. Reason:STP set port state failure)
sh int e1/20 br
Conditions: Seen while adding new VLAN
Workaround: None
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 5.2(0.245), 5.2(0.257), 5.2(0.266) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut72659 | Title: | SSH connection failure with 'no matching cipher found ' syslog |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: SSH connections initiated from the device fail with the below syslog:
switch# ssh admin@10.196.98.73 vrf management
no matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr
switch#
Upon a failed SSH connection, a similar syslog is reported at the server also:
switch(config)# e2015 Mar 9 10:03:55 $ VDC-1 %$ %DAEMON-2-SYSTEM_MSG: fatal: no matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr - dcos_sshd[18259]
Conditions: The issue occurs only if the server does not support any CBC ciphers.
Workaround: The workaround is to add the client CBC ciphers in sshd_config/dcos_sshd_config file of the server to re-enable them, so that there will be matching ciphers. Edit the following files in the server from Linux prompt:
/isan/etc/dcos_sshd_config
+ # Secure Ciphers and MACs
+ Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
/isan/etc/sshd_config
+ # Secure Ciphers and MACs
+ Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Further Problem Description: Fix Description
=================
As per openssh6.7 code, FIPS-approved ciphers are the following: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
For the NX-OS SSH client, ctr ciphers were not enabled by default in FIPS mode. Fixed the issue by setting the FIPS mode flag for ctr ciphers.
On Nexus 7000 this problem can also manifest itself in the following way: cannot attach to rise nam from sup
N7K-6# attach rise slot 332
Attaching to RISE 332 ...
Username:root
no matching cipher found: client \
aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server \
aes128-ctr,aes192-ctr,aes256-ctr
N7K-6#
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 6.2(13)FM(0.66), 6.2(13)S12, 7.2(0)D1(0.430), 7.2(0)D1(0.451) |
|
Known Fixed Releases: * | 5.2(8g), 5.2(8g)S9, 6.2(13), 6.2(13)S15, 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)BA(0.25) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu58619 | Title: | IPFIB vrf dependency database doesnt cleanup on VDC reload |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Traffic drops can be seen for multicast and/or unicast flows.
Conditions: In the presence of Vinci configurations, when a VDC is reloaded, we can get into this condition of unicast/multicast routes not getting updated in certain asic instances
Workaround: reloading of the affected LC.
Further Problem Description: n/a
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: * | 7.2(0)D1(1), 7.3(0)D1(0.64) |
|
Known Fixed Releases: | 7.2(1)D1(0.8), 7.2(1)ZD(0.7), 7.3(0)D1(0.64), 7.3(0)D1(0.74) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur12364 | Title: | N5K:ISSU fails 5.1(3)Nx(x)/5.2(1)N1(x) -> 6.0(2)Nx(x)/5.2 -> 7.0(x)N1(1) |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: When performing multi step non disruptive ISSU of a Nexus 55xx to NX-OS 7.0 release a urib hap reset can be seen after the final upgrade. For example, this issue is hit with ISSU upgrade path of 5.1.x->5.2.x->6.x--->7.0(6)N1(1)
Conditions: Issue seen after a multi-step Non disruptive ISSU of a Nexus 55xx to 7.0 release
Workaround: If possible reload the switch prior to final ISSU. This bug is fixed in NX-OS 7.0(7)N1(1)
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 5.1(3)N1(1a), 6.0(2)N2(5), 7.0(3)N1(0.125) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.0(3)I2(0.489), 7.0(3)I2(1), 7.0(3)IMK2(1), 7.0(3)IMK2(1.15), 7.0(6)N1(0.276), 7.0(6)N1(1b), 7.0(7)ZN(0.112), 7.1(0)AV(0.81), 7.1(0)ES(0.18) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun60756 | Title: | multiple iscm cores with nice configs when issu to upg |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: multiple iscm cores with nice configs when issu to upg
Conditions: multiple iscm cores with nice configs when issu to upg
Workaround: multiple iscm cores with nice configs when issu to upg
Further Problem Description: multiple iscm cores with nice configs when issu to upg
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 6.2(8)EC(0.12) |
|
Known Fixed Releases: | 6.2(8), 6.2(8)EC(0.14), 6.2(8)S1 |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCul69817 | Title: | LDP core after netstack process crash in 6.2.1.61.S0 |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: LDP core may occur.
Conditions: May be seen on a Nexus 7000 device after the netstack process gets restarted
Workaround: No workaround.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 6.2(5.61)S0 |
|
Known Fixed Releases: | 6.2(10)E5, 6.2(13.3)S0, 6.2(14)FB(0.65), 6.2(8)E10, 7.0(0)BNZ(0.23), 7.0(0)GI(0.5), 7.1(0)ARP(0.2), 7.1(0)BF(0.21), 7.1(0)D1(0.47), 7.1(0)PDB(0.13) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu86787 | Title: | N7K - SNMP messed up 48 transceiver traps when OIR module |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: cefcFRURemoved notification of transceiver does not have correct information when line card was physically removed.
Conditions: Physically remove the line card, with transceivers present, from the chassis.
Workaround: No workaround.
Further Problem Description: Problem exists only in NX-OS software release 7.2(0)D1(1). Fixes had been integrated into 7.2(1)D1(1) and later releases.
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(1) |
|
Known Fixed Releases: | 7.2(1)D1(0.56), 7.2(1)ZD(0.50) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut77411 | Title: | Assess April 2015 NTPd vulnerabilities for N5k/N6k/N7k |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: This has been opened to document the potential impact on the following products:
Cisco Nexus 5/6k switch family
Cisco Nexus 7k switch family
of the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-1798
CVE-2015-1799
Conditions: Exposure is configuration dependent. The configurations that can expose the vulnerability are:
ntp authenticate
ntp authentication-key 1234 md5 104D000A0618 7
ntp trusted-key 1234
ntp peer 1.2.3.4 key 1
Workaround: Remove the applicable configuration.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 4.3/3.2
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 7.3(0)ZN(0.3), 7.3(0.9) |
|
Known Fixed Releases: * | 5.2(1)N1(8.167), 5.2(1)N1(9), 6.0(2)N2(6.141), 6.0(2)N2(7), 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.0(7)ZN(0.108), 7.1(0)AV(0.74), 7.1(0)ES(0.18) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu12769 | Title: | No l2 flow exported or flow not pushed to lc , on fex l2pc int |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: No l2 flow exported or flow not pushed to lc , on fex l2pc int
Conditions: only when fex connected.
Workaround: Removing and re-adding the NetFlow policy will resolve the issue.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.475), 7.2(0)D1(0.490) |
|
Known Fixed Releases: | 7.2(1)D1(0.48), 7.2(1)ZD(0.42) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur17440 | Title: | snmpwalk on cpmCPUTotalTable(1.3.6.1.4.1.9.9.109.1.1.1) failing |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: On nexus 5500/6000 series switches, snmpwalk on 1.3.6.1.4.1.9.9.109.1.1.1( cpmCPUTotalTable) does not return the expected objects.
Conditions: This is seen with 7.1 train, the issue does not exist with previous trains such as 7.0
Workaround: An snmpget to the object will work, for instance to 1.3.6.1.4.1.9.9.109.1.1.1.1.8.1 for cpmCPUTotal5minRev
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 7.1(0)N1(1), 7.1(1)N1(0.8) |
|
Known Fixed Releases: * | 7.0(0)FHS(0.23), 7.1(0)ES(0.24), 7.1(3)N1(0.613), 7.1(3)N1(1), 7.1(3)ZD(0.10), 7.1(3)ZN(0.19), 7.2(1)N1(0.293), 7.2(1)N1(1), 7.2(1)ZD(0.56), 7.2(1)ZN(0.57) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv64056 | Title: | N7K/N77 - need NX-OS mechanism(s) to upgrade firmware on eUSB flash |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom: Over a period of several months or a year, the eUSB flash goes unresponsive. When the first flash fails, GOLD's CF test reports a failure. At a later point in time, the mounted boot-flash goes to a read-only state, causing configuration copy to fail.
Conditions: This happens after several months of system being in use.
Workaround: 6.2.14 has a plugin. Load the plugin on the active, which will attempt to repair single flash failures on both active and standby. Double flash failures cannot be repaired; a reload of the affected sup is needed for that.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 6.2(13.16), 7.2(1)D1(0.32), 7.3(0)D1(0.53) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv99391 | Title: | Iftmc core seen when modify of PVLAN configs with vpc setup |
|
Status: | Terminated |
|
Severity: | 2 Severe |
Description: | Symptom: Iftmc core seen while add-delete and add of pvlan configs, decode is here:
#0 0x0eaee9a4 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x0eaf3bf4 in *__GI_abort () at abort.c:88
#2 0x0eae5cd8 in *__GI___assert_fail (assertion=0xfe62c64 "0", file=0xfe6ad98 "../platform/dc3/iftmc/common/iftmc_pd_res_mgmt.c", line=1192, function=0xfe6ac74 <__PRETTY_FUNCTION__.270151> "iftmc_pd_res_commit") at assert.c:78
#3 0x0fe2d124 in iftmc_pd_res_commit (p_mdata=, keyid=1, p_vfy_obj=0x4bd637c4, p_elem=0xbfc63908) at ../platform/dc3/iftmc/com
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 7.2(1)D1(0.54) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv75088 | Title: | Phyport vPC with Esxi does not come up thr FEX |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Phyport vPC with Esxi does not come up thr FEX
Conditions: When trying to bring up phyport vPC thr FEX
Workaround: None
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(1) |
|
Known Fixed Releases: * | 7.0(2)FIP(0.55), 7.2(1)D1(0.62), 7.2(1)D1(0.63), 7.2(1)ZD(0.54), 7.2(1)ZD(0.56), 7.3(0)D1(0.81), 7.3(0)ZD(0.95) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut50838 | Title: | M2 VLAN Translation Not Translating Non-Native VLAN BPDUs |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Ingress non-local VLAN BPDUs are dropped as "igr ifc: total pkts dropped due to cbl" and egress BPDUs are not tagged with the translated VLAN, causing both devices to see themselves as spanning-tree root for the translated VLAN.
Conditions: When VLAN translation is configured on N7K-M224XP-23L
Workaround: None
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 6.2(10), 6.2(12), 6.2(8a) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.65), 6.2(14)S3, 7.2(1)D1(0.64), 7.2(1)ZD(0.57) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus57881 | Title: | VPC PO continuously flapping when untagged frame statement exist |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: When a profile containing a "untagged frame VNI" configuration is mapped to a vPC port channel the port channel will be unstable and continuously flap.
Conditions: The issue will be seen with link level protocols like LACP etc. Due to the 'untagged VNI frame' configuration applied to the port, the following behavior is seen: the LACP untagged packet coming in hits the port profile and gets the VNI encapsulation. Then the VSI if index is determined when the packet reaches the SUP. The packet is then forwarded to the client (LACP in this case) with the physical if index value replaced by the VSI ifindex. The client expects the packet to contain the physical if index and not the VSI if index; this causes the port lookup to fail and the packet gets dropped at the client.
Workaround: NONE
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.386) |
|
Known Fixed Releases: * | 7.2(1)D1(0.65), 7.2(1)ZD(0.57) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuo76571 | Title: | Nexus 7000: QSFP-40G-SR-BD V01 Generates TX-LOS after Multiple Reloads |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom: Optical link does not come up after line card reload or switch reload
Conditions:
- QSFP-40G-SR-BD V01 (serial number up to and including AVM1813xxxx)
- Multiple line card or chassis reloads
Workaround: Three workarounds are available on this platform:
- Reseat QSFP
- Reload module
- Reload switch
Further Problem Description: This is an intermittent issue with a very low failure rate; the field failure rate is less than 0.01%.
Issue is not seen in QSFP-40G-SR-BD V02.
Related bug for Nexus 3100: CSCuq05010
|
|
Last Modified: | 29-AUG-2015 |
|
Known Affected Releases: | 6.2(6), 6.2(8) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv77575 | Title: | ingress svi configured with ITD would show route 0.0.0.0 not reachable |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom: Hi Team,
When ingress vlan 100 is configured, it logs a message for 0.0.0.0 not reachable, but the functionality seems to be working fine.
switch(config-itd)# sh ver internal build-identifier
Kickstart image file: bootflash:///n7000-s2-kickstart.7.2.1.D1.0.46.gbin.S0 : S 0
System image file: bootflash:///n7000-s2-dk9.7.2.1.D1.0.46.gbin.S0 : S0
switch(config-itd)#
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 7.2(1)D1(0.46) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuw02224 | Title: | PVLAN missing programming for host-association on vpc port |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom: PVLAN missing programming for host-association on vpc port
Conditions: PVLAN missing programming for host-association on vpc port
Workaround: PVLAN missing programming for host-association on vpc port
Further Problem Description: PVLAN missing programming for host-association on vpc port
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 7.2(1)D1(0.60) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut84904 | Title: | Process "mtm" Cores on F3 Cards Shortly After Boot |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Repeated "mtm" cores on an F3 linecard
Conditions: The issue is not specific to any line card type. The issue happens in a vpc complex, when one peer has a version >= 6.2.10 and the other peer has a version < 6.2.10. If port-security with aging time is configured on a vpc leg, then the issue could be seen. The issue is also seen if port-security with aging time is configured on an orphan port.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 6.2(10), 6.2(10)S1 |
|
Known Fixed Releases: * | 6.2(14)S2, 7.2(1)D1(0.66), 7.2(1)ZD(0.58) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu82356 | Title: | Evaluation of n7k-infra for OpenSSL June 2015 |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: This product includes a version of OpenSSL that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792
This bug has been opened to address the potential impact on this product.
Conditions: NXOS uses OpenSSL 0.9.8 release and is vulnerable.
Workaround: Nexus 7000 (N7K): The LDAP feature uses OpenSSL. To disable the LDAP SSL Authentication feature, LDAP can be disabled or used without SSL Authentication.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.8/6.4
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
Please check IMPACT_ASSESSMENT attachment for more details.
|
|
Last Modified: | 01-AUG-2015 |
|
Known Affected Releases: | 7.3(0)ZD(0.9) |
|
Known Fixed Releases: * | 6.2(13.6)S0, 7.2(1)D1(0.17), 7.2(1)D1(0.22), 7.2(1)D1(0.23), 7.2(1)D1(0.37), 7.2(1)N1(0.248), 7.2(1)N1(0.255), 7.2(1)N1(0.271), 7.2(1)N1(1), 7.2(1)ZD(0.13) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut47663 | Title: | SSTE: OSPF Adj are struct in TWO-WAY state after ospf process restart |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: OSPF Adj are stuck in TWO-WAY state
Conditions: restart ospf 100, if there is no BDR.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 01-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.444) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)D1(0.468), 7.2(0)D1(1), 7.2(0)N1(1), 7.2(0)PDB(0.401), 7.2(0)VZD(0.26) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus55589 | Title: | NX-OS IS-IS Net Command |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
n7k-3a-wnlb-dcore-3a# conf t
Enter configuration commands, one per line. End with CNTL/Z.
n7k-3a-wnlb-dcore-3a(config)# router isis core
n7k-3a-wnlb-dcore-3a(config-router)# net 47.0124.0010.6301.0a00.0508.1103.2230.4100
^
% Invalid command at '^' marker.
n7k-3a-wnlb-dcore-3a(config-router)#
Conditions: always present
Workaround: adding 00 - but this is not accepted as it changes the area ID
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(8a) |
|
Known Fixed Releases: * | 6.2(12)E4, 6.2(13.3)S0, 6.2(14)FB(0.76), 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.440), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus54220 | Title: | Service not responding when attaching ACLs to many SVIs at the same time |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: This was found when verifying CSCur31394. Service not responding followed by router crash occurs when applying ACLs to many SVIs at the same time. (1000 SVIs and 140 port-channels) Details are shown in the attached log.
Conditions: This happened when ACL is applied to large number of SVIs.
Workaround: Apply ACL config in smaller chunks, for example:
interface vlan 1-100
ip access-list X
Further Problem Description: Is it a duplicate of CSCur31394? Probably not. It might be moved to Aclmgr to either reduce the number or increase their memlimit. It's not the same problem as CSCur31394, other than memory exhaustion, and it occurs at a totally different point in the code.
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S102, 6.2(12)FT(0.26), 6.2(12)S21, 6.2(12)S25, 6.2(12)S31 |
|
Known Fixed Releases: * | 6.2(12)E2, 6.2(13.3)S0, 6.2(14)FB(0.3), 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.0(3)I1(1.213), 7.0(3)I1(2), 7.0(3)ISH1(2), 7.0(3)ISH1(2.13), 7.0(3)IX1(1.93) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus42713 | Title: | 2014 and 2015 OpenSSL Vulnerabilities |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Cisco NX-OS (covering Nexus 5K, N6K and N7K and Cisco MDS) includes a version of OpenSSL that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
This bug has been opened to address the potential impact on this product.
Conditions: This device has a vulnerable version of OpenSSL; this bug is being used to update the OpenSSL package used on the product.
The product doesn't support DTLS, so it is not affected by either CVE-2014-3571 or CVE-2015-0206.
The LDAP SSL authentication feature may be configured to use OpenSSL. This feature is disabled by default. Hence, this vulnerability only exists if the LDAP SSL Authentication feature is enabled.
Workaround: 1. Nexus 5000 (N5K): The following features can use SSL and would need to be disabled.
a) Avoid any "fabric database" configuration with keyword "enable-ssl".
For example: fabric database type network server protocol ldap ip 172.29.21.2 enable-ssl
b) Make sure the 'secure LDAP' option is unchecked when defining POAP template on DCNM.
c) Do not use Cisco's One Platform Kit (OnePK) with the transport type tls ..." open.
d) Remove the VM Tracker Configuration.
2. Nexus 7000 (N7K): The LDAP feature uses OpenSSL. To disable the LDAP SSL Authentication feature, LDAP can be disabled or used without SSL Authentication.
More Info: PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 4.3/3.6
http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 5.2(8f), 6.2(10), 6.2(11), 6.2(7), 6.2(8)S3, 6.2(8a), 7.2(0)VX(0.9), 7.2(0.1)PR(0.1), 7.3(0.9), 9.9(0)XS(0.1) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.52), 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.504) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus09312 | Title: | PVLAN:VPC PO member (M1 LC) flaps. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Port-channels which have 1) PVLAN trunk secondary config and 2) LACP or other control protocols running could flap continuously, due to BPDUs not flowing. They don't flow because the native vlan is in CBL disabled state, instead of being in CBL Blocking state.
Conditions: The issue is specific to the M1 module, since the programming model is different on F2/F3 LCs. There is no issue on F2 and F3 modules.
Even if the customer uses an M1 module, there is NO issue if the customer is allowing the native VLAN on the VPC Leg.
Below are the 3 conditions that need to be satisfied to hit this bug:
1) PVLAN port mode should be TRUNK Secondary
2) Native VLAN is NOT allowed on VPC Leg
3) LC Module should be M1 module
Workaround: The workaround is for the customer to configure the native vlan in the allowed list for the port.
For a private-vlan port, the command to add trunk allowed vlan 1 would be: switchport private-vlan trunk allowed vlan 1
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S102, 6.2(12)FT(0.7) |
|
Known Fixed Releases: * | 7.1(0)AV(0.74), 7.2(0)CF(0.11), 7.2(0)D1(0.459), 7.2(0)D1(1), 7.2(0)PDB(0.382) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq46564 | Title: | SSTE:LDP core observed after process restart LDP with 7.1(0)D1(0.232) |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: LDP crashes due to heartbeat failure following a proc restart of LDP.
Conditions: Happens when user does a proc restart of LDP.
Workaround: No workaround.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 7.1(0)D1(0.232) |
|
Known Fixed Releases: * | 6.2(10)E5, 6.2(13.3)S0, 6.2(14)FB(0.65), 6.2(8)E10, 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.1(0)OTT(0.45), 7.2(0)CF(0.11) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur28450 | Title: | [6210-S100] Rollback to a checkpoint fails verification at FEX SAT PO |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Rollback fails the verification phase, saying "flowcontrol send on" is present in the running-config on the port-channel.
switch# rollback running-config checkpoint checkpoint_name
Verification patch contains the following commands:
---------------------------------------------------
!!
interface port-channel###
no flowcontrol send on
exit
Conditions: When trying to rollback to a checkpoint where a current HifPC (a port-channel with FEX host interfaces as its members) becomes a simple port-channel (no FEX host interfaces as its members), rollback will fail the verification phase.
Workaround: Rollback running checkpoint checkpoint_name best-effort, so that it won't do verification and won't revert back to the original running config. Then do "no flowcontrol send on" on the affected interfaces.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S100 |
|
Known Fixed Releases: * | 7.1(0)AV(0.74), 7.2(0)CF(0.11), 7.2(0)D1(0.439), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)PDB(0.360), 7.2(0)VOF(0.2), 7.2(0)VZD(0.6) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq96822 | Title: | After ISSU 6.1.4 to 6.2.8 crash due to heartbeat failure on scale |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | This is a scale config on an interface
Symptom: When 4k vlans are assigned to an interface, the heartbeat fails as it is looping and it will crash due to timeout
Conditions: Same as above
Workaround: Assign about 1000 vlans at a time
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S77 |
|
Known Fixed Releases: * | 6.2(10.21)S0, 6.2(12), 6.2(12)FT(0.8), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.422), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)PDB(0.359), 7.2(0)RTG(0.70) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus62432 | Title: | RP not treating itself as rp for remote source traffic. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: If the RP is rebooted, it's discarding PIM register messages from itself and the other PE:
2015 Jan 20 14:13:30.092655 pim: [8115] (default-base) Received Register from 10.1.1.18 for (10.1.1.18/32, 239.255.254.0/32)
2015 Jan 20 14:13:30.092702 pim: [8115] (default-base) We are not RP for group 239.255.254.0, message discarded
Conditions: RP router reboot AND Customer has an interface configured with a primary AND secondary IP address, and the secondary address is used as the address called in the "ip pim rp-address" command.
There is a bug in the code that if the secondary address is configured AFTER the rp info is created by PIM, PIM does not identify itself as the RP.
It is possible during bootup that before IP component had a chance to configure the secondary address, PIM process reads the static RP configuration and then it receives the secondary address addition message and hence the bug.
Workaround: 1. Restart pim on the RP router
2. Remove and reconfigure "ip pim rp-address <>" in global configuration on the RP.
3. Configure the primary address to be the RP instead of the secondary address of the interface.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(9)S0 |
|
Known Fixed Releases: * | 6.0(2)A6(0.44), 6.0(2)A6(1), 6.0(2)U6(0.44), 6.0(2)U6(1), 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.7) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup19405 | Title: | targeted ldp session fails when frr is in use |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Targeted ldp session is up when the primary tunnel is up, but goes down when frr goes active.
Conditions: "In the scenarios where the MPLS core interface is a SVI or a sub-interface, packets coming in with two or more NULL labels and bound to the Supervisor card will be dropped"
Workaround: None
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 7.1(0)D1(0.151), 7.2(0)D1(0.456) |
|
Known Fixed Releases: * | 7.1(0)AV(0.81), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.475), 7.2(0)D1(0.507), 7.2(0)D1(0.510), 7.2(0)ZD(0.186), 7.2(0)ZD(0.190), 7.2(1)D1(0.20), 7.2(1)PIB(0.14) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtg74537 | Title: | N7K - STP forwarding Port count mismatch |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Vlan interface will not go to UP/UP state when ports in vlan are stp forwarding.
Conditions: This may occur if a new vlan is created and the vlan (not SVI) is shut/no shut.
Workaround: Upgrade to a fixed release. Reload will clear the issue.
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 4.2(6), 5.1(0.206) |
|
Known Fixed Releases: | 4.2(6)S10, 4.2(6)S23, 4.2(6.40)S0, 4.2(7.15)S0, 5.0(3)S24 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus51150 | Title: | Some created MSDP SA cache data are not updated immediately |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: When new multicast traffic comes into the N7K side (MSDP RP), newly created S,G entries should be transmitted to the MSDP peer immediately; however, some SA cache entries are not transmitted to the peer device. The remaining entries are updated at the next MSDP update period (a maximum of 60 seconds later).
Conditions: Running as MSDP RP, with many S,G entries created at once within a very short period of time.
Workaround: none
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.1(2) |
|
Known Fixed Releases: * | 6.0(2)A6(0.43), 6.0(2)A6(1), 6.0(2)U6(0.43), 6.0(2)U6(1), 6.1(2)I3(3.74), 6.1(2)I3(4), 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.0(0)KM(0.119), 7.0(0)KMS(0.11) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur33396 | Title: | OTV cannot match extended vlan range |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: OTV extended vlan range cannot go above 3967 in NX-OS 6.2 releases even when the reserved vlan range is re-allocated from 3968-4095
Conditions: NX-OS 6.2 release software running on Nexus 7000.
Workaround: Potentially vlan translation on Layer2 link can be used as a workaround but it may or may not work depending on RSTP or MST.
Further Problem Description: OTV works fine with the extended vlan range in NX-OS releases 6.0 and 6.1.
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(2) |
|
Known Fixed Releases: * | 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.422), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)N1(1), 7.2(0)PDB(0.359), 7.2(0)RTG(0.65), 7.2(0)VZD(0.6) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus74176 | Title: | boot loop w/ 'no logging logfile' in config w/ power outage/reload VDC3 |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: A core dump is generated in a boot loop after a sudden power outage, such as unplugging the power cord. Soft reload worked fine. The issue can be recreated with reload VDC 3.
Conditions: Sudden loss of power when the command 'no logging logfile' is in the configuration
Workaround: Remove 'no logging logfile' from the configuration
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10), 7.2(0)D1(0.430) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.40), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.443), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)PDB(0.379), 7.2(0)VOF(0.2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur26436 | Title: | Nexus 7000 & MDS 9000 evaluation of SSLv3 vulnerability (POODLE) |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Nexus 7000 and MDS 9000 switches include a version of SSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-3566
Conditions: A POODLE exploit requires a man in the middle attack between the switch (the LDAP client utilising the SSL client) and the LDAP server. Nexus 7000 and MDS 9000 both contain an SSL client with SSLv3 support. The client supports fallback to SSLv3 if negotiation with TLS 1.0 fails.
The LDAP SSL feature may be configured to utilise this client. This feature is disabled by default. Hence, this vulnerability only exists if the LDAP feature is enabled.
Workaround: Disable the LDAP SSL feature with the ldap-server host ip_address enable-ssl command.
Further Problem Description: All previously released versions of SAN-OS and NX-OS software are affected. The fix will be delivered for currently supported releases as follows:
MDS:
NX-OS 5.2 release - first fixed release is 5.2(8f), released on 18 Feb 2015
NX-OS 6.2 releases:
- 6.2(9b), released on 01 Apr 2015
- 6.2(11b), released on 02 Mar 2015
- 6.2(13), projected to be available in Q3 2015
There are no fixed MDS NX-OS releases that are FICON certified yet.
Nexus 7000: NX-OS 6.2 release - first fixed release is 6.2(12), released on 03 Feb 2015
There will not be any fixed releases for software trains that are past the end of software maintenance support.
The current fix is for the NX-OS SSL client to refuse to fall back to SSLv3. If the server tries to negotiate to SSLv3, the client will now terminate the SSL session. SSLv3 support will be completely removed in future releases.
A Cisco Security Advisory has been published to document this vulnerability at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(7), 6.2(8) |
|
Known Fixed Releases: * | 5.2(8f), 5.2(8f)S3, 6.2(11b), 6.2(11b)S1, 6.2(11c), 6.2(11c)S2, 6.2(12), 6.2(12)S24, 6.2(12.4)S0, 6.2(13)FM(0.65) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus78697 | Title: | N7K wrong source-interface selected for IPv6 logging after device reload |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: logging source-interface seems to be non-working with a v6 syslog server on N7K after device reload, even with the logging source-interface pointing to the loopback0 interface
Conditions: After device reload
Workaround: reapply logging source-interface loopback0
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.1(5), 6.2(10) |
|
Known Fixed Releases: * | 6.2(13.4)S0, 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.443), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)N1(1), 7.2(0)PDB(0.379), 7.2(0)VOF(0.2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus26870 | Title: | December 2014 ntpd CVEs for Nexus 5k/6k/7k/MDS |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The following Cisco products:
NEXUS 7000, NEXUS 6000, NEXUS 5000, MDS
include a version of NTPd that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
This bug has been opened to address the potential impact on this product.
Conditions: This issue is configuration dependent and applies only when the following command is configured:
feature ntp
All prior versions of NX-OS are affected.
Workaround: 1. If the upstream mgmt0 device supports uRPF then ensure it is configured.
2a. Filter incoming NTP queries and restrict them to trusted NTP server addresses only by using the ntp access-group configuration command.
2b. For affected platforms that do not support the ntp access-group command, configure an inbound ACL for trusted NTP server addresses to the NTP port (UDP port 123) on mgmt0.
Further Problem Description: All previously released versions of SAN-OS and NX-OS software are affected. The fix will be delivered for currently supported releases as follows:
Nexus 50xx:
NX-OS 5.2 release - a to be determined release
Nexus 55xx, 56xx:
NX-OS 7.0 release - first fixed release is 7.0(6)N1(1), available in Apr 2015
Nexus 60xx:
NX-OS 7.0 release - first fixed release is 7.0(6)N1(1), available in Apr 2015
Nexus 7xxx:
NX-OS 6.2 release - first fixed release is 6.2(12), released on 03 Feb 2015
MDS:
NX-OS 5.2 release - first fixed release is 5.2(8f), released on 20 Feb 2015
NX-OS 6.2 releases:
- 6.2(9b), released on 01 Apr 2015
- 6.2(11b), released on 02 Mar 2015
- 6.2(13), to be released in June 2015
There are no fixed MDS NX-OS releases that are FICON certified yet. There will not be any fixed releases for software trains that are past the end of software maintenance support.
A Cisco Security Advisory has been published to document this vulnerability at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/7.5: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.0(3), 6.2(13)FM(0.8), 6.2(9)S32, 6.2(9a)S5, 7.2(0)ZD(0.1), 7.2(0)ZN(0.4), 7.9(0)ZD(0.4), 8.0(0.1), 9.9(9) |
|
Known Fixed Releases: * | 5.2(1)N1(8.155), 5.2(1)N1(8.158), 5.2(1)N1(9), 5.2(8f), 5.2(8f)S9, 6.0(2)N2(6.132), 6.0(2)N2(6.133), 6.0(2)N2(7), 6.2(11b), 6.2(11b)S4 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus42725 | Title: | Breakout ports have 40G latency buffer carving values instead of 10G val |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Nexus 7Ks running vPCs and utilizing breakout cables on the N7K-F312FQ-25 modules will hit this failure condition after some time (a relatively short period of time). The result is that all vPCs will show a downed state because the vPC peer link is down.
This issue is caused by misconfiguration of the latency buffers: the breakout ports have 40G latency buffer carving values instead of the 10G breakout latency values. This results in corrupted packets and sometimes packet truncation.
Conditions: Nexus 7ks running vPCs and utilizing breakout cables on the N7K-F312FQ-25 modules.
Workaround: No current work-around.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 6.2(12), 6.2(12)S25, 6.2(12.4)S0, 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.422), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus77610 | Title: | N7710G: ports down due to UDLD empty echo after neighbor LC reloaded |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Link may, very rarely, go to errdisable state with "UDLD empty echo" when a line card reloads
Conditions: On a 10G board, configure:
1. UDLD protocol enabled
2. Option "system default link-fail laser-on" enabled
3. Interface debounce time set to 0
then reload the line card.
Workaround:
1. shut/no shut the port that is in "errdisable" state, or
2. configure the link debounce time to 10ms or larger, or
3. disable the UDLD protocol, or
4. configure the "no system default link-down laser-on" option
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(12)S33 |
|
Known Fixed Releases: * | 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)CF(0.11), 7.2(0)D1(0.453), 7.2(0)D1(1), 7.2(0)PDB(0.373), 7.2(0)VOF(0.2), 7.2(0)VZD(0.26) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq93334 | Title: | [Performance impact] M2 reload stuck in power cycle for 17-18 minutes |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Module power cycle takes 17-18 mins to complete.
Conditions: We observed this issue in the reload module scenario with more than about 100 BFD sessions in the system. As the module goes off, the PPF session can't reach the destination, which causes the PPF server to retry internally, and it takes approximately 10 sec for each session. We got over 100 sessions (1000 sec =16 mins); that's the reason why the power cycle took 17~18 mins.
Workaround: Before reloading the module, I recommend doing a no feature bfd, then doing a module reload, and finally adding the bfd feature back to the system.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10)E1, 7.2(0)ZD(0.106) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.476), 7.2(0)D1(1), 7.2(0)PDB(0.408), 7.2(0)VZD(0.26), 7.2(0)ZD(0.156) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCug39011 | Title: | N7K: F2 may reset in case of receiving excessive error frames |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: A faulty F2 module may cause multiple other F2 modules within the chassis to reset.
Conditions: Very rare condition. The faulty F2 module may send out excessive error frames to other F2 modules.
Workaround: Module reload to recover. Isolate the faulty module and remove it from the chassis.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.1(3) |
|
Known Fixed Releases: * | 6.2(10)E7, 6.2(10)E8, 6.2(13.3)S0, 6.2(14)FB(0.34), 7.0(0)HSK(0.433), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.482) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur32209 | Title: | LDP should not remove/free entries while walking the xos radix tree |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: LDP can encounter memory corruption or process crash.
Conditions: Because of the nature of the bug, the problem can happen at any point, unexpectedly.
Workaround: No workarounds.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 7.1(0)ZD(0.341) |
|
Known Fixed Releases: * | 6.2(10)E5, 6.2(13.3)S0, 6.2(14)FB(0.65), 6.2(8)E10, 7.0(0)BZ(0.46), 7.0(0)HSK(0.357), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.38), 7.1(0)ES(0.7) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut14381 | Title: | Inproper 16 way ECMP hasing with IPv6 traffic |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Traffic for the destination which is reachable via IPv6 ECMP with unresolved paths will experience traffic loss.
Conditions: IPv6 adjacency for some of the ECMP next hop is in unresolved state
Workaround: Execute the command "ping6" for each of the affected IPv6 ECMP next hop to get the ECMP next hop in resolved state.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S102, 7.2(0)D1(0.493) |
|
Known Fixed Releases: * | 6.2(10)E7, 6.2(12)E1, 6.2(12)E2, 6.2(13.3)S0, 6.2(14)FB(0.8), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.439), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut23557 | Title: | N7K platform: netstack crash while saving tech-support in bootflash |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: The netstack process on a Nexus 7000 switch running 6.2(8a) may unexpectedly crash while collecting a 'show tech' and redirecting it to bootflash
Conditions: saving tech-support in bootflash
Workaround: Do not save "show tech" output to bootflash.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.2(10), 6.2(8a)S2 |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.28), 7.0(0)HSK(0.433), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.479), 7.2(0)D1(1), 7.2(0)ZD(0.159), 7.3(0)RTG(0.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut68515 | Title: | SSTE: multiple port-profile cores with 7.2(0)D1(0.456) on autoconfig |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: port-profile crash & switch hap reset.
Conditions: auto config
Workaround: NA
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.456), 7.2(0)D1(0.490) |
|
Known Fixed Releases: * | 7.0(0)FFW(0.7), 7.0(0)HSK(0.474), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)CF(0.11), 7.2(0)D1(0.499), 7.2(0)D1(0.506), 7.2(0)D1(0.509), 7.2(0)D1(1), 7.2(0)ZD(0.188) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu29945 | Title: | SSTE: m2rib core on POAP + autoconfig |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: m2rib core
Conditions: POAP + autoconfig
Workaround: NA
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.499) |
|
Known Fixed Releases: * | 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)CF(0.11), 7.2(0)D1(0.506), 7.2(0)D1(0.510), 7.2(0)D1(1), 7.2(0)ZD(0.190), 7.2(1)PIB(0.14), 7.3(0)SL(0.73) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut78387 | Title: | l2fm crash @l2fm_rvtep_free_entry after shut/no shut nve interface. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: l2fm crash
Conditions: shut/no shut nve interface
Workaround: none
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.471) |
|
Known Fixed Releases: * | 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.482), 7.2(0)D1(1), 7.2(0)ZD(0.162), 7.3(0)RTG(0.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut13324 | Title: | pvlan scale configs results in %PIXM-3-PIXM_SYSLOG_MESSAGE_TYPE_ERR: |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: pvlan scale configs results in %PIXM-3-PIXM_SYSLOG_MESSAGE_TYPE_ERR:
Conditions: pvlan scale configs results in %PIXM-3-PIXM_SYSLOG_MESSAGE_TYPE_ERR:
Workaround: pvlan scale configs results in %PIXM-3-PIXM_SYSLOG_MESSAGE_TYPE_ERR:
Further Problem Description: pvlan scale configs results in %PIXM-3-PIXM_SYSLOG_MESSAGE_TYPE_ERR:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0.8) |
|
Known Fixed Releases: * | 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.442), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)PDB(0.368), 7.2(0)VOF(0.2), 7.2(0)VZD(0.6) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut37620 | Title: | VXLAN VPC pair reboot con if peer cnt slightly more thank 1k |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: NVE crash
Conditions: NVE peer count slightly more than 1k.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)ZN(99.131) |
|
Known Fixed Releases: * | 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.1(0)IB(122), 7.1(0)SIB(99.109), 7.2(0)AB(9), 7.2(0)BA(0.12), 7.2(0)CF(0.11), 7.2(0)D1(0.446) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu13344 | Title: | Rackspace - pixmc crash and M2 LC - communication failure |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: During the HA switch over of the supervisors, the neighbor switch crashed with pixmc core.
Conditions: have a M2 LC and more than 128 interfaces within a BD LTL.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 6.2(12)E5, 6.2(13.3)S0, 6.2(14)FB(0.46), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.496), 7.2(0)D1(1), 7.2(0)ZD(0.178) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut83358 | Title: | nve memory leak@ libnve_pd in n7k-platform |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: nve memory leak
Conditions: nve peer down and up
Workaround: none
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.471) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.475), 7.2(0)D1(0.476), 7.2(0)D1(1), 7.2(0)N1(0.168), 7.2(0)N1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu05012 | Title: | Post ISSU : EXP based classification is not working |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Before the fix, QoS did not work properly after an ISSU from 6.2.x to 7.2.
Conditions: The hardware initialization was modified in 7.2. After an ISSU from 6.2.x to 7.2 with a flanker card, the hardware still carries the old 6.2.x programming, because ISSU does not touch the hardware, and QoS may not work properly in some cases in 7.2.
To fix this, the QoS tables are reprogrammed at the time of ISSU when moving to 7.2.
Workaround: Reload LC.
Further Problem Description: There may be some packet drops while doing ISSU from 6.2.x to 7.2 till qos tables get reprogrammed in the hardware.
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.475) |
|
Known Fixed Releases: * | 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.496), 7.2(0)D1(1), 7.2(0)ZD(0.178), 7.3(0)IB(0.19), 7.3(0)RTG(0.17), 7.3(0)SL(0.73) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu38580 | Title: | 7.2.0.506.S2 UI - congestion on F2 LC after vdc reload |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Applicable to all F2 (Clipper/Clipper CR) based cards. Congestion is seen on ingress traffic on some or all of the ports. This is because frames are stuck in the IB due to a bad acos to ccos table.
To confirm whether the issue is due to a bad table, compare the acos to ccos mapping in the output of
show hardware internal qengine inst x vq acos_ccos_4cl/acos_ccos_8cl
with the ccos mapping in
show hardware internal qengine inst x table fr_dcx4q_oq_ccos/fr_dcx8q_oq_ccos
If the acos to ccos mappings are different, the Credit Loop logic will be affected and frames will be stuck in the IB, resulting in congestion on the ingress ports.
Conditions: Do ISSU and then VDC reload (VDC containing ports from F2 LC).
This is because the shadow memory in our Qengine driver was corrupted during ISSU, and the VDC reload causes a shadow refresh to the HW.
Workaround: Workaround 1 (preferred, as it interrupts traffic less): Copy the applied network QoS template:
1) Find the applied template:
show policy-map system
Type network-qos policy-maps
============================
policy-map type network-qos default-nq-8e-policy template 8e
class type network-qos c-nq-8e
match cos 0-7
congestion-control tail-drop threshold burst-optimized
mtu 1500
2) Copy:
qos copy policy-map type network-qos default-nq-8e-policy prefix Copy_
3) Apply the copy to trigger reprogramming:
switch(config)# system qos
switch(config-sys-qos)# service-policy type network-qos Copy_nq-8e
4) Optional: Reapply the previous template:
switch(config)# system qos
switch(config-sys-qos)# service-policy type network-qos default-nq-8e-policy
Note: Applicable to any network-qos template. During the template change, traffic on all VDCs that contain F cards will be disrupted for less than a second.
Workaround 2: Reload the LC after ISSU, or
Workaround 3: Reload the LC after VDC reload.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.506) |
|
Known Fixed Releases: * | 6.2(13.4)S0, 7.0(0)FFW(0.7), 7.0(0)HSK(0.474), 7.2(0)CF(0.11), 7.2(0)D1(1), 7.2(0)D1(1.1), 7.2(0)ZD(0.202), 7.2(1)PIB(0.14), 7.3(0)SL(0.73) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut87473 | Title: | bfd crash @bfd_sys_get_remote_ip_info on BDI/peer link i/f shut/unshut |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: bfd crash
Conditions: On BDI/VPC peer link interface shut/no shut few times with scaled configuration
Workaround: none
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.471), 7.2(0)D1(0.490) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.504), 7.2(0)D1(1), 7.2(0)VZD(0.26), 7.2(0)ZD(0.184), 7.2(1)PIB(0.14) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut49944 | Title: | sw reload would put range of private-vlan are STP blocked state |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: After a switch reload, a range of private VLANs is observed in STP blocked state.
Conditions: After a switch reload, a range of private VLANs is observed in STP blocked state.
Workaround: Reload the LC.
Further Problem Description: After a switch reload, a range of private VLANs is observed in STP blocked state.
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.2(14)FB(0.72), 7.2(0)D1(0.444) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(13.4)S0, 6.2(14)FB(0.65), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.504), 7.2(0)D1(1), 7.2(0)VZD(0.26) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu68566 | Title: | NVT-DC1:IGMP snooping for VLANs disabled in hardware |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: IGMP Snooping remains disabled in hardware. In some VPC setup, there could be duplicate traffic also.
Conditions: There are some IGMP snooping related commands for a vlan but the vlan itself is not present in the running config. ie the vlan is not created either through CLI or VTP. When such configs are present, it is possible that IGMP may pack updates for such vlans along with explicitly created vlans to m2rib module for hardware programming. But that message might be rejected by m2rib due to some vlans not explicitly created. If the update contained snooping status info, then, we will end up with snooping status unchanged in the hardware.
Workaround: Deleting all unnecessary configs and restarting igmp will fix the problem.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(1) |
|
Known Fixed Releases: * | 7.2(0)CF(0.11), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu29773 | Title: | Crash in the pim process after exceeding 32K multicast routes |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Multiple pim process crashes seen resulting in a hap-reset that restarts the system
Conditions: This issue occurs after the limit of 32K multicast routes is exceeded and a PIM assert message for a new S,G arrives.
show ip mroute detail vrf all
IP Multicast Routing Table for VRF "default"
Total number of routes: 44037
Total number of (*,G) routes: 141
Total number of (S,G) routes: 43895
Total number of (*,G-prefix) routes: 1
Also saw many SLAB memory errors which could potentially be the result of a memory leak:
2015 May 6 18:11:09 CVC-1-1761C-BR-0-2 %PIM-3-SLAB_ALLOC: pim [15748] Slab alloc of type pim_routetype failed in pim_build_pim_route()
2015 May 6 18:11:09 CVC-1-1761C-BR-0-2 %PIM-3-CREATE_ROUTE: pim [15748] Couldn't create PIM route for (141.214.83.211/32, 239.255.255.253/32) in join notification
2015 May 6 18:11:19 CVC-1-1761C-BR-0-2 %PIM-4-SYSLOG_SL_MSG_WARNING: PIM-3-SLAB_ALLOC: message repeated 1349 times in last 7710408 sec
2015 May 6 18:11:19 CVC-1-1761C-BR-0-2 %PIM-3-SLAB_ALLOC: pim [15748] Slab alloc of type pim_routetype failed in pim_build_pim_route()
2015 May 6 18:11:29 CVC-1-1761C-BR-0-2 %PIM-4-SYSLOG_SL_MSG_WARNING: SYSLOG-4-SL_MSG_WARNING: message repeated 1 times in last 7710418 sec
2015 May 6 18:11:30 CVC-1-1761C-BR-0-2 %PIM-3-SLAB_ALLOC: pim [15748] Slab alloc of type pim_routetype failed in pim_build_pim_ro
Workaround: Reduce the total multicast routes to less than 32K
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.58), 7.0(0)FFW(0.7), 7.0(0)HSK(0.474), 7.0(0)KM(0.138), 7.0(0)KMS(0.11), 7.0(3)I2(0.519), 7.0(3)I2(1), 7.1(2)N1(0.574), 7.1(2)N1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv26132 | Title: | Evaluation of n7k-infra for OpenSSL July 2015 vulnerability |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Cisco Nexus 6000 Series Switches and Cisco Nexus 7000 Series Switches include a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) ID:
CVE-2015-1793
This bug has been opened to address the potential impact on this product.
Conditions: Exposure is not configuration dependent.
Workaround: Not available.
Further Problem Description: Cisco NXOS 7.2(1) MR and 7.3 release are VULNERABLE. Cisco NXOS 7.1(x), 7.0(x), 6.x and 5.x releases are NOT VULNERABLE.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 4.3/3.4
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(1)S8 |
|
Known Fixed Releases: * | 7.2(1)D1(0.40), 7.2(1)D1(0.41), 7.2(1)N1(0.274), 7.2(1)N1(1), 7.2(1)ZD(0.35), 7.2(1)ZN(0.38) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtf08873 | Title: | CDP with long hostname crashes the CDP process on N7k |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: A port is connected to other switch with CDP enabled. Once CDP is exchanged, the CDP process crashes.
Conditions: It happens when a remote switch or router with CDP enabled has an extraordinarily long hostname (> 255B).
Workaround: Disable CDP under the interface of the remote device where the N7k port is connected.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/2.7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0 CVE ID CVE-2011-0361 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.2(3) |
|
Known Fixed Releases: | 4.2(5), 5.0(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtf40008 | Title: | LESS allows bash access |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Cisco Nexus OS contains a vulnerability that could allow an authenticated, local attacker to execute arbitrary commands on a targeted device. The vulnerability is due to improper sanitization of user-supplied values to command line interface commands.
An authenticated, local attacker could exploit the vulnerability by issuing commands that contain malicious options on the device command line interface. If successful, the attacker could gain elevated privileges on the targeted device.
Conditions:
Injection can be done via either the less or the section sub command. Full details below:
----------------------------------------------------------------------
NX-OS - "less" sub-command - Command injection / sanitization issues.
----------------------------------------------------------------------
Affected Products:
==================
The following products are affected by this vulnerability:
+-----------------------------------------------------------------+
| Affected Product                  | Cisco Bug  | First Fixed    |
|                                   | ID         | Release        |
|-----------------------------------+------------+----------------|
| Cisco Nexus 7000 Series Switches  | CSCtf40008 | 4.2(6)         |
|                                   |            | 5.1(1)         |
|-----------------------------------+------------+----------------|
| Cisco Nexus 5000 Series Switches  | CSCtf40008 | 4.2(1)N2(1)    |
|-----------------------------------+------------+----------------|
| Cisco Nexus 2000 Series Switches  | CSCtf40008 | 4.1(1)N2(1)    |
|-----------------------------------+------------+----------------|
| Cisco Nexus 1000V Series Switches | CSCtf40008 | 4.2(1)SV1(5.1) |
|-----------------------------------+------------+----------------|
| Cisco MDS 9000 Software           | CSCtf40008 | 4.2(6)         |
|                                   |            | 5.1(1)         |
|-----------------------------------+------------+----------------|
| Cisco Unified Computing System    | CSCtg18363 | 1.3(1c)        |
|                                   |            | 1.4(1i)        |
+-----------------------------------------------------------------+
The following are not affected by the "less" sub-command command injection vulnerability:
* Cisco Nexus 3000 Series Switches
* Cisco Nexus 4000 Series Switches
-------------------------------------------------------------------------
NX-OS - "section" sub-command - Command injection / sanitization issues.
-------------------------------------------------------------------------
Affected Products:
==================
The following products are affected by this vulnerability:
+--------------------------------------------------------------+
| Affected Product                  | Cisco Bug  | First Fixed |
|                                   | ID         | Release     |
|-----------------------------------+------------+-------------|
| Cisco Nexus 7000 Series Switches  | CSCtr44645 | 5.2(1)      |
|-----------------------------------+------------+-------------|
| Cisco Nexus 5000 Series Switches  | CSCtr44645 | 5.1(3)N1(1) |
|-----------------------------------+------------+-------------|
| Cisco Nexus 3000 Se |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.2(4), 4.2(6), 5.1(1a), 5.1(2) |
|
Known Fixed Releases: | 4.2(1)N2(1), 4.2(5.10), 5.1(0.76), 5.1(1), 7.0(1)ZD(0.3) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus62502 | Title: | OTV Tunnel Depolarization causes traffic loss when some tunnels are down |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: If OTV Tunnel Depolarization is implemented, traffic will be dropped when several OTV tunnels are down.
Conditions: none
Workaround: none
Further Problem Description: none
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.63) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtf19827 | Title: | VSH parsing of backquotes allows linux cli access |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * |
Symptom:
An authenticated, local attacker could leverage an input handling flaw to execute arbitrary commands on the underlying operating system with elevated privileges.
Conditions:
Cisco devices running an affected version of NXOS software.
This issue affects: Nexus 7000 Nexus 5000
Workaround:
Restrict local console access to trusted users only.
Further Problem Description:
This issue was identified during an internal security audit of the Cisco UCS and related devices.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score and has issued this Release Note Enclosure. There will be no further communications from the Cisco PSIRT regarding this issue. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-4075 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2012-4075
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.2(4) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtr63091 | Title: | OSPF Process hogging CPU after receiving certain crafted packets |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptoms: Certain crafted OSPF packets may cause high CPU and OSPF processing to be degraded.
Conditions: Cisco Nexus 7K configured for OSPF routing. The attacker must be layer 2 adjacent to the device.
Workaround: Not available.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/3.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.2(1)S67 |
|
Known Fixed Releases: | 5.2(3.28)S0, 6.0(0.21)S0, 7.2(0)ZN(0.111) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsw63039 | Title: | User with vdc-admin role can escalate privileges |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom:
An already logged on user can escalate privileges
Conditions:
Cisco NX OS 4.1(2) and prior
Workaround:
None
Further Problem Description:
Fixed in NX OS starting with 4.1(3) and 4.2(1) Additional Information: This vulnerability was reported to Cisco by George Hedfors.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.1(1.64) |
|
Known Fixed Releases: | 4.1(3), 4.2(0.120), 4.2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCti69207 | Title: | Security Issue in OpenSSL |
|
Status: | Other |
|
Severity: | 2 Severe |
Description: * | Symptom: The device may be affected by an OpenSSL vulnerability described in CVE-2010-2939.
Conditions: Device configured with any feature that uses SSL.
Workaround: Not available
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2010-2939 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.0(1a)N2(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc48695 | Title: | Mac address not learnt on a port security port |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: MAC addresses are not learned from a port security enabled port.
If a MAC address is first learned dynamically from a non port security port, then the N7K does not learn the MAC address properly if it receives a frame from a port security port. This applies to the condition where the N7K puts the MAC address as static or drop.
Conditions: This bug applies to M1 and M2 modules only. This bug applies to NX OS up to 6.2(6).
Workaround: You can configure the unsecure port as Port-sec/secure port to avoid this issue.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/3: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:W/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 6.1(2)S8, 6.1(3)S30, 6.2(0.269)S8, 6.2(1.52)S1 |
|
Known Fixed Releases: | 6.2(1)AG(0.3), 6.2(1.53)S0, 7.1(0)AV(0.38), 7.1(0)D1(0.14), 7.1(0)D1(0.15), 7.1(0)D1(0.343), 7.1(0)OTT(0.47), 7.1(0)PDB(0.264), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtx54818 | Title: | Specific SNMP GET request causes 'ipqosmgr' to crash on Nexus 7K |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptoms: Cisco Nexus 7000 devices contain a denial of service vulnerability within the SNMP subsystem. This vulnerability could allow an authenticated, remote attacker to crash the device by submitting a malformed SNMP request to a specific MIB.
Conditions: Cisco Nexus 7000 devices running an affected version of Cisco NX-OS Software.
Workaround: None.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-4126 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.2(1), 6.0(1) |
|
Known Fixed Releases: | 5.2(4.9)S0 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCte62771 | Title: | Command Injection in admin CLI |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptoms: A vulnerability exists in affected versions of NX-OS which could allow an authenticated local attacker to inject shell commands. A successful exploit would allow an attacker to gain elevated privileges on the underlying operating system.
Conditions: Devices running affected versions of NX-OS are vulnerable.
Workaround: None
Further Problem Description: This issue was discovered in internal security testing and has been resolved in all current versions of affected software.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-4235 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.0(4)SV1(2), 4.2(1), 4.2(3) |
|
Known Fixed Releases: | 4.2(1)N2(1), 4.2(4), 4.2(4.14), 4.2(5), 5.0(1), 5.0(1.24) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtx54797 | Title: | Specific SNMP GET request causes 'vlan_mgr' to crash on Nexus switches |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptoms: Cisco Nexus 1000v, Nexus 3000, Nexus 5000, and Nexus 7000 devices contain a denial of service vulnerability within the SNMP subsystem. An authenticated, remote attacker could submit a request to an affected device designed to trigger a null pointer dereference error that results in a crash and reload of the affected device.
Conditions: Cisco Nexus 1000v, Nexus 3000, Nexus 5000, and Nexus 7000 devices running an affected version of Cisco NX-OS Software.
Workaround: None.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-4125 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.2(1), 6.0(1) |
|
Known Fixed Releases: | 5.2(4.47)S0 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur54182 | Title: | NX-OS Tacacs Daemon hap reset |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Device configured for TACACS may face crash due to "Tacacs Daemon hap reset"
Reason: Reset triggered due to HA policy of Reset
Service: Tacacs Daemon hap reset
Conditions: On a switch running NX-OS 6.2(8a) or later, if a very long command is given with remote authorization using TACACS enabled, a crash is seen in TACACS. Because TACACS expects the strings to be of size 255, it is unable to handle strings greater than 255.
Workaround: None.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.4/3.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-8013 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 07-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: | 6.0(2)A6(0.41), 6.0(2)A6(1), 6.0(2)U6(0.41), 6.0(2)U6(1), 6.1(2)I3(2.15), 6.1(2)I3(3), 6.2(10.21)S0, 6.2(12), 6.2(12)FT(0.12), 7.0(0)BZ(0.46) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv37216 | Title: | Callhome messages via HTTP transport is not sent due to L3VM error |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Callhome messages via HTTP transport are not sent due to l3vm_get_context_id failing.
Conditions: Try sending any call home message through HTTP transport.
Workaround: None.
Further Problem Description: None.
|
|
Last Modified: | 08-AUG-2015 |
|
Known Affected Releases: | 7.3(0)SLN(0.28) |
|
Known Fixed Releases: * | 7.3(0)SL(0.85) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut61977 | Title: | Crash after show forwarding route adjacency <interface> <ip address> |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: A ipfib process crash is seen. This may lead a HAP-Reset which could reload a module:
Nexus# sh core vdc-all
VDC  Module  Instance  Process-name     PID       Date(Year-Month-Day Time)
---  ------  --------  ---------------  --------  -------------------------
1    4       1         ipfib            18455     2015-03-26 11:06:19
1    4       1         ipfib            2173      2015-03-26 11:06:23
1    3       1         ipfib            12089     2015-03-26 11:06:29
1    3       1         ipfib            2173      2015-03-26 11:06:3
Conditions: This occurs after the show forwarding route command is entered with the adjacency options.
Workaround: Avoid using the show forwarding route adjacency command
Further Problem Description: This is similar to the CSCur91392 bug but additional changes are needed.
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 6.2(8a) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.41), 7.0(3)I2(0.542), 7.0(3)I2(1), 7.2(1)D1(0.9), 7.2(1)ZD(0.8) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun40658 | Title: | Nexus 7700-SPAN capturing in one direction when VLAN in fabricpath mode |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: In Nexus 7000 systems running 6.2.2a/6.2.6 code, if FabricPath traffic egressing out of a core port is captured using Egress SPAN sessions, the MiM header will not be stripped off at the SPAN destination. The reason for this particular enhancement is that capturing the packet in its entirety, including the MiM header, is often desirable. But in the 6.2.2a and 6.2.6 releases, there was no option to let the user decide whether the MiM header should be preserved or not. Some end analyzers are not able to detect/parse MiM headers, so it looked as if no egress copies were being generated for traffic going out of a core port. Hence, from 6.2.8 onwards, a new per-port CLI was provided which lets the user decide whether MiM/other internal headers should be preserved for the SPAN copy or not. The command to be used is "switchport monitor exclude header". More details on the command are in the configuration guide.
Conditions: Nexus 7000/Nexus 7700 switches with 6.2.2a or 6.2.6, where traffic egressing out of a core port is being copied in the Egress SPAN session and the end analyzer does not have the capability to parse the MiM header.
From 6.2.8 onwards: traffic egressing out of a core port is being copied in the Egress SPAN session, the end analyzer does not have the capability to parse the MiM header, and the CLI to enable stripping of internal headers, "switchport monitor exclude header", is not applied on the SPAN destination port.
Workaround: This is expected behavior, and an enhancement has been put in place for 6.2.8 using CSCun74440 to enable the user to pick whether the MiM header should be seen at the destination or not, depending on the end analyzer capabilities.
This bug is now used to document the behavior.
Further Problem Description:
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: * | 6.2(2a), 6.2(6) |
|
Known Fixed Releases: | 6.2(10), 6.2(10)S3 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus71454 | Title: | PVLAN VPC: peer-link flap causes primary legs in PVLAN host mode to flap |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: In a Private-Vlan VPC setup in private-vlan host mode, when peer link flaps, VPC leg in private-vlan host mode also flaps and comes back up in some time. There will be traffic loss from the VPC leg until the leg bringup happens again.
Conditions: The VPC legs have to be private-vlan host mode as follows: "switchport mode private-vlan host"
Example configuration:
interface port-channel10
  switchport
  switchport mode private-vlan host
  switchport private-vlan host-association 2 3
  vpc 1
Workaround: None
Further Problem Description:
|
|
Last Modified: | 13-AUG-2015 |
|
Known Affected Releases: | 6.2(12)S29 |
|
Known Fixed Releases: * | 6.2(13.18)S0, 7.2(1)D1(0.43), 7.2(1)ZD(0.37), 7.3(0)D1(0.69), 7.3(0)PDB(0.23) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut29799 | Title: | Privilege escalation with o+w files and directories |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms: Cisco NX-OS based devices contain a number of files and directories that are assigned weak file permissions. This could allow an attacker that was able to gain access to the underlying operating system to view or modify certain files that should be restricted.
Conditions: Nexus devices running an affected version of NX-OS Software.
Workaround: None.
Further Problem Description:
Credit: Cisco would like to thank Jens Krabbenhoeft for discovering and reporting this vulnerability.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.7/1.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 13-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.392), 7.3(0)D1(0.69), 7.3(0)PDB(0.11) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv68982 | Title: | ERSPAN session not coming up due to lack of TCAM resources |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom: ERSPAN sessions do not come up due to the error "Sufficient free entries are not available in TCAM bank" after the switch was reloaded.
Conditions: When a large ACL configuration is taking close to 100% of the TCAM Bank 0s, if you configure all ACLs first and then add the ERSPAN config, the ERSPAN session doesn't come up.
If the ACL is partially configured and then ERSPAN is applied, the ERSPAN session is up. After this, more ACLs can be added.
But after a reload the ERSPAN session will not come up.
Workaround: Remove some of the ACL and apply ERSPAN again.
Further Problem Description:
|
|
Last Modified: | 17-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu84449 | Title: | IGMP snooping entries ageout in AA FEX topologies |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: IGMP snooping entries are expiring after 5 seconds on one of the two vPC switches, while the entries are stable on the other vPC switch, which might cause traffic loss for 15-16 seconds (depending on the port-channel hashing result).
Conditions: Issue can be seen in a vPC topology with AA FEX without having configured the IGMP snooping switch-querier (under "vlan configuration XYZ"), but when having PIM enabled SVI interfaces.
Workaround: Configure IGMP snooping querier under the "vlan configuration XYZ" configuration mode.
or
Configure "ip igmp query-interval 30" under the SVI configuration mode.
Further Problem Description:
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 7.1(0)N1 |
|
Known Fixed Releases: * | 7.2(1)D1(0.7), 7.2(1)N1(0.240), 7.2(1)N1(1), 7.2(1)ZD(0.6), 7.2(1)ZN(0.6), 7.3(0)D1(0.72), 7.3(0)RTG(0.27) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuq68778 | Title: | BGP snmp traps cbgpPeer2BkwardTran,cbgpPeer2FsmStChn sent malform inst. |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Since the type and length are missing in OID instances of the cbgpPeer2 Trap Notifications, they are giving out malformed instance error.
Conditions: This issue occurs when cbgpPeer2 Trap Notifications are configured and traps are sent to the remote machine.
Workaround: No workaround available
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S58 |
|
Known Fixed Releases: | 6.2(10), 6.2(10)S72, 6.2(10.16)S0, 7.0(0)BZ(0.46), 7.0(0)HSK(0.357), 7.1(0)AV(0.38), 7.1(0)PDB(0.317), 7.1(0)SIB(99.82), 7.1(2)N1(0.576), 7.1(2)N1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu57637 | Title: | FCOE traffic is dropped at FEX FPC if storage vdc is created after ISSU |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: On N7k Platform, CRC giant-drops(ingress_giant_drops) seen on fex FPC ports on any qos template change after issu to 7.2 release image.
Conditions: With N7k platform after issu to 7.2 version, if you do any qos template change and if you have fex in your setup, you will see MTU mismatch resulting in giant/CRC drops in the ingress of FPC ports. FCoE frames with size more than 2104 bytes get dropped. The frames (with size less than 2104 bytes) are not affected.
Workaround: Configure/change the QoS template before ISSU, or shut/no-shut the FEX FPC ports to reconfigure the MTU.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.514) |
|
Known Fixed Releases: | 6.2(13.4)S0, 7.2(0)CF(0.11), 7.2(0)D1(1), 7.2(0)D1(1.1), 7.2(0)ZD(0.205), 7.2(1)PIB(0.14), 7.3(0)SL(0.73) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu77709 | Title: | LISP: map-caches entries to non-routable RLOCs are installed in fwd |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: A LISP map-cache entry on an xTR lists a group of locators as being in state "up" even while the routing table does not have an entry to reach them. They should be listed in state "no-route". These locators are pushed down to the forwarding table and flows that match this forwarding entry are blackholed.
Conditions: The main condition to see this problem is that the setup has a "split" RLOC view, i.e. the eTR registering the lisp database entry is able to see the RLOCs while the iTR is not.
From there the following needs to happen simultaneously to face this problem: (1) Multiple map-cache entries in the xTR have the same locator set (2) Some of the RLOCs in this locator set are permanently unreachable (no routing entry in RIB) from iTR
Workaround: Enabling RLOC probing, which will complement the information from the routing table. "lisp loc-reach-algorithm rloc-probing"
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(1) |
|
Known Fixed Releases: * | 7.2(1)D1(0.17), 7.2(1)N1(0.248), 7.2(1)N1(1), 7.2(1)ZD(0.13), 7.2(1)ZN(0.14), 7.3(0)D1(0.72), 7.3(0)DHB(0.31), 7.3(0)RTG(0.35), 7.3(0)ZD(0.85), 7.3(0)ZN(0.92) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuo52457 | Title: | Memory corruption Crash@pim_free |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: switch crashed due to memory corruption. The memory block that PIM tried to free appears to be corrupted (mtrack header).
Conditions: None
Workaround: None
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(6) |
|
Known Fixed Releases: | 6.0(2)A5(0.961), 6.0(2)A5(1), 6.0(2)U5(0.961), 6.0(2)U5(1), 6.1(2)I2(2c), 6.1(2)I3(1), 6.2(10), 6.2(10)CM(0.9), 6.2(8)KR(0.8), 6.2(8)TS(0.28) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu35152 | Title: | URIB service crash on N7K running 5.2(9) |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: URIB service crash
Conditions: This has been seen on an N7K switch running 5.2(9) code while reloading one of the peer switches.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 5.2(9) |
|
Known Fixed Releases: | 6.2(13.6)S0, 7.0(3)I2(0.542), 7.0(3)I2(1), 7.2(1)D1(0.52), 7.2(1)N1(0.283), 7.2(1)N1(1), 7.2(1)ZD(0.46), 7.2(1)ZN(0.48) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu34174 | Title: | UIN-1::After switch reload macs are not in sync between VPC peers |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Duplicate traffic is noticed on downstream FEX connected to F2 cards (not F2CR or F3)
Conditions: On switch reload, mac missing on one side of VPC and traffic hashes to the side missing.
Workaround: clear mac address dynamic OR clear mac address on the side present.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.506) |
|
Known Fixed Releases: * | 7.3(0)D1(0.69), 7.3(0)DHB(0.31), 7.3(0)PDB(0.15) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCut40757 | Title: | MAC Move on N7K is causing up to 2 sec disruption to flows on some ports |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: MAC Move causes traffic drop
Conditions: Unknown
Workaround: None
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 6.2(8a)E2 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv03125 | Title: | Rebase of dhcp_fhs project with REL_7_3_0_D1_0_2_S0 |
|
Status: * | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Following are components that will be brought into the project lineup:
Component: .acme_project (and-sw-bld64-1:/ws/shrinath-sjc/sync/.acme_project)
Component: build (and-sw-bld64-1:/ws/shrinath-sjc/sync/build)
Component: feature/cts (and-sw-bld64-1:/ws/shrinath-sjc/sync/feature/cts)
Component: feature/dhcp (and-sw-bld64-1:/ws/shrinath-sjc/sync/feature/dhcp)
Component: feature/dhcp/lib (and-sw-bld64-1:/ws/shrinath-sjc/sync/feature/dhcp/lib)
Component: feature/forwarding-sw/fib (and-sw-bld64-1:/ws/shrinath-sjc/sync/feature/forwarding-sw/fib)
Component: feature/vsh/clis (and-sw-bld64-1:/ws/shrinath-sjc/sync/feature/vsh/clis)
Component: feature/vsh/lib (and-sw-bld64-1:/ws/shrinath-sjc/sync/feature/vsh/lib)
Component: global (and-sw-bld64-1:/ws/shrinath-sjc/sync/global)
Component: infra/mts (and-sw-bld64-1:/ws/shrinath-sjc/sync/infra/mts)
Component: third-party/bin/linux (and-sw-bld64-1:/ws/shrinath-sjc/sync/third-party/bin/linux)
Component: third-party/src/linux (and-sw-bld64-1:/ws/shrinath-sjc/sync/third-party/src/linux)
Component: utils/cmd (and-sw-bld64-1:/ws/shrinath-sjc/sync/utils/cmd)
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 22-AUG-2015 |
|
Known Affected Releases: | 7.3(0.1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCui15592 | Title: | Nexus 7k unable to add spanning-tree commands to current interface |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: * | Symptom: Cannot add spanning-tree commands to current interface
Conditions: any previously configured interface
Workaround: default interface
More Info:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 5.1(5) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCui15626 | Title: | Spanning-tree guard root cannot be entered if channel group mode active |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: * | Symptom: Interface command "spanning-tree guard root" fails if the interface has channel group mode x active
Conditions: Whenever channel-group mode x active is in current config
Workaround: remove channel-group mode x active or default config
More Info:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 6.1(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus52559 | Title: | MD floodLTL cause unnecessary flood frm M to learn MAC wrongly in F2e/F3 |
|
Status: * | Terminated |
|
Severity: | 3 Moderate |
Description: * | Symptom: Whenever multicast traffic is flooded with MD flood LTL as the DI and the chassis has any M modules that are powered up, the MD flood received in the M module is flooded back to the fabric. This packet, on reaching the F2e/F3 cards, triggers egress MAC learning, which sometimes could overwrite an existing MAC entry with a wrong destination port.
Conditions: Conditions in which this issue could happen are: 1. Any M-series module should be up in the chassis
AND
2. MD flood LTL will always be used if a Private VLAN SVI is part of the OIF list for the multicast group
OR
3. Until an optimised multicast MD LTL is obtained for a multicast group, MD flood LTL will be used for a very brief period.
Workaround: No workaround.
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 6.2(12)S20 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv93182 | Title: | N7K %SYSMGR-2-VOLATILE_DB_FULL: high usage in /dev/shm |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: The following error is seen on the N7K after an upgrade to 7.2(0)D1(1)
%SYSMGR-2-VOLATILE_DB_FULL: System volatile database usage is unexpectedly high at 81%.
High utilization seen on the /dev/shm folder
Conditions: upgrade to 7.2(0)D1(1)
Workaround:
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu39870 | Title: | NAM Module flooding accounting log |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: * | Symptom: When a N7K-SM-NAM-9G-K9 Network Analysis Module is inserted into a chassis and powered up, it floods the accounting logs with unhelpful information:
Wed May 6 04:20:05 2015:type=start:id=vsh.5698:user=root:cmd=
Wed May 6 04:20:05 2015:type=stop:id=vsh.5698:user=root:cmd=
Wed May 6 04:20:07 2015:type=start:id=vsh.5714:user=root:cmd=
Wed May 6 04:20:08 2015:type=stop:id=vsh.5714:user=root:cmd=
Wed May 6 04:21:05 2015:type=start:id=vsh.5758:user=root:cmd=
Wed May 6 04:21:05 2015:type=stop:id=vsh.5758:user=root:cmd=
Conditions:
- Nexus 7K with NX-OS 6.2(12) or other newer NX-OS
- This problem happens when the NAM module is powered on.
Workaround: No workaround except to power off the NAM module.
Further Problem Description: This is an issue for the accounting log that impacts TAC's ability to troubleshoot. This is a very serious issue. When the NAM module is inserted and powered up, it floods 4 empty accounting log messages every minute, which basically makes the "show accounting log" command useless to TAC. See below for an example of the flooding:
Wed May 6 04:20:05 2015:type=start:id=vsh.5698:user=root:cmd=
Wed May 6 04:20:05 2015:type=stop:id=vsh.5698:user=root:cmd=
Wed May 6 04:20:07 2015:type=start:id=vsh.5714:user=root:cmd=
Wed May 6 04:20:08 2015:type=stop:id=vsh.5714:user=root:cmd=
Wed May 6 04:21:05 2015:type=start:id=vsh.5758:user=root:cmd=
Wed May 6 04:21:05 2015:type=stop:id=vsh.5758:user=root:cmd=
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua39152 | Title: | Command injection with CA functionality |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptoms: Cisco Nexus devices contain a local command injection vulnerability within the CA configuration commands of the CLI. An authenticated, local attacker could inject commands that are subsequently executed on the underlying operating system with elevated privileges.
The vulnerability exists due to a failure to properly sanitize all user supplied input prior to using it to execute commands on the underlying operating system. An attacker with administrative level privileges on an affected device could inject arbitrary commands that are then executed on the underlying operating system with elevated privileges.
Conditions: Cisco Nexus devices running an affected version of Cisco NX-OS software.
Workaround: None.
Further Problem Description: This vulnerability can only be exploited by an administrator with sufficient privileges to execute the affected commands.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/6.5: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-4139 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 6.0(2) |
|
Known Fixed Releases: * | 7.3(0)D1(0.67), 7.3(0)DHB(0.31), 7.3(0)IB(0.43), 7.3(0)PDB(0.32), 7.3(0)ZD(0.78) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu35062 | Title: | n7k hsrp error with more than 255 secondary ip on an interface |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: An interface with more than 255 secondary addresses configured will not allow you to configure an HSRP IP address. The following error is seen:
(config-if-hsrp)# ip x.x.x.x
ERROR: Invalid IP address((Mismatch with IP subnet))
Conditions: When more than 255 secondary addresses are configured on the interface
Workaround: Use fewer than 255 secondary addresses per interface
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: * | 6.2(12)E1, 6.2(13.3)S0, 6.2(14)FB(0.56), 7.0(3)I2(0.461), 7.0(3)I2(1), 7.2(1)D1(0.26), 7.2(1)N1(0.261), 7.2(1)N1(1), 7.2(1)ZD(0.21), 7.2(1)ZN(0.25) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv93032 | Title: | eVPC: dual-homed FEX goes offline when reloading one of the eVPC peers |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: dual-homed FEX goes offline when reloading one of the VPC peers
Conditions: reload one of the peers
Workaround: none
Further Problem Description: none
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut90135 | Title: | VSH cores during show commands on N7K |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: VSH process may crash when running show commands "show interface Ethernet ...".
Conditions: The crash may occur on a Nexus switch when a user logs into the switch and runs show commands "show interface Ethernet ...". The core was triggered because a shared library was not opened successfully when the system reached its resource limit.
Workaround: Unknown at this point.
Further Problem Description: Problem exists in Nexus 7000 NX-OS 6.2(12) and earlier releases. Fixes had been integrated into Nexus 7000 NX-OS 6.2(14), 7.2(0)D1(1) and later releases.
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.2(2) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.36), 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.0(3)I2(0.528), 7.0(3)I2(1), 7.1(0)AV(0.74), 7.2(0)BA(0.25), 7.2(0)CF(0.11) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv51995 | Title: | locking in rpm keychain malloc/free to avoid crash in rip |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: RIP crash is seen when there are successive keychain config commands in rip.
Conditions:
Workaround: The commands should not be issued immediately one after another. If there is some delay between the commands issued, the issue will not be seen, as it is a timing-related one.
More Info:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.2(8a) |
|
Known Fixed Releases: * | 7.0(3)I2(0.510), 7.0(3)I2(1), 7.0(3)IMK2(1), 7.0(3)IMK2(1.15), 8.3(0)CV(0.123) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu70539 | Title: | N5K bgp process crash after configuring default-originate |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: N5K BGP process crash caused hap reset.
Conditions: Configure "default-originate route-map |
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 7.0(5)N1(1) |
|
Known Fixed Releases: * | 7.0(3)I2(0.470), 7.0(3)I2(1), 7.0(7)N1(0.73), 7.0(7)N1(1), 7.0(7)ZN(0.154), 7.1(2)N1(0.576), 7.1(2)N1(1), 7.1(2)ZD(0.27), 7.1(2)ZN(0.38), 7.2(1)D1(0.9) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun31262 | Title: | moving nice associated interface across vdc leads to crash . |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: Moving nice associated interface across vdc leads to crash. Needs grace cleanup.
Conditions: Moving nice associated interface across vdc leads to crash. Needs grace cleanup.
Workaround: Moving nice associated interface across vdc leads to crash. Needs grace cleanup.
Further Problem Description: Moving nice associated interface across vdc leads to crash. Needs grace cleanup.
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 6.2(8)EC(0.8) |
|
Known Fixed Releases: | 6.2(0)HS(0.10), 6.2(8), 6.2(8)S1, 6.2(8)S14, 6.2(8)S9, 6.2(8.5) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv66399 | Title: | Forwarding address not set in OSPF for routes w/ different prefix length |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Forwarding address is not set while redistributing routes into OSPF
Conditions: Issue is noticed when you have two routes with same network ID, but different prefix. For example: 1.1.1.0/24 and 1.1.1.0/26
Workaround: One possible workaround is to use "set forwarding-address" under the route-map that is applied for this redistribution into OSPF. For additional help regarding route-map config, please refer to the following configuration guide.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/unicast/configuration/guide/b-7k-Cisco-Nexus-7000-Series-NX-OS-Unicast-Routing-Configuration-Guide-Release-6x/n7k_unicast_config_route_policy_manager.html#concept_1358E894A7F942B787E9BC52150B485D
Further Problem Description: This particular issue of NOT setting the forward address in external LSA does NOT have any adverse impact or routing breakage. Forwarding address of zero is interpreted as the advertising router. The extent of bad effect on the forwarding is that it *may* result in one additional hop for the packets (if the forwarding router is NOT the advertising router). Ref rfc2328 section 12.4.4.1
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: * | 7.3(0)IB(0.45) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCum15561 | Title: | FEX HIF-VLAN scale: Interfaces on 2248PQ error disabled on fex reload |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Not a scale that a customer would typically configure, and a workaround exists as well.
Symptom: On scale/batched triggers such as FEX reloads, peer reloads, etc., we see STP set port state failures.
Conditions: Issue is specifically seen with a scale configuration of around 20 host interfaces or more with 75 VLANs per host interface on a 2248PQ FEX type. With this configuration, when batched triggers are executed, STP set port failures are seen.
Workaround: Shut/no-shut of the interfaces where the error is seen
Further Problem Description: None
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 6.2(1.5), 6.2(6)S12 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut83347 | Title: | MFDM crashes due to HB loss |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: MFDM crashes due to Heartbeat loss to sysmgr
Conditions: Lots of Fex host side or network side port changes going on like port bring up / down and PC membership updates.
Workaround: None
Further Problem Description: This crash will be seen under heavy system load (overall mts queues being stuck) and not under normal scenarios.
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 6.2(8) |
|
Known Fixed Releases: * | 7.3(0)PDB(0.42) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu11282 | Title: | N7k: ITD probe with frequency config less than 5s seconds reverts to 60s |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ITD probes are only sent every 60 seconds when probe frequency is configured less than 5 seconds
Conditions: ITD probe configured on Nexus 7000 running 6.2(10)
Workaround: Configure the probe frequency to at least 5 seconds
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: | 6.2(13.3)S0, 6.2(14)FB(0.52), 7.2(0)D1(1), 7.2(0)D1(1.8), 7.2(0)ZD(0.216), 7.2(1)PIB(0.14), 7.3(0)D1(0.69), 7.3(0)DHB(0.31), 7.3(0)PDB(0.2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus47263 | Title: | vPC suspension following reload with peer-link on F3 and PKA on M-Series |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A Nexus 7000 pair in vPC will suspend all vPCs on the secondary when the operational primary is reloaded.
Conditions: When the vPC peer-link is configured on an F3 series line card and the peer-keepalive is configured on an M series line card.
Workaround: Configure the peer-keepalive on the F3 card or management interface. The management interface will only prevent this if running 6.2(10); otherwise use the F3 card.
Further Problem Description: Related defect CSCun82155.
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.79), 7.2(1)D1(0.64), 7.2(1)ZD(0.57) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv83041 | Title: | snmpget does not work for CISCO-VPC-MIB objects 1.2.1.1.3 & 1.1.2.1.2 |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: snmpget for the objects 1.2.1.1.3 & 1.1.2.1.2 of CISCO-VPC-MIB returns No Such Instance currently exists at this OID. snmpwalk for the same objects works fine.
MIB: CISCO-VPC-MIB Object: cVpcPeerKeepAliveStatus OID: 1.3.6.1.4.1.9.9.807.1.1.2.1.2
MIB: CISCO-VPC-MIB Object: cVpcDualActiveDetectionStatus OID: 1.3.6.1.4.1.9.9.807.1.2.1.1.3
Conditions: Using snmpget to poll the above objects
Workaround: use snmpwalk instead of snmpget
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv81861 | Title: | OSPF NSSA sending type 7 LSA after converted to regular area |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Type 7 LSA being sent by a device that is not a NSSA device
Conditions: After changing from NSSA to regular area
Workaround: None
Further Problem Description: Recovery: restart ospf
|
|
Last Modified: | 29-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: * | 7.3(0)IB(0.47) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv43023 | Title: | N7K: UPG to 7.2 causes VTP pruning to stop functioning |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Broadcast traffic is not forwarded to N7K after an upgrade, it is being pruned on downstream switches via VTP. ARPs for gateway may start failing.
Conditions: VTP pruning enabled on N7K, and upgrade to 7.2
Workaround: Reload of the N7K or remove & re-add 'feature VTP' corrects this state.
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(1) |
|
Known Fixed Releases: * | 7.2(1)D1(0.65), 7.2(1)ZD(0.58) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup86423 | Title: | MIB: MPLS-LSR-STD-MIB issues found by MPLS xOS automation |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The MPLS-LSR-STD-MIB (mplsLsrStdMIB) content may be erroneous or incomplete
Conditions: none
Workaround: none
Further Problem Description:
|
|
Last Modified: | 01-AUG-2015 |
|
Known Affected Releases: | 7.1(0)D1(0.113) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)D1(0.487), 7.2(0)D1(1), 7.2(0)N1(0.183), 7.2(0)N1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCum91206 | Title: | TACACS Acct error can cause "All servers failed to respond" syslog |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
Conditions: A TACACS related error is generated when we enter a large and complicated command for example the following: echo po21,po22,po23,po24 | tr ',' '\n' | sed 's/^/show port-channel database interface /' | vsh | grep "Ethernet.*/.*up" | sed 's/^.*Ethe/show cdp neigh int Ethe/'| sed 's/\[.*$//' | vsh | egrep "name" | cut -d '-' -f 1 | sort -u | egrep -c "abc123" | egrep -c "^1$" 0 switch# 2014 Jan 1 1:32:50 switch %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on vsh.10929 2014 Jan 1 1:34:55 switch %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on vsh.10933 2014 Jan 1 1:36:59 switch %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
This issue is seen when using commands as long as the one shown here.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 6.1(4a) |
|
Known Fixed Releases: * | 6.2(10), 6.2(10)S81, 6.2(10.16)S0, 7.0(0)BZ(0.46), 7.0(0)HSK(0.317), 7.0(0)KM(0.97), 7.0(3)I2(0.502), 7.0(3)I2(1), 7.0(3)IMK2(1), 7.0(3)IMK2(1.15) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq02309 | Title: | ATTip35430:FTP on nexus is not quitting if space is not enough |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: 1. No clear error message is received when there is not enough space. 2. File size is more than free space. 3. Incomplete image is copied if there is not enough memory.
Conditions: while copying image using FTP
Workaround: manually check and validate space
Further Problem Description: 1. We don't see a clear error message when there is not enough space. It says "No space left on device Copy complete, now saving to disk (please wait)..." which is confusing.
Admin-WCAR2# dir bootflash: 0 Sep 06 00:21:18 2013 20130906_042118_poap_6556_init.log 0 Sep 06 01:26:23 2013 20130906_052623_poap_7079_init.log 2097177 Oct 04 17:54:03 2013 20130924_204635_poap_6974_1.log 830200 Oct 04 18:46:16 2013 20130924_204635_poap_6974_2.log 1048602 Sep 24 17:43:45 2013 20130924_204635_poap_6974_init.log 2097167 Oct 07 12:31:31 2013 20131004_231829_poap_6981_1.log 221641 Oct 07 13:11:32 2013 20131004_231829_poap_6981_2.log 1048586 Oct 04 20:20:32 2013 20131004_231829_poap_6981_init.log 40849 Apr 03 17:11:24 2014 20140403_205847_poap_7864_init.log 2097257 Apr 07 07:56:18 2014 20140405_000629_poap_7717_1.log 1100570 Apr 07 13:47:34 2014 20140405_000629_poap_7717_2.log 1048586 Apr 05 01:33:54 2014 20140405_000629_poap_7717_init.log 122140 Apr 18 14:54:23 2014 20140418_181629_poap_7737_init.log 1707 Sep 05 23:08:00 2013 JAF1730AJTK_17976417.lic 15072 Apr 18 14:00:27 2014 att-base 4096 Jun 18 13:08:24 2014 lost+found/ 218199431 Sep 05 23:07:40 2013 n7000-s2-dk9.6.1.2.bin 421279771 Apr 03 03:29:08 2014 n7000-s2-dk9.6.2.6a.bin 420834028 May 06 13:39:27 2014 n7000-s2-dk9.6.2.8.bin 422304977 Jun 18 10:38:50 2014 n7000-s2-dk9.6.2.9.3.bin 36344320 Sep 05 23:06:32 2013 n7000-s2-kickstart.6.1.2.bin 37197824 Apr 02 17:43:33 2014 n7000-s2-kickstart.6.2.6a.bin 36619776 May 06 13:40:05 2014 n7000-s2-kickstart.6.2.8.bin 36637184 Jun 18 11:04:52 2014 n7000-s2-kickstart.6.2.9.3.bin 4096 Sep 06 00:20:45 2013 scripts/ 4096 Jun 11 06:08:02 2014 vdc_2/ 4096 Sep 06 00:20:07 2013 vdc_3/ 4096 Sep 06 00:20:07 2013 vdc_4/ 4096 Sep 06 00:20:07 2013 vdc_5/ 4096 Sep 06 00:20:07 2013 vdc_6/ 4096 Sep 06 00:20:07 2013 vdc_7/ 4096 Sep 06 00:20:07 2013 vdc_8/ 4096 Sep 06 00:20:07 2013 vdc_9/
Usage for bootflash://sup-local 1773735936 bytes used 42749952 bytes free 1816485888 bytes total Admin-WCAR2# copy ftp://natest@135.16.32.251/ios/Nexus/n7000_HDC/n7000-s2-dk9.6.2.10.bin.S2 0 n7000-s2-dk9.6.2.10.bin.S20 Enter vrf (If no input, current vrf 'default' is considered): management Password: /bootflash/n7000-s2-dk9.6.2.10.bin.S20: short write ***** Transfer of file Completed Successfully ***** Copy complete, now saving to disk (please wait)... Admin-WCAR2# copy ftp://natest@135.16.32.251/ios/Nexus/n7000_HDC/n7000-s2-dk9.6.2.10.bin.S2 0 n7000-s2-dk9.6.2.10.bin.Stest Enter vrf (If no input, current vrf 'default' is considered): management Password: local: /bootflash/n7000-s2-dk9.6.2.10.bin.Stest: No space left on device Copy complete, now saving to disk (please wait)... Admin-WCAR2# dir bootflash: 0 Sep 06 00:21:18 2013 20130906_042118_poap_6556_init.log 0 Sep 06 01:26:23 2013 20130906_052623_poap_7079_init.log 2097177 Oct 04 17:54:03 2013 20130924_204635_poap_6974_1.log 830200 Oct 04 18:46:16 2013 20130924_204635_poap_6974_2.log 1048602 Sep 24 17:43:45 2013 20130924_204635_poap_6974_init.log 2097167 |
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: * | 6.2(10), 6.2(2)S6 |
|
Known Fixed Releases: | 6.2(10), 6.2(10)S71, 6.2(10.16)S0, 7.0(0)BZ(0.46), 7.0(0)HSK(0.317), 7.1(0)AV(0.38), 7.1(0)D1(0.294), 7.1(0)EV(0.116), 7.1(0)OTT(0.40), 7.1(0)PDB(0.240) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur30049 | Title: | RPM's enhancement to add bgp-redist-unchanged for BGP's CSCud20941 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | This is an enhancement to add the bgp-redist-unchanged option in route-map. Symptom: BGP sets next-hop-self for self-originated routes. This is not RFC4271 compliant; we need RPM to add bgp-redist-unchanged for setting ip next-hop. Conditions: While redistributing routes, the next-hop is being changed. This option is needed to keep the next-hop unchanged. Workaround: None.
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.0(1) |
|
Known Fixed Releases: * | 6.2(10.21)S0, 6.2(12), 6.2(12)FB(0.7), 6.2(12)FT(0.5), 7.0(0)BZ(0.46), 7.0(0)HSK(0.357), 7.0(0)KM(0.110), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur13210 | Title: | While applying config %PORT-PROFILE-3-INVALID_LOCK_INDEX traceback seen |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: While applying configs on non-default vdc after vdc reload trigger seeing port-profile tracebacks.
%PORT-PROFILE-3-TSP_INVALID_LOCK_INDEX: Lock index invalid %PORT-PROFILE-3-INVALID_LOCK_INDEX: -Traceback %PORT-PROFILE-3-TSP_LOCK_STACK_EMPTY: Lock stack empty %PORT-PROFILE-3-LOCK_STACK_EMPTY: -Traceback
Conditions: Reload non-default vdc with wr erase & once vdc is online apply configs.
Workaround: No workaround.
Further Problem Description: These are just some additional tracebacks reported and there is no functionality impact associated. We generally get these tracebacks in the cases below: 1. Maximum number of locks allowed per process reached. 2. Lock tried for a variable for which a lock is not required. Both reasons are specific to the codebase, and the reported syslog messages or tracebacks have no functionality impact associated with them.
We have to plan to address this issue in 6212 and at the same time, lower the syslog levels of concerned messages.
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S90, 7.1(0)D1(0.320), 7.1(0)D1(0.342), 7.1(0)D1(0.64), 7.2(0)D1(0.392) |
|
Known Fixed Releases: * | 7.0(0)BZ(0.46), 7.0(0)HSK(0.357), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.408), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)N1(1), 7.2(0)PDB(0.353) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus48748 | Title: | vdc-operator on N7K VDC can show startup config using crafted CLI cmds |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptoms: Cisco Nexus devices running Cisco NX-OS software contain an information disclosure vulnerability within the command line interpreter that could allow an authenticated, local attacker to disclose the startup configuration of a device on which they are assigned to a Virtual Device Context (VDC).
The vulnerability exists due to improper input sanitization of a certain CLI command. An attacker assigned to the operator role of a VDC could leverage this vulnerability to display the startup configuration of the device that their VDC has been assigned to.
Conditions: Cisco Nexus devices running an affected version of Cisco NX-OS software.
Workaround: None.
Further Problem Description:
Credit: Cisco would like to thank Jens Krabbenhoeft for discovering and reporting this vulnerability.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 1.7/1.4: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 6.2(12), 6.2(12)S23, 6.2(12.4)S0, 7.0(0)BZ(0.46), 7.0(0)HSK(0.357), 7.0(0)KM(0.110), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.408) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus63246 | Title: | N7K - SNMP - FEX above FEX0130 not show sensors in ciscoEntitySensorMIB |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Transceivers for FEX with configurations from FEX0131 to FEX0199 will not show transceiver sensors in ciscoEntitySensorMIB
Conditions: Configurations of FEX0131-FEX0199 will not show transceiver sensors in ciscoEntitySensorMIB
Workaround: If all the fex configurations from FEX0101 through FEX0130 are not already being used, then just reconfigure the FEX number to a number 130 or less and the transceiver sensors will then show in ciscoEntitySensorMIB.
Further Problem Description: Poll using DOM capable transceivers for easier analysis.
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10), 6.2(12)S23, 7.2(0)D1(0.386) |
|
Known Fixed Releases: * | 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.1(0)SIB(99.92), 7.2(0)BA(0.12), 7.2(0)CF(0.11), 7.2(0)D1(0.414), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)RTG(0.113), 7.2(0)VZD(0.6) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo41210 | Title: | DR/BDR role changes occurs during ospf process restart |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: DR/BDR role changes
Conditions: restart ospf
Workaround: None
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 7.1(0)D1(0.85) |
|
Known Fixed Releases: * | 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.443), 7.2(0)D1(1), 7.2(0)FM(0.3) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtg65921 | Title: | Enabling cts should not add "aaa group server radius aaa-private-sg" |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: if you enable cts as an option then it adds "aaa group server radius aaa-private-sg" to the config as a default with no radius server under it. You then start getting error messages SF04-003-CSC-STG %RADIUS-3-RADIUS_ERROR_MESSAGE: problem in reading radius server group configuration or group not found or empty
You have to put a bogus radius server under the line in order to stop the messages. Removing the command will not stop the messages unless you reboot the switch.
Conditions: enabling cts
Workaround: disable cts
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 4.2(1) |
|
Known Fixed Releases: | 4.2(8)S25, 4.2(8.93)S0, 5.0(3)N1(1), 5.1(0.113)S9, 5.1(0.135)S0, 5.1(1), 7.0(0)BNZ(0.23) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus39311 | Title: | Monitoring LACP groups via SNMP always returns value of 1 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The SNMP agent in the Nexus 7000 series always returns a value of 1 for the object dot3adAggAggregateOrIndividual, regardless of how the device is actually configured.
Conditions:
Workaround: At this time, there is no workaround.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(8a) |
|
Known Fixed Releases: * | 6.2(13.11)S0, 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.422), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus57079 | Title: | N7K-F248XP-25E : intermittent link flaps on SFPs with no cable/fibre |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Link up/down events may show up on N7K-F248XP-25E ports with no cable/fibre, with/without dust plug.
Conditions:
Workaround: Keep interface admin shut
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(8a) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.35), 7.0(0)HSK(0.433), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)CF(0.11), 7.2(0)D1(0.483), 7.2(0)D1(1), 7.2(0)PDB(0.406), 7.2(0)VZD(0.26) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu15391 | Title: | vsi config is allowed on range of interface even with switchport |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | The issue is that "service instance" (vsi) command is visible under a "range of parent port interfaces" even though few or all of the parent ports are configured as switchport. If a parent port is switchport vsi command should be rejected or not be visible.
Symptom: If a parent port in the range command is switchport vsi command should be rejected or not be visible.
Conditions: Configuration time: The issue is that "service instance" (vsi) command is visible under a "range of parent port interfaces" even though few or all of the parent ports are configured as switchport. If a parent port is switchport vsi command should be rejected or not be visible.
Workaround: Do not configure a VSI under a range of parent ports if few or all parent ports are switchport configured.
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.490) |
|
Known Fixed Releases: * | 7.3(0)D1(0.42), 7.3(0)D1(0.43), 7.3(0)DHB(0.14), 7.3(0)HM(0.36), 7.3(0)OTT(0.14), 7.3(0)PDB(0.15), 7.3(0)RTG(0.44), 7.3(0)ZD(0.56) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur23837 | Title: | VRRP: logging level vrrp-eng/cfg is not working |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Configuring logging level vrrp-eng/cfg [x] does not change the value in show log for vrrp. Configuring logging level vrrp-cfg and then logging level vrrp-eng overrides the value for vrrp-cfg.
Conditions: The symptoms are observed when feature vrrp and logging level vrrp-eng/cfg is configured.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S100 |
|
Known Fixed Releases: * | 7.0(0)BZ(0.46), 7.0(0)HSK(0.357), 7.0(0)KM(0.110), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.408), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)N1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur10761 | Title: | clk_mgr crash on N7K |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Crash seen with cli 'show system internal clk_mgr get reference-port-ts interface eth7/15'
Conditions: clk_mgr crash was seen with cli 'show system internal clk_mgr get reference-port-ts interface eth7/15'
Workaround: N/A
Further Problem Description: clk_mgr crash was seen with cli 'show system internal clk_mgr get reference-port-ts interface eth7/15'
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S82 |
|
Known Fixed Releases: * | 6.2(10), 6.2(10)S92, 6.2(10.16)S0, 7.0(0)BZ(0.46), 7.0(0)HSK(0.357), 7.0(0)KM(0.110), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.408), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut58219 | Title: | lisp: rate limited SMRs slow-down multi-VM mobility in DC |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Convergence of LISP branch xTR map caches may be slow when VMs move from one DC to another.
Conditions: The problem may show up under scale, i.e. when a larger number of VMs all move at once.
Workaround:
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.1(2), 7.2(0)D1(0.444) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.471), 7.2(0)D1(0.473), 7.2(0)D1(1), 7.2(0)N1(0.166), 7.2(0)N1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu14701 | Title: | N7k-(6.2.8a) allocate non-null label for loopback used for Anycast RP |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: 2 N7k in anycast RP setup are NOT advertising an Implicit-Null for RP Loopback to their directly connected LDP neighbors. Traffic destined to this Loopback from directly connected neighbors is failing as it is sent with an MPLS Label instead of unlabeled (IP).
Conditions: Issue is seen when both RPs were isolated temporarily due to link flaps.
Workaround: shut/no shut the loopback. Remove and configure ldp.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 5.2(8), 6.2(10)E8 |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.1(2)N1(0.576), 7.1(2)N1(1), 7.1(2)ZD(0.26), 7.1(2)ZN(0.38), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.502) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut16676 | Title: | NXOS: Standby supervisor stuck in power-up |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Standby supervisor stuck in "powered-up" state where HA state stays in "HA synchronisation". This can happen after standby is reloaded - either manual reload/oir or part of ISSU
Following log is a main symptom of this issue.
show module internal activity module
11) At 312758 usecs after Sun Feb 15 07:46:58 2015 Queueing event: (reason: LC(s) coming up
Conditions: Issue can happen after one module is removed during the booting sequence (during booting up/testing/initialization state). The module removed can be any module in the system (not necessarily a supervisor).
Workaround: Reinsert module that has been removed during booting
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.22), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)CF(0.11), 7.2(0)D1(0.459), 7.2(0)D1(1), 7.2(0)PDB(0.380), 7.2(0)PDB(0.381), 7.2(0)VZD(0.26) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut44932 | Title: | sync-snmp-password failing for user part of the vdc-admin group |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The sync-snmp-password returns "group not found" error for users part of the vdc-admin group. Issue not seen in 7.0(5)N1(1)
NXOS# sh user-account user:admin this user account has no expiry date roles:network-admin network-operator user:testuser roles:network-admin network-operator vdc-admin
NXOS# sync-snmp-password cisco123 testuser x.x.x.x group not found
Conditions: User part of the vdc-admin group
Workaround: Remove the user from the vdc-admin group
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)ZN(99.147) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.1(2)N1(0.548), 7.1(2)N1(1), 7.1(2)ZD(0.6), 7.1(2)ZN(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.468), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut57885 | Title: | ip radius source-interface loopback10 missing |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: After upgrade from 6.0(4) to 6.2(10), customer lost the config: 'ip radius source-interface loopback10'
Conditions: This CLI behavior was changed in 6.2 where this CLI now works even if loopback interface does not exist.
Seen on N7010 upgrade with SUP1s.
ip radius source-interface loopback10 missing after non-ISSU from 6.0(4) to 6.2(10)
Workaround: manually configure 'ip radius source-interface loopback10'
Further Problem Description: attached supporting documentation
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.28), 7.0(0)FFW(0.7), 7.0(0)HSK(0.474), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.508), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut58316 | Title: | F3:Custom QoS policy increments interface output discards |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When a specific QoS policy is applied, the traffic coming through the interfaces shows output discards, but doesn't actually drop the traffic.
Conditions: Custom QoS policy applied.
Workaround: Take off the custom QoS policy. When the policy is defaulted, the counter errors stop incrementing.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.66), 7.0(0)HSK(0.433), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)CF(0.11), 7.2(0)D1(0.483), 7.2(0)D1(1), 7.2(0)PDB(0.402), 7.2(0)VZD(0.26) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu47124 | Title: | N7000 with F2E module fails to allocate LIF for L3 port-channel |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Port-channel LIF will not be present after removing the last port from PC member from a given ASIC. Route installation fails later for the port-channel.
Conditions: Port-channel 10 Members 1/1 and 2/1
No other ports are up in that given asics (2-4) Port channel member 1/1 is removed from the Port-channel. LIF for port channel 10 in LC 1 ASIC 0 is freed.
Later port-channel based route addition fails for that ASIC.
Workaround: Delete and re-create the port-channel.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 6.2(10)E8, 6.2(12)E6, 6.2(13.3)S0, 6.2(14)FB(0.61), 6.2(14)FB(0.66), 7.2(0)CF(0.11), 7.2(0)D1(1), 7.2(0)D1(1.1), 7.2(0)ZD(0.201), 7.2(0)ZD(0.210) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu16615 | Title: | CTS SGACL unknown/unknown does not get hit on F3 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: SGACL any/any policy is hit for the case when traffic does not derive valid SGT/DGT. Expected result is that SGT = unknown/ DGT = unknown is hit.
Conditions: SGT and DGT cannot be derived for Source IP and Dest IP.
Workaround: Use some other type of acls to deny the ip's that would be untagged.
Further Problem Description: This is an inherent flanker driver issue and exists in 6.2.x as well.
If unknown/unknown and any/any have same rules then this issue is not applicable.
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.490) |
|
Known Fixed Releases: * | 6.2(10)E3, 6.2(13.3)S0, 6.2(14)FB(0.66), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.505), 7.2(0)D1(1), 7.2(0)VZD(0.26) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu49473 | Title: | Need delay as a configurable item under GIR custom profile |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Need delay as a configurable item under GIR custom profile
Conditions: N/A
Workaround: N/A
Further Problem Description: N/A
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.507) |
|
Known Fixed Releases: * | 7.2(0)CF(0.11), 7.2(0)D1(1), 7.2(0)D1(1.22), 7.2(0)ZD(0.228), 7.3(0)SL(0.73) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtu10586 | Title: | CDP memory leak on device id |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptoms: Cisco Nexus devices contain a memory leak vulnerability. An unauthenticated, adjacent attacker can trigger a 1 byte memory leak by submitting a maliciously crafted CDP packet to the affected device.
Conditions: Cisco Nexus devices running an affected version of NX-OS Software.
Workaround: If not required, disabling CDP is an effective mitigation for this issue.
Further Problem Description: This issue was identified during an internal security audit of Cisco Nexus and related devices.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/2.7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.2(1) |
|
Known Fixed Releases: | 5.2(3.30)S0, 5.2(3.39)S0, 6.1(0.136)S0 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtx83727 | Title: | CDP memory leak on repeated TLVs |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptoms: Cisco Nexus 1000, 3000, 4000, 5000, and 7000 switches may leak memory when processing malformed Cisco Discovery Protocol (CDP) packets; this can lead to an eventual reload of the switch. An adjacent attacker with the ability to submit malformed CDP traffic to an affected device could cause a denial of service condition while the device reloads or fails over to a redundant Supervisor card if so equipped.
Conditions: Cisco Nexus Switches running an affected version of NX-OS.
Workaround: Disable CDP on the affected device; the CDP protocol is enabled by default.
NX-OS: no cdp enable
Further Problem Description: This issue was identified through internal hardening efforts on the NX-OS platform.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-1323 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 6.0(1) |
|
Known Fixed Releases: | 5.2(7), 5.2(7)S14, 5.2(7.20)S0, 6.1(0.211)S0, 6.1(0.242)S0, 6.1(2.27) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCud89415 | Title: | Crash on processing malformed LLDP packet |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: A vulnerability in the Link Layer Discovery Protocol (LLDP) code of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to crash an affected device.
The vulnerability is due to an error in parsing a malformed LLDP packet. An attacker could exploit this vulnerability by sending a specially crafted, malformed LLDP packet to an interface enabled for LLDP packet processing.
Conditions: LLDP is enabled on the interface on which the malformed packet is received.
Workaround: There are no workarounds
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4197 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.2(5) |
|
Known Fixed Releases: | 5.2(9), 5.2(9)S43, 5.2(9.84)S0, 6.0(2)U3(0.642), 6.0(2)U3(1), 6.0(2)U4(0.60), 6.0(2)U4(1), 6.1(4.97)S0, 6.1(5), 6.1(5.6)S0 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCti08891 | Title: | Shell access on CMP from Supervisor |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptoms: Cisco Nexus devices may allow an authenticated attacker that has access to and permissions to load the debug-plugin from the command line shell to modify certain files that should be restricted to system accounts only.
Conditions: Cisco Nexus devices that run an affected version of NXOS software.
Workaround: Restrict access to trusted users only.
Further Problem Description: This issue can only be exploited by a fully privileged local user that also has obtained the debug-plugin and access codes from the Cisco TAC.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/2.7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=&version=2.0 dispatch=1&version=2&vector=AV:N/AC:M/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.0(2a) |
|
Known Fixed Releases: | 5.1(0.228)S0, 5.1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua39124 | Title: | Rate limiting of FIP packets can cause DoS |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: * | Symptoms: Cisco Nexus devices that support Fibre Channel over Ethernet (FCoE) and have configured a rate limit filter on FCoE Initialization Protocol (FIP) messages could be exploited to cause a denial of service condition. An unauthenticated, adjacent attacker could cause all FCoE enabled ports to drop FIP messages resulting in a denial of service condition (DoS).
The vulnerability exists due to a design limitation of the rate filter feature on affected devices. Rate limits are applied to all FCoE enabled ports and not only on the port that triggered the limiter. This results in all FIP messages on all FCoE enabled ports being dropped while the rate limiter is performing the Drop action.
Conditions: Cisco Nexus devices running an affected version of Cisco NX-OS software and configured to perform FCoE operations.
Workaround: None.
Further Problem Description: This is a product limitation, and as such it is not planned to be fixed.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-4138 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 6.0(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtk61404 | Title: | OpenSSL Ciphersuite Downgrade and J-PAKE Issues |
|
Status: | Other |
|
Severity: | 3 Moderate |
Description: * | Symptom: The device may be affected by the OpenSSL vulnerabilities described in CVE-2010-4180 and CVE-2010-4252.
Conditions: Device configured with any feature that uses SSL.
Workaround: Not available
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.1/3.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C&version=2.0
CVE IDs CVE-2010-4180 and CVE-2010-4252 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.0(1a)N2(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtk02306 | Title: | IPv6 glean performance is very less as NS packets are rate-limited |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom:
Cisco Nexus 7000 experiences performance degradation when processing IPv6 packets. During different tests, when a device/client sends ICMPv6 Neighbor Solicitation messages, not all packets were rate-limited successfully, thus causing performance degradation.
Note: ICMPv6 Neighbor Advertisement and Neighbor Solicitation are used to facilitate host-router discovery functions as part of the IPv6 Neighbor Discovery (ND) protocol. IPv4 is not impacted by this issue.
Conditions: Cisco Nexus 7000 configured for IPv6. Workaround: Not available.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-0368 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.1(1) |
|
Known Fixed Releases: | 5.1(1.68)S0, 5.2(0.139)S0, 7.2(0)ZN(0.111) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub35293 | Title: | Netconf Crash |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: * | Symptom: Crash in NX-OS NetConf process
Conditions: An authenticated session sends a crafted NetConf payload to the device.
Workaround: None.
Further Problem Description: After a NetConf process crash, if the NetConf client reconnects, the NetConf agent will be restarted.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-3942 has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 6.2(0.47)S4 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCte90387 | Title: | NX-OS arbitrary command injection in admin CLI |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptoms: A vulnerability exists in NX-OS which can allow an authenticated, local attacker to execute arbitrary commands on an affected system. A successful exploit would allow an attacker to gain unauthorized access to the underlying operating system.
Conditions: Devices running affected versions of NX-OS software are vulnerable.
Workaround: None
Further Problem Description: This issue was discovered in internal security testing and has been resolved in all current versions of affected software.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2011-4240 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.2(1) |
|
Known Fixed Releases: | 4.2(4), 4.2(4.33), 4.2(4.36), 4.2(5.6), 5.0(2), 5.0(2)S64, 5.1(0.68), 5.1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtq13525 | Title: | Missing validity checks on length field of OSPF Opaque LSA updates |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | SYMPTOM:
NX-OS may forward corrupted LSAs and suffer from system instability (high CPU).
CONDITIONS:
The OSPF process handles a malformed LSA update.
WORKAROUNDS:
There are no workarounds, but Cisco NX-OS OSPF MD5 authentication can be used to mitigate this issue by preventing unauthenticated neighbors from injecting malformed LSAs.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.4/6.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:N/I:P/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2011-2031 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 5.2(0.270)S7 |
|
Known Fixed Releases: | 5.2(1)S17, 5.2(1.21)S0, 7.2(0)ZN(0.111) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua39088 | Title: | TACACS+ missing header length check |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptoms: Cisco Nexus devices contain a vulnerability within the TACACS subsystem that could allow an unauthenticated, remote attacker to crash the TACACS process. This could result in an unexpected process restart.
The vulnerability exists due to a failure to properly limit the maximum message size that will be allocated for a TACACS message. An attacker who could place themselves between an affected device and the AAA server, and who knows the MD5 authentication token, could respond to an AAA request from an affected device with a malicious packet. When the packet is processed, the affected device may try to allocate a buffer that is larger than the available memory, resulting in a core of the process.
Conditions: Cisco Nexus devices running an affected version of NX-OS software and configured to perform TACACS authentication.
Workaround: None.
Further Problem Description: The TACACS process will be restarted by the device, but may result in a temporary denial of service condition.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2012-4137 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 6.0(1) |
|
Known Fixed Releases: | 6.1(1)S14, 6.1(1.13)S0, 6.2(0.217), 6.2(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo80764 | Title: | N5K - ISSU upgrade to 7.0.1.N1.1 changing config vrf name to unknown |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: upgrade to 7.0.1.N1.1 using ISSU can result in change in config where vrf name would show as unknown.
Conditions: ISSU upgrade
Workaround: reload the switch
Further Problem Description:
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: * | 7.0(1)N1(1), 7.0(3)I2(0.529) |
|
Known Fixed Releases: | 7.0(0)HSK(0.433), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.1(2)N1(0.552), 7.1(2)N1(1), 7.1(2)ZD(0.8), 7.1(2)ZN(0.11), 7.2(0)BA(0.25), 7.2(0)D1(0.480), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur57084 | Title: | FEX Core Fails to Upload in Non-default VDC - No Workaround on NPE Image |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Nexus 2000 may fail to copy the core file to the Nexus 7000 during a crash but continues to try over and over: N7k-2 SYSMGR-FEX101-3-CORE_OP_FAILED Core operation failed: send_msg_to_ccdmon: Could not send to CORE_DMON return -1 errno 32 N7k-2 SYSMGR-FEX101-5-SUBPROC_TERMINATED "System Manager (core-client)" (PID 1903) has finished with error code SYSMGR_EXITCODE_CORE_CLIENT_ERR (11).
Conditions: When the Nexus 2000 connected to a non-default VDC crashes.
Workaround: Contact Cisco TAC.
Further Problem Description:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 7.0(0)BZ(0.46), 7.0(0)FHS(0.23), 7.0(0)HSK(0.395), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.0(2)FIP(0.19), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.1(0)IB(122), 7.1(0)SIB(99.109) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCue93156 | Title: | OWNER type for EIGRP/BGP/HSRP routes return incorrect value |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When using ONEPK to develop an application that reads routes from the NE, the returned routes have the incorrect owner type for the EIGRP, BGP and HSRP routes.
Conditions: This is specific to ONEPK
Workaround: There is no workaround for this issue. |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 6.0(2) |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)IC273.5, 15.2(2.4.11)EA, 15.2(2.6.89)EA, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(2.15.4)XEB, 15.3(2.8.2)PIB23, 15.3(2.9)T |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCue44348 | Title: | transport allows same port for TCP and TLS |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The transport CLI allows the same port on tls and tcp
Conditions: Nxos 110 Image was installed
Workaround: None |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 6.1(1) |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)IC273.5, 15.2(2.4.11)EA, 15.2(2.6.89)EA, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(2.15.4)XEB, 15.3(2.8)T, 15.3(2.8.1)PIB23 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCue60063 | Title: | NXOS CD2: onep_intf_get_sub_intf_list returns parent, peer subinterface |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: If a subinterface is passed to the onep_interface_get_sub_interface_list() API, it returns the parent interface and the peer subinterface as well
Conditions: Onep is enabled, and application is connected to UUT.
Workaround: Call the API on the interfaces other than subinterface. |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 6.2(1) |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)IC273.5, 15.2(2.4.11)EA, 15.2(2.6.89)EA, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(2.15.4)XEB, 15.3(2.8.2)PIB23, 15.3(2.9)T |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCue19674 | Title: | [Turbo] Java HA support |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: No HA support on JAVA
Conditions: When N7K does a switchover, the app should wait and reconnect to the sup when active.
Workaround: Do not have the app disconnect, just wait and reconnect.
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 6.2(0.78) |
|
Known Fixed Releases: * | 15.1(1)ICA4.122, 15.2(1)IC273.5, 15.2(1.2.7)PI22, 15.2(2.4.11)EA, 15.2(2.6.89)EA, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.3(2.10)T, 15.3(2.12.1)PIH22 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu39555 | Title: | Sometimes few HSRPVIP removed ISSU 6.0.2.N2(7)>7.0.6.N1(1)>7.2.0.N1(1) |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: IP address will be removed after we do ISSU from "H+MR6 [6.0(2)N2(7)] to IMR5[7.0(6)N1(1)] then to JJ[7.2(0)N1(1)]"
Conditions: Need to perform 2step ISSU from H+MR6 [6.0(2)N2(7)] to IMR5[7.0(6)N1(1)] then to JJ[7.2(0)N1(1)] with virtual ip configured in HSRP. After doing ISSU from H+MR6 to IMR5 ISSU will succeed, then when we do ISSU from IMR5 to JJ, will get below error
<<<%NETSTACK-2-CRIT_FAILURE: netstack [4007] Failed to configure IP address on Vlan834. IP address overlaps with one of the address configured on Vlan833. Vlan834 has been shutdown.Please change the IP address to avoid overlap and perform a "no shutdown">>> and ip address will be removed on the vlan or vlan interface will be shutdown.
Workaround: Need to reconfigure the ip address after correcting the network mask of HSRP ip in the vlan.
Further Problem Description:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 7.2(0)N1(0.206) |
|
Known Fixed Releases: * | 7.0(0)FHS(0.23), 7.3(0)D1(0.45), 7.3(0)DHB(0.14), 7.3(0)IB(0.35), 7.3(0)N1(0.61), 7.3(0)N1(1), 7.3(0)OTT(0.14), 7.3(0)PDB(0.15), 7.3(0)RTG(0.44), 7.3(0)ZD(0.57) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtl06627 | Title: | Data traffic is affected when SPAN is >10g - MTU truncate / rate limiter |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Data traffic is affected when SPAN is more than 10g
Conditions: When using SPAN on a VLAN passing more than 10g of traffic, normal data traffic is affected on the rest of the switch. The SPAN port outputs at maximum rate, yet the other ports being used to transmit and receive data traffic start to drop this traffic.
Workaround(s): A rate limit feature is implemented in 5.2.1 to reduce the rate of SPANned traffic so the normal traffic will not be impacted. For pre-5.2.1 images, using a port-channel as the SPAN destination will increase the output bandwidth so it will not back-pressure the normal traffic. |
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: * | 5.1(1a) |
|
Known Fixed Releases: | 5.2(0.218)S0, 5.2(0.236)S0, 7.0(1)ZD(0.3) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur53122 | Title: | VxLAN N6K: Most TCs failing in regression script due to broken auto-rp |
|
Status: * | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: auto-rp is not supported if one device is configured as static and auto-rp candidate for different groups. Having more than one auto-rp group will always result in failure
Conditions: More than One auto-rp groups are configured
Workaround: To have one auto-rp group configured
Further Problem Description:
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 7.1(0)D1(0.199) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCum90964 | Title: | onep VTY SS does not receive interface update notifications |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: onep_vty_write() not flushing its internal buffer. Seen on both N3K and N7K.
Conditions: Normal usage in general. The issue can however, be seen on a specific configuration of 'interface vlan 23'.
Workaround: Due to the nature of this issue there is not a generic workaround. It is however recommended to perform all interface-vlan configuration at the beginning of the Puppet Manifest to have least exposure.
Further Problem Description: Please see eng note.
|
|
Last Modified: | 12-AUG-2015 |
|
Known Affected Releases: | 7.0(1)N1(0.4) |
|
Known Fixed Releases: * | 15.1(2)IC66.2, 15.2(1)IC273.56, 15.2(1)ICA4.30, 15.2(2)DB101.101, 15.2(2)DB101.112, 15.2(4.0)ST, 15.2(4.0.64a)E, 15.2(5.0)ST, 15.4(2.14)T, 15.4(2.15)PI26a |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCul93193 | Title: | wccp event-history errors shows "Error retrieving VRF ifindex" |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: * | Symptom: there are no known functional impact -- wccp event-history errors shows "Error retrieving VRF ifindex"
Conditions: there are no known functional impact -- wccp event-history errors shows "Error retrieving VRF ifindex"
Workaround: there are no known functional impact -- wccp event-history errors shows "Error retrieving VRF ifindex"
Further Problem Description:
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 6.2(6)S1 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu99291 | Title: | Cisco Nexus 7000 VDC Authenticated Privilege Escalation Vulnerability |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A vulnerability in Command Line Interface (CLI) parser of the Cisco Nexus Operating System (NX-OS) devices could allow an authenticated, local attacker to perform a privilege escalation at the CLI.
The vulnerability is due to improper input validation of special characters within filenames. An attacker could exploit this vulnerability by authenticating at the local shell and writing a file to disk with certain special characters. The attacker could then use that file with other CLI commands to obtain a shell prompt at their current privilege level. An exploit could allow the attacker to read/write files and perform other privileged commands.
Conditions: Device running with default configuration running an affected version of software.
Workaround: The user has to be authenticated, so take care to distribute "admin" credentials only to trusted sources.
Further Problem Description: Credit: Cisco would like to thank Jens Krabbenhoeft for discovering and reporting this vulnerability.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:U/RC:C&version=2.0 CVE ID CVE-2015-4237 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: * | 6.2(13.4)S0, 7.2(1)ZD(0.45) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv06177 | Title: | copy run to sftp on linux server fails |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: copy run sftp: fails for non-root users as it always uses root directory(/) as target. copy bootflash: sftp: works perfectly as it always uses /var/home/
Conditions: ++SFTP service should be running on Linux/Unix ++Non root credentials should be used.
Workaround: Specify the complete path
switch# copy bootflash:test sftp:
Enter vrf (If no input, current vrf 'default' is considered): management
Enter hostname for the sftp server: /home/kmuruga2/test^C
switch# copy running-config sftp:
Enter destination filename: [switch-running-config] /home/kmuruga2/test
Enter vrf (If no input, current vrf 'default' is considered): management
Enter hostname for the sftp server: 173.36.137.136
Enter username: kmuruga2
Password:
Connected to 173.36.137.136.
sftp> put /var/tmp/vsh/switch-running-config //home/kmuruga2/test
Uploading /var/tmp/vsh/switch-running-config to //home/kmuruga2/test
/var/tmp/vsh/switch-running-config 100% 3134 3.1KB/s 00:00
sftp> exit
Copy complete.
Further Problem Description:
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: * | 6.2(13.11)S0, 7.2(1)D1(0.50), 7.2(1)ZD(0.45), 7.3(0)IB(0.33) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv80499 | Title: | BGP flapping with same AS-PATH ACL matched in two or more route-map seqs |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: Multiple BGP sessions fail to establish after link flap on route refresh on N7K. The sessions cycle between Idle/Active/Closing
Conditions: This is seen when N7K have outbound policy route-map matching the same as-path ACL in two or more sequences of the same route-map.
Some of the peers are sending upwards of 50K prefixes and in the same update-group as other peers sending 10 to 100 prefixes.
Link flap to one or some of the peers or route refresh(clear ip bgp * soft) is the trigger.
Workaround: Match the as-path once in the route-map and use other attributes to match the prefixes in other sequences.
Further Problem Description:
|
|
Last Modified: | 17-AUG-2015 |
|
Known Affected Releases: | 6.2(10), 6.2(12), 7.2(0)D1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCte65360 | Title: | Pvlan ports allow for vlan hopping |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: * | Symptom: A Nexus device is directly connected to a host via a port configured as a Private VLAN port, and the Nexus is connected to another device via a Trunk Port. In this configuration an 802.1q tagged packet that does not match the Private VLAN configuration may be passed to another device via the Trunk Port. It is expected that this packet would be dropped.
Conditions: Nexus devices running an affected version of NX-OS.
Workaround: None.
Further Problem Description: PSIRT Evaluation: This issue has been evaluated by PSIRT and it was determined it does not meet the criteria for a Cisco Security Advisory. This issue is being disclosed via Release Note Enclosure and will receive no further updates from PSIRT.
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/2.7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 17-AUG-2015 |
|
Known Affected Releases: | 5.0(2), 6.0(2), 6.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv12718 | Title: | G bit set for HSRP VMAC in vPC setup with state Listen/Listen |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Reachability to gateway IP (HSRP VIP) breaks when HSRP state is Listen/Listen. Issue seen in a DCI setup where HSRP state across DCs with Active/Standby in one site and Listen/Listen in other site is preferred.
Conditions: vPC setup maintaining HSRP state with 4 gateways. Peer-link configured on F1 where proxy routing occurs with F1-M1 combination. Device running 6.2.8 code, seen with 6.2.8b.
Not seen with 6.2.10, 6.2.12
Workaround: If the setup is a DCI, apply FHRP isolation filters for the VLANs in question. If all 4 gateways are in the same site, the only possible workaround is to limit the number of HSRP gateways to 2 devices by shutting down SVIs on two devices.
Further Problem Description:
|
|
Last Modified: | 17-AUG-2015 |
|
Known Affected Releases: | 6.2(8b), 7.3(0)D1(0.64) |
|
Known Fixed Releases: * | 7.3(0)PDB(0.31) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur18621 | Title: | Show snmp trap cmd doesn't show status of msdp trap configs. |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Status of MSDP trap is not shown in the output of 'show snmp trap'
Conditions: Trap type, Description and status is not shown for show snmp trap command for MSDP.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S89 |
|
Known Fixed Releases: * | 7.0(0)BZ(0.46), 7.0(0)HSK(0.357), 7.0(0)KM(0.110), 7.1(0)AV(0.38), 7.1(0)EV(0.137), 7.1(0)PDB(0.317), 7.1(0)SIB(99.82), 7.2(0)D1(0.360), 7.2(0)D1(1), 7.2(0)N1(0.43) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu76369 | Title: | Random characters in show ip igmp policy statistics reports vlan |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Random characters are observed in the output of 'show ip igmp policy statistics vlan <>'
Nexus9k# show ip igmp policy statistics reports vlan 100
Interface \6?? doesn't exist
Nexus 9k# show ip igmp policy statistics reports vlan 100
Interface tN?? doesn't exist
Conditions: An SVI is not deployed on the Nexus 9k and 'show ip igmp policy statistics reports vlan <>' is executed for the VLAN.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 7.3(0)D1(0.72), 7.3(0)RTG(0.20) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut75242 | Title: | ISSU upgrade: igmp HAP reset |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: An ISSU upgrade on a Nexus 6000 experiences a HAP reset when upgrading to 7.0(5)N1. On the vPC peer, each chassis crashes while the other is in the process of upgrading:
At 764728 usecs after
Reason: Reset triggered due to HA policy of Reset
Service: igmp hap reset
Version: 7.0(2)N1(1) << crash on standby as primary is in the process of upgrading during ISSU
At 203979 usecs after
Reason: Reset triggered due to HA policy of Reset
Service: igmp hap reset
Version: 7.0(5)N1(1) << crash on primary as standby is in the process of upgrading during ISSU
Conditions: The device(s) experiences an 'igmp' process HAP reset during this upgrade regardless of whether or not the Aggregate is provisioned for igmp/multicast.
Workaround: N/A
Further Problem Description:
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 7.2(0)N1(0.117) |
|
Known Fixed Releases: * | 7.0(3)I2(0.519), 7.0(3)I2(1), 7.0(7)N1(0.293), 7.0(7)N1(1), 7.0(7)ZN(0.188), 7.2(1)D1(0.9), 7.2(1)N1(0.242), 7.2(1)N1(1), 7.2(1)ZD(0.8), 7.2(1)ZN(0.8) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu66267 | Title: | LISP: implicit iid 0 does not get assigned with proxy-itr configuration |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: LISP traffic encapsulated with no Instance-ID may fail to be forwarded on the eTR/PeTR
Conditions: The problem depends on configuration sequence and timing, i.e. is a race condition.
Workaround: Configure explicitly "lisp instance-id 0" in the VRF that receives LISP-encapsulated packet with no Instance-ID
Further Problem Description:
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 7.2(0.70), 7.3(0)ZD(0.10) |
|
Known Fixed Releases: * | 7.3(0)D1(0.72), 7.3(0)RTG(0.21) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtr38849 | Title: | N7K: Policy stats do not work when Object-groups are used in ACLs |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | QoS Policy stats do not work when object-groups are used in ACLs that define the class-maps.
Symptom: packet count is 0 for object group acl's
Conditions: when object groups are used
Workaround: Avoid use of object groups if stats are critical. Functionality of object groups is not broken.
Further Problem Description: packet count is 0 for object group acl's match filters
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 5.1(3) |
|
Known Fixed Releases: * | 7.0(0)FFW(0.11), 7.0(0)HSK(0.499) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv80861 | Title: | Forwarding address is set if the route is learned via multi-hop eBGP |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: Forwarding address in OSPF type-5 LSA is set when route is learned via multi-hop eBGP
Conditions: redistributing multi-hop eBGP routes into OSPF.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCud03123 | Title: | PIM Hello on EFP dropped |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: * | Symptom: PIM hello packets received on an EFP interface are getting dropped
Conditions: PIM neighbors not formed behind EFP interface.
Workaround(s): None.
Workaround: More Info:L2tp with efp is not committed for freetown. L2mcast/EFP is also not a freetown requirement.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 6.2(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCus63044 | Title: | High CPU usage causes LDP service crash |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The LDP process is terminated with signal 11 and a core file generated. The process is terminated by sysmgr because it failed to respond to heartbeats.
Conditions: Occurs when the system is under high load.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 6.2(8)E10 |
|
Known Fixed Releases: | 6.2(10)E5, 6.2(13.3)S0, 6.2(14)FB(0.65), 6.2(8)E10, 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.417) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCur32003 | Title: | Applied bgp peer-policy may be missing in running-config |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: BGP and running-configuration are out of sync. Depending on the configuration sequence, one of the following two symptoms may come up:
1. The inherit CLI is in effect in BGP, but the inherit CLI is missing in running-config
2. The inherit CLI is shown in running-config but BGP does not take action on send-community inherited from template.
Conditions: The problem is observed when send-community standard/extended/both command is inherited from a peer-policy template
Workaround: Configure send-community standard/extended/both under individual neighbors instead of inherit from template
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S100 |
|
Known Fixed Releases: | 6.2(13.4)S0, 7.0(0)BZ(0.46), 7.0(0)HSK(0.357), 7.1(0)AV(0.38), 7.1(0)D1(0.330), 7.1(0)OTT(0.47), 7.1(0)PDB(0.283), 7.1(0)SIB(99.68), 7.2(0)D1(1), 7.2(0)N1(0.15) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCur89779 | Title: | (S, G) not timing out even if there is no traffic |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: (S, G) entries are alive in network long after source has stopped sending traffic
Conditions: In RP on a stick scenario. While Source S was active and RP received a (S, G, Rp-bit) prune message. There are active Receivers for G in the network joining shared tree even after Source has stopped but Unicast route to source is not changed.
Workaround: Removing unicast route towards Source may help.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(12)S33, 7.1(0)D1(0.320), 7.3(0)ID(0.5) |
|
Known Fixed Releases: | 6.2(13.8)S0, 7.1(2)N1(0.574), 7.1(2)N1(1), 7.1(2)ZD(0.23), 7.1(2)ZN(0.35) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv73609 | Title: | Anycast HSRP group may remain in Initial state after shut/no shut |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: On a Nexus 7000, a HSRP group in listen state may go to initial state after a shut/no shut
Conditions: The exact conditions for this issue are not known.
Workaround: Removing all vlans from the anycast HSRP group, adding a single vlan followed by adding the remainder brings the group back to listen state.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv10652 | Title: | "bfd optimize subinterface" is lost after upgrade from 5.2(9) to 6.2(2) |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: "bfd optimize subinterface" configuration is lost when upgrading from 5.2.9 to 6.2.x
Conditions: "bfd optimize subinterface" is configured and upgrade is directly from 5.2.x to 6.2.x.
Workaround: NA
More Info:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: | 6.2(13.11)S0 |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua32410 | Title: | ifmgr crashed during N7K sup1 image boot |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: ifmgr crashes when booting N7K system image.
Conditions: boot N7K switch using this image
Workaround: There is no workaround.
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 6.2(1) |
|
Known Fixed Releases: * | 8.3(0)CV(0.118) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv52969 | Title: * | L2FM-M3-IT:f4_l3 crash while exec "sh hardwa intern statisti dev port" |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom:
Conditions:
Workaround:
Further Problem Description:
[New process 1212]
#0 0x0e7b36c4 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
in ../nptl/sysdeps/unix/sysv/linux/raise.c
Thread 1 (process 1212):
#0 0x0e7b36c4 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x0e7b8890 in *__GI_abort () at abort.c:88
#2 0x0e7ee0a4 in __libc_message (do_abort=2, fmt=0xe8d5794 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:173
#3 0x0e7fa774 in malloc_printerr (action=3, str=0xe8d588c "free(): invalid pointer", ptr=) at malloc.c:5974
#4 0x0e7fc550 in *__GI___libc_free (mem=0x100fcb50) at malloc.c:3625
#5 0x0f9a50b4 in mtrack_int_free (ptr=0x100fcb68, memseg=) at ../utils/malloc_track/mtrack.c:2753
#6 0x0fd06e88 in mtrack_free (ptr=) at ../include/isan/mtrack.h:312
#7 0x0fdd3690 in statlib_collect_counter_group (p_cb=0x1013c210, p_ctrarray=0x104c0888, n_collected=0xbfcc58d0, start_inst=0, stop_inst=0, force=1) at ../utils/usd/stats_infra/src/stat_util.c:1336
#8 0x0fdd4ec8 in statlib_get_requested_counter (p_cb=0x1013c210, p_req=0xbfcc5da4, n_ctrs=1501, getflags=2147483647, specflags=4294967295, behaviour=16, instance_bitmask=1, p_fp_port_bitmask=0xbfcc5a58) at ../utils/usd/stats_infra/src/stat_util.c:1798
#9 0x0fdc8250 in stat_lib_get_stats_newreq (p_cb=0x1013c210, p_req=0xbfcc5da4, p_rsp=0x104a31f0) at ../utils/usd/stats_infra/src/stat_main.c:1150
#10 0x0fdc9890 in stat_lib_get_stats (hdl=269730320, p_req=0xbfcc5da4, p_rsp=0x104a31f0) at ../utils/usd/stats_infra/src/stat_main.c:1390
#11 0x0fdbd808 in usd_drv_get_stats (flag=CALLED_FROM_USER_SPACE, cmd=239, p_data=0x104a31f0) at ../utils/usd/libusd/usd_stats.c:65
#12 0x0fd9cfb8 in usd_sse_process_msg (q=5, msg_ref=0x104a28c8) at ../utils/usd/libusd/usd_sse.c:824
#13 0x10067758 in f4_l3_sse_hdlr (cb_data_p=) at ../platform/dc3/f4/f4_l3/f4_l3_services.c:6043
#14 0x0fdadd40 in usd_handle_event (psel_data=0x104a28c0) at ../utils/usd/libusd/usdw_main.c:344
#15 0x0fdae2c4 in usd_loop () at ../utils/usd/libusd/usdw_main.c:466
#16 0x1005fa38 in main (argc=, argv=) at ../platform/dc3/f4/f4_l3/f4_l3_main.c:386
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 7.0(0)HSK(0.493) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo61536 | Title: | OSPF/OSPFv3: Summay-address should allow tag value from 0-4294967295 |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Tag value for summary address can only be configured from 1 - 65535 using summary-address configuration.
Conditions: Always
Workaround: None
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 7.1(0)ZN(0.215) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.1(0)IB(120), 7.2(0)CF(0.11), 7.2(0)D1(0.481), 7.2(0)D1(1), 7.2(0)VZD(0.26) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCum77349 | Title: | checkpoint captured in 'show tech all' of NXOS displays snmp communities |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: tac-pac and 'show tech-support all' incorrectly include SNMP community strings in plain text, as well as the local user account MD5 hashes.
Conditions: The problem is seen with the 'show checkpoint' output included in show tech.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.1(4) |
|
Known Fixed Releases: * | 6.2(10.21)S0, 6.2(12), 6.2(12)FT(0.9), 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.0(0)KM(0.119), 7.0(0)KMS(0.11), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.1(0)SIB(99.83) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus55175 | Title: | Gracefully handle the breakout failure from aclqos in dce-qos |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: The VDC bind for the breakout ports is not failed upon execution of the breakout CLI.
Conditions:
- ACLQoS returns failure for the breakout TLV verify message.
- ACLQoS does not return a response within the timeout period.
Workaround: To recover from the breakout failures introduced by Qosmgr, move the front panel port of the failed breakout interface to a different VDC (through the allocate interface command; this internally executes the no breakout sequence and cleans up the allocated hardware resources), and then reassign those FP ports to the VDC where they were earlier (again through the allocate interface command). For example:
1. Breakout of interface Eth 3/1 failed in VDC-2.
2. Allocate interface Eth 3/1 to the default VDC or some other VDC (allocate interface Ethernet 3/1).
3. Then reallocate Eth 3/1 to VDC-2.
Further Problem Description: If the breakout CLI failed due to an error or timeout in ACLQOS, there was no console error. This fix propagates the error to VMM so that it can handle it appropriately. CSCus85678 was raised to fix the recovery / error message.
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S102 |
|
Known Fixed Releases: * | 6.2(12)E5, 6.2(13.3)S0, 6.2(14)FB(0.64), 7.1(0)ES(0.7), 7.1(0)SIB(99.92), 7.2(0)BA(0.12), 7.2(0)CF(0.11), 7.2(0)D1(0.408), 7.2(0)D1(1), 7.2(0)FM(0.3) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup80771 | Title: | In N7K storage VDC show tech-support shouldn't run show commands for eth |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: In an N7K storage VDC, the show tech-support details command runs show commands for Ethernet features, and these produce syntax errors.
Conditions: N7K running with a storage VDC
Workaround: None
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(8)S35 |
|
Known Fixed Releases: * | 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.411), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)PDB(0.353), 7.2(0)RTG(0.113), 7.2(0)VZD(0.6), 7.2(0)ZD(0.97) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus74278 | Title: | CPAK TX laser sending off in shut configuration at first time insertion |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Laser is on when a CPAK is inserted into a shut-down port
Conditions: Normal condition
Workaround: There is no workaround
Further Problem Description: N/A
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: * | 7.0(0)BZ(0.46), 7.0(0)HSK(0.395), 7.1(0)AV(0.74), 7.1(0)ES(0.7), 7.2(0)CF(0.11), 7.2(0)D1(0.430), 7.2(0)D1(1), 7.2(0)FM(0.3), 7.2(0)PDB(0.355), 7.2(0)VOF(0.2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCti04026 | Title: | undocumented user available with default password on nx-os systems |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: * | Summary: There is an undocumented username that is added automatically by the installation process to an NX-OS system. This username is ftpuser, and it is possible to establish a session using this username. However, the user account does not have any shell privileges and may not be exploited in any known way.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0 CVE ID has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 4.0(4)SV1(2), 5.1(3) |
|
Known Fixed Releases: | 4.2(8)S3, 4.2(8)S8, 4.2(8.17)S0, 4.2(8.5)S0, 5.1(10.1)S0, 5.2(0.221)S0, 7.0(1)ZD(0.3), 7.2(0)ZN(0.111) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu13792 | Title: | VPC doesn't come up after HMM is enabled |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: VPC peer-link comes up
Conditions: two sides of port-channel mismatch
Workaround: none
Further Problem Description:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 7.2(0)VZN(0.1) |
|
Known Fixed Releases: * | 7.0(0)FHS(0.23), 7.2(0)VZD(0.40), 7.3(0)D1(0.21), 7.3(0)D1(0.33), 7.3(0)DHB(0.2), 7.3(0)HM(0.36), 7.3(0)IB(0.35), 7.3(0)OTT(0.8), 7.3(0)RTG(0.39), 7.3(0)SL(0.73) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus63973 | Title: | "STP Pseduo-info" missing in "show run/start" when MST is used in VPC+ |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: 'show running-config spanning-tree' or 'show startup-config' does not show 'spanning-tree pseudo-information' when it is configured specifically.
Example:
show run spanning-tree or show startup-config
!
spanning-tree mode mst
spanning-tree mst 0-2 priority 4096
spanning-tree mst configuration
  name cisco
  instance 1 vlan 100
  instance 2 vlan 200
spanning-tree pseudo-information => ONLY THIS LINE IS MISSING <=
  mst 0-2 root priority 0
Conditions:
- MST is used in a vPC+ setup
- spanning-tree pseudo config is used to change the priority of the root.
Workaround: Not needed, as the issue seems to be cosmetic, i.e. it does not affect the functionality of the pseudo config
Further Problem Description: This can be seen on Nexus 7000/5000/6000 configured in vPC+
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 7.0(0)FHS(0.23), 7.1(0)ES(0.24), 7.2(0)BA(0.25), 7.3(0)D1(0.28), 7.3(0)DHB(0.2), 7.3(0)HM(0.36), 7.3(0)IB(0.35), 7.3(0)OTT(0.8), 7.3(0)PDB(0.15), 7.3(0)RTG(0.39) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuh71028 | Title: | vrrpv3 doesnt show the correct interface during conflict |
|
Status: * | Fixed |
|
Severity: | 4 Minor |
Description: * | Symptom: While configuring vrrpv3, if there is a conflict, vrrpv3 always shows interface 0. vrrpv3 should show the correct interface instance.
Conditions: Configuration
Workaround: None. Just a diagnostic issue when the user tries to misconfigure the feature
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(1.143)S3 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo56967 | Title: | incorrect msg when otv is enabled in "f2e f3" vdc |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: When a user tries to enable 'feature otv' in a VDC that has F3 and F2e it prints the following error:
switch-al-otv(config)# feature otv
Feature otv not supported in F2E without M1, M1XL or M2XL VDC
OTV can be enabled with F3 when the VDC is a F3 only VDC. OTV cannot be enabled for F3/F2e VDCs. The error message should read:
"Feature OTV is not supported on F3 + F2E VDC, only pure F3 VDC type is supported"
Conditions: - Nexus 7000 - F3/F2e VDC
Workaround: None
Further Problem Description: A user will be able to enable 'feature otv' in a F3 only VDC, then go back and add the F2e module-type and interfaces but this is unsupported and should not be allowed. Please see CSCuj08074: Feature OTV enabled on a f2e f3 module-type vdc
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(10)FM(0.18) |
|
Known Fixed Releases: * | 7.3(0)RTG(0.57) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCum77376 | Title: | Need to Supress Pim Message PIM-6-ROUTE_LOOKUP |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom:
2014 Jan 13 15:08:35 nexus2 PIM-6-ROUTE_LOOKUP pim [5984] Couldn't find PIM route (*, 224.0.0.0/4) in pim_process_mfdm_stats_msg()
2014 Jan 13 15:08:45 nexus2 PIM-4-SYSLOG_SL_MSG_WARNING PIM-6-ROUTE_LOOKUP: message repeated 3 times in last 78 sec
2014 Jan 13 15:09:26 nexus2 PIM-6-ROUTE_LOOKUP pim [5984] Couldn't find PIM route (*, 224.0.0.0/4) in pim_process_mfdm_stats_msg()
Conditions: When upgraded to 6.2(x) code
Workaround: Reduce the PIM logging severity to 4 or 5.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(6) |
|
Known Fixed Releases: * | 7.3(0)D1(0.72), 7.3(0)DHB(0.31), 7.3(0)RTG(0.43), 7.3(0)ZD(0.85), 7.3(0)ZN(0.92) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCth31803 | Title: | N7K: STP-2-VPC_PEERSWITCH_CONFIG_DISABLED on VDCs with no peer-switch |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: | STP-2-VPC_PEERSWITCH_CONFIG_DISABLED syslog message displayed on VDCs that do not have vPC or STP configuration. |
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: * | 5.0(2a), 6.1(2), 6.1(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun66725 | Title: | MST switch sends simulated RPVST bpdus on boundary ports no warning. |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: * | Symptom: In a VPC network with an N3k as an access switch, Spanning Tree in MST mode does not work. The port-channels stay in Blocking state.
Conditions: Must have similar MST config in both N7k and N3k in a VPC network.
Workaround: The spanning-tree mode is rapid-pvst in the N3k switch.
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 6.2(8)S0 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus71342 | Title: | F3 - MAC not installed when ARP bcast received on vlan with SVI |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: MAC address not learned in VLAN with SVI from ARP bcast only in F3 cards. Impact of issue is unexpected flooding or longer time to learn mac as it will need bidirectional traffic.
Conditions: Happens with conversational learning enabled, when an FP core port receives an ARP bcast in a VLAN with an SVI
Workaround: none
Further Problem Description:
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.45), 7.2(0)D1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCum23095 | Title: | PIM not auto-enabled in passive mode for Vinci enhanced multicast |
|
Status: * | Terminated |
|
Severity: | 4 Minor |
Description: | Symptom: PIM is not auto-enabled on vinci vlans if "feature pim" is enabled after "ip multicast fabric-forwarding"
Conditions: "feature pim" is enabled after "ip multicast fabric-forwarding"
Workaround: Do the following two steps:
"no ip multicast fabric-forwarding"
"ip multicast fabric-forwarding"
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 6.0(2)N3(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua92729 | Title: | configure Order of show run vlan x is changed by feature dhcp |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Order of configuration of interface vlan is changed by 'feature dhcp'
Conditions:
- Configure 'feature dhcp', and then the order of the configuration changes at interface vlan.
- To my knowledge, 'description' and 'no shutdown' are affected.
- This issue has no impact on the system.
// before
interface Vlan4
  description VLAN4 <<<<
  no shutdown <<<<
  ip address 10.32.192.9/29
  ip router eigrp 1
  ip authentication mode eigrp 1 md5
  ip authentication key-chain eigrp 1 tsbinternet
  hsrp 4
    preempt
    priority 105
    ip 10.32.192.14
// after
interface Vlan4
  ip address 10.32.192.9/29
  ip router eigrp 1
  ip authentication mode eigrp 1 md5
  ip authentication key-chain eigrp 1 tsbinternet
  hsrp 4
    preempt
    priority 105
    ip 10.32.192.14
  description VLAN4 <<<<
  no shutdown <<<<
Workaround: none
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 5.2(4), 5.2(7), 6.0(2), 6.1(2), 6.2(12) |
|
Known Fixed Releases: * | 7.3(0)D1(0.79), 7.3(0)ZD(0.92) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut10399 | Title: | MAC address flooding on F3 linecard |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Brief flooding is noticed when vPC leg, on which the mac-address is learnt, is shut.
Conditions: 1. Happens only on F3 modules. 2. The mac-address is learnt only on one leg of vPC due to polarized flow.
Workaround: No workaround; this is the default behavior.
Further Problem Description: Per the original design, when a vPC leg is shut, the mac-address aging logic purges the mac-address if it was learnt only on that vPC leg, causing temporary flooding until the mac-address is learnt on the other vPC leg.
This fix provides a configuration knob, "mac address-table aging-mode portchannel-refresh", to prevent the temporary flooding. Instead, the MAC waits for a full age cycle across all the members before it is purged.
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: * | 6.2(12), 7.3(0)D1(0.64) |
|
Known Fixed Releases: | 6.2(13.3)S0, 6.2(14)FB(0.27), 6.2(14)FB(0.29), 6.2(14)FB(0.30) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo12969 | Title: | ER-2-SYSTEM_MSG: fatal: Write failed:length of packet causing error 68 |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: | Symptom: The following messages were observed on Nexus-7710 during NX-OS version 6.2(8) [build 6.2(7.30)] testing. These messages appeared multiple times in the system log, and I would request a clear interpretation of these messages, as the customer would also request the same. Also, there was no functional or operational impact observed on ssh after getting these messages.
2014 Apr 2 22:09:43.569 k7-nac-7706-01 ER-2-SYSTEM_MSG: fatal: Write failed: Broken pipe .Client is 9.0.1.214,length of packet causing error 68 68 - sshd
2014 Apr 5 00:00:35.978005 k7-nac-7710-01-EDNL2 2-SYSTEM_MSG: fatal: Write failed: Broken pipe .Client is 9.0.1.214,length of packet causing error 140 140 - sshd
2014 Apr 5 06:00:37.017037 k7-nac-7710-01-EDNL2 2-SYSTEM_MSG: fatal: Write failed: Broken pipe .Client is 9.0.1.214,length of packet causing error 140 140 - sshd
Conditions:
Workaround: None so far but there was no operational or functional impact observed on ssh.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: * | 6.2(8)BF(0.3), 7.3(0.56) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur25927 | Title: | "logging level session-mgr 7" not shown in running config after sso |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Logging level configuration "logging level session-mgr 7" got lost after switchover.
Conditions: Problem happened only after switchover.
Workaround: Manually configure "logging level session-mgr 7" again after switchover.
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S98 |
|
Known Fixed Releases: * | 7.3(0)IB(0.46) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut66193 | Title: | MCAST MET table shows negative utilization percentage |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: * | Symptom: show hardware capacity forwarding | beg met
Feature       Used    %Used    Free     Total    mcast-groups
----------------------------------------------------
UFIB ECMP     48      0.14     32720    32768
FCFIB ECMP    0       0.00     32720    32768
MFIB MET      31549   192.55   -15165   16384    28
MFIB MET showing more than 100% utilization.
Conditions: The customer had intermittent multicast packet drops in their network. After troubleshooting it was found that FIB TCAM and MET table were being exhausted.
%IPFIB-SLOT3-4-CLP_FIB_MCASTMET_EXHAUSTED: Met entry allocation from multicast region failed on instance 3
VDC2 %L2MCAST-SLOT3-2-L2MCAST_MAC_FULL_LC: Failed to insert entry in MAC table for FE 3 swidx 332 (0x14c) with err (mac table full).
After fixing the issue, no more logs were seen regarding met table exhaustion. But met utilization still shows wrong numbers.
However, "sh system internal forwarding multicast met utilization" output shows the proper output:
MET usage statistics for Instance 1
Total entries   Total Used   %Used   Free    %Free   Blk-Used   Mgroup
-----------------------------------------------------------------------------------------
16384           204          1.24    16180   98.75   15         24
Workaround: Can use "show system internal forwarding multicast met utilization" on LC to obtain the same information.
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 6.2(8a) |
|
Known Fixed Releases: * | 7.2(1)D1(0.65), 7.2(1)ZD(0.57), 7.3(0)PDB(0.43) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua04911 | Title: | Entering '@' symbol during console authentication removes previous text |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: * | Symptom: When logging into the console on a Nexus switch, if you attempt to enter a username with an '@' symbol, all the previous text and the '@' are cleared from the line.
Conditions: This happens with all versions of Nexus. Radius and TACACS+ authentications over SSH allow users with an '@' in the username.
Workaround: Use local authentication on the console.
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 6.0(1), 6.0(3) |
|
Known Fixed Releases: | 6.2(0.217) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus06818 | Title: | Ethpm sequence timeout with MCECM |
|
Status: * | Terminated |
|
Severity: | 4 Minor |
Description: | Symptom: The following sequence timeout syslog is seen:
VDC-2 %$ %ETHPORT-2-IF_SEQ_ERROR: Error ("sequence timeout") communicating with MTS_SAP_MCECM for opcode
Conditions: Change system priority and flap peer-link. All vPCs are flapped at both vPC peers
Workaround: No functional impact. No workaround needed. All ports come up.
Further Problem Description: N/A
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 6.2(12)S1 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc94862 | Title: | OSPF Summary LSA with lower cost the only one showing up in database |
|
Status: * | Terminated |
|
Severity: | 4 Minor |
Description: * | Symptom: In a totally stubby area multi-homed on two N7K ABRs, the only summary LSA seen in the database of all OSPF routers is the one with the lowest cost.
Conditions: In a totally stubby OSPF area, Area border routers (ABRs) originate a 0.0.0.0/0 summary Type 3 LSA into the area. In a dual-homed scenario, where two ABRs exist, all routers in the area should list two 0.0.0.0/0 LSAs in their OSPF database - one from each ABR.
This problem occurs extremely rarely when the end user adjusts the cost of LSAs being originated into a totally stubby area on one ABR by using the 'area [area-id] default-cost [cost]' command.
This problem has only ever been seen on initial setup of a totally stubby area.
Workaround: Adjust the cost a second time, higher or lower, then revert to the original desired cost using the 'area [area-id] default-cost [cost]' command.
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 5.1(5) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv45421 | Title: | Multicast source address inverted in igmpv3 event-history log message |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom: Incorrect SRC address in log IGMP event-history message:
#show ip igmp snooping event-history vlan
2015 Jul 15 15:00:48.128938 igmp [1663]: [1676]: SN: <405> Received v3 Group-source-specific query for 239.195.1.3 from 10.21.25.252 on Vlan405 (mrt 1 sec)
2015 Jul 15 15:00:48.128928 igmp [1663]: [1676]: SN: <405> Received a v3 GSS-Query for group 239.195.1.3 (source-count 1) on Vlan405 (mrt 1 sec) src0:225.253.203.91, srcN:225.253.203.91
Conditions: N7k + IGMPv3 + IGMP snooping
Workaround: none
Further Problem Description:
|
|
Last Modified: | 08-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 7.3(0)RTG(0.50) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup43885 | Title: | Verified Scalability Guide for WCCP for N7k needs to be published |
|
Status: | Open |
|
Severity: | 5 Cosmetic |
Description: * | Symptom: For the N7k platforms there is no verified scalability number available to confirm. It needs to be clearer to customers which scalability limits on WCCP programming are supported. To accomplish this, we should document a Verified Scalability Guide for WCCP which details a number of potential profiles that we can reliably support.
Conditions: In certain scenarios where customers migrate from Cat6k to N7k, they end up consuming all the resources due to a large number of policies.
One scenario:
- Number of interfaces: 60
- WCCP service groups: 8
- Each WCCP service group has 8 or more ports attached.
- 5 ACLs, each over 200 lines
- MASK value: 7F
In the above scenario the box was not even able to modify the policies in 5 minutes, and SPM timed out. Only lowering the mask to 0xF didn't help.
Workaround:
- Lower the number of interfaces WCCP is applied to.
- Lower the mask value.
- Reduce the number of ports attached to each service group.
- Reduce the number of lines in the ACL.
Further Problem Description:
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 6.0(1)S3 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCui26026 | Title: | Show running-config int Vlan X doesnt show VRRP track configuration |
|
Status: * | Other |
|
Severity: | 5 Cosmetic |
Description: | Symptom:
- Show running-config int Vlan X doesn't show Track configuration in VRRP, and hence VRRP track is not working for the VLAN
- But show startup-config does
Example output:
!Command: show running-config interface Vlan2300
interface Vlan2300
  no shutdown
  ip address 10.10.10.10/24
  vrrp 1
    priority 105
    address 10.10.10.1
    no shutdown
N7K4_Default-Peer1# sh startup-config interface vlan 2300
interface Vlan2300
  no shutdown
  ip address 10.10.10.10/24
  vrrp 1
    priority 105
    track 1 decrement 254
    address 10.10.10.1
    no shutdown
Conditions: Sup1 6.1(1) or 6.1(3) vPC set up ! VRRP is configured on SVIs with object tracking enabled
Example config:
version 6.1(3)
track 1 ip route 0.0.0.0/0 reachability
!
interface Vlan2300
  no shutdown
  ip address 10.10.10.10/24
  vrrp 1
    priority 105
    track 1 decrement 254
    address 10.10.10.1
    no shutdown
Trigger: Remove and reconfigure the SVI
Workaround: System Switchover
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 6.1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuf03433 | Title: | %RPM-3-MTS_SEND: rpm [6154] Error returned from mts_send() |
|
Status: * | Terminated |
|
Severity: | 5 Cosmetic |
Description: | Symptom: 2013 Mar 7 18:28:33 n7k1-LHR-r4 %$ VDC-2 %$ %RPM-3-MTS_SEND: rpm [6154] Error returned from mts_send(), errno: fu ha standby message queued (0x00000020) in rpm_pbr_am_notify()
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 6.2(1.129)S3, 6.2(1.42)S1 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur57296 | Title: | Sup2E needs to report internal resetreason more accurately during SWover |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom: During a switchover, the internal reset-reason reports the last reload reason as a hardware watchdog, which can be misleading. The system reset-reason accurately reports the switchover:
N7K# show system reset-reason
----- reset reason for module 1 (from Supervisor in slot 1) ---
1) At 749228 usecs after Wed Nov 5 17:19:16 2014
   Reason: Reset triggered due to Switchover Request by User
   Service:
   Version: 6.2(10)
+++++
N7K# show logging onboard module 1 internal reset-reason
---------------------------- Module: 1 show clock ---------------------------- 2014-11-05 17:46:59 Last log in OBFL was written at time Wed Nov 5 17:23:50 2014
Reset Reason for this card:
Image Version : 6.2(10)
Reset Reason (LCM): Unknown (0) at time Wed Nov 5 17:23:34 2014
Reset Reason (SW): Unknown (0)
Reset Reason (HW): Watchdog Timeout (2) at time Wed Nov 5 17:23:34 2014
Last log in OBFL was written at time Wed Nov 5 17:10:28 2014
Conditions: This issue has been seen on a Sup2E. The internal reset-reason is reported as expected for a Sup1.
Workaround: None.
Further Problem Description: Note: This bug is filed to address a cosmetic issue and should not address any functionality or introduce any changes in behavior during switchover operations.
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10) |
|
Known Fixed Releases: * | 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)CF(0.11), 7.2(0)D1(0.469), 7.2(0)D1(1), 7.2(0)PDB(0.394), 7.2(0)VZD(0.26) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuo45167 | Title: | Multicast v6 Vinci: src type is still named "ngmvpn" not "fabric_mcast" |
|
Status: | Open |
|
Severity: | 5 Cosmetic |
Description: | Symptom: OIF name is listed as ngmvpn instead of fabric_mcast in the show ipv6 mroute output when fabric_mcast process has added the OIF.
Conditions: All conditions
Workaround: no workaround
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 7.0(0)FVX(0.114) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv95965 | Title: | Invalid/Junk rate Counters on F2e ports |
|
Status: | Open |
|
Severity: | 5 Cosmetic |
Description: | Symptom: Incorrect counter values seen on "show interface" output.
Load-Interval #1: 30 seconds
  30 seconds input rate 12809305549613800 bits/sec, 0 packets/sec
  30 seconds output rate 14247238984635495144 bits/sec, 165745683603626240 packets/sec
  input rate 12809305.00 Gbps, 0 pps; output rate 14247238656.00 Gbps, 165745696.00 Gpps
Load-Interval #2: 5 minute (300 seconds)
  300 seconds input rate 1053598559133522304 bits/sec, 30334100 packets/sec
  300 seconds output rate 10854500997082648960 bits/sec, 400023229658757888 packets/sec
  input rate 1053598528.00 Gbps, 30.33 Mpps; output rate 10854501376.00 Gbps, 400023232.00 Gpps
Negative counter values seen on the F2E ports.
Hardware statistics on module 04:
|------------------------------------------------------------------------|
| Device:Clipper MAC Role:MAC Mod: 4 |
| Packets
|------------------------------------------------------------------------|
Instance: 0 Ports:1-4
|----------|-------------------|------------------|
|          | IN                | OUT              |
|----------|-------------------|------------------|
|Ingress   | -000000000000004  | 0000000010250593 |
|----------|-------------------|------------------|
|Egress    | 0000001237358558  | 0000002495477740 |
|----------|-------------------|------------------|
Clearing the counters and bouncing the ports doesn't resolve the issue.
Conditions: So far seen on N7K running 6.2(12) code with an F2E module.
Workaround: None
Further Problem Description: CU upgraded from 6.2.8a to 6.2.12 (non ISSU)
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 6.2(12) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCue29375 | Title: | SA failure: feature/dpvm/server/dpvm_mts.c |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom:
Conditions:
Workaround:
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 6.2(1.13) |
|
Known Fixed Releases: * | 6.2(1.15)S0, 6.2(2), 7.0(0.5), 7.0(3)IFC2(1), 7.0(3)IFC2(1.2), 7.0(3)IFC3(1), 7.0(3)IFC3(1.2), 7.0(3)IFD1(0.1), 7.0(3)IFD1(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCto33777 | Title: | No check in vPC for STP pathcost method |
|
Status: | Open |
|
Severity: | 5 Cosmetic |
Description: * | Symptom: The STP cost on vPC peers may differ. This might result in an inconsistent STP topology.
Conditions: The STP pathcost method (long or short) is currently not checked in the vPC global consistency check. If this parameter is configured differently on the two vPC peers, it could result in different STP path cost values.
Workaround: Avoid configuring different STP pathcost methods on vPC peers.
Further Problem Description: It is recommended to have the same STP pathcost method throughout the STP domain. Currently the recommended STP pathcost method is long for environments that use 10GE links in the STP domain.
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: * | 4.2(6), 5.1(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtx20125 | Title: | show spanning-tree vlan X - remove blank line every 128th entry |
|
Status: | Open |
|
Severity: | 5 Cosmetic |
Description: * | Symptom:
A blank line is printed every 128th entry when show spanning-tree vlan is issued. This can lead to misleading counts when this output is piped into wc lines.
Conditions:
This occurs when greater than 128 entries are displayed.
Workaround:
When piping this output into wc lines, exclude blank lines using the exclude pipe and a ^$ regex. For example:
show spanning-tree vlan 100 | begin --- | exclude ^$ | wc lines |
|
Last Modified: | 29-AUG-2015 |
|
Known Affected Releases: | 6.0(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut78155 | Title: | Add granular GM-LSP statistics for FabricPath IS-IS |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: "sh fabricpath isis traffic ethernet x/y" shows all LSPs summed into a single value. It needs to show GM-LSP in a separate row:
S1# sh fabricpath isis traffic ethernet 4/5
Fabricpath IS-IS domain: default
Fabricpath IS-IS Traffic for Ethernet4/5:
PDU       Received   Sent      RcvAuthErr   OtherRcvErr   ReTransmit
P2P-IIH   1195500    1195504   0            0             n/a
CSNP      2          1         0            0             n/a
PSNP      127592     151578    0            0             n/a
LSP       154109     128906    0            0             0
S1#
Conditions: When you run fabricpath and monitor the traffic using "sh fabricpath isis traffic ethernet x/y" or "sh fabricpath isis traffic"
Workaround: No Workaround
Further Problem Description:
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 7.2(0.10) |
|
Known Fixed Releases: * | 7.3(0)D1(0.63), 7.3(0)DHB(0.2), 7.3(0)HM(0.47), 7.3(0)OTT(0.19), 7.3(0)PDB(0.25) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup59661 | Title: | Need CLI to display timeout scale value negotiated with client |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom: new timeout scale value: 3(negotiated with client
Conditions: new timeout scale value: 3(negotiated with client
Workaround: new timeout scale value: 3(negotiated with client
Further Problem Description: new timeout scale value: 3(negotiated with client
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 6.2(10)S7 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCug73804 | Title: | Support for Internal PortLoopback test for Luke LC |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: No Internal (non-disruptive) portloopback test support for Luke LC prior to freetown maintenance release.
Conditions: None. Dev filed bug.
Workaround: None.
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 6.9(0.1) |
|
Known Fixed Releases: * | 6.2(0)HS(0.10), 6.2(1.137)S0, 6.2(2), 6.2(7)FM(0.6), 7.0(0)ZD(0.84), 7.0(3)IFC2(1), 7.0(3)IFC2(1.2), 7.0(3)IFD1(0.1), 7.0(3)IFD1(1) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv70984 | Title: | DOC: OTV VDC using F3 should not have the VLAN mode as Fabricpath |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: OTV Remote MAC learnt on ISIS and software but not hardware. This causes traffic blackhole for unicast.
Conditions: F3 OTV
Workaround: Change the VLAN mode to CE
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun03489 | Title: | [LIM] NxOS Scale Optimizations for 6.2.10 |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom: None.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 6.2(6)S1 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv68794 | Title: | PBR to a recursive DFA NextHop does not work |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: PBR to a recursive DFA NextHop does not work
Conditions: PBR to a recursive DFA NextHop does not work
Workaround: PBR to a recursive DFA NextHop does not work
Further Problem Description: PBR to a recursive DFA NextHop does not work
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.2(1)D1(0.32) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv62567 | Title: | Early laser cut required on all ports during VDC bring down |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: When a VDC is reloaded, the device connected to it might see the ports going down late resulting in traffic blackhole.
Conditions: Not known at this point.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(8a) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc29116 | Title: | NXOS must follow IOS format for BFD interval CLI on port-channels |
|
Status: * | Terminated |
|
Severity: | 6 Enhancement |
Description: * | Symptom: BFD configured on port-channel with un-supported timer.
Conditions: Configure BFD timer less than 250 x 3 ms on port-channel.
Workaround: Always make sure that the BFD timer configured on the port-channel is at least 250 x 3 ms.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus61786 | Title: | Need external loopback test added to GOLD |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Need to add external loopback test to the Generic Online Diagnostics(GOLD) tests.
Conditions: Applies to platforms that use GOLD such as MDS 9700.
Workaround: None.
Further Problem Description: OHMS, which is the internal testing infrastructure on other MDS platforms, does have an external loopback test. GOLD needs to offer similar functionality.
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.2(13)FM(0.15), 6.2(9) |
|
Known Fixed Releases: * | 6.2(11.4)S0, 6.2(11c), 6.2(11c)S1, 6.2(13)FM(0.31), 6.2(13)FM(0.65), 6.2(13)GS(0.13), 6.2(13.1)S0, 7.1(1.72)S0, 7.2(0.55)S0, 7.3(0)D1(0.71) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv65642 | Title: | configuring vni crashes the Line Card UFIB process |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: LC ufib crash
Conditions: vni config command
Workaround: none
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.0(0)HSK(0.494) |
|
Known Fixed Releases: | 7.0(0)FFW(0.11), 7.0(0)HSK(0.522) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCul01739 | Title: | reduce the size of ipqos tech support (42 MB) |
|
Status: | Terminated |
|
Severity: | 6 Enhancement |
Description: | Symptom: The size of ipqos tech support is 42 MB.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 6.2(5.38)S0 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq63391 | Title: | clear ip mroute for NXOS routers. |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: No single CLI to clear multicast state information from all multicast components.
Conditions: The current implementation may remove the state from MRIB but not necessarily from other components that are MRIB clients.
Workaround: Currently, all of the following CLIs may need to be issued to completely remove the multicast state entries:
1. clear ip igmp group vrf [do this only if you don't need traffic from any sources for this group]
2. clear ip pim route vrf
3. clear ip mroute data-created vrf
4. clear ip mroute vrf
Further Problem Description:
|
|
Last Modified: | 22-AUG-2015 |
|
Known Affected Releases: | 6.2(0.278)S10, 6.2(8) |
|
Known Fixed Releases: * | 7.3(0)D1(0.76), 7.3(0)N1(0.103), 7.3(0)N1(1), 7.3(0)ZD(0.89), 7.3(0)ZN(0.96) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtk60962 | Title: | Capability to turn off port channel bundling syslog messages |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Require CLI option to turn on/off port channel interface logging per port channel
Conditions: Configured port channel and member link flap. The current logging event command does not suppress port channel link events.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 22-AUG-2015 |
|
Known Affected Releases: | 4.2(4) |
|
Known Fixed Releases: * | 7.3(0)PDB(0.37) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCud48660 | Title: | Enh: add 'show tech stp' to 'show tech-support details' |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom:
add 'show tech stp' to 'show tech-support details'
Conditions:
useful in debugging spanning tree problems.
Workaround:
execute 'show tech stp' separately
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 6.1(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv65654 | Title: | show system internal forwarding nve command crashes the LC ipfib process |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
module-3# sh system internal forwarding nve
2015 Aug 5 19:21:32 switch %$ VDC-1 %$ %SYSMGR-SLOT3-2-SERVICE_CRASHED: Service "ipfib" (PID 3470) hasn't caught signal 6 (core will be saved).
2015 Aug 5 19:21:35 switch %$ VDC-1 %$ %SYSMGR-SLOT3-2-SERVICE_CRASHED: Service "ipfib" (PID 26454) hasn't caught signal 6 (core will be saved).
module-3# sh system internal forwarding nve peer 1
NVE Vtep interface: 0x49000001, name: nve1
--------------------
Could not find the PEER VLAN object for peer_id : 1, VLAN-ID: 4294967295
Conditions: show system internal forwarding nve command
Workaround: none
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 7.0(0)HSK(0.494) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.533) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv68983 | Title: | Diagnostic result statistics misleading |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: The show diagnostic result ... statistics command online help is misleading. It appears to report test results, but is actually for reporting intermodule test transport statistics.
Conditions: This issue only occurs on Cisco Nexus 7700 and MDS 9700 series systems.
Workaround: None.
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 6.2(13) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv92582 | Title: | Enhancement request for reliable delivery of syslog messages using TCP |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Enhancement request for reliable delivery of syslog messages using TCP
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 7.1(0)N1(0.7) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuh67898 | Title: | PoAP feature over FabricPath for N7K (Gibraltar) |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom: Add FP POAP feature support for N7K Gibraltar
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.2(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu13580 | Title: | Need ssh login grace timeout command in Nexus 5k platform. |
|
Status: * | Other |
|
Severity: | 6 Enhancement |
Description: | Symptom: ip ssh timeout command is not present on the Nexus 5k.
The user cannot configure a login grace timeout, which would enforce negotiation and authentication to be within the login grace time; otherwise the ssh server process will get terminated and the ssh connection cannot be established.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: * | 7.0(7)ZN(0.206) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj20960 | Title: | Improve serviceability of show tech xml |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: This bug requests to add these commands in show tech xml:
show xml server internal exec-info all
show xml server internal history errors
show xml server internal history commands
Conditions: this bug affects software up to 6.2(2)
Workaround: none
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.2(2) |
|
Known Fixed Releases: * | 6.2(10), 6.2(10)FM(0.28), 6.2(10)NO(0.17), 6.2(8)KR(0.8), 6.2(8.9)S0, 6.2(9)FM(0.73), 7.0(3)I2(0.524), 7.0(3)I2(1), 8.3(0)CV(0.123) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCta19766 | Title: | N7K: Need an option to modify ssh known_hosts file |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Need commands to display and edit ssh known_hosts file.
Solution: Will add the commands to export and import the ssh known_hosts file to and from bootflash. Modifying/editing the file as mentioned in the bug could be complicated, so we leave that part to the user.
Since this enhancement is only required in the scenario where IP address is recycled frequently, and no functionality is affected, we will move it to Bogota.
Workaround: As a workaround, the user has to verify the ssh key every time a new IP address is configured using a "yes" when asked for verification.
Other than this, we already have an option to clear the known_hosts file from CLI using the command: clear ssh hosts
This CLI will clear the known_hosts file for the user who executes this command. |
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: * | 4.1(5), 5.1(0.172)S24 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCug55348 | Title: | Enable ability to change syslog destination port |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Needs changes for logging port for syslog.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 5.2(2a), 6.1(2), 6.1(3) |
|
Known Fixed Releases: * | 7.0(0)BZ(0.46), 7.0(0)HSK(0.317), 7.0(0)KM(0.97), 7.0(3)I2(0.496), 7.0(3)I2(1), 7.0(3)IMK2(1), 7.0(3)IMK2(1.15), 7.1(0)BF(0.99), 7.1(0)D1(0.171), 7.1(0)FC(0.2) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCug40913 | Title: | Enhance URIB-UFDM communication to prevent CSCud72318 |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: The switch is unable to program in new routes into hardware.
The number of used buffers for UFDM-URIB communication will be stuck at 9:
switch(config)# show routing mem statistics
URIB SHRD MEM:   allocated   high-water   maximum   current #
                 bytes       bytes        bytes     of allocs
ufdm buffers     1088064     1208960      2096840   9
Conditions: Seen after several days of randomly clearing routes and clearing bgp neighbors.
Workaround: Reboot to recover.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 5.1(5)E2, 6.1(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu02940 | Title: | Mismatch in group-to-RP NLRI format interpretation between BGP & NGMVPN |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: NGMVPN BSR with hash is not properly advertised via BGP MVPN AF.
Conditions: No conditions.
Workaround: A workaround is currently in place from NGMVPN side.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.480) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCug29891 | Title: | Need IPv6 URIB add/delete event-history |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: On IPV4, there is CLI to display each particular prefix's adding and deleting events history for tracking routes update, it doesn't have the same capability on IPV6.
So we request IPV6 URIB add/delete event history support, the CLI is like:
show routing ipv6 event-history add-route
show routing ipv6 event-history delete-route
We need that on both N7k and N3k, N6K platform.
Conditions: none
Workaround: none
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 6.1(3), 7.2(0.10) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCun68802 | Title: | Packets not matched under "sh route-map name pbr-statistics" |
|
Status: | Other |
|
Severity: | 6 Enhancement |
Description: * | Symptom: Packets not matched under "sh route-map name pbr-statistics"
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 6.2(8)EC(0.7) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup43950 | Title: | N7K CLI needs to be added to verify the total policies for WCCP and SPM |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom: In the customer environment, the customer applied WCCP policies that the N7K could not program, either in the beginning or any time changes were made (ACL changed, interface added, any service removed, etc.).
Conditions: When a customer uses huge WCCP policies to redirect internet and intranet traffic for different groups in an enterprise deployment, the customer ends up consuming all the TCAM and takes a bit longer to find out that the issue was due to the large policies.
An easy CLI should be provided to confirm the policies so that they can be checked against the scalability guide.
Workaround: none
Further Problem Description:
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 6.0(4)S3 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCum89692 | Title: | support L2/L3 detect and appro warning message when policy not applied |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom: switchport_noswtichport to be determined and appropriate warning message to be displayed while attaching port ingress to service group.
Conditions: switchport_noswtichport to be determined and appropriate warning message to be displayed while attaching port ingress to service group.
Workaround: switchport_noswtichport to be determined and appropriate warning message to be displayed while attaching port ingress to service group.
Further Problem Description: switchport_noswtichport to be determined and appropriate warning message to be displayed while attaching port ingress to service group.
|
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 6.2(8)FH(0.36) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCts88978 | Title: | Need explicit log msgs instead of logging 'last msg repeated n times' |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: * | Symptom: 'last msg repeated n times' will be printed for repeating msg
Conditions: Repeating back-to-back msgs
Workaround(s): None
Workaround:
Further Problem Description: This enhancement adds the below config knob to enable/disable log rate-limiting: (config)# [no] logging rate-limit
By default rate-limiting will be enabled.
To verify: # show logging rate-limit
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 5.2(1), 6.2(1.125)S3 |
|
Known Fixed Releases: | 7.0(0)BZ(0.46), 7.0(0)HSK(0.357), 7.0(6)N1(0.276), 7.0(6)N1(1b), 7.0(7)ZD(0.139), 7.0(7)ZN(0.133), 7.0(7)ZN(0.135), 7.1(0)AV(0.38), 7.1(0)D1(0.337), 7.1(0)EV(0.125) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut75676 | Title: | VSI_OVER_FEX changes |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: This bug is used to track the development of VSI Over Project
Conditions: This bug is used to track the development of VSI Over Project
Workaround: Enhancement
Further Problem Description:
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 7.2(0)D1(0.462) |
|
Known Fixed Releases: * | 7.0(0)FHS(0.23), 7.1(0)ES(0.24), 7.2(0)EVF(0.3), 7.2(0)VOF(0.11), 7.2(0)VOF(0.2), 7.2(0)VOF(0.3), 7.2(0)VOF(0.4), 7.2(0)VOF(0.6), 7.2(0)VOF(0.8), 7.2(0)VZD(0.12) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuf80016 | Title: | EEM does not run commands on second vdc |
|
Status: * | Terminated |
|
Severity: | 6 Enhancement |
Description: * | Symptom: You have an EEM script which should execute some commands on a different VDC. For instance:
BESPIN# show run | b manager
event manager applet test
  event cli match "show interface"
  action 1.0 cli switchto vdc BESPIN-VDC2
  action 2.0 cli conf t
  action 3.0 cli vlan 3
  action 3.1 cli exit
You do not see any error message, but the commands are not run on the second vdc
Conditions:
Workaround: none
Further Problem Description:
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 6.0(4) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv41145 | Title: | NX-OS BGP doesn't send ext-community in updates in vrf-lite |
|
Status: | Open |
|
Severity: * | 6 Enhancement |
Description: | Symptom: BGP in NX-OS will not send extended community attributes in UPDATEs when configured with vrf-lite.
Conditions: Configure with vrf-lite and BGP
Workaround: Enable the MPLS feature and configure an RD in the vrf.
Further Problem Description:
|
|
Last Modified: | 07-AUG-2015 |
|
Known Affected Releases: | 6.2(8a) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCty07278 | Title: | PSB SEC-MGT-DEFT-2: Remote SNMP admin should be disabled by default |
|
Status: | Terminated |
|
Severity: | 6 Enhancement |
Description: * | Symptom: Devices running NX-OS may fail to properly implement Cisco's Security Baseline standards. All products must meet the requirements of the PSB or obtain waivers from the CSDL-Core team. In this case NX-OS devices have the SNMP protocol enabled by default when the switch comes up.
Conditions: Devices running Nexus Operating System.
Workaround: User can disable SNMP protocol using the CLI "no snmp protocol enable".
Further Problem Description: Though SNMP is enabled by default in NX-OS, only V3 users can access with proper community info (only V3 admin user is created by default with credentials). And hence no security issue, other than violation of security baseline stds. This issue was identified as either a Hardening issue or a Product Security Baseline (PSB Violation). PSIRT has provided this internal RNE to document the issue and provide reference should a customer be impacted.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 0/0: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:N/I:N/A:N/E:U/RL:U/RC:C&version=2.0 No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 06-AUG-2015 |
|
Known Affected Releases: | 6.0(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut30711 | Title: | Enh: Nexus 7004 and 7018 chassis show extra fans during EPLD upgrade |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: When trying to check impact or run an EPLD upgrade, a Nexus 7004 and Nexus 7018 show extra Fan modules with "Module is not Online" status. This is misleading. Filing an enhancement bug to fix this.
Conditions: Only seen on Nexus 7004 and Nexus 7018 chassis EPLD upgrade
Workaround: None, there is no impact to the actual EPLD upgrade which is completed successfully.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 6.2(10), 6.2(12) |
|
Known Fixed Releases: * | 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.2(0)CF(0.11), 7.2(0)D1(0.459), 7.2(0)D1(1), 7.2(0)PDB(0.386), 7.2(0)VZD(0.26) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCug64700 | Title: | NX-OS parser: auto-complete functionality for certain QoS commands |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: * | Ability to auto-complete for certain commands
class-map
Symptom: auto complete of acl names was not happening.
Conditions:
Workaround: None
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 5.2(3a) |
|
Known Fixed Releases: * | 7.3(0)RTG(0.64) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv03483 | Title: | Authentication key size of NTP should be 32 bits |
|
Status: * | Other |
|
Severity: | 6 Enhancement |
Description: | Symptom: ntp authentication-key md5 word
word - should be of 32 bit characters
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 7.3(0)ZD(0.38) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur44048 | Title: | FTAG entries cleared from ftag2erbdg table in vPC+ port-channel |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Multidestination traffic egressing a vPC+ port-channel in I state is dropped by the Nexus 7000
Conditions: vPC+ no lacp suspend-individual enabled on the port-channel Reload Nexus 7000 vPC Port-channel members come up in 'I' state following reload
Workaround: Toggle the vPC members between mode on and lacp enabled. Ensure that, once configured for mode on, both peers report the members in the 'P' state. At that point enable LACP on the members again. The interfaces will return to the 'I' state; however, the ftag_to_erbdg_or_dvif table will now be programmed properly.
Further Problem Description: This is due to a misprogramming of the ftag_to_erbdg_or_dvif table and will result in EG egress_ftag2erdbg miss drops on the mac for the egress port:
7K# slot X quoted "show hardware internal statistics device mac errors port X"
20630 EB egress_ftag2erdbg miss drops 0000000057202146 17 -
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 6.2(10), 6.2(2), 6.2(2a), 6.2(6), 6.2(6a), 6.2(6b), 6.2(8a), 6.2(8b) |
|
Known Fixed Releases: * | 6.2(13.3)S0, 6.2(14)FB(0.28), 7.1(0)AV(0.81), 7.1(0)ES(0.18), 7.2(0)BA(0.25), 7.2(0)CF(0.11), 7.2(0)D1(0.494), 7.2(0)D1(1), 7.2(0)ZD(0.176), 7.3(0)IB(0.19) |
|
|
| |