| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu72094 | Title: | Cisco APIC Access Control Vulnerability |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Description: * | Summary
A vulnerability in the cluster management configuration of the Cisco Application Policy Infrastructure Controller (APIC) and the Cisco Nexus 9000 Series ACI Mode Switch could allow an authenticated, remote attacker to access the APIC as the root user.
The vulnerability is due to improper implementation of access controls in the APIC filesystem. An attacker could exploit this vulnerability by accessing the cluster management configuration of the APIC. An exploit could allow the attacker to gain access to the APIC as the root user and perform root-level commands.
Cisco has released software updates that address this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150722-apic
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:C/I:C/A:C/E:H/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4235 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 1.0(1e), 1.0(1h), 1.0(1k), 1.0(1n), 1.0(2j), 1.0(2m), 1.0(2n), 1.0(3f), 1.0(3i), 1.0(3k) |
|
Known Fixed Releases: | 1.0(3o), 1.0(4o), 1.1(1j), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo97578 | Title: | APIC is vulnerable to XSS (cross-site scripting) attacks |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Description: * | Symptoms: The APIC UI should contain more measures to prevent cross site scripting attacks.
Conditions: None
Workaround: None
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 1.0(0.160f) |
|
Known Fixed Releases: | 1.0(0.238), 1.0(0.240), 1.0(0.246), 1.0(0.248), 1.0(0.254), 1.0(0.265), 1.0(0.275j), 1.0(0.287), 1.0(0.318), 1.0(0.352) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur69353 | Title: | Cisco Nexus 9000 Series Switches APIC OpenSSH Vulnerabilities |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Cisco Nexus 9000 Series Switches LAN Switch Software includes a version of APIC OpenSSH that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2007-2243, CVE-2007-4752, CVE-2008-1483, CVE-2008-1657, CVE-2008-3234, CVE-2008-5161
This bug was opened to address the potential impact on this product.
Conditions: Device running with default configuration running an affected version of software.
Workaround: None.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.5/6.2: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C&version=2.0
CVE-2007-2243 and CVE-2008-3234 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 1.0(2h), 1.0(4e) |
|
Known Fixed Releases: | 1.1(0.443), 1.1(1j) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq92240 | Title: | N9K / Denial of Service Vulnerability in service Platform Manager |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: Cisco Nexus 9000 Software reloads unexpectedly. After reload, "show version" reports:
---snip---
Last reset at [...]
Reason: Reset triggered due to HA policy of Reset
System version: 6.1(2)I2(3)
Service: Platform Manager hap reset
---snip---
"show core" will also show two core files in the "platform" process.
Conditions: Running 6.1(2)I2(3) while conducting an SNMP polling on the device.
Workaround: None.
Further Problem Description: The SNMP subsystem of Cisco Nexus 9000 Software contains a vulnerability that would allow a remote, authenticated attacker to trigger a reload on an affected system.
This vulnerability only affects Nexus 9K platforms.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-0686 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I2(3) |
|
Known Fixed Releases: | 6.1(2)I3(0.209), 6.1(2)I3(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut13651 | Title: | APIC NTP security vulnerability |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptoms: The Cisco Fabric Application Policy Infrastructure Controller (APIC) includes a version of Network Time Protocol Daemon (NTPD) that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2013-5211
This bug was opened to address the potential impact on this product.
Conditions: Device with default configuration.
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2013-5211 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 1.1(0.696a) |
|
Known Fixed Releases: | 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo02489 | Title: | Deny traffic with log keyword is permitted through |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: During testing of Cisco Nexus 9000 Series Switches, it was found that when an ACE entry in a deny ACL has the log keyword present, packets are rate-limited and sent to software for logging purposes. These logged packets should be dropped by software ACL. However, they get forwarded to the final destination although the ACL applied denies the traffic.
Conditions: This was observed on Cisco Nexus 9000 Series Switches only running versions prior to this bugfix.
Workaround: Use the hardware rate limiter with the following configuration to drop all packets sent to software for logging purposes:
hardware rate-limiter access-list-log 0
The other option is to not use logging of deny ACL.
Please note that both these options are basically disabling the logging feature.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-3330 has been assigned to document this issue.
Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3330
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I2(1) |
|
Known Fixed Releases: | 6.1(2)I2(1.18), 6.1(2)I2(1.21), 6.1(2)I2(2), 6.1(2)I2(2a), 6.1(2)I2(2c) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv61351 | Title: | Cisco Nexus 9000 ARP Denial of Service (DoS) Vulnerability |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: * | Symptoms: A vulnerability in the Address Resolution Protocol (ARP) input packet processing of Cisco Nexus Operating System (NX-OS) devices could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition.
The vulnerability is due to improper input validation of the ARP packet and the Maximum Transmission Unit (MTU) size which results in a buffer overflow which can cause the DoS condition. An attacker could exploit this vulnerability by sending a crafted ARP packet to the device. An exploit could allow the attacker to cause the device to be unavailable due to a DoS condition of the ARP module.
Conditions: Device running with default configuration running an affected version of software.
Workaround: The MTU size should be configured lower.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2015-4323 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 14-AUG-2015 |
|
Known Affected Releases: | 7.3(0)ZN(0.9) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu84967 | Title: | ifav41 - Validation of x509 Cert submitted failed during cfg import |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: a) Expired user authentication certificates cannot be deleted. b) Expired user authentication certificates cannot be deleted via config import with replace option.
Conditions: User submits an x509 certificate to be used for authentication and the certificate expires.
Workaround: Replace the certificate with a new valid certificate. Deletion of the aaaUserCert object will now be permitted.
Further Problem Description: The aaaUserCert mo contains user certificates in x509 format. x509 certificates are validated when submitted (or imported via config import). They are also being validated during deletion which causes this issue.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1h) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCun34482 | Title: | Xbar needs to be down if a higig link goes down/recovers multiple times |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom: Fabric module internal link flaps can cause memory to be held in the xbar manager process, which in turn can result in problems getting the line cards in other slots to come online.
Conditions: Hardware Problem with Fabric Module on Nexus 9500 switch
Workaround:
Further Problem Description: Following are the messages logged when the issue happens
%XBAR-2-XBAR_HGLINK_DOWN: fabric link 8 on fabric module 25 unit 1 connected to module 3 unit 1 is down
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I1(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv24988 | Title: | ACI contract missing for static path with ondemand policy via VPC in EPG |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: A server has a VPC link to a couple of leaf switches. Only one of the leaf switches has the configured contract deployed; the rules are not found on the other leaf when the problem happens. The configuration works at the beginning. The rule was originally programmed on both leaf switches but was incorrectly deleted from one VPC leg.
From the policyelement log (svc_ifc_policyelement.log, for example):
4079||15-07-08 20:54:55.583+00:00||fv||DBG4||co=doer:0:0:0xf0e19:9,dn=uni/epp/fv-[uni/tn-TestTenant/ap-TestAppPro/epg-TestEPG]||No end-points left; unprogramming rules||../dme/svc/policyelem/src/gen/ifc/beh/imp/./fv/AREpPBI.cc
But if we issue "show system internal epm vlan EPG-ENCAPVLAN", there are active EPs there.
Conditions: The server connects to a couple of leaf switches via VPC. The static path over the VPC is configured under the EPG, which could be associated with a physical domain or a VMM domain. The policy immediacy of the static path is set to "on demand".
Workaround:
1. If setting policy download to lazy on the EPG can be avoided, this issue does not occur.
2. A clear task on that VLAN should trigger the deletion of all EPs.
3. Alternatively, deleting and re-adding the EPG also works as a workaround.
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: * | 11.1(1.268), 11.1(1o), 11.2(0.28) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv69713 | Title: | Cisco NX-OS IGMP Malformed Packet DoS Vulnerability |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: * | Symptom: A vulnerability in the Internet Group Management Protocol (IGMP) Version 3 (IGMPv3) input packet processing of the Nexus Operating System (NX-OS) could allow an unauthenticated, adjacent attacker to cause the IGMP process to restart due to a malformed IGMP packet. This can cause a denial of service (DoS) condition on the device.
The vulnerability is due to improper input validation when ensuring that the memory allocated is large enough for the number of included sources in the IGMPv3 packet. An attacker could exploit this vulnerability by sending a crafted IGMPv3 packet to the device. An exploit could allow the attacker to cause the IGMP process to restart due to a buffer overflow, which causes the DoS condition. If the malformed IGMPv3 packet is continuously sent to the device, the DoS condition will remain and the device is unavailable.
Conditions: IGMP Version 3 snooping is configured on one or more Virtual Local Area Networks (VLANs).
Workaround: The IGMP Version 3 snooping configuration has to be removed.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4324 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 7.3(0)ZN(0.81) |
|
Known Fixed Releases: | 7.0(3)I2(0.546), 7.0(3)I2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur63227 | Title: | Traffic drop for BGP RNH routes during switchover |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Temporary traffic loss during switchover
Conditions: When BGP prefixes have a next hop that is itself learnt over BGP, and a default route is present in the system, the BGP prefixes can see some temporary traffic drop during switchover. This is corrected once BGP convergence completes after the switchover.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I3(1.53) |
|
Known Fixed Releases: * | 7.0(3)DEV1(1), 7.0(3)DEV1(1.5), 7.0(3)I1(0.185), 7.0(3)I1(0.190), 7.0(3)I1(0.225), 7.0(3)I1(1), 7.0(3)I1(1.20), 7.0(3)I1(1.214), 7.0(3)I1(1.216), 7.0(3)I1(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv35406 | Title: | Nexus 9300 does not learn MAC addresses on FEX HIF ports |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Nexus 9300 switches may not learn MAC addresses on FEX HIF ports
Conditions: Nexus 9300 running 7.0(3)I1(2) with FEX attached.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I1(2) |
|
Known Fixed Releases: * | 7.0(3)I1(2.4), 7.0(3)I1(3), 7.0(3)I2(0.487), 7.0(3)I2(1), 7.0(3)IMK2(1), 7.0(3)IMK2(1.15), 8.3(0)CV(0.123) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu81949 | Title: | 9372TX:Ports go down randomly, dont negotiate 1g on extended cable later |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Intermittent failure of interfaces on the Nexus 9372TX switches running 6.1(2)I3(4a), with the interfaces sometimes remaining down and not recovering. A reload might or might not recover it. We don't know the trigger as of now.
This is a typical interface config:
interface Ethernet1/42
  switchport access vlan 28
  spanning-tree port type edge
  speed auto 100 1000
Some trigger breaks the port and it does not come up with an extended cable (about 175 - 250 feet) using a patch panel in between. The same port comes up with a directly stretched cable of about 15-100 feet, with or without a patch panel. When you shift the same cable with the same host from the broken port to a new port, it works.
With extended cable in broken condition (with the fact that host works on 1gig):
+ 'speed auto 100' gets the port up in 100g
+ 'speed auto' does not get the port up
+ 'speed 100' gets it to work
+ 'speed 1000' doesn't
+ 'speed auto 100 1000' doesn't
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I3(4a) |
|
Known Fixed Releases: * | 6.1(2)I3(4b), 7.0(3)DEV1(1), 7.0(3)DEV1(1.5), 7.0(3)I1(2.6), 7.0(3)I1(2.7), 7.0(3)I1(3), 7.0(3)I2(0.435), 7.0(3)I2(1), 8.3(0)CV(0.123) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv76497 | Title: | ACI: FEX bringup fails with image below 5.x |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
- Unable to add FEX to ACI fabric
- "Show fex detail" output shows FEX in Registering or Image Download state
- FEX doesn't show up in GUI
Conditions:
- FEX with software image below 5.x connected to ACI fabric
- This has been seen on 2248TP-1GE model FEX
Workaround: Connect FEX to a parent switch with 5.x or later image so that it downloads more recent software, then connect to ACI fabric.
Further Problem Description:
leaf# show system internal fex internal event-history errors
8) Event:E_DEBUG, length:68, at 513793 usecs after Mon Aug 24 xx:xx:xx 2015
[102] srg chk: main version mismatch: rcvd 4.2(1)N1(1) mine 11.1(1j)
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: * | 11.2(0.46) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu62942 | Title: | N9K3: ARP packet not forwarded on FEX with DAI |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: ARP reply is not forwarded on FEX host interface
Conditions:
- DAI is enabled
- Host is connected on FEX
Workaround:
- Connect host to parent switch, OR
- Disable DAI
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I1(2) |
|
Known Fixed Releases: * | 7.0(3)DEV1(1), 7.0(3)DEV1(1.5), 7.0(3)I1(2.12), 7.0(3)I1(3), 7.0(3)I2(0.439), 7.0(3)I2(0.449), 7.0(3)I2(1), 8.3(0)CV(0.123) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv55863 | Title: | traffic loss due to invalid pcTag for actrlPfxEntry |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Traffic loss due to invalid pcTag in the node for external subnet's Prefix Entry (represented by model class actrl:PfxEntry).
Conditions:
1. Configure l3extInstPs on l3out
2. Add contract relation between the l3extInstPs and EPGs
3. Delete the l3extInstPs
4. Repeat steps 1 to 3
Workaround: Clean reboot the node.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 1.1(1o) |
|
Known Fixed Releases: | 1.1(1.142), 1.1(1r), 1.2(0.41) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCut81254 | Title: | Scale: Max-host mode - many LPM routes are not programmed on FM |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
Conditions: It has to be max-host mode with scale
Workaround: None
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I1(1.173), 7.0(3)I1(1.187) |
|
Known Fixed Releases: | 6.1(2)I3(4.6), 6.1(2)I3(5) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv05779 | Title: | Traffic flows through fabric even when interfaces are suspended |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Ports are suspended but hosts are still able to communicate
Conditions: The server is configured for a bond with no LACP. The leafs are running LACP and the interfaces go suspended, but traffic still flows.
Workaround: n/a
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: * | 11.0(4o), 11.1(1o) |
|
Known Fixed Releases: | 11.1(1.277) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu83343 | Title: | Evaluation of fabric-apic for OpenSSL June 2015 |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: |
Symptom:
This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-4000, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, CVE-2014-8176
This bug has been opened to address the potential impact on this product.
Conditions:
Exposure is not configuration dependent.
Workaround:
Not available.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 7.8/6.4
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 1.0(4j) |
|
Known Fixed Releases: * | 1.1(1.135a), 1.1(1.142), 1.1(2.17), 1.1(2b), 1.1(2h), 1.2(0.31), 1.2(0.41), 1.2(0.49), 1.2(0.76a), 1.2(0.77b) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv96035 | Title: | Stateless downgrade steps should be documented in release notes |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Customer is aware of the steps and implications of a Stateless downgrade
Conditions: Customer wishes to perform a downgrade and it is considered stateless. This can be found within the release notes for certain versions that fall under this criteria
Workaround: Proposing the following steps to be documented as a "stateless downgrade":
1. do a config export
2. "eraseconfig" from the apics
3. setup-clean-config.sh on the switches
4. reload everything
5. do fabric discovery
6. Downgrade
7. "eraseconfig setup" from the apics
8. setup-clean-config.sh from the switches
9. do initial setup script on the apics
10. discover the fabric using the EXACT same node id's and names as in the config export
11. import the config export using merge
Combined with a note indicating that they will have to plan for an outage, as this requires the fabric be rebuilt.
Further Problem Description:
|
|
Last Modified: | 29-AUG-2015 |
|
Known Affected Releases: | 1.0(4o), 1.1(1o), 1.1(1r), 1.1(2h) |
|
Known Fixed Releases: | 1.0(4o), 1.1(1j), 1.1(1r), 1.1(2h) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv94180 | Title: | N9KEVPN VTEP Unknown Punt Reason |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: UDP / TFTP packet punted to CPU for unknown reason.
Conditions: - Seen on a N9K running 7.0(3)I1(2)
Workaround: N/A
Further Problem Description:
|
|
Last Modified: | 30-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I1(2) |
|
Known Fixed Releases: * | 7.0(3)I2(0.593), 7.0(3)I2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv70029 | Title: | VPN routes should be accepted if it has its own FabricAS# in ASPATH attr |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: A spine drops the Multiprotocol Border Gateway Protocol (MBGP) routes when it receives the prefixes that have its own fabric autonomous system number in the BGP AS-PATH attribute in the default VRF.
Conditions: The problem is seen when we have eBGP peering with external router and we receive a route with the same AS in AS_PATH as fabric AS. We need to enable 'Allow Self AS' for the route to be accepted by the Border Leaf for ipv4/v6 address family. When this route is exported to default VRF and received by Spine RR's over MPBGP, spines drop it as we don't have 'Allow Self AS' enabled for VPNv4/v6 AF. iBGP shouldn't check for AS PATH as it is applicable only for eBGP Peers.
Workaround: No workaround.
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 11.2(0.37) |
|
Known Fixed Releases: * | 11.1(2.287), 11.2(0.45) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw01814 | Title: | N9k VSH crash when using enable 15 command to change privilege level |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: Unable to change the privilege level using the "enable 15" command with feature privilege enabled
Conditions:
Workaround: none
Further Problem Description: The failure will be accompanied by a crash in the VSH process:
VDC-1 %$ %SYSMGR-2-LAST_CORE_BASIC_TRACE: : PID 10977 with message vsh(non-sysmgr) crashed, core will be saved .
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I1(3) |
|
Known Fixed Releases: * | 7.0(3)I2(0.594), 7.0(3)I2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus68764 | Title: | Nexus 9k: assess GHOST vulnerability in glibc (CVE-2015-0235) |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: On January 27, 2015, a buffer overflow vulnerability in the GNU C library (glibc) was publicly announced. This vulnerability is related to the various gethostbyname functions included in glibc and affect applications that call these functions. This vulnerability may allow an attacker to obtain sensitive information from an exploited system or, in some instances, perform remote code execution with the privileges of the application being exploited. This vulnerability is documented in CVE-2015-0235.
A Cisco Security Advisory has been published to document this vulnerability at: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost
This bug has been opened to address the potential impact on this product.
Conditions: Under normal conditions the D9036 does not take hostnames as an input parameter. This vulnerability is not exploitable remotely.
Workaround: Not available.
Further Problem Description: PSIRT Evaluation: All previously released versions and NX-OS software are affected. The fix will be delivered for currently supported releases as follows:
NX-OS 7.0 release - first fixed release is 7.0.3 which is available on CCO
NX-OS 6.1 release - is scheduled to be available in April 2015
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 10/7.8
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I3(3) |
|
Known Fixed Releases: * | 6.1(2)I3(3.61), 6.1(2)I3(4), 7.0(3)I1(0.274), 7.0(3)I1(1), 7.0(3)I2(0.522), 7.0(3)I2(0.83), 7.0(3)I2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut25121 | Title: | OSPF crash seen while executing "show ip ospf router" command |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom: OSPFv2 crashes
Conditions: If routes are churning when "show ip ospf route" is issued, OSPFv2 may crash.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I1(1.124), 7.0(3)I1(2) |
|
Known Fixed Releases: * | 7.0(0)HSK(0.433), 7.0(3)I1(1.140), 7.0(3)I1(2), 7.0(3)IEF1(2), 7.0(3)IEF1(2.7), 7.0(3)IX1(1.93), 7.0(3)IX1(2), 7.1(0)AV(0.74), 7.1(0)ES(0.18), 7.1(0)IB(120) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv01243 | Title: | Tunnel intf missing on TOR after MTU change/ host reload |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Tunnel interface for non-opflex vmknic to the AVS host is missing on the TOR/leaf.
Conditions: When the MTU of the VMKNIC on the ESX host (either opflex vmknic or LB VTEP) is changed. Also happens (rarely) when the ESX host is reloaded.
Workaround: Issue a vem stop on the AVS host and wait for 5 minutes followed by a vem start
Further Problem Description:
|
|
Last Modified: | 03-AUG-2015 |
|
Known Affected Releases: | 1.0(4o) |
|
Known Fixed Releases: * | 1.1(1.119), 1.1(1j), 1.2(0.32) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv06077 | Title: | ACI Fabric HW Install guide says to install simulator on the APIC |
|
Status: * | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ACI Fabric HW Install guide has a prerequisite to install the simulator software on the actual APIC.
Conditions: N/A - This is a documentation issue.
Workaround: The proper prerequisite is to install the APIC software on the APIC, not the APIC simulator software.
Further Problem Description: N/A
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: | 1.1(1j) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCus04099 | Title: | N6k/7k/9k: SSH/Telnet connection refused |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: SSH/telnet connection is refused.
N7k# sh sockets connection
Total number of tcp sockets: 3
Active connections (including servers)
Protocol State/ Recv-Q/ Local Address(port)/
Context Send-Q Remote Address(port)
tcp(4/6) LISTEN 0 *(22)
Wildcard 0 *(*)
Vlan1838 >>> In the failed switch we see an interface associated.
tcp(4/6) LISTEN 0 *(23)
Wildcard 0 *(*)
Vlan1838 >>> In the failed switch we see an interface associated.
Conditions: Issue seen on Nexus 6000/7000/9000.
Workaround: Disable and enable the ssh feature:
no feature ssh
feature ssh
Further Problem Description:
|
|
Last Modified: | 04-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I1(0.167) |
|
Known Fixed Releases: * | 6.0(2)A4(3.39), 6.0(2)A4(4), 6.0(2)A5(1.37), 6.0(2)A5(2), 6.0(2)A6(0.59), 6.0(2)A6(1), 6.0(2)U4(3.39), 6.0(2)U4(4), 6.0(2)U5(1.37), 6.0(2)U5(2) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv62956 | Title: | Endpoint not cleared after VIP migration, COOP black-holes traffic |
|
Status: | Other |
|
Severity: | 3 Moderate |
Description: | Symptom: Stale endpoint entry after a VIP is migrated away to another pair of leafs. If the VIP is returned to the original pair of leafs, the endpoint entry is still in the tables and COOP is not updated.
Conditions:
Workaround: Under vsh, clear the affected endpoint on all pairs of leafs.
Further Problem Description: version 11.1(1o)
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv20590 | Title: | MAX_COMPONENTS exceeded error should state what the max is |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When a filter is used on the APIC REST API, the error: "filter::Composite::MAX_COMPONENTS exceeded." may be seen.
Conditions: This will be seen if there are more than 20 filter expressions.
Workaround: Do not use more than 20 filter expressions.
Further Problem Description: This request is to enhance the error returned from the REST API to indicate what the maximum number of filter expressions is, so that users of the REST API can adjust their queries without having to guess at the maximum.
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.114a), 1.1(1.119), 1.1(1.147a), 1.1(1.149a), 1.1(1.150), 1.2(0.16) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut48218 | Title: | ISIS: forwarding adjacency next-hops unresolved after reload |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: After reload or power-cycle, ISIS next-hop forwarding adjacencies remain unresolved.
Conditions: This is seen with configurations in which BFD is NOT present, since BFD masks the issue.
Workaround:
1. The issue can be resolved by pinging the next-hop.
2. If BFD is enabled, the issue will not be seen.
Further Problem Description:
|
|
Last Modified: | 10-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I1(1) |
|
Known Fixed Releases: * | 7.0(3)I2(0.542), 7.0(3)I2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu84391 | Title: | Cisco LAN Switch Software Password Exposure Vulnerability |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptoms: A vulnerability in Cisco LAN Switch Software could allow an authenticated, remote attacker to expose passwords in plain text format.
The vulnerability is due to older versions being able to decrypt passwords. An attacker could exploit this vulnerability to expose passwords in plain text format.
Conditions: Device running with default configuration running an affected version of software.
Workaround: None.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4213 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 11-AUG-2015 |
|
Known Affected Releases: | 1.1(1g) |
|
Known Fixed Releases: | 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu77225 | Title: | user admin cli access to fabric node locked out |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptoms: A vulnerability in the Nexus 9000 series switch could allow an authenticated, remote attacker to limit or disable user-access to the affected appliance. The vulnerability is due to large files being created or transferred to the /tmp directory. An attacker could exploit this vulnerability by exhausting all memory allocation in the /tmp directory.
Conditions: When a user with admin role copies or creates a large file in /tmp directory.
Workaround: To recover from this state, either reload the switch or clear the files from /tmp.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:H/RL:U/RC:C&version=2.0 CVE ID has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 11.1(1c) |
|
Known Fixed Releases: | 11.1(0.242), 11.1(0.243), 11.1(1.249), 11.1(1f), 11.1(1g) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv34261 | Title: | inter-context local EP not removed after EP moving |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Server and client are in different contexts (VRFs). When the server virtual IP is moved to a new TOR and then moved back to the original TOR, client-to-server traffic is still forwarded to the new TOR and dropped.
Conditions: Server and client are in different contexts. The server IP is moved to another TOR and then moved back.
Workaround: n/a
Further Problem Description:
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: * | 11.1(1.265), 11.1(1r), 11.2(0.33), 11.2(0.38) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu61998 | Title: | Microsegment EPG must be removed before downgrade to pre FCS+9 release |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: The microsegment endpoint group (EPG) is in the incorrect state after downgrading.
Conditions: This issue occurs when downgrading from 1.1(1x) to an earlier release with microsegmented EPGs.
Workaround:
Further Problem Description:
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: * | 1.1(0.927a), 1.2(0.43a) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv13231 | Title: | Decommissioned Spines Remain in Leaf's BGP session List |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A spine that was decommissioned still shows as part of the BGP sessions on the leaf.
leaf104# show bgp sessions vrf overlay-1
Total peers 3, established peers 2
ASN 100
VRF overlay-1, local ASN 100
peers 3, established peers 2, local router-id 10.0.0.93
State: I-Idle, A-Active, O-Open, E-Established, C-Closing, S-Shutdown
Neighbor ASN Flaps LastUpDn|LastRead|LastWrit St Port(L/R) Notif(S/R)
10.0.0.94 100 2 01:11:21|never |never I 0/0 2/0 ===>It was decommissioned.
10.0.40.93 100 0 01:32:31|never |never E 56249/179 0/0
10.0.40.64 100 0 01:08:13|never |never E 48219/179 0/0
Conditions: The spine has to meet the conditions below:
1. Route reflector enabled for that spine
2. The spine was decommissioned (removed from the controller)
Workaround: On the leaf where you want to clean the config:
1. Issue "acidiag touch clean"
2. Issue "reload"
Further Problem Description:
|
|
Last Modified: | 18-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.153a), 1.1(1.155a), 1.1(1.157a), 1.1(1.159b), 1.1(1r), 1.1(2a), 1.2(0.41), 1.2(0.49) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv18090 | Title: | Duplicate l3extRsPathL3OutAtt.addr prevents DHCP Relay creation |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: An administrator attempts to configure a DHCP Relay Policy under a tenant and defines a DHCP server that is located outside the Cisco ACI fabric using an L3out. The following error is generated:
"Server Error:400 - child (Rn) of class dhcpGwDef is already attached. dn[(Dn0)] Dn0=, Rn=gwdef-[IP_ADDRESS],"
The administrator may also be attempting to configure a second Logical Interface Profile with the same IP address as the first on an L3out and a DHCP Relay Policy already exists that specifies the L3out.
Conditions: An L3out is configured that has two Logical Interface Profiles that have matching IP addresses. This includes VPC SVI configurations that have 0.0.0.0 configured by default and cannot be changed.
Workaround: Remove the second Logical Interface Profile that has the same IP address as the first on an L3out. This may restrict potential L3out configurations.
Change the IP address of the second Logical Interface Profile. This is not possible with a VPC configuration using SVI.
Provide DHCP services via an alternative means, such as via an Application EPG or L2 External Network.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1j), 1.2(0.1) |
|
Known Fixed Releases: * | 1.1(1.101a), 1.1(1.105a), 1.1(1.109a), 1.1(1.112a), 1.1(1.114a), 1.1(1.119), 1.1(2h), 1.2(0.16) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv68397 | Title: | Interface does not bring up with GLC-SX-MM and GLC-SX-MMD |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: An interface on the N9K uses a GLC-SX-MM or GLC-SX-MMD. When it is connected to a Huawei MSPP (Optix OSN3500), the interface does not come up at all.
Conditions: NX-OS version: 7.0.3.I1(2). A Huawei MSPP (Optix OSN3500) is connected to an N9K that includes a GLC-SX-MM or GLC-SX-MMD.
Workaround: None
Further Problem Description: None
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 7.0(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu75926 | Title: | TSW: reader/ae cored with 20 parallel report generations |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Troubleshooting wizard report generation may be incomplete or may time out if more than 4 reports are requested concurrently. If the generation durations of too many reports overlap, some processes running on that APIC may restart.
Conditions: More than 4 troubleshooting wizard sessions are manually triggered, or are configured via the scheduler, to generate reports at the same time.
Workaround: Limit the number of report generations running concurrently to 4. For scheduled report generation, set the scheduler's trigger time at least 10 minutes later than that of the previous session.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv34275 | Title: | acidiag bond0test brings APIC interface down |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Cisco APIC interface connection into the fabric may go down when using the command "acidiag bond0test"
Conditions: Cisco APIC interface connection into the fabric may go down when using the command "acidiag bond0test". bond0test attempts to bring down the connections of the APIC to the fabric while testing each link by pinging a known address. However, if a non-default infra subnet range is used, the test will fail and one of the interfaces will remain down. The default subnet range is 10.0.0.0/16.
The command "ip link show" on the APIC for the bond0 interface will show the bonded interfaces and status.
Workaround: If this occurs, reload the APIC to bring the interface back up.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1j), 1.1(1o) |
|
Known Fixed Releases: * | 1.1(1.135a), 1.1(1.138), 1.1(2h), 1.2(0.41), 1.2(0.49) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu56165 | Title: | [eft-bputra] Contracts: InterTenant\Context issues when vzAny configured |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Endpoint groups (EPGs) can communicate across VRFs when no contract is configured.
Conditions: This issue occurs when a vzAny contract (a contract for a collection of endpoint groups within a context) is configured and provided in a Private Network in a tenant, and an EPG in the same tenant consumes a shared service contract provided by a different tenant or a different context (Private Network).
Workaround: Use a specific consumer and provider instead of vzAny.
Further Problem Description: The vzAny contract causes a rule with any (*) pcTag. This rule allows traffic from EPGs in a different VRF when that is not expected.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(0.867h) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu87097 | Title: | Not able to remove the export destination from coreexp-default |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The Submit button is disabled.
Conditions: Not able to remove the export destination from coreexp-default.
Workaround: Add a description after deleting the export destination.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.0(4j), 1.1(1j) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu64372 | Title: | Invalid wiring fault is raised for cortina 16 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A fault is raised on old interfaces which no longer exist.
Conditions: This behaviour occurs when:
1. A fault is raised on an interface, e.g. wiring mismatch
2. The system is brought offline
3. The linecard is removed and replaced in a different slot
4. The system is brought online
5. The fault for the original interface still exists
Workaround: Replace the linecard in the original slot and then bring down the links.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(0.936a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv04230 | Title: | Please raise a fault if a user configures a bgp peer with a non /32 mask |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Prefix peering is allowed to be configured but may result in odd behavior.
Conditions: A BGP peer can be configured with a netmask that is not /32.
Workaround: Do not use a netmask when configuring a BGP peer.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu77748 | Title: | inband management IP address = 0.0.0.0 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Inband management is not reachable, the VRF is not listed on the leafs, and the GUI shows the inband IP address as 0.0.0.0.
Conditions: Inband configs are deleted and added in a loop, followed by an upgrade.
Workaround: Delete the address-pool, node-management-address, node-connectivity-group and inband-EPG, then re-add the config. Inband will then be configured and accessible.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1d) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu10767 | Title: | No fault raised when Gipo address falls within VMM domain mcast pool |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Multicast and broadcast traffic fails on one endpoint group.
Conditions: This issue occurs when the VMM Domain is in AVS VXLAN mode, and the domain multicast address overlaps with the multicast address pool range.
Workaround:
1. Delete the VMM domain and re-create it with a multicast address that does not overlap with the multicast pool.
OR
2. Leave the broken EPG as is (i.e., do not delete it), and move ports on that EPG to another newly created EPG.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.0(4a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv08961 | Title: | mgmtSubnet should be configured as source address in iptables on apic |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When mgmtSubnet is configured under External Management Network Instance Profiles, it should be the source address in iptables on the APIC. However, it is configured as the destination address in iptables, so External Management Network Instance Profiles do not work as expected for the APIC.
Conditions: When we configure mgmtSubnet under External Management Network Instance Profiles.
Workaround:
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.89), 1.1(2h), 1.2(0.13), 1.2(0.9a) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu74771 | Title: | leaf removal notification to topomgr |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: There is no notification or message sent to topomgr regarding the leaf being decommissioned, so this grpref does not get deleted. State transitions of the grpref also happen based on notifications from the leaf. When a decommission happens, there is no communication between the leaf and the APIC to remove it.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1b) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu61394 | Title: | naming a vcenter domain 'vm' leads to it failing to deploy |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The DVS is not created on the vCenter in some circumstances and an FSM fault may be raised.
Conditions: This occurs if the VMM Domain is named 'vm', 'datastore', 'host' or 'network'.
Workaround: Use a different name for the vCenter Domain.
Further Problem Description: None.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(0.867h) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv81082 | Title: | VXLAN F&L: need UDP checksum recaculation after IP recirculation |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: UDP checksum is not updated
Conditions: post re-write of IP destination address in ingress
Workaround: none
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I2(0.544) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu56113 | Title: | APIC: VPC stalepath if Policy group changed from VPC to PC |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Stale fabricPathEp representing VPC are present.
Conditions: When an infraAccBndlGrp's link aggregation type (lagT) is changed from "node" (VPC) to "link" (PC), there might be a stale fabricPathEp corresponding to the VPC.
Workaround:
- Change the link aggregation type of the infraAccBndlGrp to "node".
- Delete the infraAccBndlGrp.
- Recreate it with link aggregation type as "link".
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(0.914a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu16881 | Title: | downloaded-image-bad fault raised for downloaded images |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A fault is raised indicating that an image downloaded into the repository is bad, whereas the image is good.
Conditions: Intermittently when running 1.0(4*) image on APIC cluster.
Workaround: Delete the image from firmware repository and re-download the image into repository.
Further Problem Description: Fault is raised incorrectly for a good image. Image is added to the repository and is good. This bug has no impact on the functionality of upgrades.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.0(4f) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu73403 | Title: | nwissues raised on contract |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: "actrl::PfxEntry in use" fault raised on an l3ext::InstP even though the prefix is not colliding with any other l3ext::InstP. Traffic is not impacted.
Conditions:
* Transit case and actrl::PfxEntry installed on remote TOR with proper PcTag.
* The l3ext::InstP's pctag changes and has to get propagated to the actrl::PfxEntry on the remote TOR.
* PcTag gets propagated properly but also raises an "actrl::PfxEntry in use" fault.
Workaround: If possible, acknowledge or ignore the fault; otherwise delete and reconfigure the prefix from the l3ext::InstP.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(0.949a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu84962 | Title: | After host reboot veths stuck in WAIT ACK as immediate EPPs got deleted |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Immediate EPPs might get deleted from the TORs on host reboots behind a Fabric Interconnect pair, leaving veths stuck in WAIT ACK state for a long time on the host and resulting in traffic loss.
Conditions: Any Immediate mode EPP, such as an IP/MAC/VM attribute based EPG with Resolution Immediacy set to Immediate, can get deleted when hosts are rebooted behind a Fabric Interconnect pair that is connected to TOR pairs via 2 vPCs, if the TOR learns the new host's opflex on a different vPC pair after the reboot.
Workaround: Find the host on the AVS on which the missing Immediate EPPs were first learnt, do a vem stop, and then do a vem start after 5 minutes. The EPPs should then be programmed on the TORs.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1d), 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.58a), 1.1(1.60a), 1.1(1.62a), 1.1(1.65), 1.1(1.72a), 1.1(1.75a), 1.1(1.78a), 1.1(1.81), 1.1(1.83a), 1.1(1.86a) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu75565 | Title: | APIC GUI does not displays incorrectly API configured subjects |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The vzRsSubjFiltAtt within InTerm/OutTerm in a vzSubj does not show in APIC GUI.
Conditions: The vzSubj is configured by XML API.
Workaround: There is no way to find it from the GUI until the configuration is exported. It can be deleted only through the XML API.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.0(3k), 1.0(4h) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu35714 | Title: | TSW: traceroute doesn't allow changing from udp/tcp to icmp |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: In the troubleshooting wizard CLI, the protocol for traceroute can't be changed to icmp without first stopping the traceroute session.
Conditions: Traceroute session is active and it is not in stopped state.
Workaround: Stop the traceroute session before changing the protocol to icmp.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(0.884a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv04692 | Title: | vPC is down : Fault F1296 raised for vPC in Disabled state |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Fault F1296 "vPC down" raised even if vPC has been disabled from the WebUI
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 11.0(4) |
|
Known Fixed Releases: * | 1.1(1.155a), 1.1(1.157a), 1.1(1.159b), 1.1(1.95a), 1.1(1.97), 1.1(2a), 1.1(2h), 1.2(0.13), 1.2(0.49), 1.2(0.9a) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu84727 | Title: | ifav41 - UID of user configured MO's becomes 0 after config import |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: UID property is set to 0 for objects created during config import
Conditions: This happens during atomic import (best effort is not affected by this) for objects that are created during import (object does not already exist)
Workaround: Use best-effort import, or delete / recreate the affected objects. Note that there is no functional impact of UID being 0. All features will continue to work.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1g) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu93955 | Title: | APIC: shutdown from API - server goes to init1 - should be powered off |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When choosing shutdown from API (e.g. GUI in System->Controllers), APIC server does not power-off fully, but goes into init 1.
Conditions: You would like to power-off the APIC server to move to another location.
Workaround: Use CIMC to power-off the APIC Server
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.0(3k), 1.1(1f) |
|
Known Fixed Releases: * | 1.1(1.135a), 1.1(2h) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv04199 | Title: | ifav41 - swicth dme logs missing in techsupport in 1.0.4 if apic on 1.1 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Logs are not included in tech-support if the APICs are upgraded to a newer image while the switches are still not upgraded.
Conditions: APICs are on a newer image while switches are on an older image.
Workaround: Collect the logs manually on the switches if a tech-support needs to be collected while the switches are still not upgraded.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1.72a) |
|
Known Fixed Releases: * | 1.1(1.138b), 1.1(2h) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv20621 | Title: | Rest API Doc - indicate maximum number of filter expressions allowed |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The REST API User's guide does not document the maximum number of filter expressions that can be used in a scoping filter option that allows filter expressions.
Conditions: The REST API scoping filters that allow filter expressions are:
query-target-filter
rsp-subtree-filter
These only allow 20 filter expressions but this is not documented anywhere.
Workaround: None.
Further Problem Description: This requests documenting the number of filter expressions that can be used in a scoping filter option.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.124a), 1.1(2h) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv84870 | Title: | APIC: default cert not applied correctly after booting up |
|
Status: | Other |
|
Severity: | 3 Moderate |
Description: | Symptom: When an APIC cluster boots up without a keyring config, the default keyring is applied for HTTPS access. In fact, however, the localhost cert is applied instead of the default cert.
Conditions: This symptom is observed when APICs boot up without a keyring config.
Workaround: none
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1j), 1.1(2h) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv59001 | Title: | SSTE: Error ("(null)") communicating with MTS_SAP_PIXM_LOCAL |
|
Status: | Other |
|
Severity: | 3 Moderate |
Description: | Symptom: %ETHPORT-5-IF_SEQ_ERROR: Error ("(null)") communicating with MTS_SAP_PIXM_LOCAL for opcode MTS_OPC_PIXM_ALLOC_LTL (RID_PORT: port-channel10)
Conditions: nve interface uncfg/cfg
Workaround: NA
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I2(0.511) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCut19544 | Title: | L3 SVI config failed after changing the encap-vlan to the existing intf |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | After modifying encap vlan for L3Out, new encap vlan get programmed into hardware
Symptom:
l3extRsPathL3OutAtt exists with new correct vlan
l3extExtEncapDef exists with the old vlan
l3extExtEncapAllocator Encap Vlan object does not exist for this specific L3Out
Encap vlan does not get programmed into Leaf
Conditions: Modification to the encap-vlan value for the SVI of an L3Out
Workaround: Remove the SVI for the L3Out and recreate it
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 1.1(0.716a) |
|
Known Fixed Releases: | 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu86842 | Title: | Uploading APIC firmware (.iso) fails via the POST |
|
Status: | Other |
|
Severity: | 3 Moderate |
Description: | Symptom: When uploading firmware files to the APIC using the "Upload Firmware To APIC" option in the web GUI, the operation fails just after the "Finalizing" stage. The following error is generated and the upload does not complete.
Upload error: 403
Conditions: The "Upload Firmware To APIC" download task is used to upload firmware files to the APIC using the web GUI. The client's connection may be unreliable, causing an internal timeout to occur.
Workaround: Retry the upload operation. Alternatively, use the "Create Outside Firmware source" option to create an SCP or HTTP source for the firmware files.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv77081 | Title: | BMR1: Delete and re-add L3Outs: 4/121 instances are in internal-error |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: graphinst stuck in fault with internal error and failed-to-apply state
Conditions: Back-to-back delete/add of l3outs (used by graph service nodes) causes graphinst to be stuck in fault with internal error and failed-to-apply state
Workaround: Choose the device selection policy for the specific graph instance, then delete and re-add the L3 external network association from "Logical Interface Context (vnsLIfCtx)" to L3 External Network.
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 1.1(2c) |
|
Known Fixed Releases: * | 1.2(0.50a), 1.2(0.56b), 1.2(0.58a), 1.2(0.60) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv46644 | Title: | Enhancement: Need per filter DSCP marking on ACI Fabric |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Need the ability to mark the DSCP value on traffic based on the traffic type (L4 port and protocol).
Conditions: N/A
Workaround: N/A
Further Problem Description:
|
|
Last Modified: | 22-AUG-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: * | 1.2(0.62) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv57705 | Title: | Export job not marking scheduler window instance as executed |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Export job is not running at configured intervals
Conditions: Scheduler name is longer than 16 characters
Workaround:
1. Use a scheduler name less than 16 characters, or
2. Configure window length of the scheduler to be ~1-2 minutes
Further Problem Description:
|
|
Last Modified: | 23-AUG-2015 |
|
Known Affected Releases: | 1.0(4o) |
|
Known Fixed Releases: | 1.1(1.142), 1.1(2h), 1.2(0.41) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCum39204 | Title: | Tracking bug for consistency checker for VxLAN |
|
Status: * | Fixed |
|
Severity: | 3 Moderate |
Description: | new feature
Symptom: consistency checker in vxlan topology fails
Conditions: vxlan topology where MACs are learnt over regular and nve interfaces
Workaround: not available
Further Problem Description: NA
|
|
Last Modified: | 24-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I1(1.130), 7.0(3)I1(1.101), 7.0(3)I1(1.106), 7.0(3)I1(1.206) |
|
Known Fixed Releases: | 6.1(2)I2(2a), 6.1(2)I2(2c), 6.1(2)I3(0.169), 6.1(2)I3(1), 7.0(3)I1(1.130), 7.0(3)I1(1.7), 7.0(3)I1(2) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv22847 | Title: | traffic ingress nonDF/RPFintf and bridging without /32 mrib won't work |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: Mcast Bidir traffic bridging doesn't work in a multi-access network scenario when traffic comes from the RPF VLAN
Conditions: In a multi-access Bidir network, when the mcast bidir traffic is received on the RPF VLAN, bridging to local receivers won't work if a /32 route is not present because of other receivers on another DF VLAN or L3 routes port. /m routes cannot deliver traffic to the non-DF RPF VLAN unless a /32 route is present due to other receivers.
Normally the RPF VLAN is always the DF loser, hence the IGMP receivers won't create a /32 route. In order for bridging to work on the RPF VLAN, a /32 route needs to be created.
Workaround: Have another receiver on a DF winner VLAN for same group.
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I2(0.455) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv89630 | Title: | BD subnet under user Tenant not being propagated under L3 Out in common |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A BD configured under Tenant B utilizes Tenant A's VRF and L3 EXT. The BD subnets marked public should be advertised out of the L3 Ext dynamic routing protocol, but the subnet is not seen as an advertised route.
Conditions: Dynamic Routing Protocol Configured under the L3Ext. BD from another Tenant targeting VRF and L3 Ext.
Workaround: Add the exact subnet configured under the BD under the external EPG. This should be configured under an l3extInstP on the l3ext.
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 1.1(2h) |
|
Known Fixed Releases: * | 1.1(2.17), 1.2(0.69a), 1.2(0.71) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu55772 | Title: | Bidir not support /32 grp-prefix for N9k |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: On N9K it won't be possible to support /32 grp-prefix ranges because of a HW limitation (/m mcast routes cannot be installed in HW). All Bidir group ranges hence need to be configured in the range /24-/31. The /24 limitation comes from another bug.
Conditions: Configuration of /32 group ranges will still be allowed by the CLI and routes installed in HW, but traffic won't be forwarded correctly.
Workaround: Configure Bidir group ranges with mask lengths between /24 and /31
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I2(0.328) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuo25060 | Title: | ipv4/ipv6 for vrf all consistency-checker timeout with multi-vrf context |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Syslogs show that a "full" inconsistency run does not complete.
Conditions: L3 inconsistency runs do not complete when command is run for all vrfs at the same time.
Workaround: run this command per vrf.
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I2(1.27), 6.1(2)I2(2a), 7.0(3)I2(0.307) |
|
Known Fixed Releases: * | 6.1(2)I2(2a), 6.1(2)I2(2c), 7.0(3)I2(0.462), 7.0(3)I2(1), 8.3(0)CV(0.123) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv57868 | Title: | LACP Hot-standby fast-select not applied |
|
Status: | Terminated |
|
Severity: | 3 Moderate |
Description: | Symptom: LACP failover to a hot-standby link takes >2 seconds to converge between vPC peers
Conditions: This issue is specific to vPC where one leaf has an interface in a P state (participating) and the vPC peer leaf has the interface in an H state. When the active link fails, the interface in the H state takes >2 seconds to move into a bundle status. This delay is the same when LACP fast select is enabled or disabled.
Workaround: None
Further Problem Description: This is expected behavior and consistent with vPC operation on other NXOS platforms. LACP Hot-standby between vPC peers
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv95372 | Title: | N9K IP Redirect has Incorrect Gateway Address |
|
Status: | Other |
|
Severity: | 3 Moderate |
Description: | Symptom: N9K generates a redirect that has the wrong gateway address.
Conditions: N9K running 7.0(3)I1(2) or 7.0(3)I2(1)
Workaround:
- Disable IP redirects under the SVI(s) in question
- Configure the host to ignore IP redirects
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I1(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv88252 | Title: | Crash @ qosmgr_dce_print_cos2q_maps |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Nexus 9K crashes with ipqosmgr on running the command show class-map type queuing c-out-8q-q-default
Conditions: When running the command show class-map type queuing c-out-8q-q-default
Workaround: None
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 7.0(3)IND2(1.64) |
|
Known Fixed Releases: | 6.1(2)I3(4.25), 6.1(2)I3(5), 7.0(3)I1(2.21), 7.0(3)I1(3), 7.0(3)I2(0.576), 7.0(3)I2(1) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv89437 | Title: | EIGRP Policy needs to be required/red underline |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: EIGRP Process not running yet interface is configured with IP.
Conditions: Deploying EIGRP L3 Out
Workaround: On the Logical Interface Profile of the L3 Out, use the action menu to "create EIGRP interface profile" or from the navigation menu, right click the Logical Interface Profile and select "create EIGRP interface profile"
Further Problem Description: Since the EIGRP Interface profile is required to start the EIGRP process on the switch, this field should be underlined red. Or the default EIGRP interface profile should be used. A fault should also be raised if the EIGRP interface policy is not
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 1.1(2h), 1.2(0.58a) |
|
Known Fixed Releases: | 1.1(2.21), 1.2(0.80a) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv70149 | Title: | icmp traffic from fabric to L3out dead |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Traffic drop in communication with Layer3 Outside (represented by model class l3ext:Out).
Conditions: vzAny used on a node where Layer 3 Outside is deployed. vzAny is in same VRF as Layer3 Outside.
The above led to an implicit deny rule having higher priority than the required permit rule.
Workaround: Do not use vzAny in the same VRF and on the same node as Layer 3 Outside.
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 1.1(1.153a) |
|
Known Fixed Releases: * | 1.1(1r), 1.1(2.17), 1.1(2b), 1.2(0.49), 1.2(0.76a), 1.2(0.77b), 1.2(0.80a) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv74692 | Title: | Intuit Intersite traffic convergence takes more time |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: In a large-scale setup where tenant common contains most of the contract configuration, modification requests will be delayed when deploying to the switch.
Conditions: This can happen when many tenant configs are using contracts in tenant common.
Workaround:
Further Problem Description: Following are the config details.
1 Ctx, 3 Bds, 1400 EPGs and one contract per EPG, 1400 InstPs with one or more l3extSubnets(2125 l3extSubnets). All are in tenant common.
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 1.1(1q), 1.1(2c) |
|
Known Fixed Releases: | 1.1(2.17), 1.2(0.58a), 1.2(0.60), 1.2(0.76a), 1.2(0.77b), 1.2(0.80a) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu31633 | Title: | Policy Firmware errors with Operation Too Slow but CLI SCP works fine |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: APIC GUI fails to download firmware with the following error:
Failed to download the firmware image from source:, reason:unknown failure, details: Operation too slow. Less than 1000000 bytes/sec transferred the last 30 seconds
Conditions: Version 1.0(4h)
Workaround: use the APIC CLI command
SCP username@:// admin@localhost:/tmp
to download the firmware file to /tmp and import the firmware into the Management Information Tree with the APIC CLI command
cd /tmp Firmware add
Further Problem Description: The APIC GUI uses CURL to download the file and tracks the download speeds and terminates the download if the speed drops below 1 MB/s (Mega-Byte, not Mega-Bits).
The APIC CLI command SCP does not terminate the file transfer if speeds drop below a certain level.
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 1.0(4h) |
|
Known Fixed Releases: * | 1.1(2.17), 1.2(0.1), 1.2(0.62), 1.2(0.76a), 1.2(0.77b), 1.2(0.80a) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv96140 | Title: | adding l3out with no protocol removes interleak of existing proto |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When multiple L3 Outs are configured on the same Ctx and the same leaf, if the protocol configuration is inconsistent (one L3 Out is configured for OSPF, the other without protocols), the interleak configuration can become inconsistent
Conditions:
Workaround: After configuration of second L3 Out (without protocol) go back and redeploy first L3 Out with protocol (ospf in this case). Redeployment can be done by enable/disable OSPF, or by add/remove any l3extSubnet for first L3 Out
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 1.1(1r) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv89569 | Title: | N9K 9372 inlet sensor misbehavior |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: N9K-C9372 Inlet sensor reports invalid high temperature data. This will raise faults such as sensor temperature crossing minor/major threshold.
Conditions: Faults regarding sensor 1 crossing high temp threshold are cosmetic.
Workaround: No workaround currently.
Further Problem Description: Fix will be in future release.
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 11.0(4o) |
|
Known Fixed Releases: * | 11.2(0.48) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv65927 | Title: | ACI: PortChannel Member Policy for fast LACP timeout not working |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: LACP fast timeout on PortChannel Member Policy does not take effect when added as an Override policy on the Interface Policy Group
Conditions: Version 1.1(1j)
Workaround: None
Further Problem Description: To change the priority or timeout for LACP on a port-channel or vPC, you create a PortChannel Member Policy setting the timeout to Fast and apply the policy on the Interface Group Policy for the vPC or port-channel. The PortChannel Member Policy is applied as an Override Policy Group. After applying the policy, the other side still sees the fabric switches using a "slow" [30 second] timeout for the port-channel.
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(2.17), 1.1(2a), 1.1(2h), 1.2(0.49), 1.2(0.76a), 1.2(0.77b), 1.2(0.80a) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuw01175 | Title: | Some TACACS+ message types sent from ACI nodes missing remote address |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: ACI nodes do not send the Remote Address in TACACS+ authorization messages.
Conditions: Normal operation
Workaround: None
Further Problem Description:
|
|
Last Modified: | 30-AUG-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv94453 | Title: | VRF Context RD is set as 0:0 when "rd auto" is enabled |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When "rd auto" is enabled under VRF context, it is expected to concatenate . But for some VRF, it is set as 0:0
Failing VRF,
VRF-Name: TEST1, VRF-ID: 4, State: Up
    VPNID: unknown
    RD: 0:0 ===> RD set to 0:0
    VNI: 100001
    Max Routes: 0 Mid-Threshold: 0
    Table-ID: 0x80000004, AF: IPv6, Fwd-ID: 0x80000004, State: Up
    Table-ID: 0x00000004, AF: IPv4, Fwd-ID: 0x00000004, State: Up
Working VRF,
VRF-Name: TEST2, VRF-ID: 3, State: Up
    VPNID: unknown
    RD: 10.1.1.1:3
    VNI: 100004
    Max Routes: 0 Mid-Threshold: 0
    Table-ID: 0x80000003, AF: IPv6, Fwd-ID: 0x80000003, State: Up
    Table-ID: 0x00000003, AF: IPv4, Fwd-ID: 0x00000003, State: Up
Conditions: When "rd auto" is used under VRF context.
Workaround: Manually configure the RD under VRF context
N9K(config)# vrf context TEST1
N9K(config-vrf)# rd 10.1.1.1:4
N9K(config-vrf)# address-family ipv4 uni
N9K(config-vrf-af-ipv4)# route-target both 10.1.1.1:4
N9K(config-vrf-af-ipv4)# route-target both 10.1.1.1:4 evpn
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I2(0.559), 7.0(3)I2(1) |
|
Known Fixed Releases: | 7.0(3)I2(0.592), 7.0(3)I2(1) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCut84983 | Title: | Enforce log rotation for access.log |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
- Fault "Storage unit /data on node mounted at /data is X full"
- Output of du -H | sort -n (as root) shows that nginx is taking up a large amount of space, causing the above fault
Conditions:
- APIC running 1.0(3f)
- access.log file in /data/nginx/logs/ taking up a large amount of hard drive space
Workaround:
1. Access APIC as root
2. Remove access.log file from /data/nginx/logs
3. touch access.log file in /data/nginx/logs
4. Reboot APIC
OR
1. Upgrade code to fixed version and log will automatically rotate
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 1.0(3f) |
|
Known Fixed Releases: | 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv82826 | Title: | APIC Attach Command Using external instead of Authenticated user |
|
Status: | Other |
|
Severity: | 4 Minor |
Description: * | Symptom: When you SSH to the APIC with a TACACS account (say acsuser) and then attach to leaf101 with the attach command, the APIC by default uses "external@leaf101" instead of "acsuser@leaf101"
Conditions: 1. SSH to the APIC using a remote AAA user 2. Attach to a spine/leaf from the APIC with the "attach" command
Workaround: 1. Use the "ssh username@leaf" command. 2. Or customize the cisco av-pair on the TACACS server by adding the UID; however, at this stage Cisco ACS can only map a user to a shell-profile by group, which means each user has to be put into a dedicated group with a dedicated shell-profile.
Cisco-avpair = "shell:domains = all/admin/(16001)"
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 1.1(1j), 1.1(1o) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv94846 | Title: | some of the configured SSL Ciphers in nginx are not working |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: * | Symptom: When trying to connect to APIC OOB management IP address connection fails
Conditions: The cipher used is one of the following: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384
Workaround: Use one of the other configured ciphers: DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv86710 | Title: | IGMP Query messages sent from APIC via OOBMGMT |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: APIC sends IGMP v2 membership query messages to 224.0.0.1 out of its OOBMGMT interface
Conditions: None, this is configured in the Linux Kernel as the default behavior
Workaround: None
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(2.23), 1.2(0.69a), 1.2(0.71), 1.2(0.71c), 1.2(0.80a) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv81316 | Title: | no fault created when exceeding rising threshold for l2.IngrPktsPart5min |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: No fault was created although unicast packet counter exceeds rising threshold (critical) for class l2.IngrPktsPart5min
Conditions: Rising threshold (critical) for L2 unicast ingress packets is configured as monitoring policy and it is associated with an EPG. Then, exceeding the threshold as follows:
admin@apic1:~> moquery -d /uni/tn-TEST-A/ap-app/epg-EPG-A/CDl2IngrPktsPart5min-101
Total Objects shown: 1
# l2.IngrPktsPart5min
nodeId : 101
childAction :
cnt : 16
dn : /uni/tn-TENANT1/ap-app/epg-EPG1/CDl2IngrPktsPart5min-101
-----snip-----
repIntvEnd : 2015-08-04T19:02:23.183+09:00
repIntvStart : 2015-08-04T18:59:42.382+09:00
rn : CDl2IngrPktsPart5min-101
status :
unicastAvg : 691996
unicastBase : 0
unicastCum : 1195720569
unicastLast : 1554603
unicastMax : 2071286
unicastMin : 0
unicastPer : 11071950
unicastRate : 68854.982245
unicastSpct : 0
unicastThr : lastReadingCrit,lastReadingHigh <-- This indicates exceeding the critical threshold
unicastTr : 0
unicastTrBase : 26719631
Workaround: none.
Further Problem Description: This defect is under investigation.
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.2(0.62) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv80873 | Title: | CallHome E-mail Notification Has No From E-mail Address |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: The Call Home notification sent by the APIC/spine/leaf shows no From e-mail address even though one has been configured.
svc_ifc_eventmgr uses the "MAIL FROM" SMTP command to indicate the source; however, major SMTP servers such as IIS look for the From header inside the SMTP DATA command.
Conditions: Any SMTP servers other than SendMail
Workaround: Use SENDMAIL as the SMTP Server
Further Problem Description:
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 1.1(1j), 1.1(1o) |
|
Known Fixed Releases: * | 1.2(0.60) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv26878 | Title: | Local admin user logging in to APIC CLI with ssh key missing admin group |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: When logging in as a local user with admin privileges and using an ssh key, the admin group is missing from the user. When logging in as the same user with a password, the admin group is present. This creates an issue where the user wants to run `acidiag` commands, but is unable to because they logged in using ssh public key authentication.
Conditions: Logging into APIC CLI using SSH with public key authentication
Workaround: Use a password instead
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.119), 1.1(2h), 1.2(0.13), 1.2(0.32), 1.2(0.9a) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu56183 | Title: | trouble shooting wizard not work when source and dest use same MAC addr |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: source = 192.168.68.10 (in EPG group-1), dest = 192.168.66.10 (in EPG group-2). The two endpoints operate normally and use the same MAC address.
In the troubleshooting wizard, entering the source/dest IP addresses and starting the session gives the error message: "Error processing data returned from server: TypeError: Cannot read property 'nodes' of undefined"
Conditions: A switch is used to emulate endpoints, which results in the same MAC address with many IP addresses.
Workaround: Make sure the source MAC and destination MAC are not the same.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(0.867h) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu73404 | Title: | common domain not picked up at times causing l2RsPathDomAtt not deployed |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: When an endpoint group (EPG) is deployed on 2 interfaces of a ToR, one interface with the VLAN scope configured as global and the other configured as local, the common domain (the domain associated with both the EPG and the interface) needs to be picked for EPG deployment. At times, when the interface with a global VLAN scope is associated with multiple domains (domains with overlapping VLAN namespaces), instead of the common domain getting picked up for deployment, another domain gets picked up. This leads to an EPG not getting deployed on the port with a local VLAN scope.
Conditions:
Workaround: On the port the EPG deployment failed, undeploy and redeploy the EPG on that port.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(0.945) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv78766 | Title: | "%ETHPORT-3-IF_UNSUPPORTED_TRANSCEIVER:" for LOROM twinax cable |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom: Syslog message
%ETHPORT-3-IF_UNSUPPORTED_TRANSCEIVER: Transceiver on interface Ethernet1/5 is not supported
%ETHPORT-4-IF_NON_QUALIFIED_TRANSCEIVER: Non-qualified transceiver on interface Ethernet1/5 was detected
Conditions: When the following Twinax cable/SFP is inserted into a Nexus N9K-C9396PX running 6.1(2)I3(4b)
Ethernet1/5
    transceiver is present
    type is SFP-H10GB-CU5M
    name is CISCO-LOROM
    part number is LRHSPB54A050
    revision is B0
    serial number is XXXXXXX
    nominal bitrate is 10300 MBit/sec
    Link length supported for copper is 5 m
    cisco id is --
    cisco extended id number is 4
DOM is not supported
Workaround: Issue is cosmetic in nature as switch detects the SFP okay and interface also comes up okay.
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I3(4b) |
|
Known Fixed Releases: * | 7.0(3)I2(0.568), 7.0(3)I2(0.587), 7.0(3)I2(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv18401 | Title: | Please add additional recommended action for deployment-failed epg fault |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom: If the EPG tied to a VMM domain fails to deploy the fault recommended actions may not include an action that is specific to the use of static encapsulation. This could prevent customers from resolving the issue on their own.
Conditions: If a VMM domain is tied to an EPG with a Port Encap value but the encapsulation blocks for that domain are all dynamic, the deployment of the EPG will fail with a fault due to invalid encapsulation identifier.
The use of a Port Encap value when associating an EPG to a VMM domain requires a static encapsulation block at the VLAN pool used by the domain.
Workaround: Set the encap to an encapsulation that is in a static encap block.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.101a), 1.1(1.105a), 1.1(1.109a), 1.1(1.112a), 1.1(1.114a), 1.1(1.119), 1.1(2h), 1.2(0.13), 1.2(0.9a) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu92628 | Title: | Leaf - show endpoint command output hard to read |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom: The output from the "show endpoint" command is difficult to interpret.
Conditions: When running the "show endpoint" command on a Leaf CLI.
Workaround: None at this point, but it helps to keep the vlan/domain name length shorter than 35 characters.
Further Problem Description: The placeholder width for the vlan/domain name, as displayed in the "show endpoint" command, was just 15. Because of this, names longer than 15 were getting garbled. The width is now increased to 35.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: * | 1.1(1.75a), 1.1(1.78a), 1.1(1.81), 1.1(2.48), 1.1(2h) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv96656 | Title: | Double "/" added to remote path URL for remote location |
|
Status: | Other |
|
Severity: | 5 Cosmetic |
Description: | Symptom: Since 1.1(2h), the Remote Path must start with "/". However, one "/" is already appended to the IP address automatically, which results in a double "//" in the URL sent to the remote SFTP/SCP server.
For customers who use Cygwin as the SFTP/SCP server, the SFTP server won't work with this URL: "sftp://192.168.0.100:22//home/aci/Fabric3/" returns the error "No such file or directory. failed to send file"
Conditions:
Workaround: Use Postman to configure the remote location without "/" at the beginning
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 1.1(2h) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv78574 | Title: | encryption key pop-up not updating when encryption keys are cleared |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: * | Symptom: The Global AES Encryption pop-up opened from the Configuration Export Policy pane in the APIC UI may not update when changes are made.
Conditions: This occurs when the encryption key is updated using this pop-up. The old passphrase remains displayed even though the encryption key has been cleared.
Workaround: Close the pop-up; the Configuration Export pane will update to show that encryption is disabled.
Further Problem Description: None
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 1.1(2c) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv59075 | Title: | Update L4-L7 Compat List versions |
|
Status: | Open |
|
Severity: | 5 Cosmetic |
Description: | Symptom: Latest versions are unlisted
Conditions: http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/solution-overview-c22-734587.html
Workaround:
Further Problem Description:
|
|
Last Modified: | 23-AUG-2015 |
|
Known Affected Releases: | 1.0(4k) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut80948 | Title: | Need input validation for SCP backups via GUI |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom: SCP export on APIC fails with Fault F0053 during misconfiguration
"File x could not be uploaded. No such file or directory. Error in the SSH layer. failed to send file."
If the destination location is SCP and you do not specify a leading / before the remote path, the transfer could fail.
Example:
Remote Path: mnt/data (doesn't work)
Remote Path: /mnt/data (works)
Conditions:
- Configuring export to SCP remote location
- Configure remote path without a leading /
Workaround: Configure remote path with the required leading /
Further Problem Description:
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: * | 1.0(3i), 1.1(0.766m), 1.1(2h) |
|
Known Fixed Releases: | 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv99399 | Title: | ACI Support outbound and inbound prefix-list+routemap based filtering |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: ACI (as of 1.1(2h)) does not have the ability to perform inbound or outbound filtering of prefixes for routing protocols (BGP/OSPF/EIGRP) on a selective basis using a mechanism equivalent to those provided by prefix-lists.
Conditions: ACI version 1.1(2h) and lower
Workaround: Perform inbound/outbound route filtering at the routing tier connecting to the ACI border leaves
Further Problem Description: This is an enhancement DDTS that tracks the availability of "prefix-list" filtering functionality both in and out of the ACI fabric border leaves on a per neighbor basis.
|
|
Last Modified: | 28-AUG-2015 |
|
Known Affected Releases: | 1.1(2h) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv98285 | Title: | Warning Required Upon the APIC Upgrade If Any Major Faults Existed |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: If any major faults exist, upgrading the ACI fabric is very likely to cause an unexpected outage and put the customer into a very frustrating situation.
If a warning such as "There are $Number of major faults found, It is highly recommended to resolve those faults before the upgrade" were displayed when the customer attempts to upgrade the APIC or fabric, it would give the customer an indication and an opportunity to resolve the faults in order to prevent any unexpected outage after the upgrade.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 1.1(1r), 1.1(2h) |
|
Known Fixed Releases: * | 1.1(2.23) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv78429 | Title: | PIM Bidir src vlan bridging with DF intf presented would fail |
|
Status: | Terminated |
|
Severity: | 6 Enhancement |
Description: | Symptom: Bidir multicast traffic bridging on n9k doesn't work
Conditions: Traffic ingressing a DF Winner interface(non-DF), won't be bridged to local receivers.
Workaround: Move receivers on non-DF router or just use routing. This issue will be fixed in next maintenance release
Further Problem Description:
|
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I2(0.508) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu25181 | Title: | AAA provider config should create matching iptable rules on fabric nodes |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: The AAA providers time out for authentication on the ACI fabric nodes but not on the APICs.
Conditions: This occurs when the mgmt tenant has the default configuration.
Workaround: The mgmt tenant needs at a minimum a contract that permits the AAA provider protocols that are required (out-of-band contract in the case of the out-of-band EPG) applied for both provided and consumed as well as a subnet that permits the AAA provider
Further Problem Description: This request is being made to ask that the proper rules get updated on the fabric node when the AAA provider configuration is applied so that the mgmt tenant configuration is no longer required. |
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: * | 7.3(0)ZN(0.99) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu38573 | Title: | Feature Request - PVLAN functionality / Intra-EPG Isolation on ACI |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Unable to provide Intra-EPG isolation between endpoints. Similar feature to PVLANs.
Conditions: All versions of ACI up to 1.1(1)
Workaround: None. This functionality currently does not exist.
Further Problem Description: |
|
Last Modified: | 25-AUG-2015 |
|
Known Affected Releases: * | 7.3(0)ZN(0.99) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq78913 | Title: | ENH: Need to preserve CoS across ACI Fabric for IP packets |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: CoS is not preserved across the fabric for IP traffic.
Conditions: IP traffic comes into the ACI fabric over a trunk with Dot1p markings.
Workaround:
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 11.0(1b) |
|
Known Fixed Releases: * | 11.2(0.41), 11.2(0.46) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv39937 | Title: | Weak CBC mode and weak ciphers should be disabled in N9K |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Cisco Nexus devices running Cisco NX-OS may be flagged by security scanners due to the inclusion of SSH Ciphers and HMAC algorithms that are considered to be weak.
These may be identified as 'SSH Server CBC Mode Ciphers Enabled' and 'SSH Server weak MAC Algorithms Enabled' or similar. These are valid findings and are not false positives.
Conditions: Cisco Nexus devices running an affected version of Cisco NX-OS software.
The NX-OS SSH is enabled
Workaround: None
Further Problem Description: This defect was filed as an enhancement to have legacy weak Ciphers and MAC algorithms disabled in the product or to be user configurable, but off by default.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I3(2) |
|
Known Fixed Releases: * | 7.0(3)I2(0.490), 7.0(3)I2(1), 7.0(3)IMK2(1), 7.0(3)IMK2(1.15), 8.3(0)CV(0.123) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv94711 | Title: | Doc Bug- Static Binding (Leaves) behaviour |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Not able to assign IP address to an interface in one of the leaf switches for L3out
Conditions: There is a static binding (leaves) for that switch to assign that switch to some EPG
Workaround: Configure Static Binding (Path) instead for the interfaces to be used for an EPG.
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 1.0(3n) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu18737 | Title: | "ip http source-interface" is shown twice in config |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: The "ip http source-interface" command is shown twice in both running and startup config.
Conditions: The "ip http source-interface" command is shown twice in both running and startup config.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 26-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I3(4) |
|
Known Fixed Releases: * | 6.1(2)I3(4a), 7.0(3)I1(2.4), 7.0(3)I1(3), 7.0(3)I2(0.455), 7.0(3)I2(1), 8.3(0)CV(0.123) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu64002 | Title: | ACI nodes do not send Remote Address in TACACS+ message |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: ACI nodes don't send Remote Address in TACACS+ messages. Thus, the end point filter won't work on ACS for users authenticating on ACI nodes. Also, the IP addresses they are coming from won't be logged on ACS.
Conditions: normal operation
Workaround: none
Further Problem Description:
|
|
Last Modified: | 27-AUG-2015 |
|
Known Affected Releases: | 11.0(4) |
|
Known Fixed Releases: | 1.1(1.126a), 1.1(1.128a), 1.1(1.130a), 1.1(1.132a), 1.1(1.135a), 1.1(1.138), 1.1(2h), 1.2(0.16), 1.2(0.32) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu58380 | Title: | Prevent deletion of default controller scheduler policy "ConstSchedP" |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Cannot upgrade APIC controllers from GUI.
Conditions: This issue occurs when a user deletes the default controller scheduler policy "ConstSchedP."
Workaround: Reconfigure the default controller scheduler policy "ConstSchedP" manually.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(0.914a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu87040 | Title: | ARP Flood Checkbox BD Config Enhancement |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: When changing a BD configuration from the default of Hardware Proxy to L2 Unknown Unicast = Flood, the ARP Flooding checkbox is not automatically checked as well. After submitting the change without checking ARP Flooding, a Fault is raised (see attachment). When ARP Flooding is checked manually, the Fault goes away since this is a valid configuration.
Conditions: APIC GUI configuration for BD.
Workaround: Manually check the ARP Flooding checkbox.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 7.3(0)ZN(0.9) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv78581 | Title: | No such file or directory while executing the "show version build-info" |
|
Status: * | Other |
|
Severity: * | 6 Enhancement |
Description: | Symptom: The following is the command we executed on build 143. I got the following message.
Fretta-S1-bldchk1# show version build-info
cat: /isan/etc/build-info-system: No such file or directory
Fretta-S1-bldchk1#
Fretta-S1-bldchk1# show version internal build-identifier
nxos image file: bootflash:///sanity.image : S143
Fretta-S1-bldchk1#
Fretta-S1-bldchk1#
Fretta-S1-bldchk1# dir
20051 Aug 04 16:14:38 2015 20150804_161213_poap_6858_init.log
30643 Aug 09 00:23:01 2015 20150809_001939_poap_6574_init.log
983 Aug 10 10:58:45 2015 20150810_105824_poap_6587_init.log
368043008 Aug 12 15:32:52 2015 diag-sup-x86_64.0810
369482 Aug 11 18:06:55 2015 ethpm_info_global_testStaticRoute
4096 Aug 06 16:25:32 2015 home/
230802 Aug 11 18:06:55 2015 im_info_global_testStaticRoute
16384 Aug 04 13:07:45 2015 lost+found/
593994240 Aug 07 17:46:37 2015 n6700-dk9.7.0.3.I2.0.274P.143.gbin
593957376 Aug 10 14:34:00 2015 n6700-dk9.7.0.3.I2.0.274P.145.gbin
656077312 Aug 06 13:26:44 2015 n9000-dk9.7.0.3.I2.0.274P.126.gbin
656155136 Aug 06 12:34:59 2015 n9000-dk9.7.0.3.I2.0.274P.126.gbin.sys.135259mitrived
142707 Aug 09 00:23:02 2015 poap_debugs_6574.txt
19049 Aug 10 10:58:46 2015 poap_debugs_6587.txt
99735 Aug 04 16:14:38 2015 poap_debugs_6858.txt
593994240 Aug 06 11:28:03 2015 sanity-golden.gbin
656077312 Aug 06 14:09:37 2015 sanity-golden.image
593994240 Aug 06 11:46:11 2015 sanity.image
4096 Aug 04 13:10:09 2015 scripts/
5087933 Aug 09 02:55:05 2015 sh_tech_mod_all
249661 Aug 11 18:06:55 2015 tech_support_l3vm_testStaticRoute
4096 Aug 06 14:23:08 2015 virt_strg_pool_bf_vdc_1/
4096 Aug 06 14:20:11 2015 virtual-instance/
112 Aug 06 14:22:53 2015 virtual-instance.conf
Usage for bootflash://
5457014784 bytes used
227016171520 bytes free
232473186304 bytes total
Fretta-S1-bldchk1#
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 31-AUG-2015 |
|
Known Affected Releases: | 7.0(3)I1 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv63617 | Title: | Allow user to Admin Down APIC interfaces from GUI to clear fault F0103 |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Fault F0103 "Physical interface eth1/2 on Node 1 is now down"
Conditions: Eth1/2 on the APIC was connected at one point and then disconnected. The fault was raised and cannot be cleared via the GUI.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu63208 | Title: | ACI: Expected behavior for route leaking for Inter-Tenant\Context config |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Unexpected behavior seen with contract application on EPGs when using route leaking for Inter-Tenant and Inter-Context Communications.
Conditions: Fabric configured for route leaking for Inter-Tenant and Inter-Context Communications.
Workaround: Create public subnet under BD
Further Problem Description: Document expected behavior and valid configuration for route leaking for Inter-Tenant and Inter-Context Communications.
|
|
Last Modified: | 21-AUG-2015 |
|
Known Affected Releases: | 1.0(4h), 1.1(0.867h), 1.1(0.932a) |
|
Known Fixed Releases: * | 1.2(0.9a) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv87987 | Title: | N9K: Add Support for ARP ACL's in CoPP Policy |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: The Nexus 9000 NX-OS does not support the ability to configure ARP access-lists in the CoPP policy that enable a match on the source IP address.
Conditions: This feature applies to the CoPP policy.
Workaround: All ARP traffic can be policed in the CoPP policy (default). We can also match on the L2 MAC address using a MAC access-list. We just don't have the ability to match on the source IP address.
Further Problem Description: |
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 7.3(0)ZN(0.94) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCur50494 | Title: | ACI:N9K: Fabric init should pair node NTP to APIC to avoid clock prob |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: A fabric switch is unable to join a Cisco ACI fabric, potentially due to a certificate not being valid on the switch. Upon checking the system time on the fabric switch, it is found that the time is not synchronized with the rest of the fabric.
Conditions: The system time on the fabric switch is not synchronized with the rest of the fabric.
Workaround: No known workarounds.
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 1.0(1e), 1.0(1h), 1.0(1j), 1.0(1k) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv81972 | Title: | Allow sequential allocation of Vlans for Dynamic Vlan pools |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: When allocating vlans from a dynamic vlan pool, all vlans are allocated in a non-sequential manner. This results in increased coordination between the networking / ACI teams and the server (UCS-FI6296) teams to coordinate vlan allocation.
Conditions: Day-1
Workaround: No workaround
Further Problem Description:
|
|
Last Modified: | 20-AUG-2015 |
|
Known Affected Releases: | 1.0(2m), 1.0(3i), 1.0(4n) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv57830 | Title: | Reduce Collection Freq of FIB Overrun Syslog Messages |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Syslog messages overwhelm terminal session when excessive amounts of fib insertion failures occur within a short time frame.
Conditions: When there is a fib insertion failure, a syslog message is created for each insertion failure.
Workaround: No workarounds available at this time
Further Problem Description: Customer is asking for all FIB insertion error syslogs occurring within a configurable interval to be combined into one syslog message to reduce the overall number of syslogs occurring during such interval.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 6.1(2)I1(3.159) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv56986 | Title: | "show interface x/y transceiver detail" does not show light level |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: The interface on the leaf shows link failure, while the connection on the other end, to a non-ACI switch, shows up.
Conditions: The SFP was incorrect - One side was 1310nm and the other was 850nm. After replacing the SFPs to have 1310nm on all ports, everything came up and worked.
Workaround: There is no information in the interface output; the information has to be viewed physically. In many cases the data center is remote, which delays resolution of the issue.
Further Problem Description:
|
|
Last Modified: | 05-AUG-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur20013 | Title: | Fault should be raised when ACI fabric components are not synced w NTP |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: Traffic Map and atomic counters do not work as expected even though traffic is flowing correctly through the spine.
Conditions: When NTP time is not synchronized
Workaround: Fix the NTP time synchronization issue.
Further Problem Description: The objective of this bug is to provide a placeholder to raise a fault when such a scenario occurs so that we can alert the fabric admins to this being the case.
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.0(1e) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu71147 | Title: | APIC directly connected subnets don't get advertised in OSPF |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: With current Bputra FCS release, APIC doesn't advertise directly connected subnets in OSPF even if it is specified in rtctrl-export.
Conditions: In Intuit's ACI ASA and F5 Service design, one F5 is configured thru L3Out peer routing in their PCI Compliance context/segment with static routes for F5 VIP and SNAT subnets.
Both of the external and internal interfaces of the ASA firewall between the regular data context and Compliance context are configured as L3Out peer routing with OSPF.
The F5 connected subnet including its selfIP and float IP cannot be advertised thru OSPF with current Bputra release.
Workaround: Configure a static route that covers the connected subnet; the static route will then be advertised thru OSPF.
Further Problem Description:
|
|
Last Modified: | 19-AUG-2015 |
|
Known Affected Releases: | 1.1(0.936d) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1) |
|
|
| |