| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu05227 | Title: | vxlan tunnels removed when ports are removed/added into pc config |
|
Status: | Fixed |
|
Severity: | 1 Catastrophic |
Description: | Symptom:
VXLAN tunnels are removed when ports are removed/added into the PC configuration.
Conditions:
Workaround:
vem restart
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3.46a) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv03171 | Title: | APIC 1.1.1j : VMM crashes child (Rn) of class compIp is already attached |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
VMM process dumps core after upgrade to 1.1(1j)
In /var/log/dme/log/svc_ifc_vmmmgr.bin.log.stderr file we observe error message such as follows:
terminate called after throwing an instance of 'error::CoreException'
what(): child (Rn) of class compIp is already attached. dn[(Dn0)] Dn0=, Rn=ip-[fe80::aaaa:bbbb:cccc:dddd]
Conditions:
This problem occurs when duplicate IPv4/IPv6 addresses are reported by vCenter in the guest.net data of virtual machine (GuestInfo managed objects).
Such condition may occur, for instance, when virtual interfaces exist and IPv6 auto-configuration is enabled
Workaround:
Remove duplicate IP address configuration from the virtual machine.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1m), 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut64977 | Title: | N9K: odd number Vlans are missing in vtpVlanTable |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
vtpVlanTable does not instantiate odd numbered vlans during snmpwalk.
snmpget works fine for both odd and even vlans.
Conditions:
Permform snmpwalk on vtpVlanTable with odd numbered vlans (3,5,7,9 etc. configured).
Workaround:
Use snmpget to retrieve values for odd numbered vlans.
Further Problem Description:
The issue exists in NXOS software release 7.0(3)I1(1). The fix exists in 7.0(3)I2(1) and all the later releases.
|
|
Last Modified: | 08-OCT-2015 |
|
Known Affected Releases: | 7.0(3)I1(1.168) |
|
Known Fixed Releases: * | 7.0(3)I2(0.376), 7.0(3)I2(1), 7.0(3)ITI2(1), 7.0(3)ITI2(1.36), 7.0(3)IX1(1.256), 7.0(3)IX1(2), 8.3(0)CV(0.72) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuw63648 | Title: | dev-pkg fault, previous process was hanging around |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom:
APIC communication to ASA was broken due to hung up process
Conditions:
APIC communication to ASA was broken due to hung up process
Workaround:
none
Further Problem Description:
|
|
Last Modified: | 11-OCT-2015 |
|
Known Affected Releases: | 1.1(1s) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu05108 | Title: | On Vmotion the EP still has the previous Hv ID based useg applied |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
The Hypervisor based ( Host Matching) microsegment EPG for Source Host still applied on the Endpoint VM after vmotion to a different Host .
Conditions:
Vmotion of a VM between 2 hosts with Source Host having a Hypervisor ID based EPG policy applied .
Workaround:
None
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 7.3(0)ZN(0.8) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu79239 | Title: | core on ifc_reader - error cannot create or open DB ~/ifc_policymgr.db |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
APICs cored on the ifc_reader process with a error (Server error cannot create or open DB: var/run/mgmt/db/ifc_policymgr/S32_R1/ifc_policymgr.db) being displayed in the GUI anytime a policy is clicked on.
Conditions:
APICs core and lose connectivity to one another. APIC's believe they're fully fit but no longer have the one of the other APICs in topology.
Workaround:
none
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3f) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu75496 | Title: | Cannot configure L3 Out static route via GUI |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
Cannot create static route through the APIC when using GUI. The Prefix prompt will not recognize any value.
Conditions:
When attempting to add a static route through the GUI. Prefix prompt will not accept any value preventing the configuration to be completed.
Workaround:
Use CLI or REST API to add the external routed network if static routes are needed.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1c) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu83343 | Title: | Evaluation of fabric-apic for OpenSSL June 2015 |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: |
Symptom:
This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-4000, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, CVE-2014-8176
This bug has been opened to address the potential impact on this product.
Conditions:
Exposure is not configuration dependent.
Workaround:
Not available.
Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the
time of evaluation are: 7.8/6.4
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4j) |
|
Known Fixed Releases: * | 1.1(1.135a), 1.1(1.142), 1.1(2.17), 1.1(2b), 1.1(2h), 1.2(0.31), 1.2(0.41), 1.2(0.49), 1.2(0.76a), 1.2(0.77b) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu61826 | Title: | svc_ifc_opflexelem_core core encuntered with 1.0.4.j build |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:Opflex Element process restart on the ToR
Conditions:ESX host connect. Timing related. Cannot happen easily.
Workaround:No workaround necessary. opflex element process will restart automatically.
More Info:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 7.3(0)ZN(0.8) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu73003 | Title: | On downgrading some fvCEps are getting lost |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
Some end-points are not getting reported under EPG.
Conditions:
When leaves are downgraded in quick succession after APIC, this happens.
Workaround:
End-points will get reported successfully after they age out and learned again.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.945a) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv33239 | Title: | Loose-node not created after receiving conflicting LLDP mgmt IPs |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
Loose node is initially created, but quickly deleted on specific leaf node.
Conditions:
Following port-channel bringup, leaf node momentarily received conflicting LLDP mgmt IPs for links within a port-channel.
Workaround:
Shut / No shut of the affected port-channel.
Clear reload of switch
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: * | 1.1(1.114a), 1.1(1.119), 1.1(1n), 1.2(0.16), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu42733 | Title: | APIC with different image in existing cluster causes inconsistent state |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
The APIC appliance sees a crash in the DMEs while getting a replication transaction, or when a configuration is missing on the APIC that was introduced with different version.
Conditions:
This issue occurs in an existing cluster:
- If an appliance is decommissioned and brought back with a different version than other appliances, which are in majority
- If an appliance is introduced as a new appliance to extend a cluster but is running a different version than other appliances
Workaround:
Before introducing new appliances in the existing cluster, make sure it is running the same version as other appliances. If the appliance is already introduced with a different version, to fix this problem:
1. Decommission the appliance that is running a different version (decommission is done from the other appliance in the cluster)
2. Upgrade to the same version as the rest of the cluster (acidiag installer)
3. Reboot clean of the appliance after it has been upgraded (eraseconfig)
4. Commission appliance back in the cluster
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4h), 1.1(0.895a), 1.1(0.897a), 1.1(1.90a), 1.1(1j) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu36916 | Title: | ACI : ARP storm on l3out blocks ARP reponses to infra pool |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptoms:
The iStack does not provide adequately process a large volume of ARP messages and puts the processing to the CPU. This can cause the system to
appear to become unresponsive during an ARP-storm. The system will recover when the ARP-storm passes.
<B>Symptom:</B>
APIC unable to resolve ARP requests when there are a large number of ARP messages.
<B>Conditions:</B>
A large number of ARP messages must be present on the VLAN.
<B>Workaround:</B>
None
Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/2.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.0(3f), 11.0(4) |
|
Known Fixed Releases: * | 1.1(0.902a), 1.1(0.904), 1.1(1j), 1.1(2.24), 1.2(1.17), 11.1(0.220) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu61433 | Title: | Dupe Tunnels after detach / Attach host causing epm core |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:Crash in epm on leaf switch due to duplicate tunnels
Conditions:This can happen when the southbound tunnels are created with AVS/Microsoft/VMware vShield. In certain conditions e.g. host attach/detach the old tunnels was not getting cleaned.
Workaround:Clean reboot leaf
More Info:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 7.3(0)ZN(0.9) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv55863 | Title: | traffic loss due to invalid pcTag for actrlPfxEntry |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
Traffic loss due to invalid pcTag in the node for external subnet's Prefix Entry (represented by model class actrl:PfxEntry).
Conditions:
1. Configure l3extInstPs on l3out
2. Add contract relation between the l3extInstPs and EPGs
3. Delete the l3extInstPs
4. Repeat steps 1 to 3
Workaround:
Clean reboot the node.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1o) |
|
Known Fixed Releases: * | 1.1(1.142), 1.1(1r), 1.2(0.41), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu06634 | Title: | Enable func type option for LDev in Device wizard |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
The package is device only supports go throught. However when user create a service graph using those package devices, those device's mode becomes go to.
That was the bug which has already been resolved.
Conditions:
N/A
Workaround:
Do not need workarounds. Already fixed.
Further Problem Description:
No futhere problem
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4l), 1.1(0.839a) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu27351 | Title: | Unable to change the PN to 'Unenforced' |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
Command fails with error "Configuration is invalid due to GraphInst does not have any configuration parameters" after a policy based upgrade.
Conditions:
Policy-based upgrade was done from 867d or earlier image to a latter version
Workaround:
Please run the script cleanupRsLIfCtxToBD.py by pointing it at your APIC ip address. Script can be obtained from AS folks
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.867b), 1.1(0.872a) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu58397 | Title: | scripthandler memory usage is linearly increasing |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
The memory usage of scripthandler keeps increasing. This should happen only when L4L7 device packages are used in the APIC. The issue specifically happens when a device package is removed and installed again.
Conditions:
This issue does not happen every time a device package is removed and installed. There is a timing element to this and the issue is seen only when multiple conditions occur together.
Workaround:
Delete the L4L7 device package and install them again.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.912a) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu53624 | Title: | Top level folder names with default names are not marked RED |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
user can submit the template even the top folder has a name ends with -default and it is red.
Conditions:
after fix,if top folder has a name ends with -default, it can not be submitted.
Workaround:
None
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4g), 1.0(4l) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv49478 | Title: | Tenant add/delete causes contract associations to fail with vzAny |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
BD routes were not programmed on the border leaf.
Conditions:
policyelem was missing vzAnyDef for the affected VRF. fvPndgAnyDefCont contained several vzRsToAnyDef with missing-target and no vzAnyDef existed on switch for the affected VRF.
This can be seen when a tenant is added-deleted that contained a tie in to vzAny. You will find that the old tenant still has an fvRsToRemoteAnyDef even though that tenant no longer exists. This object will also be in a missing-target state.
Workaround:
1. Clean reboot of the leaf should fix policy resolution.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1.121a) |
|
Known Fixed Releases: * | 1.1(1.138), 1.1(2h), 1.2(0.41), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu97734 | Title: | Flapping "reverse port filter" creates a stale rule |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
Traffic is still allowed even though it is expected to be blocked
Conditions:
Condition 1 :
Flapping "reverse port filter" 3 or more times.
Condition 2 :
When using vzAny and consumer/provider endpoints reside in different leaves, deleting one of the subject from the contract. This condition is not related to "reverse port fitler" existence.
Workaround:
Non-disruptive workarounds:
1. Remove and re-apply the contract
2. Remove the filter association from the subject and re-apply
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: * | 1.1(1.83a), 1.1(1.86a), 1.1(1.87), 1.1(1r), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu64031 | Title: | aclqos Core downgrading from 936a to 4h |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
When downgrading fabric from 1.1 release to an earlier release, aclqos process is coring
Conditions:
This will happen if IPv6 L3 prefixes (l3extSubnet) are configured on the system, and then fabric is downgraded.
Workaround:
Please use one of the following workarounds:
1. Delete IPv6 prefixes before downgrading leafs
2. Downgrade APICs before downgrading leaves
3. Downgrade leaves to version 1.04K or later
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.0(4) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu40110 | Title: | Fex not coming up with fabric L2 mtu size change |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
FEX not coming up.
Conditions:
Fabric MTU is set below 1500.
Workaround:
Don't set fabric MTU below 1500.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.890a) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuw37030 | Title: | show queuing interface ethernet is showing incorrect pg id |
|
Status: | Open |
|
Severity: | 2 Severe |
Description: | Symptom:
show queuing interface ethernet is showing wrong cos to PG mapping
Conditions:
configure more than 1 queue
Workaround:
configure 1 queue
Further Problem Description:
|
|
Last Modified: | 05-OCT-2015 |
|
Known Affected Releases: | 7.0(3)IFD1(0.17) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw20223 | Title: | [Camden][N9K] Flows fail to install if port-channel used as output port |
|
Status: | Fixed |
|
Severity: | 2 Severe |
Description: | Symptom:
When user tries to install a flow low installation fail if the monitor device is connected to port channel that consists of 40G interface ports
Conditions:
For NDB 2.2 when connected to a Openflow device of N9K platform of Camden image
Workaround:
Wait for Camden MR1 release and update the N9K device the image with Camden MR1
Further Problem Description:
|
|
Last Modified: | 06-OCT-2015 |
|
Known Affected Releases: | 7.0(3)I2(1) |
|
Known Fixed Releases: * | 7.0(3)I2(1.16), 7.0(3)I2(2), 7.1(0)I3(0.48), 7.1(0)I3(1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv56042 | Title: | dot1dStpPortTable does not instantiate some interfaces |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
dot1dStpPortTable does not instantiate some interfaces
Conditions:
Mibwalk dot1dStpPortTable for a given vlan or mst context.
Workaround:
None.
Further Problem Description:
The fix exists in NXOS software release 7.0(3)I1(3), 7.0(3)I2(1) and all the later releases.
|
|
Last Modified: | 02-OCT-2015 |
|
Known Affected Releases: | 7.0(3)I2(0.494) |
|
Known Fixed Releases: * | 7.0(3)I2(0.519), 7.0(3)I2(1), 7.0(3)I2(1.5), 7.0(3)I2(2), 7.0(3)IMK2(1), 7.0(3)IMK2(1.65), 7.0(3)ITI2(1), 7.0(3)ITI2(1.36), 7.0(3)IX1(1.247), 7.0(3)IX1(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu83805 | Title: | N9000 CoPP acl statistics not working |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
ACL stats under "show system internal access-list input entries detail" is not shown for CoPP ACLs
Conditions:
CoPP stats were disabled in the previous release as part of efforts to batching/ reducing delay for fetching stats of CoPP ACLs across all modules.
Enabling it now to help troubleshoot CoPP related issues.
Workaround:
Further Problem Description:
|
|
Last Modified: | 02-OCT-2015 |
|
Known Affected Releases: | 7.0(3)I1(2) |
|
Known Fixed Releases: * | 7.0(3)I1(2.6), 7.0(3)I1(3), 7.0(3)I2(0.486), 7.0(3)I2(1), 7.0(3)IMK2(1), 7.0(3)IMK2(1.15), 7.0(3)ITI2(1), 7.0(3)ITI2(1.36), 7.0(3)IX1(1.247), 7.0(3)IX1(2) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv89898 | Title: | Switch Crash due to EPMC process |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom:
The Parent Leaf of the FEX crashes when the EP moves from AVS to a host connected to the FEX.
Conditions:
Fex is single homed to the crashed leaf, while AVS is vPC'ed to this and another leaf.
Crash happens when the EP moves from AVS to a host connected to the FEX.
Workaround:
Not move EP from AVS to FEX
Further Problem Description:
none
|
|
Last Modified: | 03-OCT-2015 |
|
Known Affected Releases: | 11.1(2h) |
|
Known Fixed Releases: * | 11.2(0.45) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuw35569 | Title: | PFC SubTlv in Dcbx tlv shows # of pfc VL supported as 8 but can conf 4 |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom:
PFC Subtlv shows "Number of TC that can simultaneously support PFC" field as 08 but we can configure maximum of 04 TC simultaneously for PFC
Conditions:
All Conditions
Workaround:
NA
Further Problem Description:
NA
|
|
Last Modified: | 05-OCT-2015 |
|
Known Affected Releases: | 7.0(3)IFD1(0.17) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuw35542 | Title: | sh qos dcbxp incompatibility interface showing wrong local pg info |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom:
showing invalid bandwidth value and showing wrong PG-cos mapping in show qos dcbx incompatible interface
Conditions:
when there is PG params mismatch
Workaround:
configure same PG params on both side
Further Problem Description:
|
|
Last Modified: | 05-OCT-2015 |
|
Known Affected Releases: | 7.0(3)IFD1(0.17) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuw54615 | Title: | Havasu: CRC frames getting dropped in cut-through mode |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom:
Packets with Bad CRC get dropped at switch ingress.
Conditions:
Switch is programmed in cut-through mode. i.e.
no switching-mode store-forward
Workaround:
None
Further Problem Description:
If the switch is programmed to operate in the cut-through mode then the packets ingressing with bad CRC get dropped. This is true for packets of all sizes.
|
|
Last Modified: | 06-OCT-2015 |
|
Known Affected Releases: | 7.0(3)IX1(1.239) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuw61183 | Title: | persistent fault of [FSM:FAILED]: Addition or Deletion of Port Group |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom:
Persistent fault of [FSM:FAILED]: Addition or Deletion of Port Group seen on APIC after remove/restore tenant config.
Conditions:
Large scale tenant config with 2400 EPGs, and APIC is integrated with VCenter 5.5 using AVS/VxLan mode.
Workaround:
N/A
Further Problem Description:
|
|
Last Modified: | 09-OCT-2015 |
|
Known Affected Releases: | 1.1(1s) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw47383 | Title: | Need default route for ospf |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom:
Default route injection for OSPF is not supported in the CLI with the current software version for EFT. It will be supported in the next version.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 10-OCT-2015 |
|
Known Affected Releases: | 1.2(0.132) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu84437 | Title: | Vmk attach not sent as Fabric fails to send DVS policy in certain cases |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Vtep Tunnels for vxlan Loadbalancing might go missing leading to traffic drop when opflex times out due to stress load on rebooting couple of hosts with a few hundred veths.
Conditions:
This is seen in stress conditions on hosts with multi vmk foe VXLAN Loadbalancing configured which might be triggered due to conditions like when hosts with few hundred veths are rebooted with microsegmentation enabled .
Workaround:
Vem restart on the host after Verifying that the same number of tunnels do not exist on the TOR as the number of VEM vmks ,
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1g) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu11669 | Title: | pam.module.log not rotating on switch |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
The installer can fail as one of the partitions on the switch is full.
Conditions:
Switch has been running for some time.
Workaround:
Rrun 'df -h' on the switch and check all partitions that are full and cleanup unwanted files. For this specific bug remove the pam.module.log file from /var/run/mgmt/log.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.0(4) |
|
Known Fixed Releases: * | 1.1(0.855), 1.1(0.867g), 1.1(0.873), 1.1(0.892a), 1.1(0.895a), 1.1(0.897), 1.1(1j), 1.1(2.24), 1.2(1.17), 11.1(0.216) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu75974 | Title: | Multiple tunnels for AVS host with VXLAN LB goes missing while upgrade |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Traffic loss as the Tunnels for multi vmk host configured for VXLAN Loadbalancing go missing on the TORs while doing an upgrade of the system
Conditions:
Tunnels can go missing on hosts configured for VXLAN LB while upgrading leading to traffic loss .
Workaround:
Tunnels will be formed back after you do the following workaround on the host.
??? Do a Vem stop
??? wait for 5 mins (so that Odev is deleted)
??? then do vem start.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1c) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu10767 | Title: | No fault raised when Gipo address falls within VMM domain mcast pool |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Multicast and broadcast traffic fails on one endpoint group.
Conditions:
This issue occurs when the VMM Domain is in AVS VXLAN mode, and the domain multicast address overlaps with the multicast address pool range.
Workaround:
1. Delete VMM domain and re-create with a multicast address that does not overlap with the multicast pool.
OR
2. Leave the broken EPG as is (ie, do not delete it), and move ports on that EPG to another newly created EPG.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu63849 | Title: | VMNetworking config is not wiped out after replace config via import |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
When executing config import with replace option, some vmm domains may remain on the system
Conditions:
This will happen when there are no VMM domains in the exported configuration
Workaround:
Manually delete the VMM domains, either before or after import.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.932a) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu16881 | Title: | downloaded-image-bad fault raised for downloaded images |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
A fault is raised indicating that an image downloaded into the repository is bad, whereas the image is good.
Conditions:
Intermittently when running 1.0(4*) image on APIC cluster.
Workaround:
Delete the image from firmware repository and re-download the image into repository.
Further Problem Description:
Fault is raised incorrectly for a good image. Image is added to the repository and is good. This bug has no impact on the functionality of upgrades.
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4f) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv34275 | Title: | acidiag bond0test brings APIC interface down |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Cisco APIC interface connection into the fabric may go down when using the command "acidiag bond0test"
Conditions:
Cisco APIC interface connection into the fabric may go down when using the command "acidiag bond0test". bond0test attempts to bring down the connections of the APIC to the fabric while testing each link by pinging a known address. However, if a non-default infra subnet range it used, the test will fail and one of the interfaces will remain down. Default subnet range is 10.0.0.0/16.
The command "ip link show" on the APIC for the bond0 interface will show the bonded interfaces and status.
Workaround:
If this occur, reload the APIC to bring the interface back up.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j), 1.1(1o) |
|
Known Fixed Releases: * | 1.1(1.135a), 1.1(1.138), 1.1(2h), 1.2(0.41), 1.2(0.49), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv12776 | Title: | APIC GUI Slow response for "Tenant" tab with 6000 tenants |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
APIC GUI slow response when moving into "Fabric" tab.
Conditions:
6000 tenants
Workaround:
none
Further Problem Description:
none
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCup81384 | Title: | Need to improve the write erase command |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: * | Symptom:
We need a way to improve the write erase command to allow users to be able to delete the mgmt interface without having to delete the boot variables.
Conditions:
None
Workaround:
None
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 6.1(2)I2(3) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut93251 | Title: | End Point Attach/Detach Fails with Multiple Graphs |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
When the same end points are used for multiple service graphs, attach/detach notifications only occur for one of the graphs in certain scenarios.
Conditions:
- L4-7 device package integration for ADCs (Citrix, F5, etc.)
- End point attachment notifications enabled
- Multiple service graphs using the same provider EPG
Workaround:
None.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3m), 1.1(0.766m) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv57705 | Title: | Export job not marking scheduler window instance as executed |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Export job is not running at configured intervals
Conditions:
Scheduler name is longer than 16 characters
Workaround:
1. Use a scheduler name less than 16 characters
or
2. Configure window length of the scheduler to be ~1-2 minutes
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4o) |
|
Known Fixed Releases: * | 1.1(1.142), 1.1(2h), 1.2(0.41), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu84727 | Title: | ifav41 - UID of user configured MO's becomes 0 after config import |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
UID property is set to 0 for objects created during config import
Conditions:
This happens during atomic import (best effort is not affected by this) for objects that are created during import (object does not already exist)
Workaround:
Use best-effort import, or delete / recreate the affected objects. Note that there is no functional impact of UID being 0. All features will continue to work.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1g) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv44272 | Title: | Cannot deploy service graph with imported L4-L7 device |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Imported L4-L7 device fails to deploy with
Server Error:400 - unknown property value TR-ASAv, name tDn, class vnsRsLDevCtxToLDev
[(Dn0)] Dn0=,
Conditions:
Workaround:
Modify POST manually to include full DN of attribute tDn for object vnsRsLDevCtxToLDev and send POST through API
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.128a), 1.1(1.130a), 1.1(1.132a), 1.1(1.135a), 1.1(1.138), 1.1(1r), 1.2(0.41), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu02547 | Title: | Port is in out-of-service after add/delete from existing Port-Channel |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Port is in out-of-service after add/delete from existing Port-Channel
Conditions:
* Port is getting used by an l3Out
* subinterface is deployed on the port.
* Port is added to an existing port channel.
Workaround:
* Remove the port from the port-channel.
* Delete the relationship between the l3Out (specifically the relationship to the path present under the l3ext::LIfP) and the port. It will convert the port to layer-2 and will delete the sub-interface.
* Re-add the relationship. It will re-deploy the sub-interface and bring the port in-service.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3.48a) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut98699 | Title: | FCS+9 On-line help page content empty for 3ext_infoSubnetA_info |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | This is only for the FCS+9 release which hasn't shipped yet.
Symptom:
The online help page is blank when the "i" symbol is selected for the subnet entry for the tenant created external instance profile.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.825a) |
|
Known Fixed Releases: * | 1.1(0.890), 1.1(1j), 1.1(2.24), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv04692 | Title: | vPC is down : Fault F1296 raised for vPC in Disabled state |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Fault F1296 "vPC down" raised even if vPC has been disabled from the WebUI
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.0(4) |
|
Known Fixed Releases: * | 1.1(1.155a), 1.1(1.157a), 1.1(1.159b), 1.1(1.95a), 1.1(1.97), 1.1(2.17), 1.1(2a), 1.1(2h), 1.2(0.13), 1.2(0.49) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu61394 | Title: | naming a vcenter domain 'vm' leads to it failing to deploy |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
The DVS is not created on the vCenter in some circumstances and an FSM fault may be raised.
Conditions:
This occurs if the VMM Domain is named 'vm', 'datastore', 'host' or 'network'.
Workaround:
Use a different name for the vCenter Domain.
Further Problem Description:
None.
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.867h) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu52922 | Title: | Display Virtual Device ID in Deployed Device Properties |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
The F5 BIG-IP, when used with ACI device package integration, creates a unique partition for each ACI tenant. The partition name is in the format:
apic_XXXX
where XXXX is the ACI L4-7 virtual device ID. This value is currently not displayed in the APIC GUI.
Conditions:
ACI L4-7 device package integration with F5 BIG-IP
Workaround:
You can query the vnsVDev class in the ACI object model to determine the tenant and context a L4-7 virtual device is associated with.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3n) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu56218 | Title: | fabric not converged with mtu size of less than 1500 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Leaf node is not joining the fabric after:
1. Change fabric mtu size to some value less then 1500.
2. Reload the leaf after that.
After this Infra vlan on that leaf node ends up using the fabric mtu.
Conditions:
Fabric mtu size changed to some value less then 1500.
Workaround:
Change the fabric mtu size to a value greater then 1500 and clean reboot the leaf.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.1(0.225) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv20590 | Title: | MAX_COMPONENTS exceeded error should state what the max is |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
When a filter is used on the APIC REST API, the error: "filter::Composite::MAX_COMPONENTS exceeded." may be seen.
Conditions:
This will be seen if there are more than 20 filter expressions.
Workaround:
Do not use more than 20 filter expressions.
Further Problem Description:
This request is to enhance the error returned from the REST API to indicate what the maximum number of filter
expressions are so that users of the REST API can adjust the queries without having to guess at the maximum.
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.114a), 1.1(1.119), 1.1(1.147a), 1.1(1.149a), 1.1(1.150), 1.1(2h), 1.2(0.16), 1.2(0.49), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu56390 | Title: | reload command does not work for 9504 switch in ACI mode |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
The reload command produces no output and no response when executed on the 9504 switch.
Conditions:
This occurs when the 9504 is running an ACI image.
Workaround:
You can use either of the following options:
vsh -c "reload"
Or:
system-reboot
Or:
Call TAC and ask that the TAC engineer login as root and use 'shutdown -r now'.
Further Problem Description:
None
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.1(0.208) |
|
Known Fixed Releases: * | 1.1(0.945a), 1.1(0.949a), 1.1(1j), 1.1(2.41), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv03823 | Title: | Please raise a warning or minor fault if only one apic in cluster |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
An ACI Fabric should have 3 APICs in a production cluster to have the best minimum redundancy and avoid the
potential for data and config loss. There is no fault raised if the number of APICs is less than 3.
Conditions:
If the number of APICs is less than 3, no fault is raised.
Workaround:
None.
Further Problem Description:
The solution to this was not a fault but rather an alert is printed in Red when the user can read the controller status and the number of controllers in the cluster is less than 3.
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.130a), 1.1(1.132a), 1.1(1.135a), 1.1(1.138), 1.1(2h), 1.2(0.1), 1.2(0.41), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu73403 | Title: | nwissues raised on contract |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
"actrl::PfxEntry in use" fault raised on an l3ext::InstP even though the prefix is not colliding with any other l3ext::InstP.
Traffic is not impacted.
Conditions:
* Transit case and actrl::PfxEntry installed on remote TOR with proper PcTag.
* The l3ext::InstP's pctag changes and has to get propagated to the actrl::PfxEntry on the remote TOR.
* PcTag gets propagated properly but also raises an "actrl::PfxEntry in use" fault.
Workaround:
If possible, acknowledge or ignore the fault otherwise delete & reconfigure the Prefix from the l3ext::InstP.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.949a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu75565 | Title: | APIC GUI does not displays incorrectly API configured subjects |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
The vzRsSubjFiltAtt within InTerm/OutTerm in a vzSubj does not show in APIC GUI.
Conditions:
The vzSubj is configured by XML API.
Workaround:
There is no way to find it from GUI until export the configuration. To delete it, it can only be done by the XML API.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3k), 1.0(4h) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu35714 | Title: | TSW: traceroute doesn't allow changing from udp/tcp to icmp |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
In troubleshooting wizard CLI protocol for traceroute can't be changed to icmp without first stopping the traceroute session.
Conditions:
Traceroute session is active and it is not in stopped state.
Workaround:
Stop the traceroute session before changing the protocol to icmp.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.884a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu84391 | Title: | Cisco LAN Switch Software Password Exposure Vulnerability |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptoms:
A vulnerability in Cisco LAN Switch Software could allow an authenticated, remote attacker to expose passwords in plain text format.
The vulnerability is due to older versions being able to decrypt passwords. An attacker could exploit this vulnerability to expose passwords in
plain text format.
Conditions:
Device running with default configuration running an affected version of software.
Workaround:
None.
Further Problem Description:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4213 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1g) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu00707 | Title: | [epRetPol][tn-common]: seeing epRetPol on some nodes not updated |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Changes to default endpoint retention policy is not getting applied to all Ctx
Conditions:
This can happen if Ctx is not explicitly referring to default policy.
Workaround:
Explicitly associate Ctx with default policy
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3.47a), 1.1(0.867g) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu56165 | Title: | [eft-bputra] Contracts: InterTenant\Context issues when vzAny configured |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Endpoint groups (EPGs) can communicate across VRFs when no contract is configured.
Conditions:
This issue occurs when a vzAny contract (a contract for a collection of endpoint groups within a context) is configured and provided in a Private Network in a tenant, and an EPG in the same tenant consumes a shared service contract provided by a different tenant or a different context (Private Network).
Workaround:
Use a specific consumer and provider instead of vzAny.
Further Problem Description:
The vzAny contract causes a rule with any (*) pcTag. This rule allows traffic from EPgs from a different VRF when not expected.
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.867h) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu60758 | Title: | contracts were not created after delete/add tenant Tl3out1 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
The proper rules did not get installed properly after deleting or adding a tenant.
Conditions:
This issue occurs when the tenant has a contract in tenant common that was used by many hundreds of EPGs. Due to a timing issue, in one case, cleanup/restore did not happen correctly.
Workaround:
Delete or recreate the affected EPGs relation to the contract.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.907g) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu74771 | Title: | leaf removal notification to topomgr |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
There is no notification or message sent to topomgr regarding the leaf being decomissioned. So this grpref wouldn't get deleted. Also state transitions of grpref happens based on the notifications form leaf. When a decomission happens there is no communication between leaf and apic to remove this.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1b) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu84497 | Title: | tech-support trim functionlaity got broken with latest release via UI |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
If user selects a custom time range while keeping the category field to be "system info" in GUI for techsupport policy then techsupport files are not exported.
Conditions:
Techsupport policy configured via GUI with custom (i.e. non-default) time range and category is "system info" (same as "all").
Workaround:
Any of the following workarounds can be used:
(a) Enumerated the specific categories required without selecting "system info" via category selection popup in GUI.All the categories can be selected to get the same behavior as "system info" Then custom time range can be used.
(b) Don't change time window and category - i.e. leave them to their default values
(c) Use CLI to collect tech support with custom time range and "system info" category
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1h), 1.1(1i) |
|
Known Fixed Releases: * | 1.1(1.142), 1.1(1.149a), 1.1(1.150), 1.1(1l), 1.2(0.1), 1.2(0.41), 1.2(0.49), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv01243 | Title: | Tunnel intf missing on TOR after MTU change/ host reload |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Tunnel interface for non-opflex vmknic to the AVS host is missing on the TOR/leaf.
Conditions:
When the MTU of the VMKNIC on the ESX host ( Either opflex vmknic or LB VTEP) is changed . Also happens ( rarely ) when the ESX host is reloaded.
Workaround:
Issue a vem stop on the AVS host and wait for 5 minutes followed by a vem start
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4o) |
|
Known Fixed Releases: * | 1.1(1.119), 1.1(1j), 1.2(0.32), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu09759 | Title: | Add a configuration knob to enable/disable BD Subnet check for IP learn |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
The new BD subnet check knob for IP learns is applicable only for IPv4 endpoints. Support for IPv6 endpoints is added in the next maintenance release.
Conditions:
IPv6 addresses can be learnt by the leaf node even if the IPv6 address of the endpoint is outside the configured BD IPv6 subnet range.
Workaround:
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.1(0.202) |
|
Known Fixed Releases: * | 1.1(0.887a), 1.1(0.890a), 1.1(0.892a), 1.1(0.895a), 1.1(0.897), 1.1(1j), 1.1(2.24), 1.2(1.17), 11.1(0.214), 11.1(0.215) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv18090 | Title: | Duplicate l3extRsPathL3OutAtt.addr prevents DHCP Relay creation |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
An administrator attempts to configure a DHCP Relay Policy under a tenant and defines a DHCP server that is located outside the Cisco ACI fabric using an L3out. The following error is generated:
"Server Error:400 - child (Rn) of class dhcpGwDef is already attached. dn[(Dn0)] Dn0=, Rn=gwdef-[IP_ADDRESS],"
The administrator may also be attempting to configure a second Logical Interface Profile with the same IP address as the first on an L3out and a DHCP Relay Policy already exists that specifies the L3out.
Conditions:
An L3out is configured that has two Logical Interface Profiles that have matching IP addresses. This includes VPC SVI configurations that have 0.0.0.0 configured by default and cannot be changed.
Workaround:
Remove the second Logical Interface Profile that has the same IP address as the first on an L3out. This may restrict potential L3out configurations.
Change the IP address of the second Logical Interface Profile. This is not possible with a VPC configuration using SVI.
Provide DHCP services via an alternative means, such as via an Application EPG or L2 External Network.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j), 1.2(0.1) |
|
Known Fixed Releases: * | 1.1(1.101a), 1.1(1.105a), 1.1(1.109a), 1.1(1.112a), 1.1(1.114a), 1.1(1.119), 1.1(2h), 1.2(0.16), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu33503 | Title: | Allow both directions rules missing for inter-tenant shared EPG contract |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Inter-tenant contract is missing rules to allow return traffic in provider context/scope if both EPGs are shared.
Conditions:
Consumer and Provider EPGs are in different tenants and network contexts (VRFs).
Both consumer and provider EPGs are configured as shared.
Contract rule is using 'Allow both directions'.
Workaround:
Create a separate rule in the provider contract to allow the return traffic.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4h) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv65927 | Title: | ACI: PortChannel Member Policy for fast LACP timeout not working |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
LACP fast timeout on PortChannel Member Policy does not take effect when added as an Override policy on the Interface Policy Group
Conditions:
Version 1.1(1j)
Workaround:
None
Further Problem Description:
To change the priority or timeout for LACP on a port-channel or vPC, you create a PortChannel Member Policy setting the timeout to Fast and apply the policy on the Interface Group Policy for the vPC or port-channel. The PortChannel Member Policy is applied as an Override Policy Group. After applying the policy, the other side still sees the fabric switches using a "slow" [30 second] timeout for the port-channel.
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(2.17), 1.1(2a), 1.1(2h), 1.2(0.49), 1.2(0.76a), 1.2(0.77b), 1.2(0.80a), 1.2(0.83), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut96132 | Title: | Pro epg shared subnet configured as non-shared in concrete model |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Remote endpoints of shared service provider EPG not getting unlearned on consumer leaf.
Conditions:
This can happen if there is vzAny and shared service provider in the same Context / VRF
Workaround:
Workarounds:
1. Delete and re-add the subnet under the shared service provider epg.
2. Change description of the EPg.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3.42a) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv03266 | Title: | Selecting No for Close Confirmation Exits Wizard |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
After selecting Cancel while creating or applying a service graph template, a warning confirmation box appears. Selecting No still closes the wizard.
Conditions:
- Using APIC GUI to Create a L4-L7 Service Graph Template or Apply L4-L7 Service Graph Template
Workaround:
No workaround available.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu23146 | Title: | Trimming behaviour is different if done via cli and gui on ifc |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Tech support filtering based on category could miss some files when triggered from GUI.
Conditions:
If tech support is collected with filtering based on category via GUI, then the trimmed tar ball may not have all the needed logs.
Workaround:
workaround 1: Don't use filtering based on category.
Workaround 2: Apply the filtering via CLI as follows.
1. collect normal tech support with export destination as Controller
2. login to the Controller and apply the filtering via CLI.
3. techsupport-filter filter starttime endtime category
Further Problem Description:
tech support filtering based on time and category works fine, when issued via APIC CLI.
tech support filtering based on time and category works on ACI-switches, when issued via GUI/CLI.
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4h) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu14565 | Title: | Tunnel interface lost on delete/recreating intf policy group |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
The tunnel interface for an AVS host (using opflex) is not created if the vPC interface is deleted and added back again within 5 mins.
This can impact forwarding for VMs on that host.
Conditions:
This issue occurs when the vPC configuration is deleted and added back, including an association to AEP for the domain.
Workaround:
Either of the following:
- vem stop; wait 5 min; vem start
- Or keep a 5 mins delay after vpc configuration deletion, before adding it back.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4b) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu00666 | Title: | changing from LACP to mac-pinning does not change port groups in vCenter |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
The load balancing is set to the wrong configuration of "Route based on IP hash" when "mac-pinning" is chosen for the vswitch LACP policy
Conditions:
the policy was changed to mac-pinning to LACP and then back to mac pinning
Workaround:
change the load balancing manually on every port group within vCenter
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3f) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv46644 | Title: | Enhancement: Need per filter DSCP marking on ACI Fabric |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Need ability to mark dscp value based in the traffic type (L4 port and protocol) on traffic.
Conditions:
N/A
Workaround:
N/A
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.1(1j) |
|
Known Fixed Releases: * | 1.2(0.161a), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu75926 | Title: | TSW: reader/ae cored with 20 parallel report generations |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Troubleshooting wizard report generation may be incomplete or may het timed out if more than 4 reports are asked to be generated concurrently. If too many reports are generation duration overlap then some processes running on that APIC may restart.
Conditions:
More than 4 trouble shooting wizard sessions are manually triggered or are configured via scheduler to generate report at the same time.
Workaround:
Limit the number of report generations running concurrently to 4. For scheduled report generation please set the scheduler's trigger time at least 10mins later than that of the previous session.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu56113 | Title: | APIC: VPC stalepath if Policy group changed from VPC to PC |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Stale fabricPathEp representing VPC are present.
Conditions:
When an infraAccBndlGrp's link aggregation type (lagT) is change from "node" (VPC) to "link" (PC), there might a stale fabricPathEp corresponding to the VPC.
Workaround:
- Change the link aggregation type of the infraAccBndlGrp to "node".
- Delete the infraAccBndlGrp
- Recreate it with link aggregation type as "link".
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.914a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv10412 | Title: | UI Page stuck in loading state when deselect the L3 port |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
page stuck in loading state
Conditions:
deselect the L3 port
Workaround:
Reload the page.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.2(0.1) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv04230 | Title: | Please raise a fault if a user configures a bgp peer with a non /32 mask |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Prefix peering is allowed to be configured but may result in odd behavior.
Conditions:
A BGP peer can be configured with a netmask that is not /32.
Workaround:
Do not use a netmask when configuring a BGP peer.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv08961 | Title: | mgmtSubnet should be configured as source address in iptables on apic |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
When we configure mgmtSubnet under External Management Network Instance Profiles, it should be source address in iptables on apic. However it is configured as destination address in iptables. Hence External Management Network Instance Profiles does not work as expected for apic.
Conditions:
When we configure mgmtSubnet under External Management Network Instance Profiles.
Workaround:
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.89), 1.1(2h), 1.2(0.13), 1.2(0.9a), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv74692 | Title: | Intuit Intersite traffic convergence takes more time |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
In large scale setup where tenant common contains most contract configuration, modification requests will be delayed when deploying to the switch.
Conditions:
This can happen when many tenant configs are using contracts in tenant common.
Workaround:
Further Problem Description:
Following are the config details.
1 Ctx, 3 Bds, 1400 EPGs and one contract per EPG, 1400 InstPs with one or more l3extSubnets(2125 l3extSubnets).
All are in tenant common.
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1q), 1.1(2c) |
|
Known Fixed Releases: * | 1.1(2.17), 1.1(3f), 1.2(0.58a), 1.2(0.60), 1.2(0.76a), 1.2(0.77b), 1.2(0.80a), 1.2(0.83), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu40547 | Title: | corrupt commit log issue on restart |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
All replicas of a specific shard think their commit log is corrupted and trying to resync database from other replica. So the shard is unavailable.
Conditions:
All replicas of a process crashes due to some other reason in middle of updating the header in commit log. The recovery logic considers partially written header as a corruption case and tries to recover from clean state. This condition is rare and happens after multiple failures.
Workaround:
The workaround is to manually recover the DB from purgatory path.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.882a) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv13231 | Title: | Decommissioned Spines Remain in Leaf's BGP session List |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
For a spine was decommissioned, its still showing as part of BGP sessions in Leaf.
leaf104# show bgp sessions vrf overlay-1
Total peers 3, established peers 2
ASN 100
VRF overlay-1, local ASN 100
peers 3, established peers 2, local router-id 10.0.0.93
State: I-Idle, A-Active, O-Open, E-Established, C-Closing, S-Shutdown
Neighbor ASN Flaps LastUpDn|LastRead|LastWrit St Port(L/R) Notif(S/R)
10.0.0.94 100 2 01:11:21|never |never I 0/0 2/0 ===>It was decommissioned.
10.0.40.93 100 0 01:32:31|never |never E 56249/179 0/0
10.0.40.64 100 0 01:08:13|never |never E 48219/179 0/0
Conditions:
The spine has to met the conditions below:
1. Route reflector enabled for that spine
2. The spine was decommissioned (remove from controller)
Workaround:
On the leaf where you want to clean the config
1. issue "acidiag touch clean"
2. issue "reload"
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.153a), 1.1(1.155a), 1.1(1.157a), 1.1(1.159b), 1.1(1r), 1.1(2.17), 1.1(2a), 1.2(0.41), 1.2(0.49), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu73008 | Title: | Taking long time to recover from faults after adding back one BD |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Deletion of a BD from tenant common takes a long time to converge.
Conditions:
This can happen if large scale configuration (many hundreds) of EPGs with contracts are associated with this single BD, as this will cause all of the EPGs and contracts to get undeployed.
Workaround:
Disassociate EPGs from the BD gradually before deleting the BD.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.936d) |
|
Known Fixed Releases: * | 1.1(1r), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu73036 | Title: | ACI N9K: L3Out and EPG in Same Common VRF Cannot Communicate |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
An administrator has configured an L3Out that uses a Private Network (PN) in the Common tenant. The same PN is used by EPGs in other tenants, but EPGs are unable to establish connections outside the L3Out.
Conditions:
Both EPGs and the L3Out use the same PN in the Common tenant.
Workaround:
Change Policy Control Enforcement to "Unenforced" for the Private Network in Common
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.1(0.208), 11.1(0.236) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv74498 | Title: | Security Privilege for physDomP is not honored |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
A user with the appropriate permissions cannot make a physical domain association on an EPG.
Conditions:
A user configured with a security domain including the tenant and physical domain.
The security domain has the appropriate privileges to write a fv:RsDomAtt object and read a phys:DomP object.
Workaround:
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(2.17), 1.1(3f), 1.2(0.66), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu13617 | Title: | [eft-bputra] vzAny does not include external EPGs |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
vzAny contracts that are applied do not include externally routed networks (external EPGs) in policy application.
Conditions:
Using an L3Out and having a contract set as provided or consumed or both onvzAny (EPg Collection for Context).
Workaround:
Apply contract to external EPGs specifically.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.766m), 1.1(0.766p), 1.1(0.849) |
|
Known Fixed Releases: * | 1.1(0.860), 1.1(1j), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw58467 | Title: | Invalid Path/Vlan config faults after upgrade to 139j |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
Faults seen on the Leaf switch when assigning the same VRF to the interfaces which belong to different vlan domains. faults can be monitored by executing "show faults tenant " on the CLI exec prompt. The Description for the faults can indicate "Invalid Path Configuration" or "Invalid VLAN Configuration" or a combination of both.
Conditions:
This fault is seen when one or more vlan-domains are different between interfaces on a leaf switch which are assigned to the same VRF.
This fault is a warning fault and does not have functional impact to VRF deployement or traffic forwarding.
Workaround:
The expected configuration is interfaces belonging to the same VRF on the leaf switch should have the same VLAN domains.
Further Problem Description:
|
|
Last Modified: | 23-OCT-2015 |
|
Known Affected Releases: | 1.2(0.132) |
|
Known Fixed Releases: * | 1.2(0.181a), 1.2(0.184a) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuu70647 | Title: | N9k not able to suppress Sev 3 FEX syslog messages with sylog level at 2 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
LLDP syslog messages not suppressed when logging level is changed.
Conditions:
Seen with LLDP logs
Workaround:
No Known workaround.
Further Problem Description:
|
|
Last Modified: | 23-OCT-2015 |
|
Known Affected Releases: | 6.1(2)I3(5) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw46076 | Title: | Cisco APIC Privileged Escalation SSH Key Vulnerability |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
A vulnerability in Secure Shell (SSH) key handling for user accounts in the Cisco Application Policy Infrastructure
Controller (APIC) could allow an authenticated, local attacker to escalate their privilege level.
The vulnerability is due to improper validation of the SSH key adding by the local user to their account. An attacker
could exploit this vulnerability by authenticating to the device and adding a SSH key to their local account. An exploit
could allow the attacker to escalate their privilege level on the local shell to perform unauthorized actions.
Conditions:
Device running with default configuration running an affected version of software.
Workaround:
None.
Further Problem Description:
None.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:L/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6333 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
|
|
Last Modified: | 24-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(3.10), 1.2(0.139a), 1.2(0.147), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu73404 | Title: | common domain not picked up at times causing l2RsPathDomAtt not deployed |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom:
When an endpoint group (EPG) is deployed on 2 interfaces of a ToR, one interface with the VLAN scope configured as global and the other configured as local, the common domain (the domain associated with both the EPG and the interface) needs to be picked for EPG deployment. At times, when the interface with a global VLAN scope is associated with multiple domains (domains with overlapping VLAN namespaces), instead of the common domain getting picked up for deployment, another domain gets picked up. This leads to an EPG not getting deployed on the port with a local VLAN scope.
Conditions:
Workaround:
On the port the EPG deployment failed, undeploy and redeploy the EPG on that port.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.945) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuw51559 | Title: | APIC ML2 apic_sync_interval config option should be documented |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: | Symptom:
apic_sync_interval option is available in APIC ML2 driver, but it's behavior is not documented
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 03-OCT-2015 |
|
Known Affected Releases: | 11.0(4) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv26878 | Title: | Local admin user logging in to APIC CLI with ssh key missing admin group |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom:
When logging in as a local user with admin privileges and using an ssh key, the admin group is missing from the user. When logging in as the same user with a password, the admin group is present. This creates an issue where the user wants to run `acidiag` commands, but is unable to because they logged in using ssh public key authentication.
Conditions:
Logging into APIC CLI using SSH with public key authentication
Workaround:
Use a password instead
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.119), 1.1(2h), 1.2(0.13), 1.2(0.32), 1.2(0.9a), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv95922 | Title: | BD should indicate if it is being overwritten by fvRtPolModAtt |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom:
BD shows L3 configuration, but acts as L2 (or vice versa) after a SGT gets applied to the BD.
Conditions:
BD is configured as L3, but after service graph is applied with default settings, will act as L2 with no indication of such on the BD
Workaround:
You an seethe relationship if you grab all properties subtree, but this is not ideal
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(2h) |
|
Known Fixed Releases: * | 1.2(0.89), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv24351 | Title: | Download info of ACI SDK and model is incorrect in documentation |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom:
Customer was looking to download ACI python SDK and found documentation in Cisco.com.
The document found is - http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/api/python/install/b_Install_Cisco_APIC_Python_SDK_Standalone.pdf
Conditions:
Information about APIC python SDK download was found in http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/api/python/install/b_Install_Cisco_APIC_Python_SDK_Standalone.pdf
Workaround:
TAC provided correct information for download via APIC GUI instead
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1r), 1.2(0.80a), 1.2(0.83), 1.2(0.94), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu06490 | Title: | GUI banner has APIC login screen in the background |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom:
User sees their web page convoluted by the apic login banner acting as a background in the separate frame.
Conditions:
GUI banner configured in the apic.
Workaround:
Remove APIC login banner from the GUI banner frame. May be able to get around this by having the webpage load its own background image in the meantime, but this will not work for linked sites that do not load their own bg image.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3k) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv36802 | Title: | Please print a warning to not reboot/shutdown when extracting iso on sim |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom:
APIC Simulator install may become corrupted if it is interrupted during the first boot after an install of a new iso.
Conditions:
This can occur if the interruption occurs by a power cycle, restart or reboot of some kind/
Workaround:
The ISO can be reinstalled from scratch or TAC can be called to log in as root on the ifc terminal to remove the /local/iFabric directory and reboot the simulator.
Further Problem Description:
During the first boot when installing a new version, the iso is extracted onto the hard drive. If this is interrupted the files on the hard drive may be incomplete and upon the next boot the software will not be able to start up properly and will hang.
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.124a), 1.1(1.126a), 1.1(1.128a), 1.1(1.130a), 1.1(1.132a), 1.1(1.135a), 1.1(1.138), 1.1(2h), 1.2(0.32), 1.2(0.41) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu33576 | Title: | show system internal qos vlan command doesnt work when specifying vlan |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom:
No output when trying to specify vlan using or commands
Conditions:
Workaround:
Use the command
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.0(4) |
|
Known Fixed Releases: * | 1.1(0.902a), 1.1(0.904), 1.1(0.920a), 1.1(0.927a), 1.1(0.930a), 1.1(0.932a), 1.1(0.936a), 1.1(0.939a), 1.1(0.941), 1.1(1j) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu77302 | Title: | APIC GUI changes TENANT_NAME/default to common/default in BD properties |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom:
APIC GUI changes TENANT_NAME/default to common/default in BD properties
Conditions:
Reproduction steps:
- I've configure tenant
- 2 EPGs, they are in the same BD-100.
- Each EPG is in different subnet 192.168.1.0/24 and 192.168.100.0/24
- configure private network in non-common tenant -> e.g TENANT_NAME/default
- under BD configure private network: TENANT_NAME/default
Workaround:
N/A
Further Problem Description:
N/A
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1b) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu94226 | Title: | APIC: Add CLI command to shutdown Controller as ADMIN User |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom:
APIC: shutdown command exits in webui but not available on apic cli level
Conditions:
APIC cli in use and logged as admin
Workaround:
Use CIMC
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1f) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu20014 | Title: | VM Networking Topology shows duplicate switch ID's |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom:
same switch is shown multiple times in topo view of the hypervisor
Conditions:
n/a
Workaround:
n/a
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(3n) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu07600 | Title: | incorrect garp description in help page of EP Move Detection Mode |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom:
'EP Move Detection Mode' help page is described as below.
GARP is not 'Generic Attribute Registration Protocol', but Gratuitous ARP.
---
EP Move Detection Mode
The Generic Attribute Registration Protocol (GARP) was defined by the IEEE to provide a generic framework so bridges (or other devices like switches) could register and de-register attribute values, such as VLAN identifiers and multicast group membership.
GARP defines the architecture, rules of operation, state machines and variables for the registration and de-registration of attribute values.
https://[ip_address_of_apic]/help/content/index.html#fv_infoBD.html
---
Conditions:
Workaround:
none, it's just a document issue
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.766m) |
|
Known Fixed Releases: * | 1.1(0.855), 1.1(1j), 1.1(2.24), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut97020 | Title: | ACI: inconsistency between Auto-mdix of show interface and mdix of GUI |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom:
Auto-mdix output of show interface and mdix output of GUI are different.
For example, when you issue show interface e1/1 on the leaf switch, 'Auto-mdix is turned off' will be displayed.
When you check eth1/1 interface with GUI or issue cat mit/sys/phys-\[eth1--1\]/summary, 'mdix : auto' will be displayed.
Conditions:
This symptom is observed when compared between show interface output on ishell mode and GUI output .
Workaround:
none, it's just a cosmetic issue
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.0(2m), 11.0(3i) |
|
Known Fixed Releases: * | 1.1(0.846), 1.1(0.867b), 1.1(0.869a), 1.1(0.872a), 1.1(0.873), 1.1(1j), 1.1(2.24), 1.2(1.17), 11.1(0.202) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv03994 | Title: | GUI: Multple Contract Relationships do not render correctly |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom:
When two different contracts exist between the an EPG & External L3/L2 network, only one contract link will show at a time. When one contract is removed, the other contract relationship link in the UI appears.
Conditions:
All APIC versions up to 1.1(1j)
Workaround:
NA. This is a cosmetic bug only. The contract relationships are still being enforced, and can be verified through the Contracts pane, or visore.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu94911 | Title: | Wrong name for "Router Configurations" Panel |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom:
the panel name should be "Router Configurations" instead of "Route configurations".
Conditions:
Click "router configuration" page under "Networking" section.
Workaround:
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(0.153), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv29901 | Title: | TxId Fields Mislabeled |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom:
The Current Transition ID (currentTxId) and ACKed Transition ID (ackedTxId) fields on the Deployed Devices properties page are mislabeled. They should both be labeled as Transaction instead of Transition.
Conditions:
Viewing L4-L7 Deployed Devices in the APIC GUI.
Workaround:
N/A
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.2(0.7), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv18401 | Title: | Please add additional recommended action for deployment-failed epg fault |
|
Status: | Fixed |
|
Severity: | 5 Cosmetic |
Description: | Symptom:
If the EPG tied to a VMM domain fails to deploy the fault recommended actions may not include an action that is specific to the use of static encapsulation. This could prevent customers from resolving the issue on their own.
Conditions:
If a VMM domain is tied to an EPG with a Port Encap value but the encapsulation blocks for that domain are all dynamic, the deployment of the EPG will fail with a fault due to invalid encapsulation identifier.
The use of a Port Encap value when associating an EPG to a VMM domain requires a static encapsulation block at the VLAN pool used by the domain.
Workaround:
Set the encap to an encapsulation that is in a static encap block.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.1(1.101a), 1.1(1.105a), 1.1(1.109a), 1.1(1.112a), 1.1(1.114a), 1.1(1.119), 1.1(2h), 1.2(0.13), 1.2(0.9a), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu58380 | Title: | Prevent deletion of default controller scheduler policy "ConstSchedP" |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
Cannot upgrade APIC controllers from GUI.
Conditions:
This issue occurs when a user deletes the default controller scheduler policy "ConstSchedP."
Workaround:
Reconfigure the default controller scheduler policy "ConstSchedP" manually.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.914a) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu74743 | Title: | If APIC has BSW disconnected, put a fault on EPG when a domain is mapped |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
vlans are not getting pushed to switches after mapping a VMM domain to an EPG
Conditions:
fabricLooseNode shows "disconnected-from-network". Links may be down to the blade switch.
Workaround:
n/a
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.0(4h) |
|
Known Fixed Releases: * | 1.2(0.1), 1.2(0.16), 1.2(0.19a), 1.2(0.21a), 1.2(0.22), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu03257 | Title: | EPM and EPMC changes for MAC/IP based EPG feature |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
- IP/MAC Ckt EP configuration not supported in combination with static EP configurations
- IP/MAC Ckt EP configuration not supported with L2-only BDs (config will not be blocked, it just won't take effect as there is
no L3 learning in these BDs)
- IP/MAC Ckt EP configuration not supported with external and Infra BDs (again because there is no L3 learning in these BDs)
- IP/MAC Ckt EP configuration not supported with shared services provider config (same or overlapping prefix cannot be used for shared services provider and IP Ckt EP). However, this config can be applied in BDs having shared services consumer EPGs.
- IP/MAC Ckt EP configuration not supported with dynamic EPGs. Only static EPGs are supported
- No fault will be raised if the IP/MAC Ckt EP prefix configured is outside BD subnet range. This is because user can configure BD subnet and IP/MAC Ckt EP in any order and so this is not error condition. If the final configuration is such that IP/MAC Ckt EP prefix configured is outside all BD subnets, the config has no impact and is not an error condition.
- Dynamic deployment of contracts based on instrImmedcy set to onDemand/lazy not supported, only immediate mode is supported.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.0(3.928) |
|
Known Fixed Releases: * | 1.2(0.31), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu71147 | Title: | APIC directly connected subnets don't get advertised in OSPF |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
With current Bputra FCS release, APIC doesn't advertise directly connected subnets in OSPF even if it is specified in rtctrl-export.
Conditions:
In Intuit's ACI ASA and F5 Service design, one F5 is configured thru L3Out peer routing in their PCI Compliance context/segment with static routes for F5 VIP and SNAT subnets.
Both of the external and internal interfaces of the ASA firewall between the regular data context and Compliance context are configured as L3Out peer routing with OSPF.
The F5 connected subnet including its selfIP and float IP cannot be advertised thru OSPF with current Bputra release.
Workaround:
configure a static route that covers the connected subnet and the static route will be advertised thru OSPF
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(0.936d), 1.1(1o) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv46711 | Title: | Enhancement: Need aggregates support on BGP on ACI Layer 3 Out |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
Need BGP to support route aggregation on ACI Layer 3 Out. As well as the corresponding bgp attributes (atomic aggregate, aggregator id and as set...etc)
Conditions:
N/A
Workaround:
N/A
Further Problem Description:
N/A
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.1(1j), 11.1(1o) |
|
Known Fixed Releases: * | 1.2(1.17), 11.2(0.57) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu87040 | Title: | ARP Flood Checkbox BD Config Enhancement |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
When changing a BD configuration from the default of Hardware Proxy to L2 Uknonwn Unicast = Flood, the ARP Flooding checkbox does not automatically check also. After submitting change without checking ARP Flooding, a Fault is raised (see attachment). When manually checking ARP Flooding, Fault goes away since this is a valid configuraiton.
Conditions:
APIC GUI configuration for BD.
Workaround:
Manually check the ARP Flooding checkbox.
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 7.3(0)ZN(0.9) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu81845 | Title: | ACI BGP Peer Configuration Enhancement |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
When configuring the BGP peer in APIC, the field "Local Autonomous System Number:" is confusing.
Conditions:
Configuring BGP Peer in APIC.
Workaround:
None.
Further Problem Description:
When seeing the field "Local Autonomous System Number:" we think it refers to our BGP AS number (the MP-BGP RR number), rather than the "Local-AS" number we want to use to peer with our neighbor. It would be more clear and similar to NX-OS configuration if it was identified as "Local-AS Number:" instead. There is a tip statement in the configuration right below this field that tries to make this field contents more clear with the message "This value must not match the MP-BGP RR policy?. The proposed suggestion of "Local-AS:" instead should make this more clear. The link below identifies how "Local-AS" is the more common terminology.
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13761-39.html
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 7.3(0)ZN(0.9) |
|
Known Fixed Releases: * | 1.1(2h), 1.2(0.1), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu64002 | Title: | ACI nodes do not send Remote Address in TACACS+ message |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
ACI nodes doesn't send Remote Address in TACACS+ messages. Thus, end point filter won't work on ACS for users authenticating on ACI nodes. Also IP addresses they are coming from won't be logged on ACS.
Conditions:
normal operation
Workaround:
none
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.0(4) |
|
Known Fixed Releases: * | 1.1(1.126a), 1.1(1.128a), 1.1(1.130a), 1.1(1.132a), 1.1(1.135a), 1.1(1.138), 1.1(2.36), 1.1(2h), 1.2(0.16), 1.2(0.32) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu94860 | Title: | APIC GUI - Reword subnet scope checkboxes |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
The meaning and function of subnet checkboxes are unclear from the wording.
Conditions:
When creating a subnet under and Endpoint Group or Bridge Domain.
Workaround:
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: * | 1.2(0.86a), 1.2(0.89), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut98863 | Title: | Implement show bgp vpnv4/vpnv6 unicast summary vrf all in ibash |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
The show bgp vpnv4/vpnv6 command chain is not available in ibash in ACI mode.
Conditions:
N/A
Workaround:
N/A
Further Problem Description:
N/A
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 11.1(0.180) |
|
Known Fixed Releases: * | 1.2(0.119a), 1.2(0.120a), 1.2(0.121a), 1.2(0.123), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCuv16874 | Title: | Need to always enable ospf on loopback interface. affects ecmp with nssa |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
* This is a change in behavior of NXOS and OSPF.
* The change implements that OSPF is now enabled on the Loopback interfaces to ensure proper ECMP are available with an NSSA area.
* This also impacts the OSPF Forwarder Address in the Link State Advertisement, meaning it will be the Loopback address linked to the OSPF Router ID
* As a result, you may see that you are learning the same Router ID in multiple VRFs.
* This can have an impact if you are "stitching" together the NSSA and non-NSSA areas via a directly connected external device (Eg: ASA Firewall), as the external device will learn the Router ID from two separate OSPF areas.
* As the Forwarder address will now match the Router ID, it may potentially begin to blackhole traffic in one of the OSPF areas - likely the NSSA area
Conditions:
* 1.1(2h)
* 2 separate VRFs with OSPF, one of type NSSA
* These VRFs exist on the same Leaf switches
Workaround:
The solution moving forward is to ensure that you configure different Router IDs per VRF - L3-out
Further Problem Description:
|
|
Last Modified: | 14-OCT-2015 |
|
Known Affected Releases: | 1.1(1j) |
|
Known Fixed Releases: | 1.1(1.114a), 1.1(1.119), 1.1(2h), 1.2(0.16), 1.2(1.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu49742 | Title: | MSFT Domain encap block change requires remediate from SCVMM |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom:
In Microsoft SCVMM, if a VM network is already attached and used by virtual machines, and if an admin changes the VLAN number of this VM network on SCVMM, the virtual machine VLAN information is not automatically updated on Hyper-V Host virtual machines.
Conditions:
When a VLAN number is changed in the APIC controller, and this VLAN was being used by VM networks in the SCVMM, this will cause a traffic outage for the virtual machines.
Workaround:
On detection of a VLAN encap change operation on an APIC, the SCVMM Admin must run this script provided by Microsoft to update the virtual machine with the changed VM network VLAN information: https://gallery.technet.microsoft.com/Finds-Non-Compliant-cf534440. This script updates virtual machine VLAN information on SCVMM VM network configured VLANs.
Further Problem Description:
|
|
Last Modified: | 05-OCT-2015 |
|
Known Affected Releases: * | 1.1(0.902d), 1.2(0.127a) |
|
Known Fixed Releases: | |
|
|
| |
2013 Cisco and/or its affiliates. All rights reserved. 
没有评论:
发表评论